Internal Revenue Service (IRS)
Office of Safeguards Data Warehouse Documentation Requirements

Introduction

When an agency implements a data warehouse containing FTI, the agency must provide written notification to the IRS Office of Safeguards, identifying the security controls, including FTI identification and auditing within the data warehouse. The written notification shall be sent to the SafeguardReports@IRS.gov mailbox at least 45 days before implementation. In addition, implementation of a data warehouse constitutes a significant change under section 7.1, triggering the requirement for the submission of a new SPR.

The purpose of this document is to provide requirements for the information and documentation to include in the written notification to the IRS Office of Safeguards. This process will be used to assist the IRS in understanding and evaluating the state agencies' data warehouse plans for compliance with IRS Publication 1075, and help ensure agencies build Publication 1075 security requirements into data warehouse implementations.

How to Complete This Document

Agencies should review the security controls and compliance inquiries included below and provide their complete response in Part 1 of the form. All submissions should be sent to the IRS Safeguards mailbox (SafeguardReports@irs.gov) with the subject line: Data Warehouse Notification.

The information requested through this document is not meant to be all-encompassing and the IRS may require additional information from the agency in order to evaluate the planned data warehouse implementation.

Document Workflow

Upon submission of the table below, agencies may be contacted by the IRS to schedule a conference call for the IRS to provide feedback based on the agency's documentation and discuss the details of the agency's planned data warehouse implementation. Implementation of the Publication 1075 requirements in the data warehouse environment will be routinely evaluated during the state agency's onsite Safeguard review.

Documentation Requirements

Data Warehouse Notification Form, Part 1

Date:
Agency:
POC Name:
POC Title:
POC Phone / Email: [Please use this format (XXX) XXX-XXXX / E-Mail]
POC Site / Location:
Site / Location FTI:

#: 1
Security Control: System and Services Acquisition
Compliance Inquiry: Please describe how contractors are utilized in the data warehouse environment.
Publication 1075 Reference: Page 111 - Acquisition security needs to be explored. As FTI is used within data warehousing environments, it will be important that the services and acquisitions have adequate security in place, including blocking information to contractors, where these contractors are not authorized to access FTI.
Agency Response: [Note: Please be as detailed as possible in your responses] Please place your response here using this format

#: 2
Security Control: System and Services Acquisition / Physical Security
Compliance Inquiry: Identify where the data warehouse is hosted and physically resides. Please indicate the location as 1) state agency, 2) contractor site, 3) State Department of Information Technology (IT)
Publication 1075 Reference: Page 112 - The physical security requirements resident throughout Publication 1075 do apply to the physical space hosting the data warehouse hardware.
Agency Response:

#: 3
Security Control: Auditing
Compliance Inquiry: Describe how the data warehouse is configured to capture audit trails for FTI actions.
Publication 1075 Reference: Pages 114 - A data warehouse must capture all changes made to data, including additions, modifications, or deletions by each unique user.
Agency Response:

#: 4
Security Control: Auditing
Compliance Inquiry: Describe how querying is tracked within the application that accesses the data warehouse.
Publication 1075 Reference: Pages 48-49 - Within the application, auditing must be enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user. This auditing requirement also applies to data tables or databases embedded in or residing outside of the application.
Agency Response:

#: 5
Security Control: Media Protection
Compliance Inquiry: Describe how media that contains data from the data warehouse is disposed of once no longer required.
Publication 1075 Reference: Page 112 - The agency shall have policy and procedures in place describing the cleansing process at the staging area and how the ETL process cleanses the FTI when it is extracted, transformed and loaded. Additionally, describe the process of object re-use once FTI is replaced from data sets. IRS requires all FTI is removed by a random overwrite software program.
Agency Response:

#: 6
Security Control: Access Control
Compliance Inquiry: Describe how logical access control is granted to the data warehouse.
Publication 1075 Reference: Page 113 - Within the DW, the agency shall protect FTI as sensitive data and be granted access to FTI for the aspects of their job responsibility. The agency shall enforce effective access controls so that end users have access to programs with the least privilege needed to complete the job.
Agency Response:

#: 7
Security Control: Access Control
Compliance Inquiry: Describe the different types of access control currently employed (role-based, data-level, etc.)
Publication 1075 Reference: Page 113 - The agency shall set up access controls in their DW based on personnel clearances. Access controls in a data warehouse are generally classified as 1) General Users; 2) Limited Access Users; and 3) Unlimited Access Users. FTI shall always fall into the Limited Access Users category.
Agency Response:

#: 8
Security Control: Access Control
Compliance Inquiry: Describe how querying is controlled.
Publication 1075 Reference: Page 111 - Only authorized users with a demonstrated need to know can query FTI data within the data warehouse.
Agency Response:

#: 9
Security Control: Access Control
Compliance Inquiry: How is data extracted from the data warehouse? Can the data be removed without going through an application front-end?
Publication 1075 Reference: Page 110 - A DW is operated by query or search engine tool.
Agency Response:

#: 10
Security Control: Contingency Planning
Compliance Inquiry: Describe how backups are handled, including what is backed up, and according to what frequency.
Publication 1075 Reference: Page 112 - Both incremental and special purpose data back-up procedures are required, combined with off-site storage protections and regular test-status restoration to validate disaster recovery and business process continuity. Standards and guidelines for these processes are bound by agency policy, and are tested and verified.
Agency Response:

#: 11
Security Control: Contingency Planning
Compliance Inquiry: List what medium backups are stored to and where those backups are located.
Publication 1075 Reference: Page 112 - On line data resources shall be provided adequate tools for the back-up, storage, restoration, and validation of data. Agencies will ensure the data being provided is reliable.
Agency Response:

#: 12
Security Control: System and Information Integrity
Compliance Inquiry: Are data or tables that contain FTI commingled with other non-FTI data? If yes, please describe how the FTI is tagged to denote it as FTI.
Publication 1075 Reference: Page 30 - In the case of a data warehouse, FTI can be commingled if the proper security controls are installed. This would require data monitoring software that can administer security down to application, databases, data profiles, data tables, or data columns and rows, and data elements. The FTI within any of the above must be back-end labeled and tagged with an IRS identifier. The same would pertain to any reports generated from the data warehouse.
Agency Response:

#: 13
Security Control: System and Information Integrity
Compliance Inquiry: Please describe and attach a visual description of how data flows from the IRS to the data warehouse environment, at the server level.
Publication 1075 Reference: Page 39 - A chart or narrative describing the flow of FTI through the agency from its receipt through its return to the IRS or its destruction, how it is used or processed, and how it is protected along the way. Indicate if FTI is commingled or where FTI may be replicated, reproduced, transcribed, duplicated, backed up, distributed or printed. Indicate all points where contractors have access to FTI.
Agency Response:

Data Warehouse Notification Form, Part 2

Date:
Reviewer's Name:
Approval Decision:

Comments

#: 1
Security Control:
IRS Comments:
Agency Response: Agency Response, Date X/XX/2012: Note: Please update the date above and place your response here. Please follow this format for the remainder of the document.

#: 2
Security Control:
IRS Comments:
Agency Response: