...

NIST 800-30, Risk Management Guide for Information Technology Systems, defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.

Users and functionality

...

Registration will be open to new permit applicants, existing permit holders, and agents of both. From the system perspective, there is little difference between permit holders and agents of permit holders. New permit applicants will not be identifiable with the same level of assurance as existing permit holders, but as the permit application is processed, the confidence in the permit holder's identity will grow. Because a new permit applicant starts out with no value in the system, there is little at risk for these participants, whose identity is less certain.

Existing permit holders may have considerable value in the system (the market value of an individual fishery quota may exceed $ .) However, these existing permit holders must demonstrate knowledge of a secret permit access code (PAC) that was mailed by USPS to the permit owner's address of record. After a participant has registered and associated their permits with their username (through knowledge of one or more PACs), the participant can renew or transfer permits.

New permit applications and permit renewals will be open to all registered parties.

...

Transactions: data sensitivity and volume

...


Internal control processes

...