
Common Communications Gateway

 

Privacy Impact Assessment - Common Communications Gateway (CCG)

CCG System Overview

The Common Communications Gateway (CCG) is a general support system. CCG-collected data consists of system audit logs generated by network devices. The Internet Misuse Monitoring CCG components also track employee use of the Internet to ensure compliance with the IRS Policy on acceptable personal use of government information technology equipment/resources by IRS employees. There is a separate PIA pending for Computer Security Incident Response Center Security Incident Management. To ensure CCG-hosted applications appropriately protect privacy data, all applications are required to have a PIA that has been approved by the Office of Privacy Advocacy.

I. Data in the System

1. Generally describe the information to be used in the system in each of the following categories: Taxpayer, Employee, Other

*  Taxpayer and Employee:
There is no taxpayer or employee information used within the CCG. The CCG network devices (e.g. firewalls, intrusion detection systems, Internet Misuse Monitoring devices), however, may inadvertently capture taxpayer and/or employee information as it passes through the CCG network. Network device audit logs routinely record system and network metrics, faults, errors, and contextual information to help ensure the integrity, availability, and efficiency of the CCG, as well as to provide enough information for adequate troubleshooting and system monitoring. The potential exists that some network or employee information could be captured as part of a response to an auditing trigger. Any taxpayer and/or employee data inadvertently captured would be contained as part of the network device audit logs and only be accessible by CCG network administrators in the performance of their duties. All CCG administrators must pass an IRS background investigation and be fully cleared. They are trained in the proper treatment and disposition of secure data. Additionally, all logs are protected both logically and physically to ensure access only by authorized personnel. Logical protection includes identification and authentication of administrators and access controls limiting audit log viewing to CCG administrators. Physical protection includes storage in restricted rooms within Treasury approved buildings. Both the personnel possessing log access and the buildings in which the logs are stored comply with Treasury Department Publication (TDP) 71-10. Administrators use audit logs to ensure the availability, integrity, and efficient operation of the CCG network.

*  Other:
While audit logs can potentially collect taxpayer and employee information (see above), this is not their purpose. They primarily collect system information such as fault status, performance metrics, and security events to ensure the proper operation of the CCG. Security events audited may include failed logins, abnormal TCP/IP packets, or sessions containing attack signatures. Any program or personally identifiable data from the user applications which is inadvertently collected during security processing is captured systemically and not routinely accessed by CCG system administrators. All audit logs are protected as described above.

2. What are the sources of the information in the system?

a. What IRS files and databases are used?


No IRS files or databases are used. Audit logs are generated automatically by network devices.

b. What federal agencies are providing data for use in the system?


Federal agencies do not provide data for use in the system.

c. What state and local agencies are providing data for use in the system?

State and local agencies do not provide data for use in the system.

d. From what other third party sources will data be collected?

Data is not collected from a third party source.

e. What information will be collected from the taxpayer/employee?


Taxpayer/employee information is transported by the CCG for use by specific applications with their own PIAs. Such data may be captured or collected in response to an auditing trigger such as detection of an abnormal packet, attack signature, or a denial of service attempt. Potentially any employee/taxpayer data passing through the CCG could be collected as part of, and in response to, an audit trigger if it happens to be near in time to the trigger.

3. a. How will data collected from sources other than IRS records and the taxpayer be verified for accuracy?

No data comes from sources outside of the IRS.

b. How will data be checked for completeness?

Audit logs are periodically and/or randomly checked.

c. Is the data current? How do you know?

Audit log data is current, as it is generally date/time stamped and generated in real time.

4. Are the data elements described in detail and documented? If yes, what is the name of the document?

Only taxpayer and employee data elements generated by hosted applications and sent through the CCG can be collected by a CCG audit mechanism. All such application data elements could potentially end up at some point within a CCG audit log. A detailed list of all taxpayer and employee data elements that the CCG could potentially collect can be found in the PIAs of all hosted applications. As such, this data belongs to the specific applications and is not used by the CCG.

II. Access to the Data

1. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Other)?

The CCGs are located within the Detroit Computing Center (DCC) in Detroit, Michigan; the Martinsburg Computing Center (MCC) in Martinsburg, WVA; and the Tennessee Computing Center (TCC) in Memphis, TN, where stringent physical security measures have been implemented to control access to the facility, with additional control mechanisms in place for the computer areas within the facility. CCG administration occurs primarily from the IRS network management intranet facilities. CCG firewall, intrusion detection and Internet misuse management occurs at the IRS New Carrollton Federal Building (NCFB) in Lanham, Maryland, and firewall management occurs within the physically secure Computer Security Incident Response Center (CSIRC) facilities at NCFB. Off-site storage is located within IRS/Treasury-approved physically secure buildings in these three locations.

