
Integrated Enterprise Systems Management Tivoli System

 

Privacy Impact Assessment - Integrated Enterprise Systems Management Tivoli System

IESM System Overview

The Integrated Enterprise Systems Management (IESM) program provides for automated management and control of the IRS Information Technology Systems (ITS) infrastructure.

The Framework for the Tivoli system is provided by the Tivoli application suite and associated hardware.  These products remotely and proactively manage and monitor the network components, as well as XXXX, mainframe, and Windows 2003 systems to most effectively utilize corporate assets, enhance productivity, and provide proactive customer service.  Tivoli’s Framework is the base component for the Tivoli Managed Environment (TME), now referred to as the “Tivoli” product line.  Framework provides a set of common security services and support features that are used by the Tivoli application suite installed on the Framework. 

The IESM Privacy Impact Assessment (PIA) is limited to the data within the IESM system design.  This includes all data processed, managed, or stored.  The data includes internal source data, data received from other systems, and data created by the IESM system.

System of Record(s) Number

Treasury/IRS 34.037, the IRS Audit Trail and Security Records System.

I.  DATA IN THE SYSTEM

1.  Generally describe the information to be used in each of the following categories: Taxpayer, Employee, and other.

Taxpayer - The system does not collect, store, or transmit taxpayer information.

Employee - The names and telephone numbers of systems administrators are collected in an XXXXXX database for contact purposes when critical systems maintenance needs to be performed.  In addition, an audit log database is kept for tracking security violations.

Other - A site-specific Tivoli Enterprise Console (TEC) database, an XXXXXX database, resides on the TEC Server. This database collects and stores incoming TEC events from NetView, Windows 2003 Adapters, and Software Distribution that relate to system performance.

2.  What are the sources of the information in the system?

Tivoli provides information for enterprise systems management, to include distribution of authorized IRS software applications to and from the National Transmittal Center (NTC). Other information in the system is generated by the Tivoli applications with no external system connectivity.  These data are derived from Tivoli application monitors residing on the servers located both within the IRS Trusted network, Security Technology Infrastructure Release (STIR) network and from the IRS Managed Services Provider.  These data are sent back to systems management consoles for administrator actions. Employee information for the TEC contacts database is collected from the employee.

a.  What IRS files and databases are used?

The IRS provides applications software via an electronic distribution method to the IRS service centers, computing centers, regional and district offices using the Tivoli Software Distribution.  The databases used are an internal database, which is provided by the Tivoli Software Distribution application. In addition, the IRS Enterprise Systems Management (ESM), Austin, Texas, has established a separate XXXXXX database which contains the names and telephone numbers of ESM related technical contacts for problem resolution and system administrators’ notification in cases of emergencies and other critical system problem resolution events. This database is manually maintained and is not populated using any automated processes.

b.  What Federal Agencies are providing data for use in the system?

Only internal IRS systems.

c.  What State and Local Agencies are providing data for use in the system?  None.

d.  From what other third party sources will data be collected?

Other third party sources of data are provided by the IRS Managed Service Provider, which is sending collected systems performance related data to the IRS Tivoli tools (such as the Tivoli Distributed Monitor and Enterprise Console).  The information that is passed from the Managed Service Provider to the Tivoli System is Enterprise Management Information Base (MIB) systems performance related data pertaining to performance and availability.  The information includes system performance related events from NetView Events, Windows 2003 Event Adapter, and Software Distribution.

e.  What information will be collected from the taxpayer/employee?

The system does not collect, store, or transmit taxpayer information.  Tivoli Distributed Monitoring/Remote Control monitors employee computers to detect and correct routine problems, detect and elevate non-routine problems to appropriate personnel, and escalate critical situations/problems to the centralized console.  An audit trail based on employee User ID is generated to detect unauthorized attempts at file access.  Tivoli uses notices to track administrator actions.  The notice data includes administrator User name, the Tivoli server being used, and the action taken.  Contact names and telephone numbers are collected from employees for the TEC contacts database.  

3.a.  How will data collected from sources other than IRS records and the taxpayer be verified for accuracy?

