Network Infrastructure - General Support System (NI-GSS) Privacy Impact Assessment (PIA)



Similar documents
Privacy Impact Assessment (PIA)

Central Application Tracking System (CATS) Privacy Impact Assessment (PIA) Version 1.0. April 28, 2013

PRIVACY IMPACT ASSESSMENT

Privacy Impact Assessment. For. Non-GFE for Remote Access. Date: May 26, Point of Contact and Author: Michael Gray

Homeland Security Virtual Assistance Center

Final Audit Report. Report No. 4A-CI-OO

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

A. SYSTEM DESCRIPTION

POSTAL REGULATORY COMMISSION

A. SYSTEM DESCRIPTION

Privacy Impact Assessment for the. Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS)

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Department of the Interior Privacy Impact Assessment

FHFA. Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME)

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)

Final Audit Report -- CAUTION --

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

FedRAMP Standard Contract Language

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Integrated Financial Management Information System (IFMIS) Merger

General Support System

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

CASE MATTER MANAGEMENT TRACKING SYSTEM

Privacy Impact Assessment

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

Federal Trade Commission Privacy Impact Assessment. Conference Room Scheduling PIA

Department of Veterans Affairs VA Handbook Information Security Program

A. SYSTEM DESCRIPTION

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Department of Homeland Security Web Portals

FSIS DIRECTIVE

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Web Time and Attendance

Privacy Impact Assessment

Privacy Impact Assessment Forest Service Computer Base Legacy

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

A. SYSTEM DESCRIPTION

PRIVACY IMPACT ASSESSMENT TEMPLATE

Were there other system changes not listed above? No 3. Check the current ELC (Enterprise Life Cycle) Milestones (select all that apply)

Standards for Security Categorization of Federal Information and Information Systems

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Privacy Impact Assessment. For. TeamMate Audit Management System (TeamMate) Date: July 9, Point of Contact: Hui Yang

The Bureau of the Fiscal Service. Privacy Impact Assessment

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Verizon Notification Service (VNS)

Review of the SEC s Systems Certification and Accreditation Process

A. SYSTEM DESCRIPTION

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

SMITHSONIAN INSTITUTION

A. SYSTEM DESCRIPTION

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment. for the: Secure File Transfer System

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

A. SYSTEM DESCRIPTION

A. SYSTEM DESCRIPTION

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Department of the Interior Privacy Impact Assessment

Department of the Interior Privacy Impact Assessment

A. SYSTEM DESCRIPTION

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

BPA Policy Cyber Security Program

REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

Minimum Security Requirements for Federal Information and Information Systems

USDA. Privacy Impact Assessment. APHIS Enterprise Infrastructure General Support System (AEI GSS)

Privacy Impact Assessment (PIA)

Secure Gateway (EMSG)

Privacy Impact Assessment. For EDUCATE. Date October 28, Point of Contact: System Owner: Lisa Mendis Author: Michael Rohde

A. SYSTEM DESCRIPTION

DEPARTMENT OF STATE FISCAL YEAR 2008 PRIVACY IMPACT ASSESSMENT

How To Understand The System'S Purpose And Function

Federal Trade Commission Privacy Impact Assessment. for the: Gilardi & Co., LLC Claims Management System and Online Claim Submission Website

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

How To Understand The System Of Records In The United States

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

A. SYSTEM DESCRIPTION

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

Permit Power of Attorney (PoA) to establish an agreement on behalf of the taxpayer

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

REMEDY Enterprise Services Management System

Federal Trade Commission Privacy Impact Assessment. for the: Analytics Consulting LLC Claims Management System and Online Claim Submission Website

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment for:

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

Privacy Impact Assessment For Management Information System (MIS) Date: September 4, Point of contact: Hui Yang

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

Department of the Interior Privacy Impact Assessment Template

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

Issue Based Management Information System (Redesign) is a Small Other system/application sponsored by LB&I.