*  Users:
CCG users are those taxpayers and/or employees who rely on the availability and integrity of the CCG to connect to the web applications. CCG users also are the hosted web application owners who rely on CCG to provide a protected and highly available Internet connection for their web applications.  No users have access to any CCG network devices. The CCG network devices, however, automatically and appropriately route user traffic to the right web application and provide levels of protection against system failures and Internet-based attacks.

*  System Administrators (SA):
Authorized and fully-cleared CCG administrators have access to audit logs which may potentially contain some taxpayer and/or employee information collected in the course of system security administration, but which is not part of the CCG function.

*  Developers:
Developers do not have access to the audit logs.

*  Others:
Network and system auditors such as the Inspector General for Tax Administration (TIGTA) and General Accounting Office (GAO) may have access to the logs as part of their official oversight duties.

2. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?

Users (defined above) are not allowed access.

3. Will users have access to all data on the system or will the user’s access be restricted?  Explain.

Users are not allowed access.

4. What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?

System administrators have complete access to the CCG audit logs that may potentially contain some taxpayer and/or employee information. Administrators must pass an IRS background investigation and be fully cleared in accordance with TDP 71-10. The supervisors of CCG administrators ensure they receive proper training and act in accordance with Treasury and IRS security directives and standard operating procedures. All administrators are trained to protect any taxpayer and/or employee data they may find in system audit logs. Administrators are trained to ensure such information is kept secure and not disclosed to others.

5. a. Do other systems share data or have access to data in this system? If yes, explain.

No other systems share or have access to CCG audit logs. CCG administrators may use the audit logs to report system performance or provide problem and/or system status. CCG administrators are trained to delete any taxpayer and/or employee information they may come across while preparing reports shared with others. Such data would have been inadvertently collected as part of the system security process, but is not owned, used, or accessed by CCG.

b. Who will be responsible for protecting the privacy rights of the taxpayers and employees affected by the interface?

CCG administrators and supervisors are responsible for protecting the privacy rights of taxpayers and employees. They do this by ensuring proper control of CCG audit logs. They are trained in the proper disposition of such data that may have been collected as part of the CCG transmission and security function.

6. a. Will other agencies share data or have access to data in this system (International, Federal, State, Local, Other)?

GAO, TIGTA, and other potential IRS auditors may access CCG device audit logs as part of a system-wide audit.

b. How will the data be used by the agency?

The data will be used for audit purposes.

c. Who is responsible for assuring proper use of the data?

Trusted agents as defined within the audit charter governing the audit and in line with the agency’s responsibilities will ensure proper use of the CCG audit logs.

d. How will the system ensure that agencies only get the information they are entitled to under IRC 6103?

The hosted applications employ the necessary controls that ensure this requirement. The CCG only provides a part of the medium of transmission.

III. Attributes of the Data

1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed?


CCG audit logs are necessary to ensure the integrity, availability, and efficient operation of the CCG. Some audit triggers capture contextual network information in order to provide insight into what may have caused an error code, fault status, or security event. Such contextual information could potentially contain taxpayer and/or employee information and may in some cases be necessary to understand the cause or effect of a system failure, security event, or other abnormality.  CCG administrators view audit logs through encrypted tunnels between the CCG network devices and the administrator’s remote interface. The encrypted links ensure the confidentiality of audit logs as they are transported and access controls on the CCG devices ensure only authorized administrators can view the audit logs.

2. a. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

Audit log data contains data elements that pass through the CCG when an audit mechanism is triggered and so would be derived data. At most, the CCG audit logs would contain data elements that are in use by the CCG-hosted applications and identified in their PIAs.  However, such data is not part of the functionality of the CCG or otherwise used by this system.

b. Will the new data be placed in the individual’s record (taxpayer or employee)?

No audit log data would be placed in any individual’s record. Any data collected would be retained within the CCG audit logs and protected as described in previous sections.  Audit log data is archived for at least five years in accordance with TDP 71-10. Audit logs are physically protected throughout their lifecycle. Destruction of tapes will occur in accordance with TDP 71-10.

c. Can the system make determinations about taxpayers or employees that would not be possible without the new data?

The CCG cannot make determinations about taxpayers or employees. Any taxpayer and/or employee information potentially collected in the CCG audit logs would be fragmented, incomplete, or otherwise damaged, unusable or unrecognizable by other applications or systems.

d. How will the new data be verified for relevance and accuracy?

There is no new data generated. Any taxpayer and/or employee information potentially collected would be derived from hosted web applications.

3. a. If data is being consolidated, what controls are in place to protect the data from unauthorized access or use?

