United States Department of Justice
Management Information System (MIS) Prepared By 29-SEPTEMBER-2006
Approval Signature Page
I recommend approval of the Antitrust Division Information Systems Support Group Management Information Systems Privacy Impact Assessment
I approve the Antitrust Division Information Systems Support Group Management Information Systems Privacy Impact Assessment
Table of Contents
Section 1.0 The System and the Information Collected and Stored within the System.
Section 2.0 The Purpose of the System and the Information Collected and Stored within the System.
Section 3.0 Uses of the System and the Information.
Section 4.0 Internal Sharing and Disclosure of Information within the System.
Section 5.0 External Sharing and Disclosure
Section 7.0 Individual Access and Redress
Section 8.0 Technical Access and Security
Appendix C: Abbreviations and Acronyms
The Department of Justice (DOJ) Antitrust Division (ATR) Information Systems Support Group (ISSG) Management Systems Staff (MSS) owns the ATR Management Information Systems (MIS) that is used to process, store and transmit information. The ATR MIS is a Sensitive But Unclassified (SBU) system that has been implemented under the provisions of the Federal Information Security Management Act (FISMA, Public Law 107-347) and Department of Justice (DOJ) Order 2640.2E Information Technology Security.
The mission of the Antitrust Division is to promote and protect the competitive process and the American economy through enforcement of the antitrust laws. The antitrust laws apply to virtually all industries and to every level of business, including manufacturing, transportation, distribution, and marketing. They prohibit a variety of practices that restrain trade, such as price-fixing conspiracies, corporate mergers likely to reduce the competitive vigor of particular markets, and predatory acts designed to achieve or maintain monopoly power. The ATR-MIS supports the antitrust mission by providing a platform that enables the processing, storage and transmission of management and support, and historic mission-based information.
The Antitrust Division makes broad use of National, Government and Department standards in assuring the protection of Privacy Act systems under its control. A key part of the standards usage focuses on the FISMA-mandated (FISMA Sec. 303 (b)(1)(A)) Federal Information Processing Standards (FIPS) and associated National Institute of Standards and Technology (NIST) Special Publications (SPs). The Antitrust Division has developed a managed process to ensure that its security program is current with all applicable revisions and releases of FIPS, NIST SPs, and OMB Memoranda in order to protect its assets. This programmatic effort is complemented by scanning activities to ensure that the system's patches and fixes are fully current, and that its security configuration policies are not compromised.
ATR regards the protection of information security, as defined in 44 U.S.C. Section 3542, as a mandatory requirement in the enforcement of antitrust law in both criminal and civil enforcement actions. The MIS implementation and continuing enhancement of security safeguards and procedures is aligned with supporting all of ATR's security objectives via application of FISMA requirements and industry Best Practices.
The MIS PIA Framework provides programmatic information associated with the development and management of the MIS PIA.
Document Compliance
This MIS PIA complies with the Privacy Impact Assessment Official Guidance issued by the DOJ Office of Privacy and Civil Liberties, effective August 7, 2006.
Document Organization
This MIS PIA applies the DOJ Privacy Impact Assessment Template (v3) as follows:
Introduction; The following appendices are included:
Appendix A: ATR SOR
Document Audience
This document is intended for public access in accordance with OMB M-03-22 Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, Attachment A/I.A.1.
Document Change Control
The MIS PIA is subject to the MSS Configuration Control process as documented in the MSS Configuration Management Plan.
MIS PIA Point of Contact
Mr. Thomas King
Section 1.0
1.1 What information is to be collected? MIS stores ATR management and support, and mission-based information, as defined in the Federal Enterprise Architecture (FEA) Business Reference Model. The information is collected via executive operations as required by OMB Circular A-11 and the execution of antitrust enforcement activities. MIS applications currently include the Information in Identifiable Form (IIF) listed below, as defined in OMB Memorandum M-03-22/Attachment A/II.A.2.
1.2 From whom is the information collected? Information is collected from parties to, or targets of, criminal or civil antitrust investigations. Information is also collected from ATR Government and Contractor personnel who support the Division's mission.
Section 2.0
2.1 Why is the information being collected? The information is collected to support ATR's mission; specifically promotion and protection of the competitive process and the United States economy via the enforcement of antitrust laws. Information stored within MIS represents the institutional knowledge of the Division's spectrum of operations. Information is also collected to support ATR's executive operations.