The exchange of messaging data between the Tivoli Management Agents throughout STIR and the Integrated Enterprise Management System (IESM) is provided by the Tivoli Management Framework mechanism in real-time mode.  Tivoli Management Framework-based applications operate using primarily TCP/IP and are a mechanism for system performance determination and operational status. The TCP/IP process provides for guaranteed delivery of all network packets.  There is no taxpayer data involved; it is strictly systems performance related information.

b.  How will data be checked for completeness?

The data are system performance event data received in real-time, which is difficult to verify for completeness.  TCP/IP guarantees that all of the data packets transmitted reach their final destination, but actual data verification is not available with this technology.

c.  Is the data current?  How do you know?

Data is real-time information which is coming from the functional networks and devices.

4.  Are the data elements described in detail and documented?  If yes, what is the name of the document?

Computer system and network data collected is described in Tivoli documentation.  Each IRS organization that wishes to electronically distribute software to IRS offices via Tivoli Software Distribution is responsible for documenting their applications and the data elements used.  Data collected in audit trails is documented in Tivoli documentation and the vendor documentation for the host operating systems. Detailed data are described in the Enterprise Systems Management (ESM) Data Model View (Document No. PRIME-ESM-MODL-DMV), Version 3.0, dated January 16, 2003.

 

II.  ACCESS TO THE DATA

 

1.    Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Other)?

 

Tivoli contains only systems/operations data.  Tivoli System administrators at the System Management Center and field offices have appropriate access to remotely distributed application code and network monitoring information as described in their job descriptions.  Security personnel have access to audit trail information.  Help Desk and technical support staff have access to network monitoring information.  Technicians at the National Office who have to transmit applications software to field offices have access to the executable application code that is to be transmitted.  TEC administrators have access to the TEC contacts database.  TEC contacts and their managers have access to the TEC contacts database for purposes of inputting/updating the information about themselves contained in the database.

 

2.  How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?

 

Yes, there are procedures in place for granting access to the IRS related systems, such as: IRS Form 5081, Access requirements and addendum, Form 12222, IESMP Access Request.  Procedures are included in Integrated Enterprise Systems Management Projects (IESMP) Security Procedure No. 3, "IESMP Access Request".  The forms list the Tivoli responsibilities and accesses required by each Tivoli administrator.  Normal users of IRS systems do not have access to Tivoli. The site Senior Tivoli System Administrator (STSA) is the single point of contact for each Region, Computing Center, Service Center and National Office.  The STSA follows the Form 5081/Form 12222 procedures for each system administrator or user approved for access to the Tivoli systems.  This information identifies the appropriate authorization role(s) assigned to the system administrator by the ESM/STSA administrators.

All approvals for the granting of access to IRS systems are made by the Senior IRS manager.

3. Will users have access to all data on the system or will the user's access be restricted? Explain.

Technicians, system administrators, and security personnel are granted access according to criteria established from the predetermined authorized security level of the user. The system level of the privileged user is controlled through predefined roles and responsibilities. TEC administrators have access to the TEC contacts database for making emergency contacts.  TEC contacts and their managers have access to the TEC contacts database for purposes of inputting/updating the information about themselves contained in the database.  They do not have access to information other than their own.

4.  What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?

The TEC database is only accessible to system administrators who have permissions to access the TEC XXXXXX database management system.  Access information is contained in an audit log file for review by system administrators. The Tivoli System audit logs are forwarded to the Security Auditing & Analysis System (SAAS) when proposed Computer Security Incident Response Center (CSIRC) functional audit requirements are identified. There is no taxpayer information involved with the system.

5. a. Do other systems share data or have access to data in this system?  If yes, explain.