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

Privacy Impact Assessment for the. January 19, 2007

Department of the Interior Privacy Impact Assessment (PIA) Updated February 2011

Physical Access Control System

Transcription:

Network Infrastructure - General Support System (NI-GSS) Privacy Impact Assessment (PIA) System Categorization: Moderate Version 1.5 May 30, 2013 Prepared by: Security & Compliance Services (SCS) and Infrastructure and Operations (I&O)

DOCUMENT CHANGE CONTROL PRIVACY IMPACTASSESSMENT (PIA) VERSION DATE SUMMARY OF CHANGES NAME 1.0 10/21/2008 Initial Working Draft COACT Inc. 1.1 11/12/2008 Final COACT, Inc 1.2 5/4/2009 Changes in approval requirements IRM/Woodson 1.3 1/13/2011 Update /Review of Document IRM/Curtis 1.4 10/16/2012 Update /Review of Document ITS/I&O/Stewart 1.5 5/30/2013 Updated for Authorization SCS -1-

Purpose The Privacy Impact Assessment (PIA) is completed as a mandatory step in the certification and accreditation of IT systems, applications, and projects, that collect, process, store, and disseminate Personally Identifiable Information (PII). The PIA examines the ways in which PII data are managed and protected by the target of evaluation. NOTE This document was prepared in support of the system s Certification and Accreditation effort. The document was developed in accordance with, or following the guidance contained in, the following: The Privacy Act of 1974 (Public Law 92-132, 5 U.S. C. 552a). Federal Information Security Management Act of 2002 (Title III of P.L. 107-347). Section 208 of the E-Government Act of 2002 (Public Law 107-347, 44 U.S.C. Ch 36), April 17, 2003. Office of Management and Budget (OMB) Memorandum M-03-18, Implementation Guidance for the E-Government Act of 2002, August 1, 2003. OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003. OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006. OMB Circular No. A-130, Revised, (Transmittal Memorandum No. 4): Management of Federal Information Resources, 28 November 2000. Computer Matching and Privacy Act of 1988 (Public Law 100-503). Department of the Treasury Publication, TD P 25-05, Privacy Impact Analysis Manual, dated July 2006-2-

Table of Contents PRIVACY IMPACTASSESSMENT (PIA) Page 1. SYSTEM IDENTIFICATION... 4 1.1 NAME OF SYSTEM, PROJECT, OR PROGRAM:... 4 1.2 RESPONSIBLE ORGANIZATION... 4 1.3 INFORMATION CONTACT(S)... 4 1.4 SECURITY CATEGORIZATION... 4 1.5 SYSTEM OPERATIONAL STATUS... 5 1.6 GENERAL DESCRIPTION/PURPOSE... 5 1.7 SYSTEM ENVIRONMENT... 6 1.8 FUTURE CHANGES TO NETWORK INFRASTRUCTURE (GSS)... 7 1.9 SYSTEM INTERCONNECTION/INFORMATION SHARING... 7 2. PRIVACY IMPACT ASSESSMENT... 7 2.1 PRIVACY ASSESSMENT... 7 2.2 DATA IN THE SYSTEM/APPLICATION... 8 2.3 SYSTEM OF RECORDS (SOR) NOTICE...10 2.4 SECURITY ASSESSMENT AND AUTHORIZATION (SA&A)...10-3-

PRIVACY IMPACT ASSESSMENT 1. SYSTEM IDENTIFICATION 1.1 NAME OF SYSTEM, PROJECT, OR PROGRAM: Network Infrastructure (NI) General Support System (GSS) 1.2 RESPONSIBLE ORGANIZATION Office of the Chief Financial Officer Office of the Comptroller of the Currency (OCC) 400 7 th Street, SW, Washington, DC 20024. 1.3 INFORMATION CONTACT(S) Names of persons knowledgeable about the system, the system and data owner, security personnel, etc.: See PTA (Privacy Threshold Analysis) document 1.4 SECURITY CATEGORIZATION The system was assessed in its Security Categorization Report (SCR) as, under guidance contained in Federal Information Processing Standards (FIPS) Publication (PUB) 199, Standards for Security Categorization of Federal Information and Information Systems, December 2003, as follows: Information Type Confidentiality Integrity Availability Services Delivery Support Information Moderate Moderate Moderate Rationale and Factors for Government Resource Management Information Moderate Moderate Low Disaster Management Mission Area Low Low Moderate Economic Development Mission Area Moderate Low Low Workforce Management Mission Area Low Low Low -4-

