E-signature Evaluation
Business Context, Transaction Types and Volume
In the Northwest Region the states have existing fish ticket programs (actually 26 of them). These were originally developed for revenue purposes, but the fish tickets have become multi-purpose documents, functioning as a receipt between buyer and seller, as a record of catch (and sometimes of effort) for fisheries management, as documentation of participation in a fishery, as a record of gross profit for calculation of crew shares, as documentation of value for economic analysis, and, of course, in their original role as government tax records.
Examples of state fish tickets include whiting in Washington and salmon in California. The information captured on fish tickets has been standardized to the point that PACFIN can aggregate fish ticket data from each state into a regional database.
Whiting fisheries in the Northwest Region are currently operating under an Exempted Fishing Permit (the shoreside whiting EFP). The whiting EFP recognizes that there is a need to track bycatch on a near real-time basis, and proposes electronic reporting, or an e-ticket program, as a mechanism. Under this proposal the e-ticket reporting runs in parallel with the state's traditional paper fish tickets. PSMFC is currently developing this e-ticket program, emulating and coexisting with state fish ticket programs, capturing data into the PACFIN database directly from participating processors without going through the states (the states may subsequently data-enter from the paper copies into their own local databases, or they may download data from PACFIN to complete their local databases). This pilot project is emulating state programs with no change in management approach, data elements, etc. This approach anticipates that the new system will demonstrate the utility of e-tickets (near real-time tracking of catch and bycatch, speed of reconciling, increased efficiency) while allowing states flexibility and time to adopt at their convenience.
Under Amendment 10, which replaces the Whiting EFP program, e-reporting of whiting will continue to be required. As the program gains maturity and acceptance it is hoped that the states may want to use e-ticket reporting for black cod or other fisheries.
The current whiting fishery fish ticket volume is 40 boats for up to 20 days of fishing, for a ceiling of approximately 800 transactions. The potential of e-ticket transactions would eventually approach the total volume of fish tickets on the West Coast.
Business Drivers
Near to real-time information on catch and bycatch of overfished species is required as an element of National Standard 1 (NS1). For the Whiting fishery an e-ticket provides the most effective mechanism for acquiring near real-time catch and bycatch information. Fish ticket record-keeping and reporting regulations require processor and vessel operator signatures for accountability. An e-signature feature is required to make e-ticket reporting (without a corresponding paper document for signatures) feasible.
By near real-time we mean an elapsed time of less than 48 hours from the completion of the vessel offload to data analysis in the agencies' catch and bycatch monitoring systems.
Business Risk in the Permit Context
Considerations of business risk may benefit from categorization according to FIPS 199, which provides a common framework for expressing information security concerns throughout the federal government. This system has a FIPS 199 security categorization as follows:
- Low confidentiality requirements -- loss of confidentiality would be expected to have a limited adverse effect on organizational operations, assets, or individuals. A breach of confidentiality would damage our relationship with our constituency and could impact our ability to collect accurate data with which to manage fisheries. This could cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced. It could also expose us to litigation and professional disrepute.
- Moderate integrity requirements -- among other things data from this system could be used to establish individual fishing quotas based on historical participation in a fishery. Individual fishing quotas have value, and it is critical to maintain access controls, change tracking, and auditability. The moderate level is specified to recognize that loss of integrity could result in significant financial harm to individuals.
- Low availability requirements -- a temporary loss of availability would be expected to have a limited adverse effect. Transactions dependent on this data are not particularly time-sensitive, and business requirements could be met via manual methods during a temporary system outage.
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
...
Users and functionality
...
Data sensitivity and security
...