Yes – The Tivoli systems audit logs are forwarded to SAAS for analysis and archiving when the proposed Cyber Security auditing requirements have been identified. The Data Communication Utilities (DCU) is used as the communications infrastructure for supporting Tivoli system's management data.  It is also used to transmit IRS authorized software distributions. SENTENCE REDACTED. The data in the TEC database is accessible by the Tivoli TEC application. The audit log files are found internally within the Tivoli Management Framework and externally in the Modernized System Infrastructure. The current design of the IRS Modernized System Infrastructure and Tivoli System has the capability to record the activities of the Tivoli agents and Tivoli administrators along with other system related information. The Modernized System Infrastructure collects, and sends to SAAS, audit logs of those events and elements as identified in the proposed Cyber Security functional audit requirements. Information is exchanged between the ESM Tivoli System and the Modernized System Infrastructure over a trusted LAN within a secure facility. This management LAN is separate from the production LAN. Information is transported to the TEC over the management LAN using the Tivoli Framework application, which has previously received IRS security certification. SENTENCES REDACTED.   A full description of the Tivoli Framework can be found in the Enterprise Systems Management (ESM) Application Model View (Document No. PRIME-ESM-DOC-AMV), Version 3.0D, dated November 18, 2002, and the Enterprise Systems Management (ESM) Technology Model View (Document No. PRIME-ESM-MODL-TMV), Addendum 2 (Modernized Technology Refresh in Integrated Enterprise System Management [IESM] & Performance Management Analysis and Reporting [PMAR]), Version 1.2, dated May 10, 2005.

In addition, in accordance with federal regulations, data sharing may occur with other law enforcement and government agencies in accordance with established IRS procedures. These agencies could be:  IRS TIGTA, GAO, USDOJ, etc., on a specific need-to-know basis.

b.  Who will be responsible for protecting the privacy rights of the taxpayers and employees affected by the interface?

The Director End Users Equipment and Services and designees are responsible for assuring that the system is used for the purpose for which it was designed. Any Privacy Act information that is contained within the Tivoli System is protected and only authorized personnel are allowed to view it.  This information is safeguarded by the security features of the operating systems, Tivoli application and applicable federal regulations.

6.a.  Will other agencies share data or have access to data in this system (International, Federal, State, Local, Other)? 

Yes, in accordance with federal regulations, data sharing may occur with other law enforcement and government agencies in accordance with established IRS procedures. These agencies could be:  IRS TIGTA, GAO, USDOJ, on a specific need-to-know basis.

b.  How will the data be used by the Agency?

The data are used for “official use only” in accordance with established IRS and federal regulations for the identification and possible law enforcement action in cases of misuse.

c. Who is responsible for assuring proper use of the data?

The Director End Users Equipment and Services and designees are responsible for assuring the proper use of the data.

d. How will the system ensure that agencies only get the information they are entitled to under IRC 6103?  Not Applicable.

III. ATTRIBUTES OF THE DATA

1.  Is the use of the data both relevant and necessary to the purpose for which the system is being designed?

Yes, the purpose of the system is to provide Enterprise Management for the IRS and the data is a key part in ensuring the objective is met.  In addition, the system is collecting the performance data that is required for the proper management and administration of the system.  System modifications are made in accordance with IRS established requirements.

2.a.  Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?  No.

b.  Will the new data be placed in the individual's record (taxpayer or employee)?  No.

c.  Can the system make determinations about taxpayers or employees that would not be possible without the new data?  

No, the Tivoli System at present does not have the capability to make this determination.

d.  How will the new data be verified for relevance and accuracy? Not Applicable

3.a.  If data is being consolidated, what controls are in place to protect the data from unauthorized access or use?  

No data is being consolidated at present.  SENTENCE REDACTED  The data is system performance data and does not contain any taxpayer or employee information, and does not have the capability to affect individual personal records.

b.  If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access?  Explain.

Not applicable, no processes are being consolidated.

4.  How will the data be retrieved?  Can it be retrieved by personal identifier? If yes, explain.

Yes, audit trail data can be retrieved by personal identifier (user ID).  TEC contact data can be retrieved by personal identifier (employee name and telephone number).

What are the potential effects on the due process rights of taxpayers and employees of:
a.  Consolidation and linkage of files and systems; 

No taxpayer data or employee monitoring is currently planned or occurring unless an event occurs which would indicate misuse or inappropriate use.

b.  Derivation of data; Not Applicable

c.  Accelerated information processing and decision-making;

Tivoli Distributed Monitoring software monitors system resources and services, detects and corrects routine problems, detects and elevates non-routine problems to appropriate personnel, and escalates critical situations/problems to the centralized console.  Tivoli Enterprise Console serves as a source of rules that elevates system or network problems to helpdesk personnel.  It interfaces with Tivoli Framework components to correlate events and takes automated actions in response to system performance events before they become critical.  The enterprise system utilizes the Tivoli Software Distribution application to distribute COTS software.

d.    Use of new technologies

The most radical feature of Tivoli is that it provides a single interface to multiple vendor operating systems.  SENTENCE REDACTED.

