
Computer Security Incident Response Center (CSIRC)


Privacy Impact Assessment – Computer Security Incident Response Center (CSIRC) Security Incident Management (SIM)

CSIRC System Overview

The system will provide the ability to correlate, in an automated fashion, security events that occur within the IRS network.  The information is obtained from devices such as network security devices and intrusion detection systems that support IRS information systems.  Correlated security events allow the CSIRC analyst to focus on the areas of greater threat.  No audit trail information is kept at this level.  If a security incident is suspected, another system is invoked to explore the audit trail information.
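The following is an added example, not IRS or CSIRC code, of the kind of automated correlation the overview describes: firewall denies and IDS alerts are grouped per source address into short time windows, scored, and ranked so an analyst sees the strongest clusters first.  The log format, sensor names, addresses, weights and the 10-minute window are all constructed for illustration; host audit-trail records are deliberately dropped at this layer, matching the statement above that audit trail data is explored in a separate system.

```python
"""Toy SIEM-style correlation of network security events.

Added example, not IRS/CSIRC code.  The pipe-delimited record format,
sensor names, addresses and weights below are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # hypothetical: one source's events within this span form a cluster
WEIGHTS = {"DENY": 1, "ALERT": 4}   # hypothetical per-event-type weights; ALERT is scaled by severity

# Constructed sample feed, already normalized to "timestamp|sensor|src|dst|detail".
SAMPLE_FEED = """\
2004-12-10T09:00:01|fw-edge-1|203.0.113.7|10.1.2.3|DENY tcp/22
2004-12-10T09:00:03|fw-edge-1|203.0.113.7|10.1.2.4|DENY tcp/22
2004-12-10T09:00:05|fw-edge-1|203.0.113.7|10.1.2.5|DENY tcp/22
2004-12-10T09:00:09|ids-dmz-1|203.0.113.7|10.1.2.5|ALERT sev=3 SSH brute force
2004-12-10T09:15:00|fw-edge-2|198.51.100.9|10.1.9.9|DENY udp/161
2004-12-10T11:30:00|ids-dmz-1|198.51.100.9|10.1.9.9|ALERT sev=1 SNMP probe
2004-12-10T09:01:00|fw-edge-1|192.0.2.55|10.1.2.3|DENY tcp/445
"""


def parse_event(line):
    """Parse one normalized record into a dict.

    Returns None for anything that is not a firewall or IDS network event
    (for example a host login/audit record), so such data never enters this layer.
    """
    fields = line.strip().split("|")
    if len(fields) != 5:
        return None
    ts, sensor, src, dst, detail = fields
    tokens = detail.split()
    kind = tokens[0]
    if kind not in WEIGHTS:
        return None
    severity = 1
    for token in tokens:
        if token.startswith("sev="):
            severity = int(token[4:])
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor, "src": src,
            "dst": dst, "kind": kind, "severity": severity,
            "score": WEIGHTS[kind] * severity}


def _summarize(src, events):
    """Score a cluster; corroboration by more than one event type doubles the score."""
    score = sum(e["score"] for e in events)
    if len({e["kind"] for e in events}) > 1:
        score *= 2
    return {"src": src, "score": score, "events": len(events),
            "sensors": sorted({e["sensor"] for e in events}),
            "first": events[0]["ts"], "last": events[-1]["ts"]}


def correlate(feed, window=WINDOW):
    """Group events per source into time-bounded clusters, most suspicious first."""
    by_src = defaultdict(list)
    for line in feed.splitlines():
        ev = parse_event(line)
        if ev:
            by_src[ev["src"]].append(ev)
    clusters = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        current = []
        for ev in events:
            if current and ev["ts"] - current[0]["ts"] > window:
                clusters.append(_summarize(src, current))   # window exceeded: close the cluster
                current = []
            current.append(ev)
        clusters.append(_summarize(src, current))
    clusters.sort(key=lambda c: (-c["score"], c["src"], c["first"]))
    return clusters


def suspected_incidents(feed, threshold=10):
    """Clusters at or above the threshold are what an analyst would escalate,
    pulling audit trails from the separate system that holds them."""
    return [c for c in correlate(feed) if c["score"] >= threshold]


if __name__ == "__main__":
    for c in correlate(SAMPLE_FEED):
        print(f"{c['src']:<15} score={c['score']:>3} events={c['events']} "
              f"sensors={','.join(c['sensors'])}")
```

The scoring is intentionally simple; the point is the shape of the pipeline: normalize, discard anything that is not a network security event, cluster by source and time, and rank, so the analyst's attention goes to the corroborated burst rather than to isolated single denies.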
System of Records Number(s)

Treasury/IRS 34.037, IRS Audit Trail and Security Records System

Data in the System

1. Describe the information (data elements and fields) available in the system in the following categories:

A. Taxpayer
B. Employee
C. Audit Trail Information (including employee log-in info)
D. Other (Describe)


A. No taxpayer information is collected.
B. No employee information is collected.
C. XXXXX XXXXXX does not collect audit trail information from any monitored system (only related network security events are recorded). No audit trail information is kept at this level.  If a security incident is suspected, another system is invoked to explore the audit trail information.
D.  None

2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.

A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)


A. Obtained from network firewalls and intrusion detection systems owned, maintained and operated by IRS CSIRC.
B. None
C. None
D. None
E. None
F. None

3.  Is each data item required for the business purpose of the system?  Explain.

Yes.  The system must collect complete information from these devices in order to facilitate the CSIRC mission.

4. How will each data item be verified for accuracy, timeliness, and completeness?

The system is self-checking.  Some data collected will be verified by CSIRC personnel against the original information collected.

5. Is there another source for the data?  Explain how that source is or is not used.

Data as collected/stored/presented by the system will sometimes be checked by the analysts against original/unaltered data from the network security devices that provide the data.

6. Generally, how will data be retrieved by the user? 

Through authenticated, secure/encrypted communications from CSIRC analyst workstations to the system by login information.

7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier? No.

Access to the Data

8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?

Systems administrators, CSIRC Analysts and Management only.

9. How is access to the data by a user determined and by whom? 

User name unique to each person accessing the system.  The CSIRC Manager will grant access and level of authority with the Online 5081 system.

10. Do other IRS systems provide, receive, or share data in the system?  If YES, list the system(s) and describe which data is shared.  If NO, continue to Question 12.

Yes, from network intrusion detection systems, firewalls, and other network sensors maintained and operated by IRS CSIRC.

11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?

Currently in process.

12.  Will other agencies provide, receive, or share data in any form with this system?

Yes, information collected by the system may be shared with authorized partner government agencies which have not been identified at this time; the Department of Homeland Security is a strong possibility.  XXXXX XXXXX XXXXX XXXX XXXXX XXXX XXX XXX XXX XXXXXXXXXXXXXX XXXXXXXXXXXXXXX XXXXXXXXXXXXX  XXXXXX XXXXX XXXX XXXX XXXX XXXXX  No internal IRS data will be shared.

Administrative Controls of Data

13.  What are the procedures for eliminating the data at the end of the retention period?


Data will be purged from the database at the end of the data retention period.  The target retention period is 90 days of data online and 6 years offline; CSIRC is relying on the MCC to eliminate the offline storage after the retention time has been reached.  The Treasury Information Technology Security Program, TD P 85-01, Volume II, Handbook Part 1, Sensitive Systems, section 5.4.4.a.2.e states:

All firewall systems shall enable an audit capability to monitor firewall operation and substantiate investigations of real or perceived violations of local security policies.  XXXXX XXXXX XXXX XXXXX XXXX XXXXX XXXXX XXXX XXXXX XXXX XXXXX XXXXX XXXX XXXXX XXXX XXXXX XXXXX XXXX XXXXX XXXX XXXXX XXXXX XXXX XXXXX XXXX XXXXX XXXXX XXXX XXXXX XXXX and any system information the local security officer deems relevant.  Archived audit logs will be maintained for a minimum of 5 years.

Also see IRM 1.15.57 Item 12a.  These are derived data used for one-time inspection for unauthorized internet usage.  Extracts are retained elsewhere for use by the Agency in enforcement action, should that be necessary.  These can be destroyed when the agency determines that it no longer needs the data, or when it has been superseded.

14.  Will this system use technology in a new way?  If "YES" describe.  If "NO" go to Question 15.   No.

15.  Will this system be used to identify or locate individuals or groups?  If so, describe the business purpose for this capability.

No, the XXXXX XXXXX does not provide the capability to locate individuals or groups.  The system will be used to identify suspicious activity.  Information collected could be correlated once the investigation is begun with other sources which can identify an individual or group.  This system does not do so.

16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.

Yes, but only via network traffic.  The system consolidates information collected from other CSIRC network monitoring devices already in place.  Unauthorized monitoring will be prevented through password authentication, encryption, and user access controls.  CSIRC is authorized as part of its mission to monitor network traffic.

17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently?  Explain.

No.  The system is taking information that CSIRC currently collects to assist in the identification of the greater risks to address, investigate and correct.  All taxpayers, employees and others are treated the same based on IRS policy and legal statute during investigations which may use information gathered by this system.

18.  Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?

N/A, the system does not make final determination actions against affected parties.  Incidents are referred to enforcement groups, i.e., TIGTA and SHR.

19.  If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?

The system does not use persistent cookies or other tracking devices.



Page Last Reviewed or Updated: December 10, 2004