
Safeguard Computer Security Evaluation Matrix

(SCSEM)

Release v2.0
July 30, 2010

Agency: Insert agency name and type


DES: Insert name of DES who completed the review
Date: Insert date(s) review occurred
Location: Insert Location review was conducted, i.e., data center, field office, alternate storage site
Agency POC(s): Insert agency interviewee(s) name, title
The dashboard is provided to automatically calculate disclosure test results
from the individual locations.

SDSEM Results Dashboard
Status | # of Tests | Percent (%)
Pass | 0 | 0.0%
Fail | 0 | 0.0%
Not Applicable (N/A) | 0 | 0.0%
Blank (Not Reviewed) | Err:504 | 0.0%
Total # of Tests Performed | 0 | -
Total # of Tests Available | Err:504 | -

Data Center SDSEM Results Dashboard
Status | # of Tests | Percent (%)
Pass | 0 | 0.0%
Fail | 0 | 0.0%
Not Applicable (N/A) | 0 | 0.0%
Blank (Not Reviewed) | Err:504 | 0.0%
Total # of Tests Performed | 0 | -
Total # of Tests Available | Err:504 | -

Head Quarters SDSEM Results Dashboard
Status | # of Tests | Percent (%)
Pass | 0 | 0.0%
Fail | 0 | 0.0%
Not Applicable (N/A) | 0 | 0.0%
Blank (Not Reviewed) | Err:504 | 0.0%
Total # of Tests Performed | 0 | -
Total # of Tests Available | Err:504 | -

Off Site Storage SDSEM Results Dashboard
Status | # of Tests | Percent (%)
Pass | 0 | 0.0%
Fail | 0 | 0.0%
Not Applicable (N/A) | 0 | 0.0%
Blank (Not Reviewed) | Err:504 | 0.0%
Total # of Tests Performed | 0 | -
Total # of Tests Available | Err:504 | -

Field Office SDSEM Results Dashboard
Status | # of Tests | Percent (%)
Pass | 0 | 0.0%
Fail | 0 | 0.0%
Not Applicable (N/A) | 0 | 0.0%
Blank (Not Reviewed) | Err:504 | 0.0%
Total # of Tests Performed | 0 | -
Total # of Tests Available | Err:504 | -
IRS Safeguards
Safeguards Disclosure Security Evaluation Matrix (SDSEM)

Instructions for Completing the SDSEM


Agency Instructions:
Upon receipt of the SDSEM, the agency point of contact(s) should complete Column J "Agency's Pre-review Answers" in each tab
prior to the start of the Safeguard Review. The Agency IT POC should be involved in filling out the answers to the "Data Center" and
possibly the "Off Site Storage" tabs. The Agency may wish to list the title of any documentation or reports they are listing as
evidence to support their claim. This will be useful for the IRS Disclosure Enforcement Specialist (DES) to reference when on-site
working with the Agency POC. The Agency should set aside all referenced evidence, so that it can be provided for the DES when the
site review is conducted.

Column I "Pass / Fail" should not be filled out by the Agency. The IRS DES will determine the test result for each test case based
on a verification of the evidence during the Safeguard Review.

The pre-populated SDSEM should be provided by the agency to the DES no later than 15 days prior to the on-site review kick-off.

Head Quarters Tab: This section is designed around head quarters operations and the protection of FTI, at the agency's head
quarters or main building of operations. These questions can often be answered by the disclosure and physical security POCs.
Field Office Tab: This section is intended to cover local offices and their protection of FTI. These questions should be answered by
the head of the local field office.
Data Center Tab: This section addresses security controls surrounding the operation and security of the agency or state run data
center. These questions can often be answered by the agency/state IT data center office.
Off Site Storage Tab: This section is specific to an off site data storage location. These questions can often be answered by the
personnel in charge of the off site storage as well as head quarters and data center personnel.

IRS Safeguards DES Reviewer Instructions:


The DES is to execute the test cases in appropriate tabs and document the results. The DES is required to complete the following
columns: Column I "Pass/Fail", and Column K "IRS Comments/Supporting Evidence." See the Legend tab for information on
completing these columns.

350737130.xls Instructions 4 of 81

DES # - Column B: This is an optional column not required to be completed as part of the Safeguard review. The purpose of this
column is to allow the DES to customize the Test Cases tab by sorting the order of the test cases within each IRC Category to fit the
individual DES's normal order of test execution while on-site. The following steps provide guidance to do this for IRC Section 6103(p)
(4)(A) as an example:

1. Insert a sequence number in Column B for each test case. This is the sequence in which you will execute each test within the
section.
2. Select the area to be sorted, in this case rows 3-36, columns A-J for each row.
3. Go to "Data" --> "Sort"
4. In the Sort dialog box, the Sort By drop down box reads Column B (to ensure it will sort on the DES #) and the Ascending button is
selected.
5. Click OK.
6. The rows will rearrange based on the numerical order of the DES # column.
7. To undo the sort, repeat #2, 3 and 4, but ensure the Sort By drop down box reads Column A (to sort on Test ID) and click OK.

Note: This must be done one section at a time. The gray IRC section headers cannot be selected as part of the area to
sort or else the sort will not function properly.

Pass/Fail - Column I: Determine if the supporting evidence supports a Pass, Fail or N/A test result. If the control is marked as N/A,
provide appropriate justification as to why the control is considered N/A. The cell will only accept the values P, F, or N/A.

IRS Comments/Supporting Evidence - Column K: Include a supporting narrative that explains the evidence used to confirm whether the
test case passed, failed or is not applicable. As evidence, at a minimum, provide the following information for each of the following
assessment methods:
1. Interview - Name and title of the person providing information. Also provide the date when the information is provided.
2. Examination - Provide the name, title, and date of the document referenced as the evidence. Also provide section number where
the pertinent information is resident within the document (if possible).
3. Test - Provide a description of the condition observed during the test and the name and title of the agency person that assisted
with the test execution.

If Column I is marked as 'N/A', an explanation is needed in this section as to why this isn't applicable.

For each extract type listed below, complete the following columns: Check all that Apply | Form of Receipt (e.g. SDT, CyberFusion, ConnectDirect, or Other) | Explain the use of each Extract | Which internal and external organizations have access?

Child Support Agency - Extract Type:
- IRS Taxpayer Address Request Master File Extract (l)(6)
- FMS Tax Refund Offset Program Extract (l)(10)
- Social Security Administration Wage Database Extract (l)(8)
- Other Extracts:

Human Services Agency - Extract Type:
- DIFSLA (l)(7) Extract
- BEERS Extract
- Other Extracts:

Department of Revenue Agency or other "D" Agency - Extract Type:
- 1099-MISC
- Abusive Tax Transaction (ATAT)
- Appeals
- Business Master File (BMF)
- Business Return Transaction File (BRTF)
- Corporate Affiliations
- CP 2000
- Examination Operational Automation Database (EOAD)
- Exam
- Federal Employee Identification Number (FEIN)
- Individual Master File (IMF)
- Individual Return Transaction File (IRTF)
- Individual Returns Master File (IRMF)
- Individual Taxpayer Identification Number (ITIN)
- Levy
- Military Combat Zone (MCZ)
- Non-Itemizer
- Preparer Tax Identification Number (PTIN)
- Taxpayer Address Report (TAR)
- Other Extracts:

Federal Agency - Extract Type:
- Describe Extracts:
Head Quarters Tab

Test ID | PUB 1075 Reporting Category | PUB 1075 REF | NIST ID | Test Objective | Test Steps | Assessment Method
(The Pass / Fail, Agency's Pre-review Answers and IRS Comments/Supporting Evidence columns are blank in the template.)
IRC Section 6103(p)(4)(A)

HQ1 | Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI | How is FTI received (i.e., FedEx, UPS, USPO, Secure Data Transfer, i.e., Tumbleweed, ConnectDirect, CyberFusion, encrypted CD, TDS)? | Interview
HQ2 | Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI | What FTI do you receive (extracts) and in what format do you receive it? | Interview
HQ3 | Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI | Is FTI receipt acknowledged electronically and returned to IRS? Is there an electronic or manual log? | Examine
HQ4 | Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI: Mailroom | Is FTI received in the mailroom? If so, is receipt acknowledged? Is the package logged in? Does the mailroom open the package? Is the package brought to another function? Does the other function sign the log? | Interview/Examine
HQ5 | Record Keeping Requirements | 3.0 | MP-2 | Request for FTI | If requests for FTI are made, how are they logged (Form 8796, TDS, ad-hoc requests)? Is the log compliant with IRS Publication 1075 Section 3? | Interview
HQ6 | Record Keeping Requirements | 3.0 | MP-2 | Request for FTI | Are documents created from the FTI data (e.g., CDs, tapes, letters, reports, etc.)? | Interview
HQ7 | Record Keeping Requirements | 3.0 | MP-2 | Request for FTI | With whom are FTI based products shared? Are logs kept and are they compliant with Publication 1075, Section 3? | Interview
HQ8 | Record Keeping Requirements | 3.0 | MP-2 | Receipt FTI Paper Reports | If FTI is printed at the data center, what functions is it distributed to? | Interview/Examine
HQ9 | Record Keeping Requirements | 3.0 | MP-2 | Receipt FTI Paper Reports | Is paper FTI logged from receipt to destruction? | Interview/Examine
HQ10 | Record Keeping Requirements | 3.0 | MP-5 | Electronic Media Containing FTI Processed | Is electronic media (CDs/tapes) generated upon receipt? | Interview
HQ11 | Record Keeping Requirements | 3.0 | MP-6 | Electronic Media Containing FTI Processed | What electronic media (CDs/tapes) do you still have and how are you planning disposal? | Interview
HQ12 | Record Keeping Requirements | 3.0 | MP-5 | Electronic Media Containing FTI Processed | Is electronic media (CDs/tapes) provided to a contracted State Agency or Contractor? | Interview
HQ13 | Record Keeping Requirements | 3.0 | MP-5 | Electronic Media Containing FTI Processed | What safeguard controls are in place when transmitting and processing electronic media (CDs/tapes) at a contracted state agency or contractor site? | Interview
HQ14 | Record Keeping Requirements | 3.0 | MP-4 | Storage of IRS FTI electronic media | Where is electronic media (CDs/tapes) stored before and after processing? At Agency? At Data Center? Is electronic media with FTI stored with other Agency data? | Interview
HQ15 | Record Keeping Requirements | 3.2 | MP-2 | Electronic Files | Is a log kept or are transmittal documents retained? Is the log compliant with Publication 1075 Section 3? Documented receipt? Informal receipt? By whom? In-house? Contractor? Outside of Agency? | Interview/Examine
HQ16 | Record Keeping Requirements | 3.2 | MP-2 | Electronic Files | Are electronic media inventories performed? How often? Results of prior inventories? | Examine
HQ17 | Record Keeping Requirements | 9.16 | SI-12 | Stored in the Media Library: Electronic Media Library: Procedures - File Retention Cycles | Are file retention cycles documented and monitored to ensure destruction? | Examine
HQ18 | Record Keeping Requirements | 9.6 | CP-9 | Stored in the Media Library: Electronic Media Library: Procedures - Data Backup | How are data files backed up, by whom, and on what type of media (e.g., data center backup, agency programmer backup)? | Interview
HQ19 | Record Keeping Requirements | 9.6 | CP-9 | Stored in the Media Library: Electronic Media Library: Procedures - Data Backup | Is FTI commingled with other data on the backup tapes/media? | Interview
HQ20 | Record Keeping Requirements | 9.6 | CP-9 | Stored in the Media Library: Electronic Media Library: Procedures - Data Backup | Are backup tapes/media containing FTI labeled? Are backup tapes/electronic media (containing FTI) labeled in accordance with Publication 1075 section 5.6.10? | Interview
HQ21 | Record Keeping Requirements | 9.16 | SI-12 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | What is the retention period of backup media and how many generations of backup files exist at the same time? | Interview
HQ22 | Record Keeping Requirements | 9.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Where are backup files stored? Are backup files stored off-site? If so, where? | Interview/Examine
HQ23 | Record Keeping Requirements | 9.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | How are files protected? Who has access to these files? | Interview/Examine
HQ24 | Record Keeping Requirements | 9.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Are backup tapes logged to be tracked from creation to destruction? | Interview
HQ25 | Record Keeping Requirements | 9.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | How long are any and all FTI logs (request, receipt, destruction logs) retained? | Interview
HQ26 | Record Keeping Requirements | 3.4 | CP-6, MP-4 | Converted Media | Does the agency convert FTI from paper to electronic media (scanning) or from electronic media to paper (print screens or printed reports)? If so, is all converted FTI tracked on logs containing the data elements detailed in sections 3.2 and 3.3 of Publication 1075? | Interview

IRC Section 6103(p)(4)(B)

