Every year, organizations struggle to know exactly how they should handle Federal Tax Information (FTI). The challenge is that many organizations don’t realize the repercussions associated with accidentally mishandling, storing, using, transmitting, or disposing of FTI. In fact, if your organization has FTI in its possession, then you must comply with all aspects of IRS-1075. A failure to comply with IRS-1075 could result in both legal action and associated criminal penalties.
What Is IRS-1075?
The Internal Revenue Service Publication 1075 (IRS-1075) is a set of guidelines that all organizations possessing FTI data must follow. The publication features information on the controls, safeguards, practices, and policies that organizations, as well as their contractors and recipient agencies, must follow if they are to successfully protect the confidentiality of FTI data. IRS-1075 also includes operational, managerial, and technical security controls. In order to be considered compliant with IRS-1075, organizations must be able to show the IRS that they are a) following the established guidelines, and b) capable of actively protecting the confidentiality of FTI information through established safeguards.
How Can Your Organization Remain Compliant With IRS-1075?
If your organization is to remain compliant with IRS-1075, then it must ensure that all FTI data is secure. To do this, your organization will need to implement certain processes, checks, measures, and safeguards to ensure that the FTI data remains confidential and safe. It is important to note that the rules denoted within IRS-1075 apply regardless of the size or significance of the FTI data. These rules also apply regardless of the storage method used (i.e. paper or electronic). Finally, IRS-1075 guidance is designed to cover every stage of the FTI data. From receipt to transfer, storage to usage, access to transmission, and finally its disposal, the data must remain safe, secure, and confidential at all stages.
As noted within IRS-1075, a few of the standardized safeguards and controls that organizations will need to follow, if they are to remain compliant, can be found in the following list.
Record Keeping Requirements.
A secure and accurate record-keeping system must be established. This record-keeping system should include all of the FTI records, any documents or data associated with the FTI records, and information regarding access rights to the data. As discussed within the secure storage controls, a log should be kept regarding the access, transfer, usage, storage, and eventual disposal of the FTI records.
Secure Storage.
This particular control refers to the specific details regarding the physical and electronic security of FTI data. IRS-1075 includes guidance regarding locks, vaults, safes, keys, authorized access, and secure transportation of the data. To remain compliant with this control, you will also need to review the security of your organization’s devices, media storage solution, and network.
Restricting Access.
FTI data should only be accessed by authorized parties. In this vein, if the data is stored digitally, then restricted access protocols will need to be followed to ensure that the network and subsequent data remain secure.
Reporting Requirements.
IRS-1075 requires periodic reports, including the SAR (Safeguard Activity Report) and the SPR (Safeguard Procedures Report) to be sent to a designated IRS point of contact for an internal review.
Training And Inspections.
Employees who are responsible for handling, storing, securing, transporting, or the disposal of FTI data must receive the appropriate security training. Additionally, employees will need to receive an annual certification. Annual inspections will also need to be conducted to ensure that the proper methods are implemented throughout the lifetime of FTI data.
Disposal.
Whether it is in physical or electronic form, the FTI data must be disposed of securely and properly in accordance with IRS-1075 guidelines.
Computer System Security.
This particular safeguard is incredibly complex. In fact, it is the area where most organizations are not in fact compliant with IRS-1075. This section includes cybersecurity best practices, such as File Integrity Monitoring (FIM) and Security Configuration Management (SCM).
If organizations are to remain compliant with all of the above controls, especially the computer system security safeguard, then they must complete an array of tasks. These security tasks include reviewing proposed configuration-controlled changes, conducting security impact analyses, and determining if any changes to the information system are necessary to ensure the security of FTI data. If changes are necessary, then the organization will need to implement them, test them for security weaknesses, and retain records of all changes. As part of their testing components, organizations are encouraged to conduct both internal and third-party audits. In short, whether your organization has a private data center, is using a hybrid data center, or is storing data in paper form, to remain compliant with IRS-1075, you must ensure that all rules are followed.
Complete A Compliance Check Today To Avoid Fines, Criminal Penalties, And Legal Action
Like other government guidelines, IRS-1075 will continue to evolve with each new revision. However, it is important to note that a failure to properly handle FTI data, and thus incur a breach of IRS-1075 rules and safeguards, could result in a hefty fine. The good news is that I.S. Partners, LLC has an auditing team that is here to help.
While this blog post has served as an introductory guide to IRS-1075, our team is standing by to offer an in-depth explanation of the purpose of each category, control, process, and safeguards. From start to finish, we can help you to properly secure FTI data so that it remains confidential, and your organization can sustain its IRS-1075 compliance.