Business Context
from proposal...National Marine Fisheries Service issues permits to fishing industry individuals and corporations and also to individual recreational fishers. More.... legislative or other policy mandates
Permits Types and Volumes
...
Volume
Currently 6 vessels report electronically; this could go up to 200 vessels. Vessels must transfer within 72 hours of landing. Typically vessels land every few weeks; potential exists for daily reporting via VMS.... Good place for transaction volumes
Business Drivers
Fisheries are managed regionally, but many participants in the fishing industry are national or multinational in scope. It would be a convenience to these participants to offer a one-stop-shop for permits. Also, a one-stop-shop would facilitate maintenance of a single identifier for an industry participant who fishes or processes fish in multiple regions, and it would leverage efforts to improve data quality across regions. With e-signature, fishers would be more accepting of electronic reporting. Fishers have concerns about achieving compliance. Drivers for wanting e-reporting... better data, faster data, fewer corrections.... Magnuson-Stevens driver for reducing cycle time? More.... The more could include what business benefit they derive from the permit and what business risk they incur if they break NMFS rules. Is this the spot for cycle times?
...
Users and functionality
Not sure about this label as it seems to be more about the registration process. I think I would describe users more generically above in the context section. What are their characteristics (i.e., businesses, individuals, etc.)? Level of automation in business and maybe even computer savvy. What's the extent to which there are intermediaries between users and government?
Registration will be open to new permit applicants, existing permit holders, and agents of both. From the system perspective, there is little difference between permit holders and agents of permit holders. (Agents should file a notarized letter of authorization from each permit owner that the agent represents. The permit owner is responsible for transactions pertaining to their permit, and if they have delegated to an agent without submitting the authorization letter, that doesn't absolve them of any responsibility.) New permit applicants will not be identifiable with the same level of assurance as existing permit holders, but, as the permit application is processed, the confidence in the permit holder's identity will grow. And as a new permit applicant starts out with no value in the system, there is little at risk for these participants whose identity is less certain.
Existing permit holders may have considerable value in the system; for example, they may own fisheries quota that has significant market value. These existing permit holders must demonstrate knowledge of a secret permit access code (PAC) which was mailed by USPS mail to the permit owner's address of record. After a participant has registered and associated their permits with their username (through knowledge of one or more PACs), then the participant can access potentially sensitive permit information as well as renew or transfer permits. There are opportunities for mitigating controls in business processes, so the e-signature process does not necessarily have to address all of the transaction risk.
...
These are mid-size vessels (vicinity of 70 ft) that have GPS, VMS, and sophisticated fish-finding technology. A number of the vessels have e-logbook software onboard integrated with track plotting systems. This e-logbook application includes a unique identifier via a hardware dongle which could be used to identify data from the vessel. An existing rule provides authority for optional electronic reporting. Regulations in process would provide vendor guidelines and a certification process that would allow a vendor to promote an e-logbook application as NMFS-approved for e-logbook compliance.
Functionality would be creation/maintenance of the e-logbook record, storage of the e-logbook records on portable media (floppy, CD, memory stick), and physical transfer of the portable media to NMFS... or, alternatively, email transmission of e-logbook records to NMFS.
...
Transactions: data sensitivity
I would move the volume data up in biz context and leave this section to focus on FISMA and Privacy Act issues
...
In general these permit applications do not contain highly sensitive information. However, most have some personally identifying information (PII) and some few applications may contain proprietary business information.
New permit application volume nation-wide is estimated at __ new permits per year.
Permit renewal volume nation-wide is estimated at __ renewals per year.
Permit transfer volume nation-wide is estimated at __ transfers per year.
E-Logbook data is fisheries confidential data under the Trade Secrets Act. Unless the e-signature requires it, there is not likely to be PII in this data. ...clarify....
Internal control processes aka mitigating controls?
New permit applications generally involve processing rigor commensurate with the value of the permit. Permits for fisheries with low economic opportunity and/or low risk to the public resource generally receive only nominal scrutiny. Permits for fisheries with high economic opportunity and/or high risk to the public resource receive considerable scrutiny.
In this case we have independent confirmation of the vessel's location through the VMS system. The e-logbook software application licensing compliance dongle forms a unique identifier for each logbook page and it can tie the logbook page to a particular instance of the e-logbook software. These vessels are permitted to fish and therefore have a prior "trusted relationship" with NMFS. In many cases this prior relationship involves confirming vessel ownership with the US Coast Guard, verifying participation in prior fisheries through previously submitted state or federal fish tickets or logbooks, confirmation of business ownership, etc.
Permit renewals generally receive little scrutiny.
Permit transfers receive scrutiny commensurate with the complexity of the relevant fisheries management plan. For the more complex fisheries management regimes, changes to permit ownership patterns may have ripple effects. In the absence of complex ownership rules, permit transfers might receive little scrutiny ...need more detail...
Threat and Vulnerability Identification
...