HQ27 | Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Guards: Contractor or Employee? | Interview
HQ28 | Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Guards: How many posts: Main Entrance _____; Rear Entrance _____; Side Entrance _____; Outside _____; Inside _____ | Examine
HQ29 | Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Guards: Hours on Duty? | Interview
HQ30 | Secure Storage | 4.3.12 | PE-6 | Alarms | Electronic Intrusion Alarm System? | Interview/Examine
HQ31 | Secure Storage | 4.3.12 | PE-6 | Alarms | Motion Detectors? | Interview/Examine
HQ32 | Secure Storage | 4.3.12 | PE-6 | Alarms | Emergency Exit Alarm? | Interview/Examine
HQ33 | Secure Storage | 4.3.12 | PE-6 | Alarms | Who monitors the various alarms? | Interview
HQ34 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Where are they placed? | Examine
HQ35 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | How many cameras? | Examine
HQ36 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Who monitors the various cameras? | Interview
HQ37 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Are cameras recording their view? | Test
HQ38 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | How long are electronic media (Hard Drive, DVR, Tapes) maintained? | Interview/Examine
HQ39 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | What controls are in place to monitor access control points to restricted areas (i.e., cameras, logs, real-time entry monitoring)? | Interview
HQ40 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | How often are access control points monitored? | Interview
HQ41 | Secure Storage | 4.3.2 | PE-2 | Access: Keys/Cards | What is used to control access from outside the facility: Keys or Electronic access control system? | Examine/Test
HQ42 | Secure Storage | 4.3.10, 4.3.11 | PE-2 | Access: Keys/Cards | What is used to control access to secure areas (e.g., server room, data center) within the facility: Keys or Electronic access control system? | Examine/Test
HQ43 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Is a record maintained on the issuance of keys/key cards? Buildings: Offices: Containers: | Examine
HQ44 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | If so, how are records maintained (i.e., custody receipt/automated file)? Buildings: Offices: Containers: | Examine
HQ45 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who is responsible for issuance of keys/key cards? Buildings: Offices: Containers: | Interview
HQ46 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who has access to keys/key cards? Buildings: Offices: Containers: | Interview
HQ47 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Are periodic reviews being conducted to reconcile records? Buildings: Offices: Containers: When was the last review? | Interview/Examine
HQ48 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Is there a written policy on recovery of ID/keys/key cards after an employee leaves? | Examine
HQ49 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Are the locking mechanisms routinely checked for malfunctions? Buildings: Offices: Containers: By whom? How often? | Interview
HQ50 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who controls the duplicate keys for: Buildings: Offices: Containers: | Interview
HQ51 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Are all employees given keys to: Buildings: Offices: Containers: | Interview
HQ52 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | What is the key reproducing policy? Buildings: Offices: Containers: | Interview/Examine
HQ53 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who maintains the key to the cabinet(s) that contain the electronic FTI? Are there backup keys? Where is the key kept during the day? Where is the key kept at night? How many keys are there in total? | Interview
HQ54 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who maintains the key to the cabinet(s) that contain the paper FTI? Are there backup keys? Where is the key kept during the day? Where is the key kept at night? How many keys are there in total? | Interview
HQ55 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who maintains backup keys to cabinets that contain the IRS electronic media(s) or FTI Reports? | Interview
HQ56 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | How often are door/safe combinations changed? | Interview
HQ57 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Who is responsible to change the combinations? | Interview
HQ58 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Who has access to combinations? | Interview
HQ59 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Who safeguards the combinations? | Interview
HQ60 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | How are combinations safeguarded? | Interview
HQ61 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Are employees wearing the agency authorized IDs? | Test
HQ62 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Are lost ID cards reported? | Interview
HQ63 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | How do employees enter the work area without an ID card? | Interview
HQ64 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Is there a written policy on ID cards? | Examine
HQ65 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Are ID cards inventoried (i.e., automated, written down and placed in safe, etc.)? | Examine
HQ66 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Who has access to the ID Card/Badge inventory? | Interview
HQ67 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Do visitors/vendors sign a visitor access log? | Examine
HQ68 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Does the visitor access log contain the following information? (i) name and organization of the visitor; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited. | Examine
HQ69 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Do designated officials or designees within the agency review the visitor access records, at least annually? | Interview
HQ70 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Are visitors/vendors escorted? If so, what are the escorting procedures? | Interview/Examine
HQ71 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Are visitors/vendors issued ID cards? Are ID cards turned in at end of day? Are ID cards inventoried/monitored? | Interview/Examine
HQ72 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Verify two barriers are present to access FTI under normal security: secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container. | Examine
HQ73 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | List the Restricted Access areas where FTI is located. | Interview/Examine
HQ74 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | How is access to the restricted areas controlled? | Interview
HQ75 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Who authorizes access to the restricted areas? | Interview
HQ76 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Are the names of departed/transferred employees removed? When are they removed? | Interview/Examine
HQ77 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Is an access record review conducted to update who can access certain areas? How often? | Interview
HQ78 | Secure Storage | 4.3.1 | PE-6 | Restricted Area | Who reviews electronic and paper audit trails? How often are they reviewed? | Interview
HQ79 | Secure Storage | 4.5 | PE-16 | Loading Docks | How are loading docks secured? | Interview/Examine
HQ80 | Secure Storage | 4.5 | MP-4 | Document Security | Are documents containing FTI stored in a locked container until pick-up for disposal? | Examine
HQ81 | Secure Storage | 4.5 | MP-5 | Document Security | How is the paper waste material transported? | Interview
HQ82 | Secure Storage | 4.3.4 | MP-2 | Document Security | Is there a written clean desk policy (should cover desktop, credenzas, and in/out baskets)? | Examine
HQ83 | Secure Storage | 4.3.4 | MP-2 | Document Security | Does management periodically conduct an after-hours check to ensure the clean desk policy (i.e., locked containers, office doors locked, etc.)? How often? When was the last review? Were there any findings, and were corrective actions taken? | Interview/Examine
HQ84 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | What type of container is used to store FTI (i.e., lateral, upright, credenza, overhead, desk, safes, vaults)? | Examine
HQ85 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Do all containers have locks? | Examine
HQ86 | Secure Storage | 4.3.9 | MP-4 | Containers | What type of lock (i.e., lock bars, key lock, padlock, combination padlock)? | Examine
HQ87 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Is FTI stored in locked containers after hours or when not in use? | Interview/Examine
HQ88 | Secure Storage | 4.3.4 | PE-3 | Office Security | How is access restricted to internal offices? | Interview/Examine
HQ89 | Secure Storage | 4.3.4 | PE-3 | Office Security | Are integral office doors locked after hours? | Interview/Examine
HQ90 | Secure Storage | 4.3.4 | PE-2 | Office Security | Who has access to the offices after hours? Cleaning Crews: Landlord: Maintenance Crews: Security Guards: Employees (i.e. all or management): | Interview
HQ91 | Secure Storage | 4.3.4 | MP-2 | File Rooms Containing FTI | Does the file room have its own staff? How many employees? | Interview
HQ92 | Secure Storage | 4.3.4 | MP-2 | File Rooms Containing FTI | Can only file room staff access client files? | Interview
HQ93 | Secure Storage | 4.3.4 | MP-5 | File Rooms Containing FTI | Are items removed/returned from the file room logged or scanned? | Examine
HQ94 | Secure Storage | 4.3.4 | MP-4 | File Rooms Containing FTI | Is a follow-up for missing files performed? | Interview
HQ95 | Secure Storage | 4.3.4 | MP-4 | File Rooms Containing FTI | Is the file room door locked at night? | Interview/Examine
HQ96 | Secure Storage | 4.3.4 | MP-2 | File Rooms Containing FTI | If so, who can access the room after normal working hours (i.e., cleaning, guards, maintenance)? | Interview
HQ97 | Secure Storage | 4.3.4 | MP-4 | Storage of Files Containing FTI | Are files stored at the field office/district office/agency? | Interview/Examine
HQ98 | Secure Storage | 4.3.4 | MP-4 | Storage of Files Containing FTI | How long are files stored at the field office/district office/agency? | Interview
HQ99 | Secure Storage | 9.6 | CP-6 | Storage Off-Site | Are files stored at an alternate storage facility? | Interview
HQ100 | Secure Storage | 9.6 | CP-6 | Storage Off-Site | If this is an agency facility, do agency employees work at the facility? | Interview
HQ101 | Secure Storage | 9.6 | CP-6 | Storage Off-Site | If this is a facility administered by a different state agency, how is access to FTI controlled? | Interview
HQ102 | Secure Storage | 9.6 | CP-6 | Storage Off-Site | If this is a Contractor Facility, how is access to FTI controlled? | Interview
HQ103 | Secure Storage | 4.5, 9.6 | CP-6, MP-5 | Storage Off-Site | How is paper or electronic FTI shipped / transferred to the alternate storage facility? | Interview
HQ104 | Secure Storage | 4.5, 9.6 | CP-6, MP-5 | Storage Off-Site | What type of container is used to ship the files? | Interview/Examine
HQ105 | Secure Storage | 4.5, 9.6 | CP-6, MP-5 | Storage Off-Site | Is the container taped or locked? | Examine/Test
HQ106 | Secure Storage | 4.5, 9.6 | CP-6, MP-5 | Storage Off-Site | For retrieval of a single document/file/tape containing FTI, is the entire container recalled or only the individual item? | Interview
HQ107 | Secure Storage | 4.5, 9.6 | CP-6, MP-5 | Storage Off-Site | Who is in charge of storage or shipping files to storage facilities? | Interview
HQ108 | Secure Storage | 9.6 | CP-6, MP-2 | Storage of Files Containing FTI | Does the storage contractor have a sub-contractor (e.g. responsible for disposal)? | Interview
HQ109 | Secure Storage | 9.16 | SI-12 | Storage of Files Containing FTI | Is there a written policy on document retention? | Examine
HQ110 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Are employees allowed to work with FTI from an alternate work site (i.e., any working area that is attached to the Wide Area Network (WAN) either through a Public Switched Data Network (PSDN) or through the Internet)? Examples: working at home, working at a different agency site, working at a contractor site. | Interview/Examine
HQ111 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency have a documented plan for the security of alternative work sites? | Examine
HQ112 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency certify that the security controls of the alternate work site are adequate for security needs? Additionally, does the agency promulgate rules and procedures to ensure that employees do not leave computers unprotected at any time? These rules should address brief absences while employees are away from the computer. | Examine
HQ113 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Do all computers and mobile devices that contain FTI and are resident in an alternate work site employ encryption mechanisms to ensure that this data may not be accessed if the computer is lost and/or stolen? What is the encryption strength? | Examine/Test
HQ114 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency provide specialized training in security, disclosure awareness, and ethics for all participating employees and managers? Does the training cover situations that could occur as the result of an interruption of work by family, friends, or other sources? | Interview/Examine
HQ115 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency conduct periodic inspections of alternative work sites during the year to ensure that safeguards are adequate? Are the results of each inspection documented? | Interview/Examine
HQ116 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency retain ownership and control of all hardware, software, and telecommunications equipment connecting to public communication networks, where these are resident at alternate work sites? | Interview
HQ117 | Secure Storage | | CP-7 | Alternate Processing Site | Does the agency have an alternate site identified for business resumption when the primary processing location (office space) is unavailable? The alternate site could be a (i) dedicated site owned or operated by the agency, (ii) reciprocal agreement or memorandum of agreement with an internal or external entity, or (iii) commercially leased facility. | Interview/Examine
HQ118 | Secure Storage | | CP-7 | Alternate Processing Site | Does the agency have an alternate processing site agreement in place to permit the resumption of operations? Does the agreement define the time period within which processing must be resumed at the alternate processing site? | Examine
HQ119 | Secure Storage | 4.3.2 | PE-5 | Access Control for Display Medium | Are computer monitors or other display devices that display FTI positioned so as to not be visible to passers-by in hallways or common areas? | Examine
HQ120 | Secure Storage | 4.3.2, 4.3.3, 4.3.4 | PE-18 | Location of Information System Components | For all areas that process FTI, does the agency position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access? | Examine
HQ121 | Secure Storage | 4.4 | PE-3 | Security During Office Moves | How is FTI protected during an office move? Is FTI kept in locked cabinets or sealed packing cartons during the move? | Interview
HQ122 | Secure Storage | 4.4 | PE-3 | Security During Office Moves | Is FTI mailed or transported between office locations? Is this FTI placed in double-envelopes or locked in a secure container during transport? Is a transmittal document used to track the movement and ensure the delivery of FTI? | Interview
IRC Section 6103(p)(4)(C)
HQ123 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Describe how the agency labels paper documents containing FTI.

HQ124 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Describe how the agency labels case files containing paper FTI.

HQ125 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Describe how the agency labels paper documents containing FTI.

HQ126 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    How is paper FTI filed?

HQ127 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    How can paper FTI be retrieved?

HQ128 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    What identifying information is used for retrieval? Individual name?

HQ129 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    Is paper FTI kept separate or commingled with other information?

HQ130 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    If commingled, is commingled paper FTI identifiable?