5.  How are the effects to be mitigated?  Not applicable

IV.  MAINTENANCE OF ADMINISTRATIVE CONTROLS

1.a.  Explain how the system and its use will ensure equitable treatment of taxpayers and employees.  Not Applicable

b.  If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?

The Tivoli System Configuration Management Plan is used.  Consistent Tivoli administrator usage is controlled by a combination of the central Tivoli management server and limitations imposed on them by the applications themselves and the Tivoli Systems implementation architecture.  Users and administrators are required to adhere to established rules of behavior in accordance with established IRS policies.

c.  Explain any possibility of disparate treatment of individuals or groups.

The system does not have the capability to treat groups differently.  In the future, additional capabilities such as monitoring would require updates to the system PIA.

2.a.  What are the retention periods of data in this system?

Audit data are backed up and retained on magnetic tape for six years.  TEC contact database data are modified when the contact changes.

b.  What are the procedures for eliminating the data at the end of the retention period?  Where are the procedures documented?

At the end of the retention period, magnetic tapes are erased (degaussed) and re-used. Retention periods are defined in IRM 1.15.3, Disposing of Records.  Degaussing is documented in IRM 25.10, Information Systems Security.  The TEC contact database information has no retention period.  Data is deleted when the contact person changes.

c.  While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?

The Tivoli system is continuously updated and/or refreshed with new information from its applications and managed servers.  All data received is acted upon in real time, ensuring timeliness and accuracy. The data first received is logged and processed according to the TEC rule base.  When the proper criteria are matched, an action is taken. Operational personnel carry out their duties based on rule base criteria.

3.a.  Is the system using technologies in ways that the IRS has not previously employed (e.g. Caller-ID)?

Yes.  The Tivoli System is implementing the Tivoli suite of Enterprise Systems Management applications.  It supports automated software distribution of authorized IRS applications from ESM SD Ops and NTC, monitoring of computer resources and administrator actions, and the use of an automated system to provide limited system management.  In addition, it provides the capability to inventory the IRS systems, provide automated user administration and security management, and manage the computer network routers and switches.

Tivoli Workload Scheduler provides a job scheduling function that has been performed by other technologies.  There are two basic aspects to job scheduling in TWS: the database and the plan. The database contains all the definitions for scheduling objects, such as jobs, job streams, resources, and workstations. It also holds statistics of job and job-stream execution, as well as information on the user ID that created an object and when an object was last modified. The plan contains all job-scheduling activity planned for a period of 1 day. In TWS, the plan is created every 24 hours and consists of all the jobs, job streams, and dependency objects that are scheduled to execute for that day. All job streams with a run cycle are automatically scheduled and included in the plan. As the day goes by, the jobs and job streams that do not execute successfully can be rolled over into the next day’s plan.

PARAGRAPH REDACTED.

b.  How does the use of this technology affect taxpayer/employee privacy?

Taxpayer data are not affected, except that Tivoli software can override native operating system control features.  While the use of auditing can detect this, those same audit files collect information about employee activities on the system, e.g. unauthorized access attempts.

4.a.  Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

Yes, the system uses Identification and Authentication to allow access.  A user can be monitored by their identification (user ID) through audit/log files and the Tivoli notice groups.  Users are monitored to ensure that no unauthorized or questionable access or attempts to access are made. The contacts database is used to locate and contact the individuals identified to TEC for certain events.

b.  Will this system provide the capability to identify, locate, and monitor groups of people? If yes, explain.

Yes, in a general way.  The Tivoli System utilities can monitor all employees logged onto a specific system in a particular region.  However, it cannot, for example, monitor only activities of employees based on race, religion, etc.

c.  What controls will be used to prevent unauthorized monitoring?

The greatest potential for misuse is with the system administrators.  However, via extensive audit trails, the security personnel can track the activities of all administrators.  SENTENCES REDACTED.

 


Page Last Reviewed or Updated: July 07, 2005