PRIVACY IMPACT ASSESSMENT



Similar documents
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment for:

Integrated Financial Management Information System (IFMIS) Merger

Privacy Impact Assessment

INTERNational Connections Privacy Impact Assessment

FHFA. Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME)

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)

Privacy Impact Assessment

Department of the Interior Privacy Impact Assessment

Privacy Impact Assessment Forest Service Computer Base Legacy

Privacy Impact Assessment Of the. Office of Inspector General Information Technology Infrastructure Systems

Evaluation Report. The Social Security Administration s Cloud Computing Environment

PRIVACY IMPACT ASSESSMENT (PIA) For the

PRIVACY IMPACT ASSESSMENT TEMPLATE

Department of the Interior Privacy Impact Assessment

Controls Over EPA s Compass Financial System Need to Be Improved

Automated Threat Prioritization Web Service

Department of the Interior Privacy Impact Assessment Template

Privacy Impact Assessment. For. TeamMate Audit Management System (TeamMate) Date: July 9, Point of Contact: Hui Yang

Department of Homeland Security

Commodity Futures Trading Commission Privacy Impact Assessment

POSTAL REGULATORY COMMISSION

Privacy Impact Assessment for the. Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS)

PII Compliance Guidelines

PRIVACY IMPACT ASSESSMENT (PIA) GUIDE

Web Time and Attendance

PRIVACY IMPACT ASSESSMENT

March 17, 2015 OIG-15-43

Corporate Property Automated Information System CPAIS. Privacy Impact Assessment

Privacy Impact Assessment. For. Non-GFE for Remote Access. Date: May 26, Point of Contact and Author: Michael Gray

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Department of the Interior Privacy Impact Assessment (PIA) Updated February 2011

PRIVACY IMPACT ASSESSMENT

Privacy Impact Assessment For Management Information System (MIS) Date: September 4, Point of contact: Hui Yang

Privacy Impact Assessment (PIA) Waiver Review System (WRS) Version Last Updated: December 2, 2013

Privacy Impact Assessment (PIA) Consular Data Information Transfer System (CDITS) Version Last Updated: April 15, 2014

A. SYSTEM DESCRIPTION

LITIGATION SUPPORT SYSTEM (SYSTEM NAME)

Name of Project: Auditing Management Information System (AMIS) Program Office: Office of Inspector General, Auditing Division

Privacy Impact Assessment. For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

A. SYSTEM DESCRIPTION

1. Contact Information. 2. System Information. Privacy Impact Assessment (PIA)

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

May 2, 2016 OIG-16-69

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE May 23, 2000.

Student Administration and Scheduling System

Federal Trade Commission Privacy Impact Assessment

A. SYSTEM DESCRIPTION

Department of the Interior Privacy Impact Assessment

Privacy Impact Assessment Consumer Complaint Management System II (CCMS II)

REMEDY Enterprise Services Management System

Federal Bureau of Prisons. Privacy Impact Assessment for the HR Automation System. Issued by: Sonya D. Thompson Deputy Assistant Director/CIO

Physical Access Control System

A. SYSTEM DESCRIPTION

A. SYSTEM DESCRIPTION

Results of Technical Network Vulnerability Assessment: EPA s Region 1

U.S. Securities and Exchange Commission. Mailroom Package Tracking System (MPTS) PRIVACY IMPACT ASSESSMENT (PIA)

Homeland Security Virtual Assistance Center

A. SYSTEM DESCRIPTION

Privacy Impact Assessment May 2014

Privacy Impact Assessment (PIA) Consular Affairs Enterprise Service Bus (CAESB) Last Updated: May 1, 2015

United States Department of State Global Financial Management System (GFMS) Privacy Impact Assessment

STATE OF NORTH CAROLINA

Privacy Impact Assessment

e-performance System

A. SYSTEM DESCRIPTION

Audit of Case Activity Tracking System Security Report No. OIG-AMR

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Privacy Impact Assessment for the Volunteer/Contractor Information System

ERIC - A Guide to an Introduction

Network Infrastructure - General Support System (NI-GSS) Privacy Impact Assessment (PIA)

Department of Homeland Security Office of Inspector General. Audit of Application Controls for FEMA's Individual Assistance Payment Application

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Department of Homeland Security Web Portals

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT. [Docket No.

