Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of: 1) Information collected or maintained by or on behalf of the agency; and 2) Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;

Complying with the requirements of this policy and related policies, procedures, standards, and guidelines, including: 1) Information security standards promulgated under the U.S. Code Section 11331 of Title 40; and 2) Information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and

Ensuring information security management processes are integrated with agency strategic and operational planning processes.

Ensuring that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this policy and related policies, procedures, standards, and guidelines.

Ensure that senior agency officials provide information security, for the information and information systems that support the operations and assets under their control;

Assess risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;

Determine the levels of information security appropriate to protect such information and information systems in accordance with standards and policies for information security classifications and related requirements;

Implement policies and procedures to cost-effectively reduce risks to an acceptable level; and

Periodically test and evaluate information security controls and techniques to ensure that they are effectively implemented.

Delegate to the agency Chief Information Officer (CIO), established under Section 3506 of the FISMA Act (or comparable official in an agency not covered by such section), the authority to ensure compliance with the requirements imposed on the agency.

Ensure that the agency CIO, in coordination with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program to include progress of remedial actions.

Delegate to the Senior Agency Information Officer, the authority to carry out the CIO's responsibilities under this section.

Possess professional qualifications, including training and experience, required to administer the functions described under this section;

Have information security duties be the primary duty; and

Head an office with the mission and resources to assist in ensuring agency compliance with this section;

Develop, document, and implement an agency wide information security program to provide security for all systems, networks, and data that support the operations of the organization;

Develop and maintain information security policies, procedures, and control techniques to address all applicable requirements;

Train and oversee personnel with significant responsibilities for information security with respect to such responsibilities; and

Assist senior agency officials concerning their responsibilities.

Perform annual FISMA activity reviews;

Review the results of the annual FISMA activity reviews, including any weaknesses for inclusion in the IRS' Plan of Action and Milestones (POA&Ms); and

Coordinate with the Designated Accrediting Authorities (DAAs) regarding the security posture of IT resources.

Designate a Senior Agency Information Security Officer (SAISO) who shall carry out the CIO’s responsibilities for system and program security assessments;

Develop and maintain an agency-wide information security program including information security policies, procedures, and control techniques to address all applicable requirements;

Manage the identification, implementation, and assessment of common security controls;

Ensure compliance with applicable information security requirements;

Ensure that personnel with significant responsibilities for system and program security assessments are trained;

Assist senior agency officials with their responsibilities for system and program security assessments;

Report annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions;

Encourage the maximum reuse and sharing of security-related information including: 1) Threat and vulnerability assessments; 2) Risk assessments; 3) Results from common security control assessments; and 4) Any other general information that may be of assistance to information system owners and their supporting security staffs.

Determine the appropriate allocation of resources dedicated to the protection of the agency’s information systems based on organizational priorities.

Ensure that IT system C&A reports and risk analyses are conducted by each DAA;

Review IRS business cases and budget submissions to ensure that IT security requirements are addressed and adequately resourced;

Establish an IRS IT security oversight program to ensure that the security procedures and requirements are in compliance with Department of Treasury and IRS policies and standards;

Conduct security audits, verifications and acceptance checks and maintain documentation on the results;

Provide oversight to Plan of Action and Milestones (POA&Ms) processes, for all IT security weaknesses and provide a quarterly status to Department of Treasury through the IRS CIO;

Coordinate the implementation of logical access controls into operating systems, relational database management systems (RDBMS), remote terminals and IT applications;

Provide IT and facility technical and nontechnical (e.g., physical and personnel security) certification support to any Information System Owner;

Prepare and submit a written report for all technical security exceptions. The report shall outline the risks and vulnerabilities and/or advantages that could result from granting the exception or from implementing any alternative. Maintain a file of all approved IT facility security-related exceptions;

Ensure that risk analyses are conducted at least every 3 years or when major changes occur for IT systems/application processing sensitive information;

Ensure that contingency plans for IT systems processing sensitive information are developed, maintained and tested;

Develop each certification letter citing risks and mitigations along with Authority to Operate (ATO) or Interim Authority to Operate (IATO) recommendation to the DAA;

Review and approve security Certification & Accreditation (C&A) package artifacts;

Be a voting member on the Configuration Control Board (CCB) for the IRS' IT architecture;

Review contract vehicles to ensure they address appropriate security measures; and

Define and implement performance metrics to evaluate the effectiveness of their IT security programs.