HQ131 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Can paper FTI within agency records be located and segregated?

HQ132 | Restricting Access | 5.3 | MP-2 | Commingling | Examine
    Please provide documents or letters (Verification, Adjustment, Third Party) used to obtain FTI verification from clients, financial institutions and others.

HQ133 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    What specific data, from paper FTI, is entered into the system after independent verification has been received?

HQ134 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    How is electronic FTI filed?

HQ135 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    How can electronic FTI be retrieved?

HQ136 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    What identifying information is used for retrieval? Individual name?

HQ137 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    Is electronic FTI kept separate or commingled with other information?

HQ138 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    If commingled, is commingled electronic FTI identifiable?

HQ139 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Can electronic FTI within agency records be located and segregated?

HQ140 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    What electronic FTI is printed and used in paper form?
    What electronic FTI is referenced in electronic or paper case notations (e.g., case history, source of information, or comments section)?

HQ141 | Restricting Access | 5.5 | AC-6 | Computer Center Facility | Interview
    If this is an agency facility, who works at the facility?
    - Only agency employees?
    - Other state agency employees?
    - Contractors?
    How is access to FTI limited?

HQ142 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Interview/Examine
    Is data disclosed to any contractor? Identify the data disclosed and the contractor.

HQ143 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Examine
    Provide a copy of the contractor's contract.

HQ144 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Examine
    Does the contract include the required Safeguards language (Publication 1075 Exhibit 7 Language)?

HQ145 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Interview
    Does the contractor sub-contract any work containing FTI?

HQ146 | Restricting Access | 11.0, 11.4 | SA-9 | External Information System Services | Interview/Examine
    Does the agency outsource information system services for systems that store, process or transmit FTI to a commercial vendor or other provider external to the agency (contractor)?
    Does the contract include the required Safeguards language (Publication 1075 Exhibit 7)?

HQ147 | Restricting Access | 11.0, 11.4 | SA-9 | Consolidated Data Center | Interview
    Does the agency receive IT system support from a consolidated data center (e.g., a Dept. of Info Tech) which is operated by a different state agency?
    If so, is there a Service Level Agreement between the agencies in place?
    What is the name of the IT agency?

HQ148 | Restricting Access | 11.0, 11.4 | SA-9 | Off-site Storage Facility | Interview
    Do employees or contractors at an off-site storage facility have access to FTI? If so, describe by whom and how FTI access is restricted.

HQ149 | Restricting Access | 9.1 | AC-8 | IRS Approved Warning Banner | Examine
    Have a user open every application containing FTI to show the warning banner's wording. Examine it to ensure it meets the requirements of Publication 1075 Section 5.6.1.

HQ150 | Restricting Access | 5.2 | AC-6 | Access | Interview
    How is access limited to authorized employees?

HQ151 | Restricting Access | 5.2 | AC-6 | Access | Interview
    Who designates authorized employees?

HQ152 | Restricting Access | 5.2 | AC-6 | Access | Interview
    Do all authorized employees have a need-to-know?

HQ153 | Restricting Access | 5.2 | AC-6 | Access | Interview
    Do state auditors or inspectors general have access to case files?

HQ154 | Restricting Access | 5.2 | AC-6 | Access | Examine
    Provide the written procedures in effect for specifying to whom disclosures of FTI can be made.

HQ155 | Restricting Access | 5.2 | AC-6 | Quality Control, Quality Assurance, Quality Review | Test
    Do reviewers have access to FTI online? In paper?

HQ156 | Restricting Access | 5.2 | AC-6 | Quality Control, Quality Assurance, Quality Review | Interview
    Do reviewers send out verification letters on FTI?

HQ157 | Restricting Access | 5.2 | AC-6 | Quality Control, Quality Assurance, Quality Review | Interview
    Are reviewers agency employees?

HQ158 | Restricting Access | 5.2 | AC-6 | Other Entities | Interview
    Do other entities (e.g., volunteers, researchers, contractors, non-agency employees, interns) have access to FTI?

HQ159 | Restricting Access | 5.2 | AC-6 | Federal Offset Payments | Interview
    Are Federal Offset Payments released to courts or other third parties, such as custodial parents?

HQ160 | Restricting Access | 5.2 | AC-6 | Federal Offset Payments | Interview
    Does the agency receive Federal Offset Payments (applies to Revenue and Child Support)?

HQ161 | Restricting Access | 5.2 | AC-6 | Federal Offset Payments | Interview
    Does the agency use a contractor to process the Offset (reconciliation of payment or data processing)?

HQ162 | Restricting Access | 5.4 | AC-6 | Sharing FTI | Interview
    Is FTI shared between Child Support, Human Services or Labor? Are employees shared between these agencies?

HQ163 | Restricting Access | 5.4 | AC-6 | Sharing FTI | Interview
    Does the agency share FTI with any agency or entity (e.g., tribes, cities/states, other state agencies)? If yes, what data, to whom and by what authority?

HQ164 | Restricting Access | 5.2 | AC-6 | Modeling | Interview/Examine
    Does the agency use FTI for modeling and/or revenue projections? If yes, does the agency have a signed Need and Use justification statement?

HQ165 | Restricting Access | 5.2 | AC-6 | Portal Access | Interview/Test
    Does the agency have internal or external facing web applications or portals?
    Is FTI accessible through the portal/web applications?
    Who has access?
    What data?

HQ166 | Restricting Access | 5.2 | AC-6 | Portal Access | Interview/Test
    Does the agency have an Integrated Voice Response (IVR) system?
    If so, what data is available and who is the intended user?

HQ167 | Restricting Access | 5.4 | AC-6 | Client Representation | Interview
    Who can represent a client?

HQ168 | Restricting Access | 9.2 | AU-2 | FTI Access Logs | Examine
    What data elements are captured on the FTI access log reports?

HQ169 | Restricting Access | 9.2 | AU-6 | FTI Access Logs | Interview
    Are FTI access log reports monitored to detect unauthorized browsing?

HQ170 | Restricting Access | 9.2 | AU-6 | FTI Access Logs | Interview
    What actions are taken when unauthorized action is found on an FTI access log report?

HQ171 | Restricting Access | 9.2 | AU-2 | FTI Access Logs | Test
    Are FTI access logs maintained of accesses or updates to electronic data?

HQ172 | Restricting Access | 9.2 | AU-2 | FTI Access Logs | Test
    Are access records or listings of FTI extracts made?

HQ173 | Restricting Access | 9.2 | AU-2 | FTI Access Logs | Test
    Do these FTI access logs include:
    - Reason for access?
    - Current location of data?
    - Final disposition?
    - Who monitors?
    - How often monitored?
    - Any findings within the last two years?
    - What action was taken?

HQ174 | Reporting Improper Inspections or Disclosures | 10.1 | IR-1 | Incident Response | Examine
    Is there a documented policy with steps for reporting unauthorized disclosure of FTI?

HQ175 | Reporting Improper Inspections or Disclosures | 10.1 | IR-1 | Incident Response | Examine
    Does the incident reporting policy contain the IRS and TIGTA contact information, coordination steps and detail when these entities should be notified of the incident?

HQ176 | Reporting Improper Inspections or Disclosures | 10.1 | IR-2 | Incident Response Training | Interview/Examine
    Does the agency provide incident response training to all personnel with access to FTI and personnel with incident response responsibilities? Is initial training provided, and refresher training provided at least annually?

HQ177 | Reporting Improper Inspections or Disclosures | 10.1 | IR-7 | Incident Response Assistance | Interview
    Does the agency provide an incident response support resource for users? Possible implementations of incident response support resources include a help desk or an assistance group, and access to forensics services.

HQ178 | Reporting Improper Inspections or Disclosures | 10.1 | IR-3 | Incident Response Testing and Exercises | Examine
    Does the agency test/exercise the disclosure aspect of its incident response capability at least annually? Review documented test results of prior incident response tests.

HQ179 | Reporting Improper Inspections or Disclosures | 10.1 | IR-4 | Incident Handling | Examine
    Do the agency's incident response procedures address an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, recovery and post-incident activity?

HQ180 | Reporting Improper Inspections or Disclosures | 10.1 | IR-5 | Incident Response | Interview/Examine
    How is the incident documented, tracked and monitored?

HQ181 | Reporting Improper Inspections or Disclosures | 10.1 | IR-5 | Incident Response | Examine
    Does the agency notify the impacted taxpayer(s)?

HQ182 | Restricting Access | 9.1 | PS-2 | Personnel Security Policy and Procedures | Examine
    Does the agency have a personnel security policy that addresses position categorization, personnel screening, personnel termination, personnel transfer, and access agreements?
    Who is responsible for implementation of the policy?

HQ183 | Restricting Access | 9.17.5 | - | Electronic Mail | Examine
    Does the agency have a policy that states FTI shall not be transmitted or used on email systems?

HQ184 | Restricting Access | 9.17.5 | - | Electronic Mail | Interview
    If it is necessary to transmit FTI via email, does the agency take the following precautions to protect FTI sent via email?
    - Email transmitting the FTI is encrypted (i.e., digital certificate encryption)
    - Attachments containing FTI are encrypted
    - Ensure that all messages sent are to the proper address
    - Email stays within the agency email system and is not sent outside the firewall
    - Employees should log off the computer when away from the area

HQ185 | Restricting Access | 5.6.17.6 | - | Fax Machines | Interview/Examine
    If fax machines are used to transmit FTI, does the agency take the following precautions to protect fax transmissions?
    - A trusted staff member is located at both the sending and receiving fax machines.
    - Broadcast lists and other preset numbers of frequent recipients of FTI are maintained and periodically updated.
    - Fax machines are placed in a secured area.
    - A cover sheet is included on fax transmissions that explicitly provides guidance to the recipient, which includes:
      - A notification of the sensitivity of the data and the need for protection
      - A notice to unintended recipients to telephone the sender, collect if necessary, to report the disclosure and confirm destruction of the information.

HQ186 | Restricting Access | 9.17.1 | - | Data Warehouse Configuration | Interview
    Does the agency employ a data warehousing environment? If so, what FTI resides there?
    How is the FTI identified as FTI within the data warehouse?
    How are the use, movement, and destruction tracked within the warehouse?

IRC Section 6103(p)(4)(D)

HQ187 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Examine
    Does the agency have a security awareness and training policy?

HQ188 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Examine
    Does the agency have security training and awareness procedures that address the policy elements and are disseminated to employees responsible for implementing security training and awareness?

HQ189 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Interview
    Are new employees given a security orientation prior to having access to FTI?

HQ190 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the orientation specifically cover FTI?

HQ191 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the orientation cover Penalty Provisions under the Internal Revenue Code (IRC) 7213, 7213A and 7431?

HQ192 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the disclosure awareness training cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches?

HQ193 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Do employees sign a certification at initial security awareness orientation (provide a copy of the agreement)?

HQ194 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Test
    Do employees sign a re-certification every year thereafter?

HQ195 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Interview
    Are contractors with access to FTI included in the employee awareness orientation?

HQ196 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Interview
    Are employees and/or contractors from the consolidated data center with access to FTI included in the employee awareness orientation?
    Are employees and/or contractors from an off-site storage center with access to FTI included in the employee awareness orientation?
    Note: Access may be physical or logical, such as System Administrators, Database Administrators, etc.

HQ197 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the agency maintain training records for employees/contractors that identify the security and awareness training that each user has completed?

HQ198 | Employee Awareness | 6.2 | MP-2 | Document Security | Interview
    Are employees aware of the need to protect FTI against inadvertent disclosure when visitors/maintenance personnel/vendors are in the work area?

HQ199 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    Is the agency periodically audited by a third party (e.g., Internal Audit, Inspector General (IG))?

HQ200 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Examine
    When was the last audit conducted? Provide a copy of the audit report.

HQ201 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    Does the agency conduct internal audit inspections of field offices that address the safeguard requirements the IRC and the IRS impose?

HQ202 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    When was the last internal inspection held for:
    - Field offices?
    - District offices?
    - County offices?
    - Central office?
    - Headquarters?
    - Administration?
    - Storage facilities?
    IRS Comments: Note: All local offices receiving FTI are reviewed within a three-year cycle. Headquarters office facilities housing FTI and the agency computer facility should be reviewed within an 18-month cycle.

HQ203 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    Are contractors with access to FTI, including a consolidated data center or off-site storage facility, included with internal inspection activities?

HQ204 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    When was the last internal inspection for a contractor-run:
    - Data Center?
    - Off-site Storage Facility?
    - Other?

HQ205 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    Who conducts the internal inspections?

HQ206 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    Are follow-up reviews conducted to determine the effectiveness of corrective actions taken on findings from after-hours and duty-hours reviews?

HQ207 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    During the past two inspections, were there findings? If so, what action was taken?

HQ208 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Examine
    Are copies of the inspection report submitted with the annual SAR?

HQ209 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Examine
    Please provide a copy of the questionnaire that is used for the internal inspection review process.

