Raise Your Hand If You Have Heard of IRS Publication 1075
No, you are not getting a bigger refund. IRS Publication 1075 is 185 pages of “Tax Information Security Guidelines for Federal, State and Local Agencies” whose stated purpose is to provide “Safeguards for Protecting Federal Tax Returns and Return Information”. Last updated in September 2016, the guide details the protections IT departments must put in place to protect Federal Tax Information (FTI). State and local agencies have legitimate reasons to receive FTI: for example, a State agency may need it for wage garnishments, or for child support enforcement through the Health and Human Services Office of Child Support Enforcement.
As the publication puts it, “Those agencies or agents that legally receive FTI directly from either the IRS or from secondary sources (e.g., Social Security Administration [SSA]), pursuant to IRC 6103 or by an IRS-approved exchange agreement must have adequate programs in place to protect the data received.”
Failing to protect FTI carries strict penalties. Illegal disclosure of FTI by a Federal or State employee is a felony, and even the unauthorized inspection of FTI is a misdemeanor, punishable by fines, imprisonment, or both.
Publication 1075 sets out the “policies, practices, controls, and safeguards” required of anyone who receives FTI and is responsible for protecting it. Alongside the publication itself, the IRS Safeguards program publishes supporting material:
- Safeguard alerts and technical assistance memorandums
- Recommendations on how to comply with Publication 1075 requirements
- Reporting requirement templates (e.g., Safeguard Security Report [SSR]) and guidance
- Instructions for reporting unauthorized accesses, disclosures, or data breaches
- Internal inspections report templates and instructions
- IRS disclosure awareness videos and resources
- Disclosure and physical security requirements documented in the Safeguard Disclosure Security Evaluation Matrix (SDSEM) template
- Computer security requirements documented in Safeguard Computer Security Evaluation Matrix (SCSEM) templates, organized by technology or topic
The IRS provides Microsoft Excel (XLS) spreadsheets that aid in the testing of systems that transmit or store FTI. Each SCSEM details the requirement, the steps an assessor should take when auditing it, the expected result, and, where appropriate, a mapping to the corresponding NIST SP 800-53 control.
Assessors who want to automate many of these tests also have an option. Not every control assessment can be automated, but the IRS has published a set of “.audit” files for the Tenable Nessus scanner that evaluate as many Publication 1075 requirements as possible through compliance scanning. A paid copy of Nessus is required to use these audit files. Profiles are available for IBM AIX, Cisco networking, VMware ESX, IBM DB2, Oracle database, Red Hat Enterprise Linux, Microsoft SQL Server, SUSE, Microsoft Windows desktop, and Microsoft Windows Server. The controls a scanner cannot test, including the physical and disclosure requirements in the SDSEM, still have to be assessed by hand. According to the IRS, agencies that use automated scanning typically raise their compliance to 65 to 85 percent: https://www.irsvideos.gov/Governments/Safeguards/UseOfAutomatedTools
Compliance with IRS Publication 1075 can be a daunting task. While the IRS website offers some of the most comprehensive templates and testing tools available, consider utilizing the experts at OCD Tech to minimize the pain.
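To make the shape of an SCSEM or Nessus “.audit” check concrete, here is an added example (written for this page, not code from the IRS, Tenable, or OCD Tech) of a minimal checker that evaluates a few Red Hat style settings the way an automated compliance test does: each check names a requirement, the NIST SP 800-53 control it maps to, the file and regex that produce the evidence, and the expected value. The check IDs, the 90-day password age and 3-attempt lockout thresholds, and the sample configuration files are all assumptions constructed for the example; consult the real SCSEM for the actual test IDs and values. The fourth check is marked as manual to show why scanner coverage stops short of 100 percent.

```python
"""Minimal SCSEM-style compliance checker (added example, not IRS or Tenable code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Check:
    check_id: str                   # hypothetical IDs, not real SCSEM test IDs
    nist_control: str               # NIST SP 800-53 control the requirement maps to
    description: str
    path: str                       # configuration file the check reads
    pattern: str                    # regex; group 1 captures the directive's value
    expect: Callable[[str], bool]   # predicate the captured value must satisfy
    automated: bool = True          # False: needs interview or document review


# Thresholds below are assumed for illustration; the real SCSEM states the required values.
CHECKS: List[Check] = [
    Check("RHEL-EX-01", "AC-6", "Direct root login over SSH disabled",
          "/etc/ssh/sshd_config", r"^PermitRootLogin\s+(\S+)", lambda v: v == "no"),
    Check("RHEL-EX-02", "IA-5", "Password maximum age 90 days or less (assumed threshold)",
          "/etc/login.defs", r"^PASS_MAX_DAYS\s+(\d+)", lambda v: int(v) <= 90),
    Check("RHEL-EX-03", "AC-7", "Lock account after at most 3 failed logins (assumed threshold)",
          "/etc/security/faillock.conf", r"^deny\s*=\s*(\d+)", lambda v: int(v) <= 3),
    Check("RHEL-EX-04", "MP-3", "Removable media holding FTI is labelled",
          "", "", lambda v: True, automated=False),
]


def first_directive(content: str, pattern: str) -> Optional[str]:
    """Return the value of the first uncommented line matching pattern (sshd semantics:
    the first obtained value wins), or None if the directive is absent."""
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def evaluate(check: Check, files: Dict[str, str]) -> Tuple[str, str]:
    """Evaluate one check against a mapping of path -> file contents.
    Returns (status, evidence) where status is PASS, FAIL or MANUAL."""
    if not check.automated:
        return "MANUAL", "not scannable; review written procedures and interview staff"
    content = files.get(check.path)
    if content is None:
        # A missing file is a finding: the assessor has no evidence the control is met.
        return "FAIL", f"{check.path} missing"
    value = first_directive(content, check.pattern)
    if value is None:
        return "FAIL", f"{check.path}: directive absent, compiled-in default applies"
    status = "PASS" if check.expect(value) else "FAIL"
    return status, f"{check.path}: {value}"


def run(files: Dict[str, str]) -> Dict[str, Tuple[str, str, str]]:
    """Run every check; returns check_id -> (status, nist_control, evidence)."""
    return {c.check_id: (*evaluate(c, files), ) [:1] + (c.nist_control, evaluate(c, files)[1])
            for c in CHECKS}


def scan_coverage(results: Dict[str, Tuple[str, str, str]]) -> float:
    """Fraction of checks a scanner could decide at all (PASS or FAIL, not MANUAL)."""
    decided = sum(1 for status, _, _ in results.values() if status != "MANUAL")
    return decided / len(results)


# Constructed sample host: root login fixed, password aging left at the default,
# faillock.conf deliberately absent.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/ssh/sshd_config": "# constructed sample\n#PermitRootLogin yes\nProtocol 2\nPermitRootLogin no\n",
    "/etc/login.defs": "# constructed sample\nPASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\n",
}

if __name__ == "__main__":
    results = run(SAMPLE_FILES)
    for cid, (status, ctrl, evidence) in results.items():
        print(f"{cid:12} {ctrl:6} {status:7} {evidence}")
    print(f"scanner coverage: {scan_coverage(results):.0%}")
```

Run as-is, the sample host passes the SSH check, fails the password-age and lockout checks, and reports the media-labelling check as manual, so the scanner decides three of four checks. That gap between “scannable” and “compliant” is why the SCSEM and SDSEM spreadsheets still matter even when Nessus does the bulk of the work.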