Computer System Security Requirements for IRS 1075: What You Need to Know

Any organization or agency that receives federal tax information (FTI) is now required to prove that their data protection policies meet IRS 1075 compliance standards. That means federal, state, county and local entities – as well as the contractors they employ – all fall within this scope.

What is IRS 1075?

IRS 1075 lays out a framework of compliance regulations to ensure federal tax information (FTI) is kept confidential. While this may sound simple enough, IRS 1075 is actually made up of a complex set of managerial, operational and technical security controls that must be continuously followed in order to maintain ongoing compliance.

The computer security framework was primarily developed using guidelines specified in NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, and NIST SP 800- 53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Only applicable NIST SP 800-53 controls are included in IRS 1075 as a baseline.

IRS 1075 Sections

To ensure the intended level of protection, IRS 1075 is comprised of the following sections:

1. Introduction      
2. Federal Tax Information and Reviews    
3. Recordkeeping Requirement: IRC 6103(p)(4)(A)
4. Secure Storage: IRC 6103(p)(4)(B)         
5. Restricting Access: IRC 6103(p)(4)(C)
6. Other Safeguards: IRC 6103(p)(4)(D)
7. Reporting Requirements: IRC 6103(p)(4)(E)
8. Disposing of FTI: IRC 6103(p)(4)(F)
9. Computer System Security         
10. Reporting Improper Inspections or Disclosures  
11. Disclosure to Other Persons       
12. Return Information in Statistical Report

The complete document describing IRS 1075 requirements is available here.

The Breakdown

Focusing on Section 9: Computer System Security, reinforces a singular, simplified takeaway:

All agency information systems used for receiving, processing, storing or transmitting federal tax information must be hardened in accordance with the requirements in IRS 1075.

Agency information systems include the equipment, facilities and people that collect, process, store, display and disseminate information. This includes computers, hardware, software and communications, as well as policies and procedures for their use.

IRS 1075 requires organizations and agencies to protect FTI using core cybersecurity best practices like file integrity monitoring (FIM) and security configuration management (SCM). Both of these technologies depend upon first establishing a known secure baseline. Any deviations from this baseline signal authorized or unauthorized changes that could bring your systems out of compliance or expose them to attacks.

Requirements for all FTI-handling agencies

To stay safe – and IRS 1075 compliant – all organizations and agencies that handle federal tax information must do the following:

Determine the types of changes to the information system that are configuration controlled. Then, they can review proposed configuration-controlled changes to the information system and approve or disapprove such changes with explicit consideration for security impact analyses.           

Document configuration change decisions associated with the information system. First, they must implement approved configuration-controlled changes to the information system. Then, IRS 1075 requires that they retain records of configuration-controlled changes to the information system for the life of the system.  

Audit and review activities associated with configuration-controlled changes to the information system. This means establishing a Configuration Control Board that convenes when configuration changes occur.

Test, validate and document changes to the information system before implementing the changes in the operational system. This step cannot be missed. Testing regularly ensures that, despite operational changes, FTI-handling entities are always in compliance with IRS 1075 and kept safe.

How Tripwire Can Help

Protecting the systems that guard our federal tax information (FTI) is no small feat. Fortra’s Tripwire can help.

One of Tripwire’s most fundamental capabilities is establishing a secure baseline configuration for your system and tracking all changes against that baseline. Tripwire Enterprise ensures the integrity of your files and systems, keeping a record of all changes that take place and producing audit-ready reports to make proof of compliance easier.

Plus, with Tripwire’s Security Configuration Management (SCM) solution, organizations can get platforms and policies that enforce regulatory compliance standards out of the box. And Tripwire Enterprise Policy Manager makes sure it all comes together, granularly comparing the organization’s security baseline against a specified Tripwire compliance policy and presenting you with a scorecard showing you how your security policies measure up.

To learn more, download our guide: Gaining Control of Financial Services Cybersecurity Regulations.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.