Data Incident Response

I. Introduction

Incidents are defined as events, realized or suspected, that put the security of COM information at risk. It is critical that incidents are promptly reported and responded to in the appropriate manner. Incidents may be classified as computer-related, confidential information-related, or both; incidents may also be public information-related.

A computer incident is defined as any real or suspected event which might compromise the integrity, availability, or confidentiality of COM systems or data. Incidents include any violation of information security policies, acceptable use policies, or standard computer security practices. Examples of incidents include but are not limited to: installation of malicious software, loss of COM equipment, information spillage, improper transmittal of COM data, or unauthorized access to COM systems.

II. Incident Triage

In the event of an incident, the user must first identify what type of incident occurred in order to determine the proper way to proceed. Users should follow these steps to accurately identify and react to incidents:

Triage Steps:

  1. If an incident involves any type of computing equipment, the user must immediately contact the Annapolis Data Center (ADC) Help Desk at (410) 260-7400. Refer to Section III.
  2. If an incident involves or potentially involves confidential information, the user must immediately contact their management, and then promptly contact the IRS Compliance Manager; if the IRS Compliance Manager is unavailable, the user should contact the ORM Risk Hotline ((410) 260-6083 or hotline@marylandtaxes.gov). Refer to Section IV.
  3. If an incident involves both computing equipment and confidential information, the user must contact the ADC Help Desk first, then the IRS Compliance Manager immediately following. In this scenario, Sections III and IV run concurrently.
  4. If an incident involves public information only, the user should contact their management. Refer to Section VI.

III. Computer Incident

If an electronic security incident may have occurred or may be imminent, the user must immediately contact their supervisor/manager and the ADC Help Desk at (410) 260-7400.

All available incident information must be given to the ADC Help Desk. The following information should be reported:

  • Name (unless reporting anonymously)
  • What happened (the nature or type of incident)
  • When it happened
  • Where it happened
  • Impact of the incident

Management may assist in the reporting of the incident information to the ADC Help Desk. See ITD Incident Response Procedures for more information regarding computer security incidents. If the computer incident involves confidential information, continue to Section IV.

IV. Incident – Confidential Information

Upon discovering a possible improper inspection or disclosure of confidential information, the user should immediately contact their management, and then promptly contact the ORM Risk Hotline ((410) 260-6083 or hotline@marylandtaxes.gov).

COM Management should assist the user in documenting and reporting the required information and expect to provide all relevant information to ORM. Users and their respective management are responsible for ensuring that the incident information provided is reported accurately and timely.

Note: Timely notification is the most important factor, not the completeness of the incident information. Additional information will be secured via conversations and documentation exchanged between the impacted division and ORM.

Note: Any incident involving information spillage should be considered to involve confidential information.

The focus of ORM’s review of the incident will be to identify processes, procedures, or systems which may be inadequate, or which contributed to the incident, and to ensure that the proper authorities are notified (e.g., TIGTA, SSA, etc.) as appropriate. If an incident involves information spillage, ORM will coordinate with ITD to ensure that the affected system(s) have been scrubbed of any misplaced data.

Based on the analysis of the incident, ORM may make recommendations to COM Management suggesting modifications to security policies, procedures, or controls so that data is more adequately protected. The IRS Compliance Manager will coordinate with division personnel to ensure appropriate follow-up and remediation actions are taken.

Note: If FTI is involved, continue to Section V.

V. Incident – Federal Tax Information

Upon discovering a possible improper inspection or disclosure of Federal Tax Information (FTI) – this includes any information provided to us by the Internal Revenue Service, the Treasury Bureau of Fiscal Service, and the Social Security Administration (collectively “federal authorities”) – the user must immediately contact their Appointing Authority and the ORM Risk Hotline. The user’s Appointing Authority must also notify the Deputy Comptroller.

The user’s Appointing Authority should assist the user in documenting and reporting the required information on the Federal Tax Information Incident Response Form.

COM Management—with the assistance of the IRS Compliance Manager—is responsible for ensuring that the required information is reported accurately and timely to the Deputy Comptroller and the appropriate federal authority(s). Federal authorities should be notified immediately—no later than within twenty-four hours—after the identification of a possible incident involving FTI. COM Management should not wait to determine if FTI was involved. If any FTI may have been involved, the agency must contact the appropriate federal authority(s) immediately.

If the incident involves a realized or suspected breach or loss of Treasury-provided information, COM must immediately notify the Fiscal Service’s IT Service Desk at (304) 480-4777 and/or itservicedesk@fiscal.treasury.gov. COM users shall ensure both the COM Help Desk and ORM are immediately notified of any incident.

If the incident involves a realized or suspected breach or loss of SSA-provided information, COM must notify the State official responsible for Systems Security designated in the agreement between the Annapolis Data Center and SSA within one hour. If, for any reason, the responsible State official is unable to notify the SSA Regional Office or the SSA Systems Security Contact within one hour, the responsible State Agency official or delegate must report the incident by contacting SSA’s National Network Service Center (NNSC) toll free at 877-697-4889 on behalf of the Data Exchange Coordinator (DEC) for his/her region (select “Security and PII Reporting” from the options list). As the final option, in the event the SSA contacts and the NNSC cannot be reached, the organization is to contact SSA’s Office of Information Security, Security Operations Center at 1-866-718-6425. The State official will provide updates to the SSA contact as they become available, as appropriate. Refer to the worksheet provided in the agreement between ADC and SSA to facilitate gathering and organizing information about an incident.

Note: Timely notification is the most important factor, not the completeness of the Federal Tax Information Incident Response Form.

COM Management will cooperate with the applicable federal investigators according to associated MOUs, SLAs, etc., providing data and access as needed to determine the facts and circumstances of the incident. The focus of the federal authority’s investigation of the unauthorized access or data breach incident will be to identify processes, procedures, or systems within COM with inadequate security controls. Based upon the analysis of the incident, COM may be required by the federal authority(s) to modify security policies, procedures, or controls to more appropriately protect FTI in the possession of COM. The federal authority(s) will coordinate with COM to ensure appropriate follow-up actions taken by COM have been completed to ensure continued protection of FTI in the possession of COM.

Once the situation has been appropriately reported, the IRS Compliance Manager will meet with the user and COM Management involved in an effort to complete the Incident Review section of the Federal Tax Information Incident Response Form.

VI. Incident – Public Information

If there is an incident involving public information, the user should report the event to their management; management must notify their division director. These incidents should be investigated and resolved within the division where the incident occurred.

For public information incidents, a COM Incident Review may be performed by the IRS Compliance Manager at the discretion of the applicable division director.

VII. Notification of Affected Individuals

Based on the details of the incident, it may be necessary to notify affected individuals whose information may have been compromised. COM Management will decide what type of notification will be required based on the details of the incident.

If the incident involved FTI, COM must inform the appropriate federal authority(s) of the applicable notification activities planned, preferably prior to making notification to the impacted individuals. In addition, COM must inform the related federal authorities of any pending media releases relating to the incident, to include sharing the text of publication, prior to its release.

VIII. CANCELLATION

None.