2.2 What specific legal authorities, arrangements, and/or agreements authorize the collection of information?
2.3 Privacy Impact Analysis: Given the amount and type of information collected, as well as the purpose, discuss what privacy risks were identified and how they were mitigated. From an information technology perspective, privacy risks would result from a breach to ATR's security objectives as implemented on MIS, which could subsequently compromise the confidentiality, integrity, and availability of information. From an MIS perspective, this breach would occur, primarily, via unauthorized access that would enable an adversary to disclose, damage the integrity of, or prevent the availability of information used to support the enforcement of antitrust laws and executive operations.
The risk of compromise of data, or the theft of backup tapes, is mitigated by several steps. Physical security, such as guards, access badges and security cameras, helps ensure there is no unauthorized access to component facilities. Unauthorized access to the system itself is addressed by network intrusion detection systems, firewalls, log monitoring, and malware detection and correction software. To prevent unauthorized use by agency employees, audit logs are kept and checked at regular intervals. Unauthorized use by a Federal employee will be subject to strict penalties.
ATR implements FISMA security controls as mandated in FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems," and amplified in NIST SP 800-53, "Recommended Security Controls for Federal Information Systems." The MIS implementation of these controls and associated risks and mitigation is reflected in FISMA and Justice Management Division-mandated documentation.
Section 3.0
3.1 Describe all uses of the information. The information that MIS applications process, store and transmit are used to support the Division's mission, including files such as public court and administrative filings, complaints, indictments, and final judgments, as well as statements of policy and interpretations, staff manuals, guidelines, press releases, speeches, Congressional testimony, work product, and business review letters. Management and support records include identification of personnel who work on the Division's cases and the number of labor hours invested in these cases. The MIS stores a body of historic information in Oracle databases that are accessible to authorized Division users via the Intranet or through tools such as Business Objects.
Information used in MIS Applications that is subject to the Privacy Act maps to the following NIST SP 800-60 information and information types. The related MIS applications used to process, transmit, and store the information are also provided.
3.2 Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern? (Sometimes referred to as data mining.) Data mining, including pattern-based querying, is employed in the course of investigations using the tools of litigation support, economic analysis and management information systems. The scope of data mining is limited to DOJ Order 2640.2E requirements for Least Privilege (NIST SP 800-53/AC-6) and Need-to-Know (addressed via NIST SP 800-53/AC-2). As management information applications store historic data for the explicit purpose of knowledge management, data mining in the form of, for example, searches for patterns of conduct by specific corporations and/or individuals across historic investigative data, is an important asset in the conduct of new investigations.
3.3 How will the information collected from individuals or derived from the system, including the system itself be checked for accuracy? The historic mission-based information provided to MIS is processed, stored, and transmitted as-is. MIS applications include transaction validation controls (e.g., an end date does not precede an associated start date) and certain format validation controls (e.g., number of digits in a Social Security Number) for management and support information.
3.4 What is the retention period for the data in the system? Has the applicable retention schedule been approved by the National Archives and Records Administration (NARA)? There is no schedule for retiring data out of the MIS. Consultations between ATR and NARA are ongoing on the issue of historical records and how they should be addressed, given that the ATR MIS serves both current operational needs as well as long term "knowledge management" requirements preserving institutional history and facilitating research on historical matters which relate to current matters. Consequently, ATR expects to be constantly enhancing the historical data in this repository, rather than archiving and removing it from the system.
3.5 Privacy Impact Analysis: Describe any types of controls that may be in place to ensure that information is handled in accordance with the above-described uses. The key MIS controls to assure that information is handled in accordance with its prescribed use include:
Implementation of these controls is documented in the MIS System Security Plan that addresses all of the areas identified above, including how ATR employees are granted system access based upon their organizational role and need to know, authorizing officials, technical aspects of authentication management, software use and engineering, and the auditing of access files to ensure the protection of data maintained by ATR.
ATR is required to address continual statutory and Department-level requirements to substantiate that its handling of information is compliant. For example, ATR was recently required to provide submissions in support of DOJ Memorandum Privacy and Safeguarding of Personally Identifiable Information dated 10-July-2006. Furthermore, ATR issued ATR Directive 2710.4 Safeguarding Sensitive Information dated 11-July -2006 to assure Division compliance. From a technical perspective FISMA-mandated Continuous Monitoring requirements (NIST SP 800-53/CA-7) provide assurance that privacy-applicable controls are consistent with the MIS Certification and Accreditation status.
Section 4.0
4.1 With which internal components of the Department is the information shared? ATR shares MIS data, as appropriate, with the
4.2 For each recipient component or office, what information is shared and for what purpose? All the information described in Section 1.1 may be shared. The purpose of this sharing is outlined below.
