Safeguards Technical Assistance Memorandum

Protecting Federal Tax Information (FTI) in Databases through Labeling

Introduction

Databases are the central point for reviews conducted by the Office of Safeguards. Agencies use databases to store Federal Tax Information (FTI), which is then retrieved through queries for use in applications, making the FTI accessible to end users and, on the back end, to Database Administrators (DBAs). It is recommended that FTI be kept separate from other information to the maximum extent possible to avoid inadvertent disclosures. However, in situations where physical separation is impractical, IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, requires records to be clearly labeled to indicate that FTI is included in the record.

The Office of Safeguards has observed a wide range of database data element labeling practices while reviewing labeling and auditing procedures. Per Exhibit 9 of Publication 1075, “Within the application, auditing must be enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user.
This auditing requirement also applies to data tables or databases embedded in or residing outside of the application.” Agencies are responsible for implementing audit logging of FTI, which includes identifying the data to be audited, creating audit logs as the data is accessed, and performing analytics and monitoring on those audit logs. The first step in effectively auditing FTI access is to label the data properly upon receipt. If the data is not properly labeled, the auditing function cannot be configured to be compliant. Organized, consistently applied labeling helps the agency enforce access control on the data elements, identify what needs to be audited and logged, and identify which network components are required to comply with Publication 1075.

Mandatory Requirements for Data Labeling

To use a database to store FTI, the agency must meet the following mandatory requirements and apply them to each database that contains FTI:

- Agencies must identify the FTI data they have and consistently apply labels to that data, so that the data is easily identified even when commingled.
- A data labeling legend or other explanatory document must be maintained by the agency, which identifies the labeling methodology applied and allows a reviewer to quickly identify which data elements are FTI in an individual table or database.

#1 Proper FTI Labeling

Agencies must determine their labeling approach and apply it consistently to all FTI before it migrates into the agency’s IT environment. To label data properly, agencies must first determine how the data is to be identified. Typically, this means identifying the data at its entry point into the agency’s environment. Although including source information in the labeling convention is not a requirement, it is strongly recommended in order to better track FTI throughout the IT environment.
Data labeling can be accomplished in a variety of ways depending on the vendor. For example, one product allows data security to be configured on the basis of sensitivity labels composed of a combination of levels, compartments, and groups: the level is the sensitivity, the compartment indicates the type of data, and the group further separates the data and can indicate its origin. Another product provides label-based access control (LBAC), which enforces access at the row and column levels.

Publication 1075 does not prohibit FTI from being commingled with non-FTI data, provided the proper controls are in place. However, when data is commingled, it must be identified at the most granular level at which the commingling occurs. For example, if data is commingled at the table level, i.e. a database contains both FTI and non-FTI tables, the tables must be labeled so that it is readily apparent which tables contain FTI. Additionally, if FTI and non-FTI data are commingled within a table, the FTI data must be explicitly labeled and identified as such.

Labeling must be applied consistently. For example, if audit logs are migrated to a logging server accessible by an audit analysis application, the data elements must retain their labeling throughout the data movement process, from the point where the data is received to wherever it moves within the network. The labels must never be removed from the data.

Proper labeling allows an agency to easily identify the security requirements for the data and allows data of different sensitivities to be stored together. This reduces administrative overhead from a database maintenance perspective, since a separate database need not be maintained for each sensitivity level. If FTI is not properly identified and labeled in the agency’s environment, it is likely that the data will not be audited correctly. In databases with tables that contain only FTI (i.e. are not commingled), the FTI can be identified at the table level.
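As an added illustration (not part of the memorandum, and not any vendor's product code), the following Python models the level/compartment/group label scheme described above together with a labeling matrix of the kind the memo recommends under Documenting Labeling Methodology: it lists the elements whose access must be audited and decides whether a clearance may read a given element. All table names, labels, ranks and clearances are constructed, and the dominance rule is a simplified version of what such products apply.

```python
from dataclasses import dataclass

# Hypothetical sensitivity ranks; the memo names none, these are constructed.
LEVELS = {"PUBLIC": 0, "SENSITIVE": 10, "FTI": 20}

@dataclass(frozen=True)
class Label:
    """A sensitivity label in the level/compartment/group form the memo describes."""
    level: str                              # sensitivity, e.g. "FTI"
    compartments: frozenset = frozenset()   # type of data, e.g. {"RETURN"}
    groups: frozenset = frozenset()         # origin of the data, e.g. {"IRS"}

    def dominates(self, data):
        """True when a clearance may read data carrying label `data`: its level is
        at least as high, it holds every compartment of the data, and, if the data
        names origin groups, it shares at least one of them."""
        return (LEVELS[self.level] >= LEVELS[data.level]
                and data.compartments <= self.compartments
                and (not data.groups or bool(self.groups & data.groups)))

# Constructed labeling matrix keyed by (table, column).  A table holding only FTI is
# labeled once at the table level (column None); a commingled table labels each column.
MATRIX = {
    ("tax_return_raw", None):    Label("FTI", frozenset({"RETURN"}), frozenset({"IRS"})),
    ("case_file", "ssn"):        Label("FTI", frozenset({"RETURN"}), frozenset({"IRS"})),
    ("case_file", "agi"):        Label("FTI", frozenset({"RETURN"}), frozenset({"IRS"})),
    ("case_file", "case_notes"): Label("SENSITIVE"),
    ("case_file", "case_id"):    Label("PUBLIC"),
}

def fti_elements(matrix=MATRIX):
    """List every element labeled FTI: the set whose access must be audited."""
    return sorted(((t, c) for (t, c), lab in matrix.items() if lab.level == "FTI"),
                  key=lambda k: (k[0], k[1] or ""))

def effective_label(table, column, matrix=MATRIX):
    """A column-level label wins; otherwise fall back to the table-level label."""
    return matrix.get((table, column)) or matrix.get((table, None))

def can_read(clearance, table, column, matrix=MATRIX):
    """Access decision for one element.  An unlabeled element is a defect in the
    matrix, not an implicit grant, so it is rejected loudly rather than allowed."""
    lab = effective_label(table, column, matrix)
    if lab is None:
        raise KeyError(f"{table}.{column} is not in the labeling matrix")
    return clearance.dominates(lab)

if __name__ == "__main__":
    dba = Label("FTI", frozenset({"RETURN"}), frozenset({"IRS"}))
    print(fti_elements())
    print(can_read(dba, "case_file", "ssn"), can_read(dba, "case_file", "case_notes"))
```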
In situations where FTI is commingled with non-FTI data at the data element level, the FTI must be labeled at that level so that each FTI data element can be clearly identified as such.

#2 Documenting Labeling Methodology

The agency must document its labeling methodology and maintain a listing of how each element is labeled throughout each database that contains FTI. The agency can choose its own documentation approach; however, a matrix is often most useful for documenting data labeling. A matrix allows the agency not only to map how data is labeled throughout the environment but also to map group permissions to the data elements. This serves the dual purpose of documenting the methodology and ensuring that least privilege is applied.

References

Additional information can be found in the following documents:

- IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, http://www.irs.gov/pub/irs-pdf/p1075.pdf
- Oracle Label Security Best Practices, An Oracle White Paper, June 2008, http://www.oracle.com/technetwork/database/focus-areas/security/twp-security-db-label-best-practice-134426.pdf
- IBM Informix 11.70, Label-based access control, http://publib.boulder.ibm.com/infocenter/idshelp/v117/index.jsp?topic=/com.ibm.sec.doc/ids_lb_002.htm
r!"ƒ"„"†"‡"‰"Š"Œ""–"—"˜"ůůůů÷÷÷÷÷÷÷÷ňňň÷÷÷÷÷÷÷÷éç÷„ü˙„&`#$ & F7$8$H$Ő 4 5 8 9 ‚ ƒ ˙ !n!o!Ł!¤!""}"~""‚"„"…"‡"ˆ"Š"‹""Ž"”"•"–"˜"™"Ÿ" "Ą"˘"Ł"Ś"§"óâÓâóĹóâóâÓâóâóâÓâóŔŔŔŔšśšśŠ Š’Š ó0JOJQJ^JmHnHu0JOJQJ^Jj0JOJQJU^J0J j0JU jU6OJQJ^JaJmH sH 0JOJQJ^JaJmH sH !jOJQJU^JaJmH sH OJQJ^JaJmH sH (˜"Ł"¤"Ľ"Ś"§"öôňňí & F„ü˙„&`#$301hP°Đ/ °ŕ=!° "° # $ %°°Đ°Đ Đ†$œž0H@ń˙H Normal,nCJOJQJ_HmH sH tH ^@2^ ! Heading 3¤d¤d@&[$\$5CJOJQJ\aJmH sH DA@ň˙ĄD Default Paragraph FontRió˙łR  Table Normalö4Ö l4Öaö (kô˙Á(No List .ţô˙ń.Appendix F*W@ň˙* Strong5\PB@P " Body Text¤d¤d[$\$OJQJaJmH sH jšł#j  Table Grid7:VÖ0˙˙˙˙˙˙6U@ň˙16  Hyperlink >*B*ph˙4 @B4 Footer  ĆŕŔ!.)@˘Q.  Page Number4@b4 Header  ĆŕŔ!8ţOň˙q8  Char Char OJQJ_HLZ@‚L  Plain TextCJOJQJmHnHsHtHB'ň˙‘B Comment ReferenceCJaJ8˘8  Comment TextCJ@jĄ˘@ Comment Subject5\H™ÂH  Balloon TextCJOJQJ^JaJbţOń˙Ňb Default 7$8$H$-B*CJOJQJ^J_HaJmH phsH tH dţOâd msolistparagraph „Đ^„Đ OJPJQJaJmH nHsH tHf0@ŃŇf 0 List Bullet  & F Ćh„„^„`„B*OJQJ^Jph˙@ţO@  List Paragraph „Đ^„Đ<ţOň˙<  Char Char25CJ\aJ6ţOň˙!6  Char Char1CJaJFV@ň˙1F FollowedHyperlink >*B*ph€€§0˙˙˙˙ ˙˙ z™ ˙˙ z™ ˙˙ z™> ’§„+stBC ˛łČÉňŽ1 2 % & = > D E JK‰ŠđńÉĘîď#de9r˜Ł¨$Ź$Ź$Ź$Ź $Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź $Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź$Ź†Ź$Čă+stBC ˛łČÉňŽ1 2 % & = > D E JK‰ŠđńÉĘîď#de9rƒ„†‡‰ŠŒ–—˜Ł¤Ľ¨˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜% 0€€€˜0€€€˜% 0€€€˜ 0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€€˜0€€˜0€€˜0€€˜0€€˜0€€˜0€€˜ 0€€˜ 0€€˜ 0€€¨‘0Ȩ‘0Ȩ‘0Ȩ‘0Ȩ‘0ż¨‘0€¨‘0ż¨‘0€¨‘0Ȩ‘0€¨‘0€˜0€€˜0€€¨‘0Ȩ‘0­ $$$'Ő§"Š˜"§"Ś"Ô 4‚˙nŁ}§X˙€X˙€X˙€  '!•!˙•€đ8đ@ń˙˙˙€€€÷đ’đđ0đ( đ đđB đS đżË˙ ?đ˙˙ OLE_LINK2 OLE_LINK1¨++¨9 A ž Ś 4 < Ůၨ#É×JQT].0\sQXp~$ 0 g y Ď é đ  S f  + “ ž |ŒV•“˘Š•Ęß'j,8iw$3:F¨::::::::::::::::::::::::::¨¨5ĺ°?šGԉ›˙˙˙˙˙˙˙˙˙sč ć É)’˙˙˙˙˙˙˙˙˙‰˙˙˙ÔpJUÍ#N|‰˘v˙˙˙˙˙˙˙˙˙ĐM¸„zˆ_˙˙˙˙˙˙˙˙˙D#ć@‡ĘŢ˙˙˙˙˙˙˙˙˙oqD 6DŢ˙˙˙˙˙˙˙˙˙&kˇ Žę‚Ŕ˙˙˙˙˙˙˙˙˙}Fü 
TŒŘ˙˙˙˙˙˙˙˙˙GÜ6DŢ˙˙˙˙˙˙˙˙˙ÜLÓŔÇüÍ˙˙˙˙˙˙˙˙˙á kšLŃ˙˙˙˙˙˙˙˙˙\%Ř1đs˙˙˙˙˙˙˙˙˙Ŕ}žň÷„6˙˙˙˙˙˙˙˙˙tJť|X1˙˙˙˙˙˙˙˙˙P@Ý"nג€˙˙˙˙˙˙˙˙˙.Ń$šŸÜš˙˙˙˙˙˙˙˙˙6F'2üŞ˙˙˙˙˙˙˙˙˙‹ß)äő„î˙˙˙˙˙˙˙˙˙qNĐ;`ç ˙˙˙˙˙˙˙˙˙Mź> ˙‹(J@žVY˙˙˙˙˙˙˙˙˙ŸJč@T‹°A˙˙˙˙˙˙˙˙˙lžAČťNL˙˙˙˙˙˙˙˙˙šNßAŠF˙˙˙˙˙˙˙˙˙[đCęĽÜ=˙˙˙˙˙˙˙˙˙ @\D\(Ő˙˙˙˙˙˙˙˙˙Ş/ěE2üŞ˙˙˙˙˙˙˙˙˙!9GLłD’˙˙˙˙˙˙˙˙˙ŰL˝HFɌV˙˙˙˙˙˙˙˙˙Űq˝JޜÖf˙˙˙˙˙˙˙˙˙]yęLę#Y˙˙˙˙˙˙˙˙˙˙\ęP<“˜ś˙˙˙˙˙˙˙˙˙!5ÇSÎUâç˙˙˙˙˙˙˙˙˙œožT„‰Đ$˙˙˙˙˙˙˙˙˙KŘUžŻ.˙˙˙˙˙˙˙˙˙ @\D]1°noqD …IhGÜtJť‰˙˙˙[đCD#ć6F'Ş/ěEœožT\%P@Ý"ÜLÓj{Qq]yęL.Ń$ýxš\lžA!5ÇSŔ}žÁOk‹(J@=q~;ĐM¸e[ir3Ťa!9Gß0V}üV4Z@˘{qNĐ;                          Đ0ŠŃ4˘Ě e˜- `WXëČčjJ¤'źcHKJ)Ę‚Şp         žőw                 ´Áž<řCâŸë ňZZH̨ä˝Zp~‘ÄL^żä2ĘOd)         Ȩ@ó¸-ŕ >Đ@˛úŽzˇÉ¸éĄĘ>H ĐddRAQý$q`ÝB óRvQ”ůxŘ8ŔOčĐ N'˘—5m6yŞ'Ţ;‚:Î* @D 3ŢKv™œ0F4Ä(˘ ™Lă!!xŸ"ľĚDv€Gtˇ"3Gz#R Ľ#šsß ĽIW$‹\$zXŘK a7%R Ľ#li%“jTFPĐ N''iđm(0\'ŔOčŐ?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnţ˙˙˙pqrstuvţ˙˙˙xyz{|}~ţ˙˙˙ý˙˙˙ý˙˙˙‚ţ˙˙˙ţ˙˙˙ţ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙Root Entry˙˙˙˙˙˙˙˙ 
ŔF€0‘sl’Ě„€1Table˙˙˙˙˙˙˙˙őŤWordDocument˙˙˙˙˙˙˙˙50SummaryInformation(˙˙˙˙oDocumentSummaryInformation8˙˙˙˙˙˙˙˙˙˙˙˙wCompObj˙˙˙˙˙˙˙˙˙˙˙˙q˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ţ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ţ˙ ˙˙˙˙ ŔFMicrosoft Office Word Document MSWordDocWord.Document.8ô9˛q