Updating of security procedures definition
The results of these existing reviews that agencies are subject to can be tailored to focus on FTI systems, and agencies are encouraged to submit copies with the SAR as part of the Internal Inspections process.
Although the frequency of risk assessments is determined by agency policy, the IRS requires that this activity be conducted at a minimum every three years or whenever there are significant changes to the information system receiving, processing, transmitting, or storing FTI.
It is important to perform risk assessments periodically because of changes in computer equipment and software, organizational policies, and updated security requirements in Pub. Existing resources such as legislative, internal, and state-level audits that the agency is already subject to can be leveraged when conducting risk assessments to ensure efficiency and maximum use of agency resources.
The computer security controls outlined in Section 9 of Pub. 1075 direct agencies to several key areas that focus on operational security.
However, agencies should consider applying the recommendations to all agency IT operations for enhanced security and compliance.
IRC Section 6103(p)(4)(E) requires agencies receiving FTI to file a report that describes the procedures established and used by the agency for ensuring the confidentiality of the information received from the IRS.