4.3 How is the information transmitted or disclosed? No other DOJ components have end-user access to MIS. Information is:
4.4 Privacy Impact Analysis: Given the internal sharing, discuss what privacy risks were identified and how they were mitigated. The fundamental privacy risk lies in unauthorized disclosure based on methods of sharing. The two methods and the mitigation of potential risks are as follows:
All DOJ components are subject to DOJ Order 2640.1 and DOJ Order 2640.2E and the associated Information Technology Security Standards.
Section 5.0
5.1 With which external (non-DOJ) recipient(s) is the information shared? Information is shared with
Private Sector:
5.2 What information is shared and for what purpose?
Private Sector
5.3 How is the information transmitted or disclosed? Information that is shared with the FTC is transmitted via a secure system interconnection that uses security mechanisms and services embedded in commercial-off-the-shelf software.
Private Sector
5.4 Are there any agreements concerning the security and privacy of the data once it is shared? The provisions regarding the sharing of information with FTC are documented in the ATR-FTC Memorandum of Understanding.
Private Sector
5.5 What type of training is required for users from agencies outside DOJ prior to receiving access to the information? There are no antitrust-specific courses offered to employees of other agencies that receive information from the Antitrust Division. However, all Federal Agencies are required to implement Standards of Ethical Conduct for Employees of the Executive Branch (5 CFR 2635) via Rules of Behavior per Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources.
5.6 Are there any provisions in place for auditing the recipients' use of the information? There are no provisions in place at this time for auditing the recipients' use of information. However, if ATR suspected or became aware of misuse, it would use its full authority promptly to resolve the issue.
5.7 Privacy Impact Analysis: Given the external sharing, what privacy risks were identified and describe how they were mitigated. The predominant privacy risk attributable to sharing data with the FTC lies in a breach of confidentiality. To mitigate this risk ATR and FTC have instituted several technical, operational and management controls. Secure transfer protocols are deployed in the transmission of information; access authorization controls are enforced and reviewed using a documented procedure; and a Memorandum of Understanding is in place.
Private Sector
6.1 Was any form of notice provided to the individual prior to collection of information? If yes, please provide a copy of the notice as an appendix. (A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice.) If notice was not provided, why not? The ATR System of Records SORN listing is provided at Appendix A, ATR SOR, of this PIA. Any Privacy Act information that may be collected is related to Division law enforcement purposes.
6.2 Do individuals have an opportunity and/or right to decline to provide information? No. Any Privacy Act information that may be collected is related to Division law enforcement purposes.
6.3 Do individuals have an opportunity to consent to particular uses of the information, and if so, what is the procedure by which an individual would provide such consent? No. Any Privacy Act information that may be collected is related to Division law enforcement purposes.
6.4 Privacy Impact Analysis: Given the notice provided to individuals above, describe what privacy risks were identified and how you mitigated them. The predominant privacy risk lies in improper disclosure. All DOJ government and contractor staff are aware of penalties regarding improper use of information per Entry On Duty training materials and Rules of Behavior.
Section 7.0
7.1 What are the procedures which allow individuals the opportunity to seek access to or redress of their own information? Individuals can make a request for access to or amendment of their records under the Privacy Act unless the particular System of Records is exempted from the access and amendment provisions.
7.2 How are individuals notified of the procedures for seeking access to or amendment of their information? Notice of individuals' rights under the Privacy Act is provided through publication in the Federal Register of a System of Records Notice and in Departmental regulations describing the procedures for making access/amendment requests.
7.3 If no opportunity to seek amendment is provided, are any other redress alternatives available to the individual? No.
7.4 Privacy Impact Analysis: Discuss any opportunities or procedures by which an individual can contest information contained in this system or actions taken as a result of agency reliance on information in the system. Information on Government employees or contractors may be addressed through a written request for correction if necessary. This process also applies to business or private individuals who may request a correction to publicly available information. An individual may file a lawsuit under the Privacy Act after following appropriate administrative processes.
Section 8.0
8.1 Which user group(s) will have access to the system? The following three user groups have access to MIS:
8.2 Will contractors to the Department have access to the system? If so, please submit a copy of the contract describing their role with this PIA. Contractors have access to the system in the capacities referenced in Section 8.1. Contract documents are available but not attached and may be provided by the ATR Point of Contact.
8.3 Does the system use "roles" to assign privileges to users of the system? MSS implements three basic roles for MIS:
8.4 What procedures are in place to determine which users may access the system and are they documented? The procedures in place to determine which users may access the system are documented in the MIS System Security Plan that addresses all of the areas identified in Section 3.5 of this PIA, including how ATR employees are granted system access based upon their organizational role and need to know, authorizing officials, technical aspects of authentication management, and software use and engineering to ensure the protection of data maintained by ATR. The MIS System Security Plan also includes details regarding password management, account management, and auditing for each user group, in accordance with DOJ Order 2640.2E.