HQ210 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Examine
    Does the agency complete an internal inspection plan, detailing the timing of all internal inspections in the current year and next two years? Please provide the plan.
    If IRS templates are used, please specify and don't attach.

IRC Section 6103(p)(4)(E)

HQ211 | Reporting Requirements | 7.2 | PL-2 | Safeguard Procedures Report | Interview/Examine
    When was the last SPR approved?

HQ212 | Reporting Requirements | 7.2 | PL-2 | Safeguard Procedures Report | Interview
    Have there been any significant changes since the last SPR was approved?

HQ213 | Reporting Requirements | 7.2 | PL-2 | Safeguard Procedures Report | Examine
    If the agency has a data warehouse, is it reflected in the SPR?

HQ214 | Reporting Requirements | 7.2 | PL-2 | Safeguard Procedures Report | Examine
    Does the SPR reflect all data extracts received by the agency?

HQ215 | Reporting Requirements | 7.4 | PL-2 | Safeguard Activity Report | Interview/Examine
    When was the last SAR approved?
    What period did the SAR cover?

HQ216 | Reporting Requirements | 7.4 | PL-2 | Safeguard Activity Report | Interview/Examine
    When was the last Corrective Action Plan (CAP) submitted?
    When was it approved?

IRC Section 6103(p)(4)(F)

HQ217 | Disposing Federal Tax Information | 8.3 | MP-6 | Paper FTI | Examine
    Where is paper FTI secured prior to disposal?
    - Recycle bins?
    - Locking container?
    - Waste paper basket?
    - Container on desk?

HQ218 | Disposing Federal Tax Information | 8.3 | MP-6 | Paper FTI | Interview
    How is paper FTI destroyed?
    - Shredding (i.e., are strips rendered unreadable, size of strips, print perpendicular to cutting line)?
    - Pulping (i.e., what size is material reduced to)?
    - Burning (i.e., is there complete combustion)?
    - Disintegration (how fine a screen is used)?

HQ219 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Interview
    Who performs destruction of paper FTI?
    - Agency staff?
    - Contractor?

HQ220 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Interview
    Who picks up/takes paper FTI for destruction?
    - State Agency/Federal Agency?
    - Contractor?

HQ221 | Restricting Access | 8.3, 8.4 | AC-6 | Destruction Facility | Interview
    If the destruction facility is a contractor facility, how is access to paper FTI limited to employees?

HQ222 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    What is the name of the contractor used for pick up and destruction of paper FTI?

HQ223 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    What is the location of the contractor used for pick up and destruction of paper FTI?

HQ224 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    Provide the name and telephone number of the contact person at the contractor used for pick up and destruction of paper FTI.

HQ225 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    If the contractor does not have a destruction facility, where is the paper FTI taken?

HQ226 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    Does agency staff accompany paper FTI and view destruction?

HQ227 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview/Examine
    How is paper FTI packaged and secured?

HQ228 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Test
    Is paper FTI shredded (size of shred)?

HQ229 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Interview
    How is electronic FTI destroyed?
    - Returned to the IRS?
    - Returned to scratch pool?

HQ230 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Interview
    How is FTI cleared from electronic media (removable or non-removable; e.g., primary or systemic backups) before reallocation or destruction?

HQ231 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Interview
    Is FTI erased? If so, in what manner:
    - Degaussed (specify make and strength of degausser)?
    - Written over with 0 (zero) and 1 (one)?
    - Written over with new data?
    - Written over with FTI only?

HQ232 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Interview
    Describe the method of verification for the destruction of electronic media containing FTI.

Need and Use

HQ233 | Need and Use | 2.2 | AC-6 | Need and Use | Interview
    Describe each FTI dataset received by the agency and how it is used by the agency.

HQ234 | Need and Use | 2.2 | AC-6 | Need and Use | Interview
    For every FTI data extract received by the agency for an authorized use, does the agency have a need?

HQ235 | Need and Use | 2.2 | AC-6 | Need and Use | Examine
    State agencies receiving FTI under IRC 6103(d):
    Provide copies of all current need and use statements (GLDEP, modeling, live data testing).

HQ236 | Need and Use | 2.2 | AC-6 | Need and Use | Examine
    Is use of the FTI documented? Examine case files for evidence.
Other DES Observations
220

IRC Section 6103(p)(4)(A)
FO1 | Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI | Interview
    How is FTI received (e.g., FedEx, UPS, USPO, secure data transfer such as Tumbleweed or ConnectDirect, encrypted CD)?

FO2 | Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI: Mailroom | Interview/Examine
    Is FTI received in the mailroom?
    If so, is receipt acknowledged?
    Is the package logged in?
    Does the mailroom open the package?
    Is the package brought to another function?
    Does the other function sign the log?

FO3 | Record Keeping Requirements | 3.0 | MP-2 | Request for FTI | Interview
    If requests for FTI are made through the data center, how are they logged (Form 8796, TDS, ad-hoc requests)?
    Are requests compliant with IRS Publication 1075 Section 3?

FO4 | Record Keeping Requirements | 3.0 | MP-2 | Request for FTI | Interview
    Are documents created from the FTI data (e.g., CDs, tapes, letters, reports, etc.)?

FO5 | Record Keeping Requirements | 3.0 | MP-2 | Request for FTI | Interview
    Are FTI-based products shared? Are logs kept and are they compliant with Publication 1075, Section 3?

FO6 | Record Keeping Requirements | 3.0 | MP-2 | Receipt FTI Paper Reports | Interview/Examine
    If FTI is printed at the data center, what functions is it distributed to?

IRC Section 6103(p)(4)(B)

FO7 | Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Interview
    Guards: Contractor or Employee?

FO8 | Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Examine
    Guards: How many posts?
    - Main Entrance _____
    - Rear Entrance _____
    - Side Entrance _____
    - Outside _____
    - Inside _____

FO9 | Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Interview
    Guards: Hours on Duty?

FO10 | Secure Storage | 4.3.12 | PE-6 | Alarms | Interview/Examine
    Electronic Intrusion Alarm System?

350737130.xls Field Office 35 of 81


FO11 | Secure Storage | 4.3.12 | PE-6 | Alarms | Interview/Examine
    Motion Detectors?

FO12 | Secure Storage | 4.3.12 | PE-6 | Alarms | Interview/Examine
    Emergency Exit Alarm?

FO13 | Secure Storage | 4.3.12 | PE-6 | Alarms | Interview
    Who monitors the various alarms?

FO14 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Examine
    Where are they placed?

FO15 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Examine
    How many cameras?

FO16 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Interview
    Who monitors the various cameras?

FO17 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Test
    Are cameras recording their view?

FO18 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Interview/Examine
    How long are electronic media (hard drive, DVR, tapes) maintained?

FO19 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | Interview
    What controls are in place to monitor access to the restricted area (i.e., logs, electronic monitoring)?

FO20 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | Interview
    How often are access control points monitored?

FO21 | Secure Storage | 4.3.2 | PE-2 | Access: Keys/Cards | Examine/Test
    What is used to control access from the outside: keys or an electronic access control system?

FO22 | Secure Storage | 4.3.10, 4.3.11 | PE-2 | Access: Keys/Cards | Examine/Test
    What is used to control access from the inside: keys or an electronic access control system?

FO23 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Examine
    Is a record maintained on the issuance of keys/key cards?
    Buildings:
    Offices:
    Containers:

FO24 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Examine
    If so, how are records maintained (i.e., custody receipt/automated file)?
    Buildings:
    Offices:
    Containers:

FO25 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who is responsible for issuance of keys/key cards?
    Buildings:
    Offices:
    Containers:

FO26 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who has access to keys/key cards?
    Buildings:
    Offices:
    Containers:

FO27 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview/Examine
    Are periodic reviews being conducted to reconcile records?
    Buildings:
    Offices:
    Containers:
    When was the last review?

FO28 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Examine
    Is there a written policy on recovery of ID/keys/key cards after an employee leaves?

FO29 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Are the locking mechanisms checked for malfunctions?
    Buildings:
    Offices:
    Containers:
    By whom?
    How often?

FO30 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who controls the duplicate keys for:
    Buildings:
    Offices:
    Containers:

FO31 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Are all employees given keys to:
    Buildings:
    Offices:
    Containers:

FO32 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview/Examine
    What is the key reproducing policy?
    Buildings:
    Offices:
    Containers:

FO33 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who maintains the key to the cabinet(s) that contain the electronic FTI?
    Are there backup keys?
    Where is the key kept during the day?
    Where is the key kept at night?
    How many keys are there in total?

FO34 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who maintains the key to the cabinet(s) that contain the paper FTI?
    Are there backup keys?
    Where is the key kept during the day?
    Where is the key kept at night?
    How many keys are there in total?

FO35 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who maintains backup keys to cabinets that contain the IRS electronic media or FTI reports?

FO36 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    How often are door/safe combinations changed?

FO37 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    Who is responsible for changing the combinations?

FO38 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    Who safeguards the combinations?

FO39 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    Who controls (records)/safeguards combinations?

FO40 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    How are combinations safeguarded?

FO41 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Test
    Are employees wearing the agency authorized IDs?

FO42 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Interview
    Are lost ID cards reported?

FO43 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Interview
    How do employees enter the work area without an ID card?

FO44 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Examine
    Is there a written policy on ID cards?

FO45 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Examine
    Are ID cards inventoried (i.e., automated, written down and placed in a safe, etc.)?

FO46 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Interview
    Who has access to the ID card/badge inventory?

FO47 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Examine
    Do visitors/vendors sign a visitor access log?

FO48 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Examine
    Does the visitor access log contain the following information?
    (i) name and organization of the visitor;
    (ii) signature of the visitor;
    (iii) form of identification;
    (iv) date of access;
    (v) time of entry and departure;
    (vi) purpose of visit; and
    (vii) name and organization of person visited.

FO49 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Interview
    Do designated officials or designees within the agency review the visitor access records at least annually?

FO50 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Interview/Examine
    Are visitors/vendors escorted? If so, what are the escorting procedures?

FO51 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Interview/Examine
    Are visitors/vendors issued ID cards? Are ID cards turned in at the end of the day? Are ID cards inventoried/monitored?

FO52 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Examine
    Verify two barriers are present to access FTI under normal security: secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container.

FO53 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Interview/Examine
    Specify the restricted access areas where FTI is located.

FO54 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Interview
    How is access to the restricted areas controlled?

FO55 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Interview
    Who authorizes access to the restricted areas?

FO56 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Interview/Examine
    Are the names of departed/transferred employees removed? When are they removed?

FO57 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Interview
    Is an access record review conducted to update who can access certain areas? How often?

FO58 | Secure Storage | 4.3.1 | PE-6 | Restricted Area | Interview
    Who reviews electronic and paper audit trails? How often are they reviewed?

FO59 | Secure Storage | 4.5 | PE-16 | Loading Docks | Interview/Examine
    How are loading docks secured?

FO60 | Secure Storage | 4.5 | MP-4 | Document Security | Examine
    Are documents containing FTI stored in a locked container until pick-up for disposal?

FO61 | Secure Storage | 4.5 | MP-5 | Document Security | Interview
    How is the paper waste material transported?

FO62 | Secure Storage | 4.3.4 | MP-2 | Document Security | Examine
    Is there a written clean desk policy (it should cover desktops, credenzas, and in/out baskets)?

FO63 | Secure Storage | 4.3.4 | MP-2 | Document Security | Interview/Examine
    Does management periodically conduct an after-hours check to ensure the clean desk policy is followed (i.e., locked containers, office doors locked, etc.)? How often? When was the last review? Were there any findings, and were corrective actions taken?

FO64 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Examine
    What type of container is used to store FTI (i.e., lateral, upright, credenza, overhead, desk, safes, vaults)?

FO65 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Examine
    Do all containers have locks?

FO66 | Secure Storage | 4.3.9 | MP-4 | Containers | Examine
    What type of lock (i.e., lock bars, key lock, padlock, combination padlock)?

FO67 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Interview/Examine
    Is FTI stored in secure containers after hours or when not in use?

FO68 | Secure Storage | 4.3.4 | PE-3 | Office Security | Interview/Examine
    How is access restricted to internal offices?

FO69 | Secure Storage | 4.3.4 | PE-3 | Office Security | Interview/Examine
    Are integral office doors locked after hours?

FO70 | Secure Storage | 4.3.4 | PE-2 | Office Security | Interview
    Who has access to the offices after hours?
    Cleaning Crews:
    Landlord:
    Maintenance Crews:
    Security Guards:
    Employees (i.e., all or management):

FO71 | Secure Storage | 4.3.4 | MP-2 | File Rooms Containing FTI | Interview
    Does the file room have its own staff? How many employees?

FO72 | Secure Storage | 4.3.4 | MP-2 | File Rooms Containing FTI | Interview
    Can only file room staff access client files?

FO73 | Secure Storage | 4.3.4 | MP-5 | File Rooms Containing FTI | Examine
    Are items removed from/returned to the file room logged or scanned?

