The IRS 1075 publication lays out a framework of compliance regulations to ensure federal tax information, or FTI, is treated with adequate security provisioning to protect its confidentiality. This may sound simple enough but IRS 1075 puts forth a complex set of managerial, operational and technical security controls you must continuously follow in order to maintain ongoing compliance.
Any organization or agency that receives FTI needs to prove that they’re protecting that data properly with IRS 1075 compliance. Federal, state, county and local entities – as well as the contractors they employ – are all within its scope.
IRS 1075 is comprised of the following sections:
- Federal Tax Information and Reviews
- Recordkeeping Requirement: IRC 6103(p)(4)(A)
- Secure Storage: IRC 6103(p)(4)(B)
- Restricting Access: IRC 6103(p)(4)(C)
- Other Safeguards: IRC 6103(p)(4)(D)
- Reporting Requirements: IRC 6103(p)(4)(E)
- Disposing of FTI: IRC 6103(p)(4)(F)
- Computer System Security
- Reporting Improper Inspections or Disclosures
- Disclosure to Other Persons
- Return Information in Statistical Report
The complete document describing IRS 1075 requirements is available here.
All agency information systems used for receiving, processing, storing or transmitting FTI must be hardened in accordance with the requirements in IRS 1075. Agency information systems include the equipment, facilities and people that collect, process, store, display and disseminate information. This includes computers, hardware, software and communications as well as policies and procedures for their use.
The computer security framework was primarily developed using guidelines specified in NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, and NIST SP 800- 53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Only applicable NIST SP 800-53 controls are included in IRS 1075 as a baseline. Applicability was determined by selecting controls required to protect the confidentiality of FTI.
Let’s focus on Section 9: Computer System Security.
IRS 1075 requires organizations and (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Jamieson. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/computer-system-security-requirements-for-irs-1075-what-you-need-to-know/