Information Type Confidentiality Integrity Availability Income Security Mission Area Moderate Moderate Moderate Litigation and Judicial Activities Mission Area Moderate Moderate Moderate Knowledge Creation and Management Mission Area Low Low Low Regulatory Compliance and Enforcement Mission Area Moderate Moderate Low Overall Per Category Moderate Moderate Moderate SYSTEM OVERALL MODERATE 1.5 SYSTEM OPERATIONAL STATUS The system is currently Operational. 1.6 GENERAL DESCRIPTION/PURPOSE The OCC is a nationwide network facilitating the data processing needs of the OCC and supports OCC users throughout the country in carrying out their responsibilities to charter, regulate and supervise all national banks and federal savings associations. It provides the hardware, software, program code and business logic to support the operation and management of the OCC s technology services. In addition, the provides primary security services and data security mechanisms in support of OCC applications. These security services include Identification and Authentication (I&A), Logical Access Controls, and Auditing. Users employ the Identification & Authentication service when they first log into the network and then gain access to specific applications and general resources (e.g., network servers, network drives, print/file sharing, e-mail, intranet, and Internet access). The is essential to performing the OCC s mission. Without it, the supported major applications (MAs) and their missions would either be severely degraded or unable to function. This GSS supports the OCC in achieving its objectives, which are as follows: Ensure the safety and soundness of the national system of banks and savings associations. Foster competition by allowing banks to offer new products and services. -5-

Improve the efficiency and effectiveness of OCC supervision, including reducing regulatory burden. Ensure fair and equal access to financial services for all Americans. The NI-GSS primary location is the Ashburn Data Center in Virginia. 1.7 SYSTEM ENVIRONMENT The NI-GSS provides core and critical information technology support and services to OCC hosted applications and databases. The OCC uses a Wide Area Network (WAN) to maintain Internet across the organization s many locations with a Local Area Network (LAN) in the individual buildings. The OCC maintains a dedicated nationwide network to its data center. The OCC WAN consists of an AT&T Multi-Protocol Label Switching (MPLS) telecommunications network that supports the transfer of data between Headquarters, the Data Center, four district offices, the Ombudsman s office and 96 field/bank offices. The Network Operating System (NOS) and workstation clients are Microsoft based. The network transport is industry standard TCP/IP which primarily supports a Microsoft networking infrastructure. OCC data information is routed using OCC-owned equipment and does not travel through public networks. The OCC dedicated WAN telecommunication links are not encrypted. This vulnerability has been considered low risk because it would require accessibility to facilities, specialized equipment, and product specific expertise to monitor or access OCC data on WAN lines. The main components of the environment included in this documentation are the: Physical Environment of the OCC Facilities (Data Center, Large Offices, Field Offices) Storage Area Network (SAN) Mainframe Server (non-specific) Client Systems (Desktops, Laptops, and Mobile devices) Network Perimeter Devices and Boundary Protection Remote Access Devices Active Directory (AD) File/print servers Database Management Systems Messaging (Exchange, Blackberry Enterprise Server) Citrix VM ware -6-

1.8 FUTURE CHANGES TO NETWORK INFRASTRUCTURE (GSS) There are currently no future changes planned for the. 1.9 SYSTEM INTERCONNECTION/INFORMATION SHARING The OCC includes several interconnections with other information technology services. For Technical Detail see the OCC System Security Plan. 2. PRIVACY IMPACT ASSESSMENT 2.1 PRIVACY ASSESSMENT The following paragraphs detail the Privacy Assessment applicable to the Network Infrastructure (GSS). 2.1.1 Does this system collect any personal information in identifiable form about individuals? Yes No 2.1.2 Does the public have access to the system? Yes No 2.1.3 Has a PIA been completed in the past? Yes No 2.1.4 Has the existing PIA been reviewed within the last year? Yes No N/A 2.1.5 Have there been any changes to the system since the last PIA was performed? Yes No N/A -7-

