What is IRS Publication 1075?
IRS Publication 1075, commonly referred to as, “Pub 1075,” lays out the guiding principles for the protection and confidentiality of Federal Tax Information (FTI). Pub 1075 contains the managerial, operational and technical security controls that must be implemented if FTI is present within a company’s information systems.
The framework for Pub 1075 was developed using guidelines from NIST SP 800-30 (Revision 1, Guide for Conducting Risk Assessments) and NIST SP 800-53 (Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations) with the objective of preventing unauthorized access and unauthorized disclosure of FTI. Pub 1075 was last updated September 2016, and is modified based on the emergence of new requirements that pertain to the confidentiality of FTI. If an organization handling FTI is contacted by the IRS, they must reliably demonstrate the ability to safeguard all confidential information.
What constitutes Federal Tax Information (FTI)?
FTI broadly includes, without limitation, federal tax returns and return information, returns or return information received directly from the IRS or obtained through an authorized secondary source, such as Social Security Administration (SSA), Federal Office of Child Support Enforcement (OCSE), Bureau of the Fiscal Service (BFS), Centers for Medicare and Medicaid Services (CMS), or another entity acting on behalf of the IRS. The IRS categorizes FTI as “sensitive but unclassified” information that may contain Personally Identifiable Information (PII). Sensitive PII includes any combination of the following: the name of a person from a filed return, a taxpayer mailing address, taxpayer identification number, telephone number, social security number, etc.
Who is subject to Pub 1075 requirements?
Organizations who have information systems that receive, process, store or transmit FTI are subject to Pub 1075. Agencies or agents that legally receive FTI directly from either the IRS or from secondary sources are also liable, as well as debt collectors and other agencies that procure contractor services.
Key Elements
Pub 1075’s section titled, “Computer System Security,” categorizes the NIST SP 800-53 control requirements in 18 comprehensive categories. Pub 1075 highlights the importance of enterprise security policies, the authorized use of FTI and secure data transfer. Other essential elements listed in Pub 1075 include data segregation, encryption, log monitoring, configuration monitoring, training and screening requirements and a detailed system security plan. Each of the key elements listed throughout the requirements are crucial for the protection of FTI in the IT environment.
See Schneider Downs’ continuing series for more detail on IRS Publication 1075 and control requirements.
References:
https://www.irs.gov/pub/irs-pdf/p1075.pdf
https://www.irs.gov/pub/irs-pdf/p4761.pdf