Plan for security in all phases of the system life cycle;

Ensure appropriate officials are assigned security responsibility;

Review security controls annually (i.e., FISMA annual security program review); and

Formally authorize (accredit) processing prior to operations (as a Designated Approving Authority (DAA)) and periodically thereafter.

Exercising oversight to ensure that a program manager is assigned for each system;

Exercising oversight over Security Awareness Training and Education (ATE) funding; and

Annually validating and updating the master inventory of information systems.

Be responsible for all funding and ultimate prioritization of activities within their respective units.

Develop organizational assignments and operational procedures to implement the roles and responsibilities defined in this policy.

Be the official responsible for the overall procurement, development, integration, modification, operation, and maintenance of an information system or application.

Be knowledgeable in the nature of the information and process supported by the application and in the management, operational, and technical controls used to protect it.

In accordance with FISMA requirements, include security requirements in their capital planning and investment business cases.

Ensure security requirements are adequately funded and documented in accordance with OMB Circular A-11.

Serve as or designate a "user representative" ; which represents the operational interests of the user community and serve as the liaison for that community throughout the system development life cycle.

Own the business case, which is a product of the ELC, and formally propose the continuation of the project submitting the related funding requests;

Initiate and manage C&A activities to ensure they are performed appropriately and timely;

Plan and coordinate activities within his/her organization required to complete C&A, FISMA reviews, and POA&M development;

Ensure full and current documentation of the information system in the system security plan and other associated C&A documentation;

Ensure submission of all C&A documents to MA&SS;

Complete the annual review of system security controls for the annual FISMA system security program review.

Conduct annual testing of the system;

Combine and review all security weaknesses from the self-assessment, risk assessment, TIGTA audits, GAO audits and internal reviews into the POA&M;

Coordinate the completion of the Self-Assessment Questionnaire with appropriate organizations and provide the consolidated assessment to the PMO;

Propose changes to the information systems including hardware, software, and surrounding environment as part of the POA&M activities;

Ensure risks to IRS operations and assets are identified, documented, assessed, and appropriately managed (See IRM 10.8.1 for certification);

Assess the business impact of a weakness occurring as part of the POA&M activities;

Determine the corrective actions to mitigate the weakness and the associated cost, time, and resources;

Based on the threat, probability of occurrence, and business and technical impact, consider the cost, time and resources necessary to mitigate and prioritize the weaknesses into High (H), Medium (M), Low (L) categories and notate on the POA&M as appropriate;

Implement corrective actions to mitigate weaknesses assigned to the BO;

Track the mitigation of the weaknesses in the POA&M through status updates, changes to milestones and additional comments;

Test and validate the effectiveness of the corrective actions;

Plan and manage the development and execution of the POA&M to ensure all identified security weaknesses are documented, assessed, prioritized, and managed;

Provide quarterly POA&M status reports to PMO for submission to MA&SS;

Implement and manage a change control process in conjunction with MITS to ensure changes to the system or its environment are appropriately documented, authorized, tested, and implemented;

Ensure least-privilege system access controls and administration are in compliance with policy;

Ensure that appropriate technical, administrative, physical, and personnel security requirements in specifications for the acquisition or operation of information systems are reviewed and approved by the management official responsible for security at the facility operating the information system; and

Confirm the required deliverables of the C&A package with MA&SS.

Conduct an annual FISMA Contractor Review of the contractor’s facility and systems.

Perform continuous monitoring and a Plan of Action and Milestones (POA&M) of their FISMA Contractor Systems in accordance with NIST 800-37 and 800-53 guidance

Provide funding to conduct the annual FISMA Contractor reviews.

Fully describe and document the information system in the ITCP;

Clearly define system and application priorities, subsequent needs, and related risk acceptance or avoidance for recovery and BR, accounting for possible degrading of computer processing capabilities;

Acquire and transport replacement equipment required to restore operations;

Acquire space for processing operation to include occupation of an alternate processing facility when necessary; and

Estimate supplies and office equipment needed to support a computer processing operation occupying an alternate processing facility when appropriate.

Determine recovery needs and time frames needed for business restoration through comprehensive business impact analysis evaluations;

Determine what data needs to be recovered and the priority order for recovery;

Develop DR requirements during the development phase of all new systems and throughout any production system upgrades;

Determine what data needs to be recovered and the priority order for recovery;

Provide the funding for the DR equipment/space/storage needed to meet the recovery goals (set by the business);

Fully describe and document the details of the information system in the IT Contingency Plan (ITCP) that is required by FISMA for each major system;

Clearly define system and application priorities, subsequent needs, and related risk acceptance or avoidance for recovery and BR;

Support expeditious acquisition and transportation of replacement equipment required to restore operations;

Support the development of processing priorities for completion of work following emergencies that degrade computer processing capabilities;

Ensure ITCPs and DR plans for all applications and systems are tested annually;

Work jointly with MITS and MA&SS in the development and testing of DR plans to ensure business continuity;

Work jointly with MITS and MA&SS in the testing of the DR plans to ensure availability of data from the recovered system.

Develop security controls for systems and applications;

Conduct annual testing of the systems and applications;

Test and validate the effectiveness of corrective actions;

Ensure IT contingency planning and DR requirements are addressed for all applications and systems owned by MITS;

Mitigate technical vulnerabilities and validate fixes;

Implement corrective actions to mitigate weaknesses assigned to MITS; and

Create and implement configuration management plans that control changes to systems and applications during development;

Track security flaws, require authorization of changes, and provide documentation of the configuration management plan and its implementation.

Jointly develop the detailed content of each DR plan to include recovery of the system, the application, and the associated data, including all platforms applicable to the system/application;

Ensure requirements, priorities, recovery times, and costs of each DR plan are appropriate and achievable;

Exercise and execute each DR plan;

Maintain and update the content of the DR plans;

Support procurement activities to enhance DR capabilities to meet stated business objectives;

Maintain DR equipment located at MITS locations for the business units;

Establish DR location(s) based on FISMA and NIST DR policy and requirements;

Ensure offsite storage of data needed for recovery and ongoing backup of data;

Establish a schedule and notify MA&SS IT Security Field Operations of the schedule for coordinating DR tests throughout the year;

Annually test each major system and establish DR testing priorities; and

Work with business units and MA&SS to resolve (if possible) issues identified during DR testing or document reasons/risk/impact.

Establish the rules for appropriate use and protection of the subject information (e.g., rules of behavior);

Retain responsibility for the information even when the information is shared with other organizations; and

Provide input to information system owners regarding the security requirements and security controls for the information systems where the information resides.

For all equipment capable of storing or transmitting data, a risk assessment before connecting it to an IRS system or network.

Apply adequate countermeasures before connecting the equipment to an IRS system or network.

Decide through C&A processes to allow or disallow equipment to be connected to an IRS system or network.

Document interconnections between external networks with an Interconnection Security Agreement (ISA) signed by both DAAs.

Oversee the budget and business operations of the information system within the agency and is often called upon to approve system security requirements, system security plans, and memorandums of agreement and/or memorandums of understanding;

Issue an Interim Authorization to Operate (IATO) the information system under specific terms and conditions;

Deny Authorization to Operate (ATO) the information system (or if the system is already operational, halt operations) if unacceptable security risks exist;

Report to the Business and Functional Unit Owner and manage the day-to-day activities for the owner.

Ensure that the BO responsibilities are assigned within their organization for each system;

Obtaining and maintain C&A for his/her systems and applications;

Sign the Accreditation Letter and assume responsibility and accountability for operating a system at an acceptable level of risk;

Ensure C&A documentation is current.

Determine information sensitivity in accordance with NIST special publication guidance on security;

Coordinate with the CIO regarding the security requirements of the sensitive information and provide definitive directions to IT developers or owners relative to the risk in the security posture of the IT system;

Respond to self-assessment questions assigned;

Decide on accepting the minimum security safeguards (requirements) prescribed for an IT system;

Implement all applicable protection policies as required by the Business system owner;

Ensure that risk analysis responsibilities are accomplished in accordance with this policy;

Ensure development of the documentation required for certification and ensure delivery to MA&SS, which is supporting the CIO;

Evaluate security impact of any facility-unique patches or system modifications and approve those that do not adversely affect system security;

Report any condition which appears to invalidate a certification, immediately to MA&SS;

Ensure that current copies of approved C&A or IATO documentation are distributed to the organizations with a need to know as outlined in C&A processes;

Ensure that all acquisitions of goods or services provide for information security, personnel security and physical security; and

The results of contracted and outsourced efforts belong to the DAA(s) who provided funding.