2.2 DATA IN THE SYSTEM/APPLICATION PRIVACY IMPACTASSESSMENT (PIA) 2.2.1 What elements of PII are collected and maintained by the system? The GSS provides infrastructure for Information Technology (IT) capabilities provisioning to OCC employees, contractors, national banks and other financial regulatory entities at any given time in the present and future. This is a GSS that provides for the transmission of data from internal or external sources to the appropriate OCC system. The OCC uses individual s first and last name in the email system to establish email accounts. 2.2.2 Why is the information being collected? Employee and contractor information (names) are collected from individuals when the individual requests an email account within the OCC email system. This information is collected for purposes of user identification and authentication. 2.2.3 What are the sources of the information in the system? Information is NOT collected from any other source than the individual. 2.2.4 How will the data collected from sources other than Federal agency records or the individual be verified for accuracy? Each individual is responsible for the accuracy of information submitted. Information collected in support of hosted applications is contained in the individual application PIA. 2.2.5 Who will have access to the data and how is access determined? Information Technology Service (ITS) staff maintains the OCC. The email system administrator has unrestricted access to email accounts for the purpose of maintaining and supporting the system, creating and deleting accounts, and performing restoration activities. All activities of the System Administrator (SA) are recorded and subject to audit. Other system operations and maintenance access is determined by enforcement of role based access controls and least privilege (limiting access to an absolute minimum necessary for mission accomplishment). Details are contained in the OCC System Security Plan. Application SAs and database administrators (DBAs) are granted access to hosted major applications using least privilege and role based access controls -8-

(RBAC) that limit access to their specific major application and or associated database. Details are contained in individual application system security plans (SSP) and PIAs. 2.2.6 Describe the administrative and technological controls that are in place or that are planned to secure the information being collected. Administrative Controls: o Position Descriptions detailing specific duties and responsibilities o Sensitivity Determinations o Least Privilege o Security (and Privacy) Awareness and Training Technological Controls o Role Based Access Control o Audit o Security Analysis and Reviews 2.2.7 What opportunities will individuals have (if any) to decline to provide information or to consent to particular uses of the information? Individuals requesting email accounts within the OCC are asked to provide their names to establish an email account. The application for an email account is voluntary, however if the individual does not provide their name, an individual email account cannot be established for them. Information regarding application acquisition of PII is contained in individual PIAs. 2.2.8 What is the life expectancy of the data and how will it be disposed of when it is no longer needed? Within the OCC email system, accounts are active until the individual is no longer assigned or employed by OCC. When no longer required, accounts are deleted from the system by the email administrator. OCC maintains media sanitization procedures consistent with TD P 15-71 for electrical and optical storage devices. Devices are cleared, sanitized and checked for PII and SBU data before being reallocated to use by the system. Media devices that cannot be sanitized are destroyed using approved procedures detailed in TD P 15-71. -9-

Specific procedures for FISMA Systems are contained in individual application PIAs and SSPs. 2.2.9 Is the system owned, operated, and maintained by a contractor? Yes No 2.3 SYSTEM OF RECORDS (SOR) NOTICE Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. 552a) or an alteration to an existing system of records? Yes No Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources (Revised) (Transmittal Memorandum No. 4), December 2000, Appendix I, paragraph 4c (1) details which actions that may require a New or Altered System of Records Report. The OCC is covered by one or more of the following System of Record Notices as published in the Federal Register / Vol. 77, No. 64 / Tuesday, August 3, 2012 / Notices. 2.4 SECURITY ASSESSMENT AND AUTHORIZATION (SA&A) Has the system been certified and accredited within the last three years? Yes No Date ATO granted: 05/30/2013-10-

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information