Financial Management Service. Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment for:

HARPER, RAINS, KNIGHT & COMPANY, P.A. CERTIFIED PUBLIC ACCOUNTANTS & CONSULTANTS RIDGELAND, MISSISSIPPI

U.S. Securities and Exchange Commission. Integrated Workplace Management System (IWMS) PRIVACY IMPACT ASSESSMENT (PIA)

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

SYSTEM NAME: Digital Identity Access Management System (DIAMS) - P281. SYSTEM LOCATION: U.S. Department of Housing and Urban Development, 451 Seventh

Verizon Notification Service (VNS)

EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes

United States Department of State Privacy Impact Assessment IIP Program Management and Outreach System (IIP-PMOS ITAB Number 2600)

A. SYSTEM DESCRIPTION

United States Department of State Privacy Impact Assessment Risk Analysis and Management

Federal Trade Commission Privacy Impact Assessment. for the: Gilardi & Co., LLC Claims Management System and Online Claim Submission Website

CTR System Report FISMA

AUDIT REPORT. The Energy Information Administration s Information Technology Program

Fiscal Year 2007 Federal Information Security Management Act Report

Privacy Impact Assessment. For Rehabilitation Services Administration Management Information System (RSA-MIS) Date: November 19, 2014

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Department of the Interior Privacy Impact Assessment

Compliance Tracking and Management System

Improved Security Planning Needed for the Customer Technology Solutions Project

Transcription:

PRIVACY IMPACT ASSESSMENT Submit in Word format electronically to: Linda Person (person.linda@epa.gov) Office of Environmental Information System Name: The Inspector General Enterprise Management System (IGEMS) - Full Preparer: Maria Martir Office: OIG Date: 9/4/2013 Phone: 202-566-2692 This project is in the following life cycle stage(s): Definition Development/Acquisition Implementation Operation & Maintenance Termination Note: Existing Systems require an updated PIA when there is a significant modification or where changes have been made to the system that may create a new privacy risk. For a listing of significant modifications, see OMB Circular A-130, Appendix 1, Section (c) (1) (a-f) at http://www.whitehouse.gov/omb/circulars/a130/a130appendix_i.aspx I. Data in the System 1. What data/information will be collected/contained in the system? The integrated system, Inspector General Enterprise System (IGEMS) feature the following modules: project management, case and hotline management, project analysis, resource management (which includes users name, and work hours), knowledge management/collaboration management, project/cost accounting, workflow management, document management, reports and analysis, time management, and COOP (emergency) data management. The Investigations and Hotline modules contain names, locations and other personal identifiers of individuals involved or participating in the OIG investigative process. Examples are names, social security numbers, date of birth, telephone number, and addresses. The COOP module contains EPA OIG employee emergency contact information. The Assignment module contains Office of Inspector General (OIG) employees; individuals who request audits or special projects; names of individual auditees. 2. What are the sources and types of the data/information in the system? 1

The data sources of the privacy information are EPA OIG investigators, auditors, program evaluators, Hotline manager, OIG managers and staff. IGEMS contains information relating to audits, evaluations, investigations, hotline complaints and COOP emergency contact information of EPA OIG employees. 3. If the system has been modified, are the original personally identifiable information (PII) elements still being collected or contained in the system? If no, what are the elements currently being collected? When did the collection of the original PII elements stop? How was the old data removed from the system? IGEMS undergoes upgrades and enhancements. Original PII information from audits, investigations and hotline complaints are maintained in the system. Exiting EPA OIG employees emergency information are removed from the system. 4. How will the information be used by the Agency? IGEMS automates the workflow, tracks projects, cases, and cost information associated with problems, abuses, and deficiencies relating to EPA programs and operations, as well as progress of corrective actions that are reported to the EPA Administrator and Congress. IGEMS also monitors project progress and tracks measures and results. Data is used to support EPA OIG mission and goals and in pursuant of the Inspector General Act of 1978. 5. Why is the information being collected? (Purpose) The EPA Office of Inspector General (OIG) uses IGEMS data to report on the efficiency of EPA programs and operations. The OIG provides independent audit, evaluation, investigative and advisory services that promote economy, efficiency, and effectiveness, and help to prevent and detect fraud, waste, and abuse in order to add value in EPA programs and operations. The OIG has further interpreted this statutory mission through its strategic and annual performance goals for contributing to environmental quality, human health, and good government in order to inspire public confidence in the integrity of EPA operations. The COOP (emergency) contact information of OIG personnel are collected to contact employees in case of an emergency or other event that may require their assistance. II. Access Controls for the Data 1. To ensure user authentication, does the system have limited login attempts or require security question answers? If yes, when the user becomes locked out how will they gain access to the system? Yes, the system is limited to 3 login attempts before account lock out using the agency s active directory group policy. To gain access to the system after locked, employees need to contact either the OIG s Technical Support team or the agency s help desk to unlock accounts. 2. How often are passwords required to be changed? Passwords are required to be changed every 90 days based on the agency s policy. 3. Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)? EPA OIG employees have access to the data based on their position on the organizational structure and roles granted to them. There are a few individuals such as the database administrator and IGEMS Administrators who have more access to the data. 2

