
SB/SE Security Awareness for Employees II (S.A.F.E. II)



  1. SB/SE Security Awareness for Employees II (S.A.F.E. II) Version 1.14, April 2010 FISMA Year 2010 ELMS # 30907

  2. S.A.F.E. II Table of Contents • Introduction to S.A.F.E. II • What is SBU or PII Data? • Disclosure/Loss/Theft Incident Analysis and Trends • Trends/Protection Guidelines and Key Security Preventative TIPS • Scenarios • Reporting a Disclosure/Loss/Theft

  3. Introduction – What is your responsibility? As with all Federal agencies, IRS employees and managers have a responsibility to safeguard Sensitive But Unclassified (SBU) and Personally Identifiable Information (PII). The IRS must safeguard tax, financial and personal information regarding taxpayers, fellow employees and other individuals. You must protect any information that, if lost or disclosed, could: • Violate a person’s privacy • Put a person at risk for identity theft • Compromise the integrity of the tax administration process Loss, theft or disclosure of sensitive information places taxpayers and others at serious risk for identity theft and erodes the public’s confidence in the IRS.

  4. …Introduction – What is S.A.F.E. II? S.A.F.E. II was developed to keep the topic of safeguarding taxpayer data and other SBU/PII data foremost in the minds of SBSE employees. • Last year we conducted S.A.F.E. briefings to reinforce safeguarding policies, procedures, and requirements, and we provided all employees with reference materials and preventative tips to assist in the protection of both government equipment and sensitive data. This awareness and training briefing provides employees with the current loss and disclosure trends and key tips and actions for lowering these incidents. Exercising the same care in handling, securing and protecting data in your possession as you would your own personal information and valuables is a simple way to reduce the number of loss or disclosure incidents.

  5. To begin, what is SBU or PII Data? • SBU data refers to sensitive but unclassified information originating within IRS offices. • Sensitive information (including tax and tax-related information) is any information which if lost, stolen, or altered without proper authorization, may adversely affect Service operations (IRM 10.2.13.3). • PII is a specific type of SBU information. • PII includes the personal data of taxpayers, and also the personal information of employees, contractors, applicants, and visitors to the IRS. • Failure to protect PII could result in disciplinary action for employees and managers (IRM 10.2.13.3.1(1) provides examples of PII).

  6. Disclosure/Loss/Theft Incident Analysis and Trends

  7. Did you know? Definitions
  Unintentional/Inadvertent Disclosure. Disclosure is making known in any way:
  • Unintentional or inadvertent unauthorized disclosures of sensitive data, including but not limited to federal tax returns or return information, Privacy Act information, Bank Secrecy Act information, Trade Secrets Act information, Financial Right to Privacy Act information, Grand Jury information, and other sensitive information, except as provided for by statute
  • Sensitive data may include infrastructure/configuration data
  • Includes personally identifiable information (PII) of individuals, including personnel and job applicant information
  Loss/Theft. Lost or stolen:
  • IT equipment, such as computers, laptops, routers, removable media, CD/DVD, flash drives, floppies, cell phones, or wireless/air cards
  • Hardcopy records
  • Packages lost during shipment

  8. Did you know? …………. • 47% of all FY09 SB/SE incidents resulted from procedural deviation • 59% of those incidents resulted in disclosure • 34% of all FY09 SB/SE incidents resulted from human error • 33% of those incidents resulted in disclosure • 14% of all FY09 SB/SE incidents resulted from loss and theft of IT equipment • 5% of all FY09 SB/SE incidents resulted from other reported incidents such as recovered loss and method not stated

  9. IRS Disclosure/Loss/Theft of IT Assets and Data FY07 through FY09 • Between 2007 and 2009, the IRS experienced more than 3,150 incidents of loss, theft or disclosure of IT assets or data. The chart on this slide shows the breakdown between each type of incident. • During 2009 loss/theft incidents had a slight increase (6%). • The total number of disclosures in 2009 increased at an alarming rate to more than 1,800. • This increase can largely be attributed to a change in the reporting requirements for inadvertent disclosures, which may not have been captured by CSIRC in the past, as well as increased employee awareness as the result of outreach and education efforts. • CSIRC Loss/Theft/Disclosure Reporting does not include UNAX violations and investigations. Source: Statistics provided by Office of DC-Operations Support, Privacy – Information Protection and Data Security, Privacy & Information Protection, Incident Management

  10. SB/SE versus IRS Disclosure/Loss/Theft FY07 through FY09 (chart: SB/SE percentage of total IRS incidents)

  11. Correcting the top 7 Disclosure Types of Incidents will address 63% of all SB/SE FY09 Disclosures

  12. Correcting the top 4 Loss/Theft Types of Incidents will address 85% of all SB/SE FY09 Losses/Thefts

  13. Loss/Theft and Disclosure by SB/SE OU’s in FY09 (chart: total number of incidents)

  14. Without immediate action, we are on a trajectory to have 6 times more Disclosures in FY10 than in FY09 (charts: Disclosures FY09 vs. FY10 Trend; Loss/Theft FY09 vs. FY10 Trend) • FY10 Disclosure trend is projected from the first quarter of FY10, Oct-Dec 2009 (75 incidents) • FY10 Loss/Theft trend is projected from the first quarter of FY10, Oct-Dec 2009 (30 losses)

  15. FY09 Trends & Protection GuidelinesKey Security Preventative TIPS

  16. FY09 Trends & Protection Guidelines… Disclosure – 3rd Party Permissible Disclosure FY09 Trend: 15% of inadvertent disclosures were due to 3rd party permissions that were not verified and/or not current. Protection Guidelines • 3rd Party permissions can work in 4 different ways, as listed in the table at: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3002.aspx

  17. FY09 Trends & Protection Guidelines… Disclosure – 3rd Party Permissible Disclosure Continued http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3021.aspx

  18. …Key Security Preventative TIPS Disclosure – Power of Attorney (POA) • Understand the different types of permissible 3rd party authorizations and the information allowed to be disclosed under each • Keep the Quick Guide* from Disclosure for a chart that identifies permissible disclosures based on the taxpayer designee type • All discussions of tax matters must be held only with someone named on the POA and for the year(s) covered by that POA, Form 2848 • Verify there is a valid Power of Attorney (POA) on file before disclosing any information • POAs must be held by individuals • Non-IRS POAs may be used given that it is clearly stated on the POA that the designee has rights to federal tax information • POAs must be on file for the year(s) in question • Some acts must be specifically authorized, e.g. receive and endorse a refund check, substitute a representative *A Quick Guide to the Powers of Attorney and Tax Information Authorizations can be found at: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/7486.aspx

  19. FY09 Trends & Protection Guidelines… Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms FY09 Trend: Inadvertent disclosures occurring during routine activities account for 46% of all SB/SE disclosures and include key errors such as: • Misdirected faxes • Double-stuffing, stuffing envelopes incorrectly • A different party’s information left on a pre-printed form (a.k.a. pattern correspondence) Protection Guidelines • For faxing, use a cover sheet with the recipient’s name, the number of pages and the Notice of Disclosure; put no confidential information on the cover sheet • Send the cover sheet as the first page, ahead of the faxed correspondence (IRM Reference: 11.3.1.10) • Cover sheet template link: http://core.publish.no.irs.gov/forms/internal/pdf/23436c07.pdf • Wherever possible, save pattern correspondence templates without confidential information

  20. …Key Security Preventative TIPS Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms • Do not use the redial button on the fax machine • Before hitting the “Send” button - take the time to double check the fax number you just entered • Before sealing envelope, verify only ONE taxpayer’s documentation is in the envelope • Work one case file at a time to prevent documents becoming mixed between cases • For pattern correspondences/pre-printed forms: • Use a new template letter or document • Remove references to other taxpayers • Take a second look at the correspondence for accuracy

  21. FY09 Trends & Protection Guidelines… Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch FY09 Trend: 27% of inadvertent disclosures were due to incorrect addressee, address and SSN/Name mismatch • Disclosures resulting from incorrect addressee or address and SSN and Name mismatch • Addressee is a different taxpayer • Address is incomplete or similar to another case • Recipient of correspondence has the same name, but different SSN • Address obtained from Accurint was not for the same person for which the correspondence was intended Protection Guidelines • Conduct a Mail Trace using e-Discovery and/or Accurint to verify the name and address match SSN/EIN/TIN you are processing

  22. …Key Security Preventative TIPS Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch Taking a few simple precautions can greatly reduce these incidents: • When using Accurint, be sure to: • Use Accurint guide to optimize searches • Redact all identifying information that does not relate to the taxpayer in question based upon how it appears in the IRS address of record • Remove other SSNs listed with taxpayer names • Verify taxpayer using identifiers other than name (such as DOB, SSN) Accurint QRG: http://rnet.web.irs.gov/docs/pdfs/accurint_qrg.pdf Redacting Choicepoint and Accurint: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Office/Guidance/Dispatch/3425.aspx
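One way to mechanise the two checks on this slide: keep only the taxpayer’s own SSN on a locator printout before it goes into the case file or the mail, and never accept a locator hit as the taxpayer’s address on a name match alone (the maiden-name mistake in Scenario 3 below). This is an added example written for this page, not IRS or Accurint code; the SSN pattern, the `Person` record and the sample report text are constructed assumptions, and real locator output would need its own parser.

```python
"""Added example (not IRS or Accurint code): redact third-party SSNs from a
locator-style report and refuse a candidate address that matches on name only."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: SSNs appear formatted as 123-45-6789.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
REDACTED = "XXX-XX-XXXX"


def redact_other_ssns(report: str, target_ssn: str) -> Tuple[str, int]:
    """Mask every SSN except target_ssn; return (masked text, number masked).

    The taxpayer's own SSN stays so the printout still identifies the right
    person; every other SSN on the page belongs to someone else and is removed.
    """
    masked = 0

    def mask(m: re.Match) -> str:
        nonlocal masked
        if m.group(0) == target_ssn:
            return target_ssn
        masked += 1
        return REDACTED

    return SSN_RE.sub(mask, report), masked


@dataclass(frozen=True)
class Person:
    name: str
    ssn: str
    dob: Optional[str] = None  # ISO date, e.g. "1970-01-15"; None if not shown


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive name comparison key."""
    return " ".join(name.lower().split())


def candidate_address_ok(case: Person, candidate: Person) -> Tuple[bool, str]:
    """Decide whether a locator hit may be used as the taxpayer's address.

    A name match by itself is never enough (same name, different SSN is the
    Scenario 3 failure). The hit must agree on SSN and, when both records
    carry a DOB, on DOB as well.
    """
    if candidate.ssn != case.ssn:
        return False, "SSN differs from the case record"
    if case.dob and candidate.dob and case.dob != candidate.dob:
        return False, "DOB differs from the case record"
    if _norm(candidate.name) != _norm(case.name):
        # Same SSN, different name (e.g. a name change): usable, but flag it.
        return True, "SSN matches; name differs, confirm before mailing"
    return True, "SSN and name match"


# Constructed sample report; every name, SSN and address here is fictitious.
SAMPLE_REPORT = """\
Subject: MARY A. JONES   SSN 123-45-6789   DOB 1970-01-15
Address: 12 Elm St, Springfield
Associated persons:
  JOHN Q. JONES   SSN 987-65-4321
  MARY JONES      SSN 111-22-3333   DOB 1988-07-30
"""

if __name__ == "__main__":
    text, n = redact_other_ssns(SAMPLE_REPORT, "123-45-6789")
    print(text)
    print(f"{n} third-party SSN(s) redacted")
    case = Person("Mary A. Jones", "123-45-6789", "1970-01-15")
    for cand in (Person("Mary Jones", "111-22-3333", "1988-07-30"),
                 Person("MARY A. JONES", "123-45-6789", "1970-01-15")):
        print(cand.name, cand.ssn, "->", candidate_address_ok(case, cand))
```

The second `Person` in the sample shares the subject’s surname and would pass a name-only check; it is rejected because its SSN and DOB differ from the case record, which is exactly the additional-identifier verification the slide asks for.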

  23. Other Key Security Preventative TIPS Disclosure
  • Good disclosure decisions use the CAP process: be sure the Code (C) allows the disclosure, that you have the Authority (A) to make the disclosure, and that you follow the appropriate Procedures (P) when making the disclosure.
  • Safeguard paper files:
  • Follow the Clean Desk Policy; do not leave confidential information unattended
  • Securely lock paper documents containing sensitive information when not in use
  • Protect documents while you are in the field as well as in the office by keeping them in a folder or placing a blank cover sheet on top
  • Misrepresentation of contact is often due to incomplete authentication of the taxpayer or the taxpayer’s Limited English Proficiency
  • Required Taxpayer Authentication procedures should be followed as outlined in IRM 21.1.3.2.3 and 21.1.3.2.4
  • Taxpayers may use their minor child as interpreter by giving verbal or written consent
  • CAP: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/Basics/3131.aspx
  • Disclosure Awareness Pocket Guide: http://core.publish.no.irs.gov/docs/pdf/14784k08.pdf
  • General Disclosure Hot Topics: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/default.aspx

  24. FY09 Trends & Protection Guidelines… Laptop Losses/Thefts (chart) Note: Year-to-date data represents the period from Oct 1 to Dec 31

  25. FY09 Trends & Protection Guidelines… Loss/Theft – IT Assets FY09 Trend: 52% of all SB/SE loss and theft incidents are related to IT asset loss and theft, which includes: • Cell phones • Laptops • Media cards, thumb drives, printers, etc. Protection Guidelines • IRS laptops and other IT assets (e.g. air cards) shall never, under any circumstance, be stored in checked luggage while traveling, whether it is an international or a domestic flight. • Protect your passwords at all times. Passwords, smart cards or grid cards should be protected and shall not be stored on or with the laptop/cell phone. • Never leave your laptop unattended and/or unsecured!

  26. ...Key Security Preventative TIPS Loss/Theft – IT Assets • When possible, place your laptop under the seat in front of you when traveling by plane, bus or train, rather than in an overhead bin where it is out of your sight. • If your laptop is stored in an overhead bin it should be within your direct line of sight. • Set up an encrypted directory and save sensitive files to an encrypted folder. • Newer laptop images have forced encryption on everything in the “My Documents” folder; files saved outside that folder are not covered by it, so keep them in your encrypted directory. • Use cable locks to secure your laptop, even within IRS-controlled facilities. • Laptops may be locked in a cabinet or desk for additional protection overnight. • Never leave your laptop in your vehicle overnight! Not even in your trunk, in the driveway, or in the garage. • Enable the password/PIN function on your cell phone.

  27. FY09 Trends & Protection Guidelines… Loss/Theft - Hardcopy Loss FY09 Trend: Loss of hardcopy SBU/PII data accounted for 48% of all losses/thefts and is comprised of: • UPS Shipping • Losses within IRS Facilities • Other hard copy loss, e.g. residence, vehicle, public transportation Protection Guidelines • When transmitting PII in paper or removable media format by mail or through a carrier, employees are required to do so in a manner that ensures it does not become misdirected or disclosed to unauthorized personnel. • Use Small Package Carrier (e.g. UPS) when shipping PII • Use US Postal Service to mail documents to the taxpayer • Use Form 3210, Document Transmittal to track mail and shipments IRM Reference for Form 3210: 3.13.62.7.1

  28. ...Key Security Preventative TIPS Loss/Theft – Shipping Loss • Do not put “Sensitive Contents” labels on PII packages; an unlabeled package is a less tempting target for theft. • Securely package PII contents prior to shipping: • Use undamaged packaging materials • Double wrap or double box all materials • Place address labels on both the inside and the outside package • When shipping via United Parcel Service (UPS): • Monitor the package during shipment using the basic tracking number provided by UPS and confirm receipt • Set and monitor timelines for transmittal acknowledgement: within 7 days • For internal IRS shipments, use a document receipt to verify that confidential material has been properly received: if sender, initiate Form 3210; if recipient, complete and return Form 3210

  29. Scenarios

  30. Scenario 1: Incorrectly Stuffed Envelope A Revenue Agent (RA)/ Correspondence Examination Technician (CET) was working several cases and preparing letters to be sent to taxpayers and their representatives. The RA/CET prepared a letter for case 1 to send to POA “A” on behalf of Mr. and Mrs. Jones. The RA/CET then moved on to case 2 and prepared a report to send to POA “B”, Mr. and Mrs. Smith’s representative. The RA/CET packaged up the documents for mailing, addressed the envelopes and moved on to other case work. Two days later, POA “A” called to say he had received the report for Mr. and Mrs. Smith, and he does not represent them. Which of the following are True statements about this scenario? • This is not a disclosure • This is a disclosure • Prior to sealing envelope, RA/CET should have checked contents • RA/CET should have completed case 1 prior to moving to case 2 See Notes for Answers

  31. Scenario 2: Incorrectly Stuffed Envelope A Tax Compliance Officer (TCO) was preparing a report to send to a taxpayer. The report was sent to the network printer, promptly retrieved and put in an envelope for mailing. 3 days later, the taxpayer called to say that they had received additional documents of another taxpayer. Which of the following are True statements about this scenario? • This is not a disclosure • This is a disclosure • Prior to sealing envelope, TCO should have checked the documents retrieved from the printer to verify pages were only for this taxpayer See Notes for Answers

  32. Scenario 3: Incorrect Addressee A Revenue Officer (RO)/ Tax Examining Technician (TET) researched the address of a taxpayer, found a newer address on Accurint, and mailed a letter to the address. The individual at the address opened the letter believing it was for her since it was her maiden name. Upon opening the letter, the individual realized the letter was for someone else. Which of the following are True statements about this scenario? • This is not a disclosure • This is a disclosure • The RO/TET should have verified the identity of the taxpayer using additional identifiers such as SSN and Date of Birth See Notes for Answers

  33. Reporting a Loss/Theft/Disclosure

  34. Reporting a Disclosure/Loss/Theft Within one hour of becoming aware of the inadvertent disclosure of sensitive information, or the loss or theft of a laptop, IT asset or hardcopy document containing sensitive information, you should report the incident to:
  • Your manager
  • If it involves taxpayer correspondence, report it directly to the Notice Gatekeeper using the Servicewide Notice Information Program’s Erroneous Taxpayer Correspondence SNIP Reporting Form: http://gatekeeper.web.irs.gov/errCPReport2.aspx This form has now been expanded to include electronic communication such as faxes, transcripts and e-mails.
  • If it does not involve taxpayer correspondence (for example, a verbal disclosure, lost laptop, data disk or internal mail shipment), report it to the Computer Security Incident Response Center using the CSIRC Incident Reporting Form, or by calling 866.216.4809
  • If the incident involves the loss or theft of an IT asset or hardcopy data, contact TIGTA at 800.366.4484 (TTY/TDD 1-800-877-8339): http://www.treas.gov/tigta/contact_report.shtml When calling TIGTA, always secure a TIGTA reference number.
  • Local law enforcement, as appropriate

  35. Reporting a Disclosure/Loss/Theft Situations that are not to be reported to SNIP or CSIRC:
  • Example 1: An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find they are not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.
  • Example 2: An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number given to them by the taxpayer or authorized representative was incorrect.
  • Example 3: IRS employees follow all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS and says they are not the taxpayer.
  • Example 4: The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the taxpayer does not live there.

  36. Reporting a Disclosure/Loss/Theft • The timely reporting of all information losses or thefts is critical so that any needed investigation can be initiated quickly, which can decrease/mitigate the possibility that the information will be compromised and used to perpetrate identity theft or other forms of fraud. • Refer to IRM 10.5.3.6 - Reporting Losses, Thefts and Disclosures of Sensitive Information • If you see indications of an intentional unauthorized disclosure, the incident must be reported to TIGTA. See IRM 11.3.1.6(2) and IRM 11.3.38.6.1(1).

  37. Security Awareness for Employees II (S.A.F.E. II) Please email the SB/SE Security PMO with any questions at: *SBSE Security
