...
from proposal...National Marine Fisheries Service issues permits to fishing industry individuals and corporations and also to individual recreational fishers. More.... legislative or other policy mandates
Volume
Currently 6 vessels report electronically, could go up to 200 vessels, must transfer within 72 hours of landing, typically vessels land every few weeks, potential exists for daily reporting via VMS.... Good place for transaction volumes
Business Drivers
With e-signature fishers would be more accepting of electronic reporting. Fishers have concerns about achieving compliance. Drivers for wanting e-reporting... better data, faster data, less corrections.... Magnusen-Stephens driver for reducing cycle time? More.... The more could include what business benefit they derive from the permit and what business risk they incur if they break NMFS rules. Is this the spot for cycle times?
...
These are mid-size vessels (vicinity of 70ft) that have GPS, VMS, and sophisticated fish-finding technology. A number of the vessels have e-logbook software onboard integrated with track plotting systems. This e-logbook application includes a unique identifier via a hardware dongle which could be used to identify data from the vessel. An existing rule provides authority for optional electronic reporting. Regulations in process would provide vendor guidelines and certification process E-Logbook Vendor Certification Guidelines are in the approval process that would allow a vendor to promote an e-logbook application as NMFS-approved for e-logbook compliance.
...
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood | Impact |
|---|---|---|---|---|---|
Impersonation in registration and/or transactions | Common criminal/identity thief | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: common criminals are unlikely to have subject-area expertise to discover a fraud opportunity and there are probably much more attractive targets | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: successful identity theft could result in compromise of sensitive information from the victim's permit records | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or e-logbook transactions | Disgruntled industry employee | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials ) | Inconvenience, distress or damage to standing or reputation | Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit e-logbook data | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or e-logbook transactions | Competitor | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials ) | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an electronic system does not make makes them more less likely to have means or opportunity. Risk exposure is not reduced significantly different in electronic transactions than it is in versus paper transactions. | Low: impersonated parties would be likely to notice during dockside interview process and subsequent data review, and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: risk of release of sensitive information would increase the perpetrator's risk of exposure, which would only make sense if the motive were to cause harm, and not for gain. | Low: the impact would be limited to the party whose identity physical media has been stolen |
Repudiation to escape accountability | Customer (fisher or processor) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-signed document logbook submission could then be prosecuted for fishing or processing without proper permitsreporting. There will generally be independent evidence of the fishing or processing activity (follow the fish, also follow the VMS track.) | Low: agency might expend effort to resolve, but the distress would be limited and short-term |
lines below are placeholders for possible further work |
|
|
|
|
|
|
|
| Inconvenience, distress or damage to standing or reputation |
|
|
|
|
| Financial loss or agency liability |
|
|
|
|
| Harm to agency programs or public interest |
|
|
|
|
| Unauthorized release of sensitive information |
|
|
|
|
| Civil or criminal violations |
|
|