4. How will you educate individuals/users having authorized access about the misuse of PII data? Will users receive privacy training before gaining access to the system? Users sign the Rules of Behavior (ROB) agreement and take annual training on IT Security Awareness training and PII. Users also follow a procedure for requesting access/release of data. 5. Has the data in the system been encrypted according to the National Institute of Standards and Technology (NIST) requirements? (Note: this requirement is for sensitive PII only) The data is not encrypted at the database level (data at rest) but we use the Secure Socket Layer web server certificates to encrypt the PII data in transit. 6. Do other systems share or have access to information in this system? If yes, who authorized the sharing? If information is being shared, please provide a copy of any agreements that were issued. (i.e., System Administrators, System Developers, System Managers) Yes, the Management Audit Tracking System (MATS) interfaces with IGEMS. A representative from the Office of Planning, Analysis and Accountability, Office of the Chief Financial Officer, EPA, has access to audit data which feeds into MATS. Access is strictly to MATS-related data. There is an existing Memorandum of Understanding (MOU) and Interconnection Security Agreement (ISA) signed on 2/2/2012 between representatives of OIG and OCFO. This person has her own account to the DB. 7. Will other agencies, state or local governments, or other external parties (i.e., non-epa) share or have access to information in this system? If so, what type of agreement was issued? (i.e., ISA, MOU, etc.) (If any agreements were issued, the Privacy Program needs a copy for its records). 8. Will data and/or processes be converted from paper to electronic? If so, what controls are in place to protect the data from unauthorized access or use? 9. Will data be shared from a system of records (SOR) with another federal agency? If so, has a computer matching agreement been initiated? III. Attributes of the Data 1. Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed. (Provide an example or explain) The data collected is relevant and necessary to track individual audit, program evaluation, and investigative assignments, time, and cost associated with the OIG assignments. IGEMS is an application that supports EPA OIG mission and goals. 2. How is the system designed to retrieve information by the user? Will it be retrieved by personal identifier? If yes, what identifier(s) will be used. (A personal identifier is a name, social security number or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.) Access to IGEMS is restricted to EPA OIG employees. IGEMS uses Active Directory credentials to authenticate the user. It uses the user s position in the organization and special roles and privileges to authenticate 3

the user and restrict access. In addition, IGEMS uses SSL Web Server certificates to secure the server and encrypt transmission of data. In the Investigations and Hotline modules, data may be retrieved using names and other identifiers of subjects, complainants and witnesses interviewed during investigations; others involved in the investigative process; and investigative case file numbers. In the Assignments and Timesheets module, data may be retrieved by employee names or assignment numbers. In the COOP module, data may be retrieved by organizational chain. 3. Has the system undergone a risk analysis to identify harms that may result from technical failures, malevolent third parties or human error? Yes_x No (Note: The risk analysis will help identify possible risks to the data in the system.) Yes. 4. Do individuals have the opportunity to decline to provide information or to consent to particular uses of the requested information? Yes_x_ No If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.) Yes. IGEMS has Rules of Behavior (ROB) for all users. Each user has an opportunity to accept or decline the set of rules. If the user declines, the user does not get access to any IGEMS data. The system also displays a system warning each time users access the system of unauthorized use and access to the system and its consequences. They click I Agree or I Disagree. 5. Where is the on-line privacy policy posted? A privacy policy warning note is displayed at the application logon screen. IV. Maintenance and Administrative Controls 1. Has a record control schedule been issued for the records in the system or the system itself? If so, provide the schedule number. (You may check with the record liaison officer (RLO) for your AA-ship or Tammy Boulware, Headquarters Records Officer, to determine if there is a retention schedule for the subject records. All systems must have a record control schedule.) Yes, IGEMS is covered under EPA Records Schedule 700 (investigations), 703 (Hotline), 707 (Audits, Timesheets). 2. While the data are retained in the system, what are the requirements for determining that the information collected remains sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations? The managers review the data for accuracy prior to making decisions. The OIG developed a data quality policy which ensures that proper management responsibilities are in place to comply with EPA s Information Quality Guidelines (OMB Section 515). Annually, the Deputy Inspector General of the OIG certify as a part of the OIG Annual Performance Report, that all data reported through OIG information systems meets the EPA data quality standards. In addition, IGEMS generate management reports such as monthly status, assignment costs, and quality assurance reports, which serve as tools for reviewing data quality. 4

3. Will this system provide the capability to identify, locate, or monitor individuals? If yes, explain. Yes, IGEMS provides the capability to identify, locate, or monitor individuals by tracking each user to OIG audits, investigative cases and hotline complaints. 4. Does the system use any persistent tracking technologies? 5. Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. All Agency SORs are posted at http://www.epa.gov/privacy/notice/. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The SOR must contain the same categories of records and cover the same routine uses as your system.) a. Inspector General Enterprise Management System (IGEMS) Investigative Module. EPA-40 b. Inspector General Enterprise Management System (IGEMS) Hotline Module. EPA-30 c. Inspector General Enterprise Management System (IGEMS) Audit, Assignment, and Timesheet Modules. EPA-42 d. EPA Personnel Emergency Contact Files. EPA-44 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information