FO74 | Secure Storage | 4.3.4 | MP-4 | File Rooms Containing FTI | Interview
    Is a follow-up for missing files performed?

FO75 | Secure Storage | 4.3.4 | MP-4 | File Rooms Containing FTI | Interview/Examine
    Is the file room door locked at night?

FO76 | Secure Storage | 4.3.4 | MP-2 | File Rooms Containing FTI | Interview
    If so, who can access the room after normal working hours (i.e., cleaning, guards, maintenance)?

FO77 | Secure Storage | 4.3.4 | MP-4 | Storage of Files Containing FTI | Interview/Examine
    Are files stored at the field office/district office/agency?

FO78 | Secure Storage | 4.3.4 | MP-4 | Storage of Files Containing FTI | Interview
    How long are files stored at the field office/district office/agency?

FO79 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | Interview
    Are files stored at an alternate storage facility?

FO80 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | Interview
    If this is an agency facility, do agency employees work at the facility?

FO81 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | Interview
    If this is a facility administered by a different state agency, how is access to FTI controlled?

FO82 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | Interview
    If this is a contractor facility, how is access to FTI controlled?

FO83 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | Interview
    How is paper or electronic FTI shipped/transferred to the alternate storage facility?

FO84 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | Interview/Examine
    What type of container is used to ship the files?

FO85 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | Examine/Test
    Is the container taped or locked?

FO86 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | Interview
    For retrieval of a single document/file/tape containing FTI, is the entire container recalled or only the individual item?

FO87 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | Interview
    Who is in charge of storage or shipping files to storage facilities?

FO88 | Secure Storage | 5.6.6 | CP-6, MP-2 | Storage of Files Containing FTI | Interview
    Does the storage contractor have a sub-contractor (e.g., responsible for disposal)?

FO89 | Secure Storage | 5.6.16 | SI-12 | Storage of Files Containing FTI | Examine
    Is there a written policy on document retention?

FO90 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Interview/Examine
    Are employees allowed to work with FTI from an alternate work site (i.e., any working area that is attached to the Wide Area Network (WAN) either through a Public Switched Data Network (PSDN) or through the Internet)? Examples: working at home, working at a different agency site, working at a contractor site.

FO91 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Examine
    Does the agency have a documented plan for the security of alternative work sites?

FO92 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Examine
    Does the agency certify that the security controls of the alternate work site are adequate for its security needs? Additionally, does the agency promulgate rules and procedures to ensure that employees do not leave computers unprotected at any time? These rules should address brief absences while employees are away from the computer.

FO93 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Examine/Test
    Do all computers and mobile devices that contain FTI and are resident in an alternate work site employ encryption mechanisms to ensure that this data may not be accessed if the computer is lost and/or stolen? What is the encryption strength?

FO94 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Interview/Examine
    Does the agency provide specialized training in security, disclosure awareness, and ethics for all participating employees and managers? Does the training cover situations that could occur as the result of an interruption of work by family, friends, or other sources?

FO95 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Interview/Examine
    Does the agency conduct periodic inspections of alternative work sites during the year to ensure that safeguards are adequate? Are the results of each inspection documented?

FO96 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Interview
    Does the agency retain ownership and control of all hardware, software, and telecommunications equipment connecting to public communication networks, where these are resident at alternate work sites?

FO97 | Secure Storage | 4.3.2 | PE-5 | Access Control for Display Medium | Examine
    Are computer monitors or other display devices that display FTI positioned so as not to be visible to passers-by in hallways or common areas?

FO98 | Secure Storage | 4.32, 4.33, 4.34 | PE-18 | Location of Information System Components | Examine
    For all areas that process FTI, does the agency position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access?

FO99 | Secure Storage | 4.4 | PE-3 | Security During Office Moves | Interview
    How is FTI protected during an office move? Is FTI kept in locked cabinets or sealed packing cartons during the move?

FO100 | Secure Storage | 4.4 | PE-3 | Security During Office Moves | Interview
    Is FTI mailed or transported between office locations?
    Is this FTI placed in double envelopes or locked in a secure container during transport?
    Is a transmittal document used to track the movement and receipt of FTI?
    Is a transmittal document used to track the movement and ensure the delivery of FTI?

IRC Section 6103(p)(4)(C)

FO101 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Describe how the agency labels paper documents containing FTI.

FO102 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Describe how the agency labels case files containing paper FTI.

FO103 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Describe how the agency labels paper documents containing FTI.

FO104 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    How is paper FTI filed?

FO105 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    How can paper FTI be retrieved?

FO106 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    What identifying information is used for retrieval? Individual name?

FO107 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    Is paper FTI kept separate or commingled with other information?

FO108 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    If commingled, is commingled paper FTI identifiable?

FO109 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Can paper FTI within agency records be located and segregated?

FO110 | Restricting Access | 5.3 | MP-2 | Commingling | Examine
    Please provide documents or letters (Verification, Adjustment, Third Party) used to obtain FTI verification from clients, financial institutions and others.

FO111 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    What specific data, from paper FTI, is entered into the system after independent verification has been received?

FO112 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    How is electronic FTI filed?

FO113 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    How can electronic FTI be retrieved?

FO114 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    What identifying information is used for retrieval? Individual name?

FO115 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    Is electronic FTI kept separate or commingled with other information?

FO116 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    If commingled, is commingled electronic FTI identifiable?

FO117 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    Can electronic FTI within agency records be located and segregated?

FO118 | Restricting Access | 5.3 | MP-2 | Commingling | Interview
    What electronic FTI is printed and used in paper form?
    What electronic FTI is referenced in electronic or paper case notations (e.g., case history, source of information, or comments section)?

FO119 | Restricting Access | 5.5 | AC-6 | Computer Center Facility | Interview
    If this is an agency facility, who works at the facility?
    -Only agency employees?
    -Other state agency employees?
    -Contractors?
    How is access to FTI limited?

FO120 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Interview/Examine
    Is data disclosed to any contractor? Identify the data disclosed and the contractor.

FO121 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Examine
    Provide a copy of the contractor's contract.

FO122 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Examine
    Does the contract include the required Safeguards language (Publication 1075 Exhibit 7 language)?

FO123 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Interview
    Does the contractor sub-contract any work involving FTI?

FO124 | Restricting Access | 11.0, 11.4 | SA-9 | External Information System Services | Interview/Examine
    Does the agency outsource information system services for systems that store, process or transmit FTI to a commercial vendor or other provider external to the agency (contractor)?
    Does the contract include the required Safeguards language (Publication 1075 Exhibit 7)?

FO125 | Restricting Access | 11.0, 11.4 | SA-9 | External Information System Services | Interview
    Do employees or contractors at an off-site storage facility have access to FTI? If so, describe by whom and how FTI access is restricted.

FO126 | Restricting Access | 5.2 | AC-6 | Access | Interview
    How is access limited to authorized employees?

FO127 | Restricting Access | 5.2 | AC-6 | Access | Interview
    Who designates authorized employees?

FO128 | Restricting Access | 5.2 | AC-6 | Access | Interview
    Do all authorized employees have a need-to-know?

FO129 | Restricting Access | 5.2 | AC-6 | Access | Interview
    Do state auditors or inspectors general have access to case files?

FO130 | Restricting Access | 5.2 | AC-6 | Access | Examine
    Provide the written procedures in effect for specifying to whom disclosures of FTI can be made.

FO131 | Restricting Access | 5.2 | AC-6 | Quality Control, Quality Assurance, Quality Review | Test
    Do reviewers have access to FTI online? In paper?

FO132 | Restricting Access | 5.2 | AC-6 | Quality Control, Quality Assurance, Quality Review | Interview
    Do reviewers send out verification letters on FTI?

FO133 | Restricting Access | 5.2 | AC-6 | Quality Control, Quality Assurance, Quality Review | Interview
    Are reviewers agency employees?

FO134 | Restricting Access | 5.2 | AC-6 | Other Entities | Interview
    Do other entities (e.g., volunteers, researchers, contractors, non-agency employees, interns) have access to FTI?

FO135 | Restricting Access | - | AC-6 | Federal Offset Payments | Interview
    Are Federal Offset Payments released to courts or other third parties, such as custodial parents?

FO136 | Restricting Access | - | AC-6 | Federal Offset Payments | Interview
    Does the agency receive Federal Offset Payments (applies to Revenue and Child Support)?

FO137 | Restricting Access | - | AC-6 | Federal Offset Payments | Interview
    Does the agency use a contractor to process the Offset (reconciliation of payment or data processing)?

FO138 | Restricting Access | 5.4 | AC-6 | Sharing FTI | Interview
    Is FTI shared between Child Support, Human Services or Labor? Are employees shared between these agencies?

FO139 | Restricting Access | 5.4 | AC-6 | Sharing FTI | Interview
    Does the agency share FTI with any agency or entity (e.g., tribes, cities/states, other state agencies)? If yes, what data, to whom and by what authority?

FO140 | Restricting Access | - | AC-6 | Client Representation | Interview
    Who can represent a client?

FO141 | Reporting Improper Inspections or Disclosures | 10.1 | IR-1 | Incident Response | Examine
    Is there a documented policy with steps for reporting unauthorized disclosure of FTI?

FO142 | Reporting Improper Inspections or Disclosures | 10.1 | IR-1 | Incident Response | Examine
    Does the incident reporting policy contain the IRS and TIGTA contact information and coordination steps, and detail when these entities should be notified of the incident?

FO143 | Reporting Improper Inspections or Disclosures | 10.1 | IR-2 | Incident Response Training | Interview/Examine
    Does the agency provide incident response training to all personnel with access to FTI and personnel with incident response responsibilities? Is initial training provided, and refresher training provided at least annually?

FO144 | Reporting Improper Inspections or Disclosures | 10.1 | IR-7 | Incident Response Assistance | Interview
    Does the agency provide an incident response support resource for users? Possible implementations of incident response support resources include a help desk or an assistance group, and access to forensics services.

FO145 | Reporting Improper Inspections or Disclosures | 10.1 | IR-3 | Incident Response Testing and Exercises | Examine
    Does the agency test/exercise the disclosure aspect of its incident response capability at least annually? Review documented test results of prior incident response tests.

FO146 | Reporting Improper Inspections or Disclosures | 10.1 | IR-4 | Incident Handling | Examine
    Do the agency's incident response procedures address an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, recovery, and post-incident activity?

FO147 | Reporting Improper Inspections or Disclosures | 10.1 | IR-5 | Incident Response | Interview/Examine
    How is the incident documented, tracked and monitored?

FO148 | Reporting Improper Inspections or Disclosures | 10.1 | IR-5 | Incident Response | Examine
    Does the agency document the incident search efforts? Do they notify the impacted taxpayer(s)?

FO149 | Restricting Access | 5.6.17.5 | - | Electronic Mail | Examine
    Does the agency have a policy that states FTI shall not be transmitted or used on email systems?

FO150 | Restricting Access | 5.6.17.5 | - | Electronic Mail | Interview
    If it is necessary to transmit FTI via email, does the agency take the following precautions to protect FTI sent via email?
    - Email transmitting the FTI is encrypted (i.e., digital certificate encryption)
    - Attachments containing FTI are encrypted
    - Ensure that all messages sent are to the proper address
    - Email stays within the agency email system and is not sent outside the firewall
    - Employees should log off the computer when away from the area

FO151 | Restricting Access | 5.6.17.6 | - | Fax Machines | Interview/Examine
    If fax machines are used to transmit FTI, does the agency take the following precautions to protect fax transmissions?
    - A trusted staff member is located at both the sending and receiving fax machines.
    - Broadcast lists and other preset numbers of frequent recipients of FTI are maintained and periodically updated.
    - Fax machines are placed in a secured area.
    - A cover sheet is included on fax transmissions that explicitly provides guidance to the recipient, which includes:
        - A notification of the sensitivity of the data and the need for protection
        - A notice to unintended recipients to telephone the sender (collect if necessary) to report the disclosure and confirm destruction of the information.

FO152 | Restricting Access | 5.6.17.1 | - | Data Warehouse Configuration | Interview
    Does the agency employ a data warehousing environment? If so, what FTI resides there?
    How is the FTI identified as FTI within the data warehouse?
    How is the use, movement, and destruction tracked within the warehouse?

IRC Section 6103(p)(4)(D)

FO153 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Examine
    Does the agency have a security awareness and training policy?

FO154 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Examine
    Does the agency have security training and awareness procedures that address the policy elements and are disseminated to employees responsible for implementing security training and awareness?

FO155 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Interview
    Are new employees given a security orientation prior to having access to FTI?

FO156 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the orientation specifically cover FTI?

FO157 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the orientation cover the penalty provisions under the Internal Revenue Code (IRC) 7213, 7213A and 7431?

FO158 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Do employees sign a certification at the initial security awareness orientation (provide a copy of the agreement)?