The ISSO shall be appointed in writing;

Be responsible for the coordination of activities that facilitate confidentiality, integrity, and availability of assigned IRS systems and applications;

Accomplished duties through planning, analysis, development, implementation, maintenance, and enhancement of MA&SS information systems security programs, policies, procedures, and tools consistent with Department of Treasury, FISMA, and NIST guidelines.

Support the DAA in day-to-day management of an enterprise risk management capability that incorporates the specific GSS or application;

Be a voting member on the Change Control Board (CCB) for the systems and applications for which the DAA is responsible;

Ensure current security plans and contingency plans exist;

Ensure Disaster Recovery (DR) / Business Resumption (BR) planning and testing occurs;

Facilitate testing of corrective action effectiveness, system security controls, and any other security testing;

Facilitate local reviews to ensure that media controls are in place and effectively implemented; background screening requests for individuals in sensitive positions are submitted on time; and adequate physical security controls are implemented.

Provide an early warning to appropriate personnel, assisting with (or in) the tasks necessary to plan, allocate resources, and conduct any required security re-certification and accreditation;

Assist in identification of IT and security resources which support critical operations;

Coordinate activities relating to the security posture of the GSS or application with responsible organizations;

Periodically report the status of the security posture of the GSS or application to the ISSM and the DAA;

Recommend (dis)approval of deviations from policy for the systems or applications for which they are responsible;

Analyze the proposed changes to the systems and applications (including hardware, software, and surrounding environment) to determine needs for re-certification;

Coordinate the C&A packages with the DAA; and

Participate in role-based training opportunities provided by the ISSM;

Enforce clean desk policy;

Sign a Form 11370, Certification of Annual UNAX Awareness Briefing, or comparable document/process.

Be responsible for providing prompt notification to the responsible organization via Form 5081 of the system user status changes (e.g., terminations, transfers). The responsible organization shall immediately suspend, cancel and/or adjust all access privileges associated with changes in status of the user.

Receive Security Awareness Training and Education (ATE). Detailed training requirements for management are stated in IRM 10.8.1.

Work in partnership with the SAISO to ensure that agency contracting policies adequately address the information security requirements;

Coordinate with the SAISO to ensure that all agency contracts and procurements are compliant with the agency’s information security policy;

Ensure that all personnel with responsibilities in the agency’s procurement process are properly trained in information security; and

Collaborate with the SAISO to monitor contract performance for compliance with the agency’s information security policy.

Lead agency enterprise architecture development and implementation efforts;

Collaborate with lines of business within the agency to ensure proper integration of lines of business into enterprise architecture;

Participate in agency strategic planning and performance planning activities to ensure proper integration of enterprise architecture;

Facilitate integration of information security into all layers of enterprise architecture to ensure agency implementation of secure solutions; and

Work closely with the program managers, the senior agency information security officer (SAISO), and the business owners to ensure that all technical architecture requirements are adequately addressed by applying Federal Enterprise Architecture (FEA) and the Security and Privacy Profile (SPP).

Review cost goals of each major information security investment;

Report financial management information to OMB as part of the President’s budget;

Comply with legislative and OMB-defined responsibilities as they relate to IT capital investments;

Review systems that impact financial management activities; and

Forward investment assessments to the IRB.

Develop, promote, and support the organization’s privacy programs;

Encourage awareness of potential privacy issues and policies; and

Review and implement privacy regulations and legislation.

Develop, promulgate, implement, and monitor the organization’s physical security programs, to include appropriate controls for alternate work sites;

Ensure organizational implementation and monitoring of access controls (i.e., authorization, access, visitor control, transmission medium, display medium, logging);

Coordinate organizational environmental controls (i.e., ongoing and emergency power support and backups, fire protection, temperature and humidity controls, water damage); and

Oversee and managing controls for delivery and removal of assets.

Develop, promulgate, implement and monitor the organization’s personnel security programs;

Develop and implement position categorization (including third-party controls), access agreements, and personnel screening, termination, and transfers; and

Ensure consistent and appropriate sanctions for personnel violating management, operation, or technical information security controls.