
4.7.2  Security

4.7.2.1  (07-31-2000)
Overview

  1. This section discusses ERCS security and procedures for controlling access.

4.7.2.2  (07-31-2000)
Basic Principles of Security

  1. The basic principles of security in the Internal Revenue Service are:

    1. All information processed by the Service is considered sensitive,

    2. Access to sensitive information is granted only on a "need-to-know" basis,

    3. Employees are provided the least privileges necessary to accomplish their normal and recurring work assignments,

    4. Privacy protection is a personal and fundamental right of all taxpayers and employees. The Service collects, maintains, uses and disseminates identifiable personal information and data only as required under the law, and

    5. Security is the responsibility of all Internal Revenue Service personnel, including contractors.

4.7.2.2.1  (07-31-2000)
Security Assurance

  1. In addition to numerous system consistency/security checks, ERCS security is primarily assured by:

    1. Limited system access to assure data is provided on a need-to-know basis,

    2. Audit trail generation of users' activities, and

    3. Electronic managerial approval of certain actions. See text 1.8.3 of this section.

4.7.2.3  (07-31-2000)
Taxpayer Browsing Protection Act of 1997 (UNAX)

  1. On August 5, 1997, President Clinton signed the Taxpayer Browsing Protection Act into law. Under the law:

    1. Willful unauthorized access or inspection of non-computerized taxpayer records, including hard copies of returns — as well as computerized information — is a misdemeanor, punishable, upon conviction, by fines, prison terms and termination of employment,

    2. Taxpayers have the right to take legal action when they are victims of unlawful access or inspection — even if a taxpayer's information is never revealed to a third-party, and

    3. When managers of employees are criminally charged, the Service is required to notify taxpayers that their records have been accessed without authorization.

  2. The Law provides a criminal misdemeanor penalty for the willful, unauthorized inspection of tax returns or return information. The penalty is a fine up to $1,000 and/or imprisonment up to one year. It applies to all federal employees, state employees and contractors who receive federal tax information. Upon conviction, a federal employee is dismissed from employment.

4.7.2.4  (07-31-2000)
C2 Security

  1. C2 security is a government-wide requirement for all computer systems which process, store, or transmit sensitive but unclassified information. C2 requirements include identification of users, controlling access between system resources and users, and creation of an audit trail.

4.7.2.4.1  (10-01-2003)
C2 Certification

  1. The Department of Treasury Directive TD 71-10 establishes policy by requiring formal review (certification) and issuance of official declarations (accreditation) that all Sensitive But Unclassified (SBU) systems or networks are approved to operate. C2 is the minimum level of protection required for information systems and networks accessed by more than one user group or group of users when those users or groups do not have the same authorization to use sensitive but unclassified information.

  2. Guidance on the requirements of certification is provided, in part, by:

    • IRM 25.10.1, Section 1, Information Technology (IT) Security Policy and Guidance.

  3. ERCS obtained its original C2 certification in June 1999.

4.7.2.4.2  (10-01-2003)
C2 Certification Documentation

  1. The following documents were submitted as part of the certification process:

    1. ERCS Risk Assessment Report — identifies existing and potential threats, vulnerabilities and effectiveness of the current and proposed safeguards. A formal review of the minimum baseline security requirements for SBU systems is part of the Risk Assessment,

    2. ERCS Computer Security Plan — identifies the security requirements of a system and whether controls are in place to meet the requirements,

    3. ERCS Privacy Impact Assessment (PIA) — a process used to evaluate the privacy issues of a system. Approval by the Privacy Advocate must be obtained before a system is C2 certified,

    4. System of Records Notice (SOR) — defines the who, what, when and why a file exists in a government agency. ERCS is covered by SOR 42.008, Audit Information Management System (AIMS),

    5. ERCS Technical Contingency Planning Document (TCPD) — identifies the priorities, resources and procedures necessary to ensure that essential operational tasks can be continued after disruption to a system. Approval of the TCPD by the Disaster Recovery Planning Section (DRPS) must be obtained before a system is C2 certified,

    6. ERCS Trusted Facility Manual — describes how a system is to be configured and operated to maintain its accepted level of risk,

    7. ERCS Security Features Users Guide — describes how a user is to interact with the system, ensuring security controls are understood and used correctly, and

    8. ERCS Configuration Management Plan — relates the identification, control, accounting for and auditing of all changes to system hardware, software, firmware, documentation, test plans and test results throughout the life cycle of the system.

  2. The following documents were developed by the Certification Program Office:

    1. ERCS Security Test Plan — provides a detailed evaluation of the system based on the Certification package,

    2. ERCS Security Test and Evaluation Report — documentation of the results of the security test, and

    3. ERCS Certification Statement — recommends to the Principal Accrediting Authority (PAA) that the system be or not be accredited. If there are conditions or issues that must be addressed, they are noted in this statement.

  3. The following document is developed by the Principal Accrediting Authority (PAA):

    1. ERCS Accreditation Statement — issued by the PAA (System Owner) to record the decision to accept the level of risk of the assessed system, network, or facility.
      The PAA for ERCS is the Director, Compliance Policy.

4.7.2.4.3  (07-31-2000)
Distribution of C2 Certification Documentation

  1. Copies of the ERCS Accreditation Memo, ERCS Certification Statement, ERCS Computer Security Plan, ERCS Configuration Management Guide, ERCS Privacy Impact Assessment, ERCS Risk Assessment Report, ERCS Security Evaluation Report, ERCS Security Features Users Guide, ERCS Security Test & Evaluation Report, ERCS Technical Contingency Planning Document (TCPD), ERCS Trusted Facility Manual, and Unconditional Security Certification Transmittal Memorandum for ERCS were provided to all the system administrators in July 1999.

  2. Copies of the ERCS Accreditation Memo, ERCS Certification Statement, ERCS Security Evaluation Report, ERCS Technical Contingency Planning Document (TCPD), and Unconditional Security Certification Transmittal Memorandum for ERCS were provided to all the ERCS Functional Coordinators in August 1999.

  3. All end users have access to the ERCS Security Features Users Guide via a menu option on ERCS.

4.7.2.4.4  (10-01-2003)
Official Use Only

  1. Most of the C2 certification documentation is marked "Official Use Only".

  2. The purpose of the designation "Official Use Only" is to prevent distribution to, or use by, any person who does not have a need to know the information.

  3. The designation "Official Use Only" may apply to information on any media, including paper, magnetic tape or disk, microfilm, microfiche, etc.

  4. Additional information can be found in IRM 1.16.8, Physical Security Standards Handbook.

4.7.2.5  (10-01-2003)
Authorized Access

  1. ERCS users are authorized to access only those accounts required to accomplish their official duties. Instances of employees attempting to access their own (or spouse's) account will be treated as administrative offenses. Additionally, users must not access the account of a friend, relative, celebrity, or any account in which they have a personal or financial interest.

4.7.2.5.1  (10-01-2003)
Requesting Access

  1. To obtain access to ERCS, each user (LMSB and SB/SE) must complete an OL5081, accessible via the web at: https://ol5081.enterprise.irs.gov:8443. LMSB users should select the ERCS subapplication entitled, ERCS-TCC-LMSB-Area XX. The area would be the particular SB/SE providing support. SB/SE users should select the ERCS subapplication entitled, ERCS-TCC-SBSE-Area XX. The area would be the user's area.

  2. Access to more than one ERCS database MUST be coordinated with the area ERCS FC prior to submitting either an OL5081 or a paper form 5081.

  3. All OL5081 or paper forms 5081 must always be routed through the manager, the ERCS Functional Coordinator, and the system administrator.

4.7.2.5.2  (10-01-2003)
Outside Access

  1. Requests for access by persons outside of LMSB or SB/SE, or W&I; i.e., Disclosure, etc., should rarely occur and require Territory Manager approval.

  2. Requests for access by persons outside the Internal Revenue Service; i.e., the Treasury Inspector General for Tax Administration (TIGTA), formerly the Inspection Service, require the approval of the Headquarters Office ERCS Analyst.

4.7.2.5.3  (10-01-2003)
Passwords

  1. Every user must have a unique login, a unique 8-character systemically generated employee ID, and a password.

  2. The user is systemically prompted to change the password when the user first logs into the system and every 120 days thereafter.

  3. Passwords should be eight characters long. They should contain a combination of letters and at least one number, at a minimum. Symbols "@" or "#" cannot be used. However, symbols "$" or "?" can be used.

  4. Every user must log onto ERCS at least once every 45 days. Failure to do so will result in the ERCS account being locked. The account will need to be unlocked prior to being able to access ERCS.

  5. If a user fails to log onto ERCS at least once during a 90-day period, the user will be removed from ERCS. A new OL5081 will need to be prepared as outlined in IRM 4.7.2.5.1 above.

  6. The password is to be protected. It should not be shared.
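The rules in items (1) through (5) above, modelled as an added example; this is not ERCS code and is not part of the manual. The function names and sample accounts are constructed for illustration, and the boundary handling is an assumption: an account is treated as locked after more than 45 idle days, removed after more than 90, and due for a password change at 120 days or more. Symbols the section does not name are not checked.

```python
from datetime import date

# Thresholds in days, taken from IRM 4.7.2.5.3.
PASSWORD_MAX_AGE = 120
LOCK_AFTER_IDLE = 45
REMOVE_AFTER_IDLE = 90
FORBIDDEN_SYMBOLS = set("@#")  # the two symbols the section says cannot be used


def password_problems(pw: str) -> list[str]:
    """Return the composition rules a candidate password breaks."""
    problems = []
    if len(pw) != 8:
        problems.append("must be eight characters long")
    if not any(c.isalpha() for c in pw):
        problems.append("must contain letters")
    if not any(c.isdigit() for c in pw):
        problems.append("must contain at least one number")
    if FORBIDDEN_SYMBOLS & set(pw):
        problems.append("must not contain @ or #")
    return problems


def account_status(last_login: date, pw_changed: date, today: date) -> str:
    """Classify an account; the most severe condition wins."""
    idle = (today - last_login).days
    if idle > REMOVE_AFTER_IDLE:   # assumption: strictly more than 90 days
        return "REMOVED"           # a new OL5081 is needed
    if idle > LOCK_AFTER_IDLE:     # assumption: strictly more than 45 days
        return "LOCKED"
    if (today - pw_changed).days >= PASSWORD_MAX_AGE:
        return "PASSWORD_CHANGE_DUE"
    return "ACTIVE"


# Constructed sample accounts: (login, last login, last password change).
TODAY = date(2003, 10, 1)
SAMPLE = [
    ("user_a", date(2003, 9, 20), date(2003, 8, 1)),
    ("user_b", date(2003, 8, 1), date(2003, 7, 1)),
    ("user_c", date(2003, 6, 1), date(2003, 5, 1)),
    ("user_d", date(2003, 9, 30), date(2003, 5, 1)),
]


def review(accounts=SAMPLE, today=TODAY) -> dict[str, str]:
    """Map each login to its status as of `today`."""
    return {name: account_status(ll, pc, today) for name, ll, pc in accounts}
```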

4.7.2.5.4  (10-01-2003)
Delegating Permissions

  1. The system administrator will establish the user with the appropriate UNIX permissions.

  2. The ERCS Functional Coordinator will assign the new user to the appropriate user group with access to the appropriate AAC(s). Levels of permissions available to ERCS users are:

    • READ,

    • WRITE (update capability),

    • FIRST LEVEL approval,

    • SECOND LEVEL approval, and/or

    • BACKUP approval.

  3. The manager has the ability to delegate temporary access to his/her AAC.

  4. To reduce the risk of fraud or abuse of taxpayer rights, a manager should delegate only temporary READ and APPROVE permissions to a technical employee who is serving as an acting group manager and carrying inventory.

4.7.2.5.5  (10-01-2003)
"Dummy" Employees

  1. "Dummy" or phantom employees are nonexistent employees that were created locally in the past for a variety of reasons. Some of the reasons they were used were to monitor in-transit cases, monitor unassigned cases, monitor claims, control "transitional" manager's inventory, etc.

  2. The use of "dummy" employees as an aid in managing inventory should not occur. Users who feel they have a need to monitor should work with their ERCS Functional Coordinator and, if necessary, the ERCS Functional Coordinator should work with the ERCS Hotline staff to try to provide a solution.

4.7.2.6  (07-31-2000)
Audit Trail

  1. C2 security requires the system be able to record and protect from destruction or modification a record of selected activities. The record includes:

    • Time and date of activity

    • Identification of the user

    • Source of the input (e.g., terminal ID)

    • Opening of files

    • Initiation of programs

    • Addition and/or deletion of data

4.7.2.6.1  (07-31-2000)
ERCS Audit Trail

  1. The ERCS audit trails record many of the activities of users, ERCS Functional Coordinators, and system administrators. The ERCS audit trail is written prior to the database update. If the write to the audit trail fails and the database update fails, the audit trail will remain.

  2. Audit trail information is not available to end users. Managers should consult the ERCS Functional Coordinator for assistance in those special circumstances when this information might be needed. The ERCS Functional Coordinator and the system administrator are able to selectively review the activities of the users and generate reports based on various selection criteria through the use of a "read_trails" program.

4.7.2.6.2  (10-01-2003)
ERCS Audit Trail Types

  1. Following are the audit trail types available:

    1. Requests audit trails are generated when records are requested on ERCS.

    2. Updates audit trails are generated for most AMSOC and AMSTU type updates to ERCS records (those requiring managerial approval).

    3. Permissions audit trails are generated when ERCS user type access or AAC access permissions are changed.

    4. Approvals audit trails are generated when managers approve or disapprove ERCS updates, requests, and AMSOCS.

    5. The Employee audit trails are generated for any change in the employee record.

    6. Research audit trails are generated any time a group user accesses a record that the user does not have permission to access.

    7. The Menus audit trails are generated when an ERCS user enters or leaves the ERCS Main Menu or when an ERCS user is denied access to the ERCS Main Menu.

    8. Ace Reports audit trails are generated when an ERCS authorized user runs a report from the selection "Local Reports" from the Login Menu. An ERCS Functional Coordinator or an ERCS user with special permissions to access this menu option are the only individuals that can run these reports.

4.7.2.7  (10-01-2003)
ERCS Audit Trail Review

  1. The audit trails should be reviewed on a regular basis to look for possible problems and/or system misuse including:

    1. UNAX — unauthorized access of taxpayer accounts, and

    2. Anomalies — irregularities, discrepancies, and/or deviation from the norm.

  2. The ERCS Audit Trail Guide provides an introduction to ERCS, an overview of security, and instructions for audit trail review. The guide also provides samples of audit trails, questions that relate to both the text and the samples, and a source of answers to the questions. The guide can be accessed via the web at: http://orion.grb.ser.irs.gov/PROJECTS/EXAM/DOCS/ERCS_DOCS/exam_cvr.html.

4.7.2.7.1  (10-01-2003)
Who Does the Review

  1. The Functional Security Coordinator (FSC) will be responsible for reviewing the ERCS audit trails.

    1. Each SB/SE area will designate one individual as the Functional Security Coordinator to review the area's ERCS audit trails. LMSB will designate one individual as the Functional Security Coordinator to review LMSB's ERCS audit trails. More than one individual may be designated as the FSC for the Area/LMSB as workload requires.

    2. The FSC cannot be an ERCS user, ERCS Functional Coordinator, or system administrator.

4.7.2.7.2  (07-31-2000)
Time of Review

  1. At a minimum, the audit trails will be reviewed monthly.

4.7.2.7.3  (07-31-2000)
Documenting the Review

  1. The FSC should prepare a report documenting what was reviewed, how it was reviewed, observations (inconsistencies identified, security violations, etc.) and conclusions, resolutions, and recommendations, if any.

4.7.2.7.4  (07-31-2000)
Retention of Review

  1. Audit trails that have been printed and the documentation of the audit trail review should be kept for the same amount of time as the back-up of the audit trails is kept — three years.

4.7.2.7.5  (07-31-2000)
Reporting Findings

  1. Potential UNAX violations must be referred immediately to the Treasury Inspector General for Tax Administration (TIGTA), 1-800-366-4484.

4.7.2.8  (07-31-2000)
Employee Audit Reviews

  1. ERCS provides security for employee audits. An employee audit occurs when an employee becomes the subject of an audit. The employee audit features prevent the following:

    1. The removal or update of information by a user who is being audited,

    2. The removal or update of audit information by a user whose spouse is being audited,

    3. The access of employee audit information by unauthorized persons, and

    4. The addition of an employee audit return to ERCS for an employee who should not be audited in the area.

  2. If an ERCS user attempts any of the above, the proper authorities in the area are notified.