FO159 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Test
    Do employees sign a re-certification every year thereafter?

FO160 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the agency maintain training records for employees/contractors that identify the security and awareness training that each user has completed?

FO161 | Employee Awareness | 6.2 | MP-2 | Document Security | Interview
    Are employees aware of the need to protect FTI against inadvertent disclosure when visitors/maintenance personnel/vendors are in the work area?

FO162 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    Is the agency periodically audited by a third party (e.g., Internal Audit, Inspector General (IG))?

FO163 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Examine
    When was the last audit conducted? Provide a copy of the audit report.

IRC Section 6103(p)(4)(F)

FO164 | Disposing Federal Tax Information | 8.3 | MP-6 | Paper FTI | Examine
    Where is paper FTI secured prior to disposal?
    -Recycle bins?
    -Locking container?
    -Waste paper basket?
    -Container on desk?

FO165 | Disposing Federal Tax Information | 8.3 | MP-6 | Paper FTI | Interview
    How is paper FTI destroyed?
    -Shredding (i.e., are strips rendered unreadable, size of strips, print perpendicular to cutting line)?
    -Pulping (i.e., what size is material reduced to)?
    -Burning (i.e., is there complete combustion)?
    -Disintegration (how fine a screen is used)?

FO166 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Interview
    Who performs destruction of paper FTI?
    -Agency staff?
    -Contractor?

FO167 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Interview
    Who picks up/takes paper FTI for destruction?
    -State agency/federal agency?
    -Contractor?

FO168 | Restricting Access | 8.3, 8.4 | AC-6 | Destruction Facility | Interview
    If the destruction facility is a contractor facility, how is access to paper FTI limited to employees?

FO169 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    What is the name of the contractor used for pick up and destruction of paper FTI?

FO170 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    What is the location of the contractor used for pick up and destruction of paper FTI?

FO171 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    What are the name and telephone number of the contact person at the contractor used for pick up and destruction of paper FTI?

FO172 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    If the contractor does not have a destruction facility, where is the paper FTI taken?

FO173 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    Does agency staff accompany paper FTI and view destruction?

FO174 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview/Examine
    How is paper FTI packaged and secured?

FO175 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Test
    Is paper FTI shredded (size of shred)?

Other DES Observations
220

IRC Section 6103(p)(4)(A)

DC1 | Record Keeping Requirements | 3.0 | MP-5 | Electronic Media Containing FTI Processed | Interview
    Is electronic media generated upon receipt?

DC2 | Record Keeping Requirements | 3.0 | MP-6 | Electronic Media Containing FTI Processed | Interview
    What electronic media do you still have and how are you planning disposal?

DC3 | Record Keeping Requirements | 3.0 | MP-5 | Electronic Media Containing FTI Processed | Interview
    Is electronic media provided to a contracted state agency or contractor?

DC3 | Record Keeping Requirements | 11.3 | - | Electronic Media Containing FTI Processed | Interview/Examine
    All agencies intending to disclose federal tax information to contractors (including consolidated data centers, off-site storage facilities, shred companies, information technology support, and for tax modeling or revenue forecasting purposes) must notify the IRS prior to executing any agreement to disclose to such a person (contractor), but in no event less than 45 days prior to the disclosure of FTI.
    Does a documented policy and process exist to address this?

DC4 | Record Keeping Requirements | 3.0 | MP-5 | Electronic Media Containing FTI Processed | Interview
    What safeguard controls are in place when transmitting and processing electronic media at a contracted state agency or contractor site?

DC5 | Record Keeping Requirements | 3.0 | MP-2 | Receipt FTI Paper Reports | Interview/Examine
    If FTI is printed at the data center, to what functions is it distributed?

DC6 | Record Keeping Requirements | 3.0 | MP-4 | Storage of IRS FTI Electronic Media | Interview
    Where is electronic media stored before and after processing?
    -At the agency?
    -At the data center?
    -Is electronic media with FTI stored with other agency data?

350737130.xls Data Center 53 of 81


DC7 | Record Keeping Requirements | 3.2 | MP-2 | Electronic Files | Interview/Examine
    Is a log kept or are transmittal documents retained? Documented receipt? Informal receipt? By whom?
    -In-house?
    -Contractor?
    -Outside of agency?

DC8 | Record Keeping Requirements | 3.2 | MP-2 | Electronic Files | Examine
    Are electronic media inventories performed periodically? What were the results of prior inventories?

DC9 | Record Keeping Requirements | 5.6.16 | SI-12 | Stored in the Media Library: Electronic Media Library: Procedures - File Retention Cycles | Examine
    Are cycles documented and monitored to ensure destruction?

DC10 | Record Keeping Requirements | 5.6.6 | CP-9 | Stored in the Media Library: Electronic Media Library: Procedures - Data Backup | Interview
    How are data files backed up, by whom, and on what type of media (e.g., data center backup, agency programmer backup)?

DC11 | Record Keeping Requirements | 5.6.16 | SI-12 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview
    What is the retention period of backup media, and how many generations of backup files exist at the same time?

DC12 | Record Keeping Requirements | 5.6.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview/Examine
    Where are backup files stored? Are backup files stored off-site? If so, where?

DC13 | Record Keeping Requirements | 5.6.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview/Examine
    How are files protected? Who has access to these files?

DC14 Record Keeping 5.6.6 CP-6 Stored in the Is paper FTI printed at the Data Center? Interview/
Requirements MP-4 Media Library: Examine
Electronic Media If so, is it tracked and logged from creation
Library: to destruction?
Procedures -
Retention

DC15 Record Keeping 5.6.6 CP-6 Stored in the Does the agency label removable media Interview/
Requirements MP-4 Media Library: (CDs, magnetic tapes, external hard Examine
Electronic Media drives, flash/thumb drives, DVDs) and
Library: information system output containing FTI
Procedures - (reports, documents, data files, back-up
Retention tapes) indicating Federal Tax
Information?

IRC Section 6103(p)(4)(B)


DC16 Secure Storage 4.3.2 PE-3 Guards Guards: Contractor or Employee? Interview
4.3.4
DC17 Secure Storage 4.3.2 PE-3 Guards Guards: How many posts: Examine
4.3.4
-Main Entrance_____
-Rear Entrance_____
-Side Entrance_____
-Outside_____
-Inside_____

DC18 Secure Storage 4.3.2 PE-3 Guards Guards: Hours on Duty? Interview
4.3.4
DC19 Secure Storage 4.3.12 PE-6 Alarms Electronic Intrusion Alarm System? Interview/
Examine
DC20 Secure Storage 4.3.12 PE-6 Alarms Motion Detectors? Interview/
Examine
DC21 Secure Storage 4.3.12 PE-6 Alarms Emergency Exit Alarm? Interview/
Examine
DC22 Secure Storage 4.3.12 PE-6 Alarms Who monitors the various alarms? Interview

DC23 Secure Storage 4.3.2 PE-6 Cameras Where are they placed? Examine
(Outside/Inside)
DC24 Secure Storage 4.3.2 PE-6 Cameras How many cameras? Examine
(Outside/Inside)
DC25 Secure Storage 4.3.2 PE-6 Cameras Who monitors the various cameras? Interview
(Outside/Inside)
DC26 Secure Storage 4.3.2 PE-6 Cameras Are cameras recording their view? Test
(Outside/Inside)

DC27 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Interview/Examine
    How long are electronic media (Hard Drive, DVR, Tapes) maintained?

DC28 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | Interview
    What controls are in place to monitor access to the restricted area (i.e., logs, electronic monitoring)?

DC29 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | Interview
    How often are access control points monitored?

DC30 | Secure Storage | 4.3.2 | PE-2 | Access: Keys/Cards | Examine/Test
    What is used to control access from the outside: Keys or Electronic access control system?

DC31 | Secure Storage | 4.3.10, 4.3.11 | PE-2 | Access: Keys/Cards | Examine/Test
    What is used to control access from the inside: Keys or Electronic access control system?

DC32 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Examine
    Is a record maintained on the issuance of keys/key cards?
    Buildings:
    Offices:
    Containers:

DC33 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Examine
    If so, how are records maintained (i.e., custody receipt/automated file)?
    Buildings:
    Offices:
    Containers:

DC34 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who is responsible for issuance of keys/key cards?
    Buildings:
    Offices:
    Containers:

DC35 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who has access to keys/key cards?
    Buildings:
    Offices:
    Containers:

DC36 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview/Examine
    Are periodic reviews being conducted to reconcile records?
    Buildings:
    Offices:
    Containers:
    When was the last review?

DC37 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Examine
    Is there a written policy on recovery of ID/keys/key cards after an employee leaves?

DC38 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Are the locking mechanisms checked for malfunctions?
    Buildings:
    Offices:
    Containers:
    By whom?
    How often?

DC39 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who controls the duplicate keys for:
    Buildings:
    Offices:
    Containers:

DC40 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Are all employees given keys to:
    Buildings:
    Offices:
    Containers:

DC41 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview/Examine
    What is the key reproducing policy?
    Buildings:
    Offices:
    Containers:

DC42 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who maintains the key to the cabinet(s) that contain the electronic FTI?
    Are there backup keys?
    Where is the key kept during the day?
    Where is the key kept at night?
    How many keys are there in total?

DC43 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who maintains the key to the cabinet(s) that contain the paper FTI?
    Are there backup keys?
    Where is the key kept during the day?
    Where is the key kept at night?
    How many keys are there in total?

DC44 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
    Who maintains backup keys to cabinets that contain the IRS electronic media or FTI Reports?

DC45 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    How often are door/safe combinations changed?

DC46 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    Who is responsible for changing the combinations?

DC47 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    Who safeguards the combinations?

DC48 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    Who controls (records)/safeguards combinations?

DC49 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Interview
    How are combinations safeguarded?

DC50 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Test
    Are employees wearing the agency authorized IDs?

DC51 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Interview
    Are lost ID cards reported?

DC52 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Interview
    How do employees enter the work area without an ID card?

DC53 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Examine
    Is there a written policy on ID cards?

DC54 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Examine
    Are ID cards inventoried (i.e., automated, written down and placed in a safe, etc.)?

DC55 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Interview
    Who has access to the ID Card/Badge inventory?

DC56 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Examine
    Do visitors/vendors sign a visitor access log?

DC57 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Examine
    Does the visitor access log contain the following information?
    (i) name and organization of the visitor;
    (ii) signature of the visitor;
    (iii) form of identification;
    (iv) date of access;
    (v) time of entry and departure;
    (vi) purpose of visit; and
    (vii) name and organization of person visited.

DC58 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Interview
    Do designated officials or designees within the agency review the visitor access records, at least annually?

DC59 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Interview/Examine
    Are visitors/vendors escorted? If so, what are the escorting procedures?

DC60 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Interview/Examine
    Are visitors/vendors issued ID cards? Are ID cards turned in at the end of the day? Are ID cards inventoried/monitored?

DC61 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Examine
    Verify two barriers are present to access FTI under normal security: secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container.

DC62 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Interview/Examine
    Specify the Restricted Access areas where FTI is located.

DC63 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Interview
    How is access to the restricted areas controlled?

DC64 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Interview
    Who authorizes access to the restricted areas?

DC65 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Interview/Examine
    Are the names of departed/transferred employees removed? When are they removed?

DC66 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Interview
    Is an access record review conducted to update who can access certain areas? How often?

DC67 | Secure Storage | 4.3.1 | PE-6 | Restricted Area | Interview
    Who reviews electronic and paper audit trails? How often are they reviewed?

DC68 | Secure Storage | 4.5 | PE-16 | Loading Docks | Interview/Examine
    How are loading docks secured?

DC69 | Secure Storage | 4.5 | MP-4 | Document Security | Examine
    Are documents containing FTI stored in a locked container until pick-up for disposal?

DC70 | Secure Storage | 4.5 | MP-5 | Document Security | Interview
    How is the paper waste material transported?

DC71 | Secure Storage | 4.3.4 | MP-2 | Document Security | Examine
    Is there a written clean desk policy (it should cover desktops, credenzas, and in/out baskets)?

DC72 | Secure Storage | 4.3.4 | MP-2 | Document Security | Interview/Examine
    Does management periodically conduct an after-hours check to enforce the clean desk policy (i.e., locked containers, office doors locked, etc.)? How often? When was the last review? Were there any findings, and were corrective actions taken?

DC73 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Examine
    What type of container is used to store FTI (i.e., lateral, upright, credenza, overhead, desk, safes, vaults)?

DC74 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Examine
    Do all containers have locks?

DC75 | Secure Storage | 4.3.9 | MP-4 | Containers | Examine
    What type of lock (i.e., lock bars, key lock, padlock, combination padlock)?

DC76 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Interview/Examine
    Is FTI stored in secure containers after hours or when not in use?

DC77 | Secure Storage | 4.3.4 | PE-3 | Office Security | Interview/Examine
    How is access restricted to internal offices?