Audit logs may be consolidated on a central backup server. Access controls (password protection, file access rights, need-to-know, physical access restrictions, encrypted links, etc.) and CCG administrator supervision and training protect the data from unauthorized access or use. No personally identifiable data intentionally exists here.

b. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.

Processes are not being consolidated.

4. How will the data be retrieved? Can it be retrieved by personal identifier? If yes, explain.

No. Audit logs are accessed in a variety of ways including time/date stamp, IP address, error code, and event name. In some cases string searches can be performed. If an audit mechanism collected contextual information containing a personal identifier, such an identifier could be accessed using a string search for that specific identifier, but such information would not be known to exist, and such access is not a function of the CCG.

5. What are the potential effects on the due process rights of taxpayers and employees of:

a. consolidation and linkage of files and systems;


There will be no effect on the due process rights of taxpayers or employees by consolidation of audit logs. The purpose of audit logs is to monitor and ensure network availability, integrity, and proper operation so that taxpayers and employees can access the hosted network applications. Audit logs contain no new taxpayer and/or employee data.

b. derivation of data;

There will be no effect on the due process rights of taxpayers or employees by a change in the derivation of data. The CCG is designed to host numerous applications. Hosted applications may change or evolve with no effect on the audit logs of CCG systems, which are generated by the same auditing triggers.

c. accelerated information processing and decision making;

There will be no effect on the due process rights of taxpayers or employees due to accelerated information processing and decision making. Accelerated information processing and decision making could potentially provide additional meaning from audit logs and help ensure a quicker response time to network faults and abnormal events.

d. use of new technologies;  n/a

e. How are the effects to be mitigated?

No negative effects are produced that require mitigation.

IV. Maintenance of Administrative Controls

1. a. Explain how the system and its use will ensure equitable treatment of taxpayers and employees.

The CCG connects web applications serving the taxpayer and assisting employees to the Internet. Numerous network, personnel, and physical security controls help ensure the confidentiality, availability, and integrity of the hosted web applications. Network controls include redundancy of systems to provide high availability, access control restrictions to ensure authorized use, and intrusion detection to ensure system integrity. Personnel controls include background checks, training, and enforcement of standard operating procedures. Physical controls include locked doors, guarded facilities, and badged personnel.

b. If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?

The CCG is located within a protected area within the DCC, MCC and TCC. CCG administration occurs primarily from the NCFB Maryland facility, Network Management center and CSIRC Operations Center. Management personnel located at the IRS New Carrollton Federal Building in Lanham, Maryland manage the intrusion detection system, and Treasury Communications System (TCS) administrators assist in the management of the telecommunications architecture.

c. Explain any possibility of disparate treatment of individuals or groups.

Since the CCG does not process personal information, there is no possibility of disparate treatment of individuals or groups.

2. a. What are the retention periods of data in this system?

Audit logs are retained for a minimum of five years in accordance with TDP 71-10.

b. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented?

Audit data may provide insight into network vulnerabilities and incidents and as such requires appropriate disposal. Disposal procedures are outlined in Internal Revenue Manual (IRM) 25.10.1 and TDP 71-10.

c. While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?

Audit logs contain no personally identifiable information that is used by the system. Therefore, the data’s accuracy or completeness is irrelevant to the purpose and functionality of the CCG. There is no potential effect on data or individuals.

3. a. Is the system using technologies in ways that the IRS has not previously employed (e.g., Caller-ID)?

No. Audit logs pertaining to device operation, network use, and intrusion detection have been used for several years.

b. How does the use of this technology affect taxpayer/employee privacy?

The use of this technology as implemented has no effect on taxpayer/employee privacy.

4. a. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

No. The CCG network has the ability to identify, locate, and monitor traffic passing through the CCG. Mitigating factors listed below prevent the capability to identify, locate, and monitor individuals.

b. Will this system provide the capability to identify, locate, and monitor groups of people? If yes, explain.

No (see above).

c. What controls will be used to prevent unauthorized monitoring?

Three mitigating factors help ensure that individuals and/or groups are not identified and monitored:
1) The CCG has not been configured to act in this way;
2) CCG administrators are trained not to do this and their actions are supervised;
3) Web application owners encrypt sensitive individual data that pass through the CCG to/from/through the Internet.

5. a. Under which Systems of Record notice (SOR) does the system operate? Provide number and name.

Treasury/IRS 34.037 IRS Audit Trail and Security Records System

b. If the system is being modified, will the SOR require amendment or revision? Explain.

No. The purpose of the CCG is to transmit, but not to store, access, retrieve, or collect personally identifiable data as part of its function.

 


Page Last Reviewed or Updated: November 04, 2004