8.5 How are the actual assignments of roles and rules verified according to established security and auditing procedures? Individuals have specific roles that limit them to the data they enter or have specific rights to address. Actual assignments of roles and rules are established for ATR in its MIS System Security Plan that addresses such areas as how ATR employees are granted system access based upon their organizational role and need to know, authorizing officials, technical aspects of authentication management, software use and engineering, and the auditing of access files to ensure the protection of data maintained by ATR. The assignment of roles and rules are verified via the implementation of FIPS 200 Access Controls (AC) and Audit and Accountability (AU) families of controls. Additionally, the use of JMD-mandated COTS tools for Security Configuration Policy compliance enables this verification. For example, these tools identify whether:
8.6 What auditing measures and technical safeguards are in place to prevent misuse of data? The following in-place auditing measures and technical safeguards are applied to prevent misuse of data. It should be emphasized that under the FISMA requirement for Continuous Monitoring (NIST SP 800-53/CA-7), ATR constantly evaluates new technologies and procedures to enhance these capabilities. The primary auditing measures and technical safeguards in place to prevent misuse of data are associated with access and authentication controls to prevent unauthorized disclosure and subsequent potential misuse of data. These controls include:
The above-referenced auditing measures and technical safeguards are:
Consistent with its use of Best Practices to harden its operations, ATR also considers the following additional controls as interfacing with auditing and technical measures:
8.7 Describe what privacy training is provided to users either generally or specifically relevant to the functionality of the program or system? All employees are required to complete online information systems security training as part of annual training for DOJ employees. A certificate of completion is logged for employees after successful completion of the training. Also, new employees receive training on the use of particular MIS applications before they are granted access to the system. Users are reminded periodically about Division policies in these areas and their requirements to comply with these policies.
8.8 Is the data secured in accordance with FISMA requirements? If yes, when was Certification & Accreditation last completed?
8.9 Privacy Impact Analysis: Given access and security controls, what privacy risks were identified and describe how they were mitigated. Privacy risks associated with unauthorized disclosure of information are mitigated through implementation of technical controls associated with "need-to-know" and "least privilege," ensuring that users have no more privileges to data than required to effect their official duties. In addition, deterrent controls in the form of warning banners, privileged rules of behavior, confidentiality agreements and auditing are in place. Finally, exit procedures for departing employees and contractors include the prompt disabling of accounts and access rights to all data.
9.1 Were competing technologies evaluated to assess and compare their ability to effectively achieve system goals? Yes. As the ATR Management Information System was initially developed many years ago, software tools were competitively identified to ensure the best and most cost-effective products were chosen. In subsequent years, as ATR has upgraded and improved its MIS, enhancements have been developed and deployed by ATR staff. With all acquisitions of new or upgraded hardware, software or other products, a cost-benefit analysis has been performed in accordance with DOJ requirements. MIS investments are pursued in accordance with the relevant provisions of the Department of Justice Systems Development Life Cycle Guidance and Federal Acquisition Regulations.
9.2 Describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system. The following items are considered key in analyzing data integrity, privacy, and security for MIS applications:
9.3 What design choices were made to enhance privacy?
MIS is used to process, store, and transmit information that supports Antitrust Division operations for management and support, and historic mission-specific purposes. Securing this information and assuring its proper use is critical to the success of these operations.
MIS applications are secured via access authorization, authentication rules, and audit controls. These technical controls are supplemented by procedural controls such as Account Management Reviews, Rules of Behavior, Confidentiality Agreements, and Security Awareness and Training to mitigate risks regarding unauthorized access and subsequent potential privacy violations. The proposed Defense-in-Depth implementation will increase the robustness of MIS security services, i.e., access controls, confidentiality, integrity, and non-repudiation.
ATR has consistently regarded the privacy ramifications of information that is processed, stored, and transmitted on MIS as critical in supporting antitrust enforcement activities and executive operations. The MIS solution is aligned with supporting all of ATR's security objectives via application of FISMA requirements and industry Best Practices. Management review, continual enhancement, and FISMA-mandated continuous monitoring of MIS technical and procedural controls are of the utmost importance in maintaining application hardening and continuity of operations.
E-Government Act of 2002, Public Law 107-347, Section 208(b)
OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (12-July-2006)
Information Assurance Technical Framework, Version 3.1, September 2002
FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST SP 800-92, Guide to Computer Security Log Management (DRAFT)
DOJ Order 3011.1, Compliance with the Privacy Act
American National Standard ANSI INCITS 359-2004, Role Based Access Control (DRAFT)
Appendix C: Abbreviations and Acronyms