DC78 | Secure Storage | 4.3.4 | PE-3 | Office Security | Interview/Examine
    Are internal office doors locked after hours?

DC79 | Secure Storage | 4.3.4 | PE-2 | Office Security | Interview
    Who has access to the offices after hours?
    Cleaning Crews:
    Landlord:
    Maintenance Crews:
    Security Guards:
    Employees (i.e., all or management):

DC80 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | Interview
    Does the data center perform a nightly dump that is separate from the daily, weekly and monthly backups performed by the agency and sent to a storage facility?

DC81 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Interview/Examine
    Are employees allowed to work with FTI from an alternate work site (i.e., any working area that is attached to the Wide Area Network (WAN) either through a Public Switched Data Network (PSDN) or through the Internet)? Examples: working at home, working at a different agency site, working at a contractor site.

DC82 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Examine
    Does the agency have a documented plan for the security of the alternate work site?

DC83 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Examine
    Does the agency certify that the security controls of the alternate work site are adequate for its security needs? Additionally, does the agency promulgate rules and procedures to ensure that employees do not leave computers unprotected at any time? These rules should address brief absences while employees are away from the computer.

DC84 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Examine/Test
    Do all computers and mobile devices that contain FTI and are resident in an alternate work site employ encryption mechanisms to ensure that this data may not be accessed if the computer is lost and/or stolen? What is the encryption strength?

DC85 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Interview/Examine
    Does the agency provide specialized training in security, disclosure awareness, and ethics for all participating employees and managers? Does the training cover situations that could occur as the result of an interruption of work by family, friends, or other sources?

DC86 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Interview/Examine
    Does the agency conduct periodic inspections of alternate work sites during the year to ensure that safeguards are adequate? Are the results of each inspection documented?

DC87 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Interview
    Does the agency retain ownership and control of all hardware, software, and telecommunications equipment connecting to public communication networks, where these are resident at alternate work sites?

DC88 | Secure Storage | - | CP-7 | Alternate Processing Site | Interview/Examine
    Does the agency have an alternate site identified for business resumption when the primary processing location (office space) is unavailable? The alternate site could be (i) a dedicated site owned or operated by the agency, (ii) a reciprocal agreement or memorandum of agreement with an internal or external entity, or (iii) a commercially leased facility.

DC89 | Secure Storage | - | CP-7 | Alternate Processing Site | Examine
    Does the agency have an alternate processing site agreement in place to permit the resumption of operations? Does the agreement define the time period within which processing must be resumed at the alternate processing site?

DC90 | Secure Storage | 4.32, 4.33, 4.34 | PE-18 | Location of Information System Components | Examine
    For all areas that process FTI, does the agency position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access?

DC91 | Secure Storage | 4.4 | PE-3 | Security During Office Moves | Interview
    How is FTI protected during an office move? Is FTI kept in locked cabinets or sealed packing cartons during the move?

DC92 | Secure Storage | 4.4 | PE-3 | Security During Office Moves | Interview
    Is FTI mailed or transported between office locations?
    Is this FTI placed in double envelopes or locked in a secure container during transport?
    Is a transmittal document used to track the movement and receipt of FTI?
    Is a transmittal document used to track the movement and ensure the delivery of FTI?

IRC Section 6103(p)(4)(C)

DC93 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    Is FTI kept separate or commingled with other information?

DC94 | Restricting Access | 5.3 | MP-2 | Commingling | Interview/Examine
    If commingled, is the commingled FTI identifiable?

DC95 | Restricting Access | 5.5 | AC-6 | Computer Center Facility | Interview
    If this is an agency facility, who works at the facility?
    - Only agency employees?
    - Other state agency employees?
    - Contractors?
    How is access to FTI limited?

DC96 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Interview/Examine
    Do contractors have access to FTI (e.g., serving as System Administrators, Database Administrators, Network Administrators, Maintenance personnel, or Disposal personnel)?

DC97 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Examine
    Provide a copy of the contractor's contract.

DC98 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Examine
    Does the contract include the required Safeguards language (Publication 1075 Exhibit 7 Language)?

DC99 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Interview
    Does the contractor sub-contract any work containing FTI?

DC100 | Restricting Access | 11.0, 11.4 | SA-9 | External Information System Services | Interview/Examine
    Does the agency outsource information system services for systems that store, process or transmit FTI to a commercial vendor or other provider external to the agency (contractor)?
    Does the contract include the required Safeguards language (Publication 1075 Exhibit 7)?

DC101 | Restricting Access | 9.1 | AC-8 | IRS Approved Warning Banner | Examine
    Are all systems that store, process, or transmit FTI configured with an IRS approved Warning Banner that meets the requirements of Publication 1075 Section 5.6.1?

DC102 | Restricting Access | 5.2 | AC-6 | Access | Interview
    How is access limited to authorized employees?

DC103 | Restricting Access | 5.2 | AC-6 | Access | Interview
    Who designates authorized employees?

DC104 | Restricting Access | 5.2 | AC-6 | Access | Interview
    Do all authorized employees have a need-to-know?

DC105 | Restricting Access | 5.2 | AC-6 | Other Entities | Interview
    Do other entities (e.g., volunteers, researchers, contractors, non-agency employees, interns) have access to FTI?

DC106 | Restricting Access | 5.4 | AC-6 | Sharing FTI | Interview
    Is FTI shared between Child Support, Human Services or Labor? Are employees shared between these agencies?

DC107 | Restricting Access | 5.4 | AC-6 | Sharing FTI | Interview
    Does the agency share FTI with any agency or entity (e.g., tribes, cities/states, other state agencies)? If yes, what data, to whom and by what authority?

DC108 | Restricting Access | 5.5 | AC-6 | Computer Center Facility | Interview
    If this is an Agency facility, who works at the facility?
    - Only agency employees?
    - Computer programmers?
    - How is access to FTI limited for contractors?

DC109 | Restricting Access | 5.6.2 | AU-2 | FTI Access Logs | Examine
    What data elements are captured on the FTI access log reports?

DC110 | Restricting Access | 5.6.2 | AU-6 | FTI Access Logs | Interview
    Are FTI access log reports monitored to detect unauthorized browsing?

DC111 | Restricting Access | 5.6.2 | AU-6 | FTI Access Logs | Interview
    What actions are taken when an unauthorized action is found on an FTI access log report?

DC112 | Restricting Access | 5.6.2 | AU-2 | FTI Access Logs | Test
    Are FTI access logs maintained of accesses or updates to electronic data?

DC113 | Restricting Access | 5.6.2 | AU-2 | FTI Access Logs | Test
    Are access records or listings of FTI extracts made?

DC114 | Restricting Access | 5.6.2 | AU-2 | FTI Access Logs | Test
    Do these FTI access logs include:
    - Reason for access?
    - Current location of data?
    - Final disposition?
    - Who monitors?
    - How often monitored?
    - Any findings within the last two years?
    - What action was taken?

DC115 | Restricting Access | 5.6.2 | AC-20 | Non-Agency Computers | Interview
    Can employees access agency systems containing FTI with personal computers?

DC116 | Restricting Access | 5.6.2 | AC-20 | Non-Agency Computers | Interview
    Can contractors access agency systems containing FTI with contractor equipment?

DC117 | Reporting Improper Inspections or Disclosures | 10.1 | IR-1 | Incident Response | Examine
    Is there a documented policy with steps for reporting unauthorized disclosure of FTI?

DC118 | Reporting Improper Inspections or Disclosures | 10.1 | IR-1 | Incident Response | Examine
    Does the incident reporting policy contain the IRS and TIGTA contact information and coordination steps, and detail when these entities should be notified of the incident?

DC119 | Reporting Improper Inspections or Disclosures | 10.1 | IR-2 | Incident Response Training | Interview/Examine
    Does the agency provide incident response training to all personnel with access to FTI and personnel with incident response responsibilities? Is initial training provided, and refresher training provided at least annually?

DC120 | Reporting Improper Inspections or Disclosures | 10.1 | IR-7 | Incident Response Assistance | Interview
    Does the agency provide an incident response support resource for users? Possible implementations of incident response support resources include a help desk or an assistance group, and access to forensics services.

DC121 | Reporting Improper Inspections or Disclosures | 10.1 | IR-3 | Incident Response Testing and Exercises | Examine
    Does the agency test/exercise the Disclosure aspect of its incident response capability at least annually? Review documented test results of prior incident response tests.

DC122 | Reporting Improper Inspections or Disclosures | 10.1 | IR-4 | Incident Handling | Examine
    Do the agency's incident response procedures address an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, recovery and post-incident activity?

DC123 | Reporting Improper Inspections or Disclosures | 10.1 | IR-5 | Incident Response | Interview/Examine
    How is the incident documented, tracked and monitored?

DC124 | Reporting Improper Inspections or Disclosures | 10.1 | IR-5 | Incident Response | Examine
    Does the agency document the incident search efforts? Does it notify the impacted taxpayer(s)?

DC125 | Restricting Access | 5.6.11 | PS-2 | Personnel Security Policy and Procedures | Examine
    Does the agency have a personnel security policy that addresses position categorization, personnel screening, personnel termination, personnel transfer, and access agreements?
    Who is responsible for implementation of the policy?

DC126 | Restricting Access | 5.6.17.5 | - | Electronic Mail | Examine
    Does the agency have a policy that states FTI shall not be transmitted or used on email systems?

DC127 | Restricting Access | 5.6.17.5 | - | Electronic Mail | Interview
    If it is necessary to transmit FTI via email, does the agency take the following precautions to protect FTI sent via email?
    - Email transmitting the FTI is encrypted (i.e., Digital Certificate encryption)
    - Attachments containing FTI are encrypted
    - Ensure that all messages sent are to the proper address
    - Email stays within the agency email system and is not sent outside the firewall
    - Employees should log off the computer when away from the area

DC128 | Restricting Access | 5.6.17.6 | - | Fax Machines | Interview/Examine
    If FAX machines are used to transmit FTI, does the agency take the following precautions to protect fax transmissions?
    - A trusted staff member is located at both the sending and receiving fax machines.
    - Broadcast lists and other preset numbers of frequent recipients of FTI are maintained and periodically updated.
    - Fax machines are placed in a secured area.
    - A cover sheet is included on fax transmissions that explicitly provides guidance to the recipient, which includes:
        - A notification of the sensitivity of the data and the need for protection
        - A notice to unintended recipients to telephone the sender (collect if necessary) to report the disclosure and confirm destruction of the information.

DC129 | Restricting Access | 5.6.17.1 | - | Data Warehouse Configuration | Interview
    Does the agency employ a data warehousing environment? If so, what FTI resides there?
    How is the FTI identified as FTI within the data warehouse?
    How is the use, movement, and destruction tracked within the warehouse?

IRC Section 6103(p)(4)(D)

DC130 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Examine
    Does the agency have a security awareness and training policy?

DC131 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Examine
    Does the agency have security training and awareness procedures that address the policy elements and are disseminated to employees responsible for implementing security training and awareness?

DC132 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Interview
    Does the awareness training cover internal inspection procedures and requirements?

DC133 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Interview
    Are new employees given a security orientation prior to having access to FTI?

DC134 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the orientation specifically cover FTI?

DC135 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the orientation cover Penalty Provisions under the Internal Revenue Code (IRC) 7213, 7213A and 7431?

DC136 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Do employees sign a certification at initial security awareness orientation (provide a copy of the agreement)?

DC137 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Test
    Do employees sign a re-certification every year thereafter?

DC138 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Interview
    Are contractors with access to FTI included in the employee awareness orientation?

DC139 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Examine
    Does the agency maintain training records for employees/contractors that identify the security and awareness training that each user has completed?

DC140 | Employee Awareness | 6.2 | MP-2 | Document Security | Interview
    Are employees aware of the need to protect FTI against inadvertent disclosure when visitors/maintenance personnel/vendors are in the work area?

DC141 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Interview
    Is the agency periodically audited by a third party (e.g., Internal Audit, Inspector General (IG))?

IRC Section 6103(p)(4)(F)

DC142 | Disposing Federal Tax Information | 8.3 | MP-6 | Paper FTI | Examine
    Where is paper FTI secured prior to disposal?
    - Recycle bins?
    - Locking container?
    - Waste paper basket?
    - Container on desk?

DC143 | Disposing Federal Tax Information | 8.3 | MP-6 | Paper FTI | Interview
    How is paper FTI destroyed?
    - Shredding (i.e., are strips rendered unreadable, size of strips, print perpendicular to cutting line)?
    - Pulping (i.e., what size is material reduced to)?
    - Burning (i.e., is there complete combustion)?
    - Disintegration (how fine a screen is used)?

DC144 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Interview
    Who performs destruction of paper FTI?
    - Agency staff?
    - Contractor?

DC145 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Interview
    Who picks up/takes paper FTI for destruction?
    - State Agency/Federal Agency?
    - Contractor?

DC146 | Restricting Access | 8.3, 8.4 | AC-6 | Destruction Facility | Interview
    If the destruction facility is a contractor facility, how is access to paper FTI limited to employees?

