Flying Fox wrote:
They talk about encrypting in transit too in addition to "static" encryption. I just scanned the doc so my question is even if you encrypt the file, can you send the encrypted file over the clear in regular email, or even the email itself has to be secure?
"Applicability of Encryption Requirements: Electronic Mail
IRS Publication 1075 states e-mail systems shall not be used to transmit FTI data. Under the circumstances where there is an agency business requirement to use e-mail to transmit FTI, both the FTI data and message itself must be encrypted to protect the confidentiality of FTI."
Most email servers will screen out encrypted attachments as Spam anyway.
Back to the document.
"External (outside agency LAN)
All FTI that is transmitted over the Internet, including via e-mail to external entities must be encrypted. This includes all FTI data transmitted across an agency’s Wide Area Network (WAN).
Applicability of Encryption Requirements: Application Sessions
All application user sessions, whether those be client/server or web-based applications, that access FTI from a back-end database or other server shall be encrypted and provide end-to-end encryption, i.e., from workstation to point of data.
It is recommended that all data transmissions between the server and the workstation occur over a VPN that employs FIPS 140-2 compliant end-to-end encryption. If a VPN solution is not feasible, then an alternate end-to-end encryption mechanism such as using HTTPS protocol and Secure Sockets Layer (SSL)v3 (TLS) encryption is acceptable. SSL encryption should be based on a certificate containing a key no less than 128 bits and FIPS 140-2 compliant."
The important thing to take away is that HTTPS using TLS 1 or SSL 3 is sufficient for transmission across the Internet. This makes things infinitely easier, and most of this is server config. Just clarify where your responsibility ends and the client's begins. Figuring out when it's "not your problem anymore" is the key thing.
It also suggests that VPNs, presumably IPSec VPNs, be used whenever possible, which I agree with. The second part leaves the door open for SSL-VPNs, so that could be an option with the correct configuration.
The end-to-end encryption will have to be taken on a per application basis. Some may default to using encryption for communication and some may not.
I also found out Firefox can be FIPS compliant, so that cool. (https://developer.mozilla.org/en/NSS/FI ... xplanation
"Applicability of Encryption Requirements: FTI Data at Rest
While encryption of data at rest is an effective defense-in-depth technique, encryption is not currently required for FTI while it resides on a system (e.g., in files or in a database) that is dedicated to receiving, processing, storing or transmitting FTI, is configured in accordance with the IRS Safeguards Computer Security Evaluation Matrix (SCSEM) recommendations and is physically secure restricted area behind two locked barriers. This type of encryption is being evaluated by the IRS as a potential policy update in the next revision of the Publication 1075.
However, if a system is used to receive, process, store or transmit FTI that also serves a secondary function not related to FTI processing (e.g., a workstation used to download FTI files from Secure Data Transfer system also serves as an employee’s user workstation), and this system does not meet the IRS SCSEM recommendations for secure configuration and physical security, the FTI residing on that system should be encrypted using FIPS 140-2 compliant encryption. This can be accomplished for example, using the Encrypting File System (EFS) on Windows 2000, XP and 2003 Server systems with the AES encryption algorithm."
You're servers don't need full disk encryption, provided they are configured and secured correctly, but workstations do need, at least, an encrypted folder. The article goes on to talk about how the IRS uses full disk encryption for laptops since everything gets encrypted, so take that as you will. [Edit: Full disk encryption will be easier for users as they won't have to worry about accidently placing data where it shouldn't be.]
TrueCrypt can create encrypted folders or EFS, as mentioned, can be used. I actually use TrueCrypt to secure passwords and such as work on my workstation.
The above is just my interpretation of the linked document. I don't have any direct experience with the IRS, but everything seems reasonable enough.