DC147 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    What is the name of the contractor used for pick up and destruction of paper FTI?

DC148 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    What is the location of the contractor used for pick up and destruction of paper FTI?

DC149 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    Name and telephone number of the contact person at the contractor used for pick up and destruction of paper FTI.

DC150 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    If the contractor does not have a destruction facility, where is the paper FTI taken?

DC151 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview
    Does Agency staff accompany paper FTI and view destruction?

DC152 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Interview/Examine
    How is paper FTI packaged and secured?

DC153 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Test
    Is paper FTI shredded (size of shred)?

DC154 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Interview
    How is electronic FTI destroyed?
    - Returned to the IRS?
    - Returned to scratch pool?

DC155 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Interview
    How is FTI cleared from electronic media (removable or non-removable; e.g., primary or systemic backups) before reallocation or destruction?

DC156 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Interview
    Is FTI erased? If so, in what manner:
    - Degaussed (specify make and strength of degausser)?
    - Written over with 0 (zero) and 1 (one)?
    - Written over with new data?
    - Written over with FTI only?

DC157 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Interview
    Describe the method of verification for the destruction of electronic media containing FTI.

Other DES Observations

DC158

IRC Section 6103(p)(4)(A)

OS1 | Record Keeping Requirements | 5.6.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview/Examine
    Where are backup files stored? Are backup files stored off-site? If so, where?

OS2 | Record Keeping Requirements | 5.6.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview/Examine
    How are files protected? Who has access to these files?

IRC Section 6103(p)(4)(B)

OS3 | Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Interview
    Guards: Contractor or Employee?

OS4 | Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Examine
    Guards: How many posts:
    - Main Entrance _____
    - Rear Entrance _____
    - Side Entrance _____
    - Outside _____
    - Inside _____

OS5 | Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Interview
    Guards: Hours on Duty?

OS6 | Secure Storage | 4.3.12 | PE-6 | Alarms | Interview/Examine
    Electronic Intrusion Alarm System?

OS7 | Secure Storage | 4.3.12 | PE-6 | Alarms | Interview/Examine
    Motion Detectors?

OS8 | Secure Storage | 4.3.12 | PE-6 | Alarms | Interview/Examine
    Emergency Exit Alarm?

OS9 | Secure Storage | 4.3.12 | PE-6 | Alarms | Interview
    Who monitors the various alarms?

OS10 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Examine
    Where are they placed?

OS11 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Examine
    How many cameras?

OS12 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Interview
    Who monitors the various cameras?

OS13 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Test
    Are cameras recording their view?

OS14 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Interview/Examine
    How long are electronic media (Hard Drive, DVR, Tapes) maintained?

350737130.xls Off Site Storage 72 of 81


OS15 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | What controls are in place to monitor access to restricted area (i.e., logs, electronic monitoring)? | Interview
OS16 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | How often are access control points monitored? | Interview
OS17 | Secure Storage | 4.3.2 | PE-2 | Access: Keys/Cards | What is used to control access from the outside: Keys or Electronic access control system? | Examine/Test
OS18 | Secure Storage | 4.3.10, 4.3.11 | PE-2 | Access: Keys/Cards | What is used to control access from the inside: Keys or Electronic access control system? | Examine/Test
OS19 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Is a record maintained on the issuance of keys/key cards? Buildings: / Offices: / Containers: | Examine
OS20 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | If so, how are records maintained (i.e., custody receipt/automated file)? Buildings: / Offices: / Containers: | Examine
OS21 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who is responsible for issuance of keys/key cards? Buildings: / Offices: / Containers: | Interview
OS22 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who has access to keys/key cards? Buildings: / Offices: / Containers: | Interview
OS23 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Are periodic reviews being conducted to reconcile records? Buildings: / Offices: / Containers: When was the last review? | Interview/Examine

OS24 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Is there a written policy on recovery of ID/keys/key cards after employee leaves? | Examine
OS25 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Are the locking mechanisms checked for malfunctions? Buildings: / Offices: / Containers: By Whom? How often? | Interview
OS26 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who controls the duplicate keys for: Buildings: / Offices: / Containers: | Interview
OS27 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Are all employees given keys to: Buildings: / Offices: / Containers: | Interview
OS28 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | What is the key reproducing policy? Buildings: / Offices: / Containers: | Interview/Examine
OS29 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who maintains the key to the cabinet(s) that contain the electronic FTI? Are there backup keys? Where is the key kept during the day? Where is the key kept at night? How many keys are there in total? | Interview

OS30 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who maintains the key to the cabinet(s) that contain the paper FTI? Are there backup keys? Where is the key kept during the day? Where is the key kept at night? How many keys are there in total? | Interview
OS31 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who maintains backup keys to cabinets that contain the IRS electronic media(s) or FTI Reports? | Interview
OS32 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | How often are door/safe combinations changed? | Interview
OS33 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Who is responsible to change the combinations? | Interview
OS34 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Who safeguards the combinations? | Interview
OS35 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Who controls (records)/safeguards combinations? | Interview
OS36 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | How are combinations safeguarded? | Interview
OS37 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Are employees wearing the agency authorized IDs? | Test
OS38 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Are lost ID cards reported? | Interview
OS39 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | How do employees enter the work area without an ID card? | Interview
OS40 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Is there a written policy on ID cards? | Examine
OS41 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Are ID cards inventoried (i.e., automated, written down and placed in safe, etc.)? | Examine
OS42 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Who has access to ID Card/Badge inventory? | Interview
OS43 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Do visitors/vendors sign a visitor access log? | Examine

OS44 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Does the visitor access log contain the following information? (i) name and organization of the visitor; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited. | Examine
OS45 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Do designated officials or designees within the agency review the visitor access records, at least annually? | Interview
OS46 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Are visitors/vendors escorted? If so, what are the escorting procedures? | Interview/Examine
OS47 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Are visitors/vendors issued ID cards? Are ID cards turned in at end of day? Are ID cards inventoried/monitored? | Interview/Examine
OS48 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Verify two barriers are present to access FTI under normal security: secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container. | Examine
OS49 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | How is access to the restricted areas controlled? | Interview
OS50 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Who authorizes access to the restricted areas? | Interview
OS51 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Are the names of departed/transferred employees removed? When are they removed? | Interview/Examine
OS52 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Is an access record review conducted to update who can access certain areas? How often? | Interview
OS53 | Secure Storage | 4.3.1 | PE-6 | Restricted Area | Who reviews electronic and paper audit trails? How often are they reviewed? | Interview
OS54 | Secure Storage | 4.5 | PE-16 | Loading Docks | How are loading docks secured? | Interview/Examine

OS55 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | What type of container is used to store FTI (i.e., lateral, upright, credenza, overhead, desk, safes, vaults)? | Examine
OS56 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Do all containers have locks? | Examine
OS57 | Secure Storage | 4.3.9 | MP-4 | Containers | What type of lock (i.e., lock bars, key lock, padlock, combination padlock)? | Examine
OS58 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Is FTI stored in secure containers after hours or when not in use? | Interview/Examine
OS59 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | Are files stored at an alternate storage facility? | Interview
OS60 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | If this is an agency facility, do agency employees work at the facility? | Interview
OS61 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | If this is a facility administered by a different state agency, how is access to FTI controlled? | Interview
OS62 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | If this is a Contractor Facility, how is access to FTI controlled? | Interview
OS63 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | How is paper or electronic FTI shipped / transferred to the alternate storage facility? | Interview
OS64 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | What type of container is used to ship the files? | Interview/Examine
OS65 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | Is the container taped or locked? | Examine/Test
OS66 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | For retrieval of a single document/file/tape containing FTI, is the entire container recalled or only the individual item? | Interview
OS67 | Secure Storage | 4.5, 5.6.6 | CP-6, MP-5 | Storage Off-Site | Who is in charge of storage or shipping files to storage facilities? | Interview
OS68 | Secure Storage | 5.6.6 | CP-6, MP-2 | Storage of Files Containing FTI | Does the storage contractor have a sub-contractor (e.g. responsible for disposal)? | Interview
OS69 | Secure Storage | 5.6.16 | SI-12 | Storage of Files Containing FTI | Is there a written policy on document retention? | Examine
IRC Section 6103(p)(4)(D)
OS70 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Does the agency have a security awareness and training policy? | Examine

OS71 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Does the agency have security training and awareness procedures that address the policy elements and are disseminated to employees responsible for implementing security training and awareness? | Examine
OS72 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Are new employees given a security orientation prior to having access to FTI? | Interview
OS73 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Does the orientation specifically cover FTI? | Examine
OS74 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Does the orientation cover Penalty Provisions under the Internal Revenue Code (IRC) 7213, 7213A and 7431? | Examine
OS75 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Do employees sign a certification at initial security awareness orientation (provide a copy of agreement)? | Examine
OS76 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Do employees sign a re-certification every year thereafter? | Test
OS77 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Are contractors with access to FTI included in the employee awareness orientation? | Interview
OS78 | Employee Awareness | 6.2 | MP-2 | Document Security | Are employees aware of the need to protect FTI against inadvertent disclosure when visitors/maintenance personnel/vendors are in the work area? | Interview
OS79 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Is the agency periodically audited by a third party (e.g. Internal Audit, Inspector General (IG))? | Interview
IRC Section 6103(p)(4)(F)
OS80 | Disposing Federal Tax Information | 8.3 | MP-6 | Paper FTI | How is paper FTI destroyed? -Shredding (i.e., are strips rendered unreadable, size of strips, print perpendicular to cutting line)? -Pulping (i.e., what size is material reduced to)? -Burning (i.e., is there complete combustion)? -Disintegration (how fine a screen is used)? | Interview

OS81 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Who performs destruction of paper FTI? -Agency staff? -Contractor? | Interview
OS82 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Who picks up/takes paper FTI for destruction? -State Agency/Federal Agency? -Contractor? | Interview
OS83 | Restricting Access | 8.3, 8.4 | AC-6 | Destruction Facility | If the destruction facility is a contractor facility, how is access to paper FTI limited to employees? | Interview
OS84 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | What is the name of the contractor used for pick up and destruction of paper FTI? | Interview
OS85 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Location of the contractor used for pick up and destruction of paper FTI? | Interview
OS86 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Name and telephone number of contact person at the contractor used for pick up and destruction of paper FTI. | Interview
OS87 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | If the contractor does not have a destruction facility, where is the paper FTI taken? | Interview
OS88 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | How is paper FTI packaged and secured? | Interview/Examine
OS89 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Is paper FTI shredded (size of shred)? | Test

Other DES Observations


IRS Safeguards SDSEM Legend

DES #: Identification number of the SCSEM test case that allows each DES to customize the SDSEM to fit the order in which the tests are actually executed on-site during a review.

Pub 1075 Reporting Category: IRC 6103 Category.

Pub 1075 REF: Reference to the section in IRS Publication 1075 to which the test maps.
NIST ID: NIST 800-53/PUB 1075 Control Identifier.
Test Objective: Objective of the test procedure.
Test Steps: Detailed test procedures to follow for test execution.

Assessment Method: The assessment methods define the nature of the actions that the assessor should take to execute the test case and obtain supporting evidence. The "Examine", "Interview" and "Test" assessment methods are used in the SDSEM. Definitions of those assessment methods are provided below:

Examine: The process of checking, inspecting, reviewing, observing, studying, or analyzing evidence (assessment objects) to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time. Typical assessment objects for the Examine method include: Specifications (e.g., policies, plans, procedures, system requirements, designs); Mechanisms (e.g., functionality implemented in hardware, software, firmware) and Activities (e.g., system operations, administration, management; exercises).

Interview: The process of conducting discussions with individuals or groups within an organization to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time. Typical assessment objects for the Interview method include: Individuals or groups of individuals.

Test: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time. Typical assessment objects for the Test method include: Mechanisms (e.g., hardware, software, firmware) and Activities (e.g., system operations, administration, management; exercises).

Pass/Fail: Reviewer to indicate if the test case passed, failed or is not applicable. Choose from the drop down list; accepted values are "P" (pass), "F" (fail) and "N/A" (not applicable).

Agency's Pre-review Answers: Field for Agency answers only, leading up to the review. Comments should be accompanied by the individual's name and title.

IRS Comments/Supporting Evidence: Evidence to support the test result for the test case is documented here. As evidence, provide the following information for the following assessment methods:
1. Interview - Name and title of the person providing information. Also provide the date when the interview occurred and an indication of whether or not the information provided by the interviewee meets the test objective.
2. Examination - Provide the name, title, and date of the document referenced as the evidence. Also provide the section number where the pertinent information resides within the document (if possible) and an indication of how the document examined does or does not meet the test objective.
3. Test - Description of the condition observed during the test and how it does or does not meet the test objective.

If the test case is marked as N/A, then provide appropriate justification as to why the control is considered N/A.

350737130.xls Legend 81 of 81
