Versions Compared

Version Old Version 8 New Version Current
Changes made by

Larry Talley - NOAA Federal

Larry Talley - NOAA Federal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

This sections documents design details that address these requirements.

Binding the Transaction to an Entity and Non-repudiation

Requirements 1 and 2 above are addressed in the design of three component parts of the system:

...

Technically the transaction data is bound to entity identity data by the signer's name captured in the electronic signature and also specified in the registration data, and by a shared identifier (permit number) in the registration data (electronic fish ticket agreement), the processor permit database, and in the e-ticket submissionssubmission. (See document binding and integrity for a broader discussion of these issues and alternatives.)

No authentication token and protocol issues are involved in this non-repudiation. Technical controls for document integrity and audit trails contribute to binding the transaction to the entity and non-repudiation, but those controls are more appropriately discussed in the next section.

Providing Chain of Custody Audit Trails

NMFS policy directive 32-110 specifies "...audit trails that ensure the chain of custody for the transaction. These audit trails should identify the sending location, sending individual or entity, date and time stamp of receipt, and other measures that will ensure the integrity of the document. These audit trails must validate the integrity of the transaction and prove: (1) that the connection between the submitter and NMFS has not been tampered with; and (2) how the document was controlled upon receipt by NMFS."

...

  1. The NMFS email interface program will run periodically (perhaps every 5 minutes), login to the postoffice, and open the inbox.
  2. The email interface program will consider every message currently in the inbox, and for each message:
    1. Log receipt of the email message into audit trail tables.
    2. If the email message is recognized (recognized messages were generated by e-ticket software and submitted by registered permit holders).
      1. Generate a unique e-ticket message identier.
      2. Handle possible return-receipt-requested.
      3. Extract e-ticket message payload(s) (zip attachments)
        1. For each e-ticket payload:
        2. Log receipt of payload into audit trail tables.
        3. Unzip and unmarshall the payload, creating an e-ticket object; if payload cannot be unzipped or unmarshalled the receipt is formed from the raw input data and unzip/unmarshall errors are noted and logged.
        4. Process the e-ticket object, inserting into the database (if possible) and creating a receipt (appropriate data checks are applied in this step and any errors noted in the receipt.)
        5. Return the receipt to the appropriate party.
        6. Log the result into audit trail tables.
  3. These audit trail data items should be written to audit trail tables by the email interface application using a database account which has insert privileges to the database but does not have update or delete privileges. (And update and delete privileges on the audit trail tables should be carefully controlled by the database administrator.)

Providing an Electronic Receipt or Acknowledgment of a Successful Submission

The proposed receipt process is as follows:

  1. After the data import program has interpreted (or attempted to interpret) the submitted e-logbook data, the data import program writes a receipt file. The proposed receipt will consist of
    Panel

    Dave or Dayna needs to describe the receipt and check that the statements below are accurate

  2. Assuming that the data import was successful, or at least successful enough that the e-ticket's permit could be ascertained, the receipt file will also be emailed directly by the data import program to the address of record for the permit holder
  3. If the receipt file cannot be emailed directly to the address of record for the permit holder the operator executing the data import program is notified so that they can take steps to inform the submitter

Collecting Only Necessary Information in the Electronic Signature Authentication Process

Since the proposed system relies heavily on mitigating controls, no additional information is collected specifically for the e-signature process.

Create a Long-Term Retention and Access Policy

Retention and access policies already exist for this logbook data under NOAA file series 1505-11, Catch Statistics Files. This section discusses the special records management considerations which arise due to incorporation of an electronic signature.

...

  • Create and maintain documentation of the systems used to create the records that contain electronic signatures.
    The West Coast E-fishticket system will be thoroughly documented with particular attention to e-signature aspects and audit trails that establish the trustworthiness of the e-signature.
  • _Ensure that the records that include electronic signatures are created and maintained in a secure environment that protects the records from unauthorized alteration or destruction._
    Panel

    Dave or Dayna needs to check that the statements below are accurate


    The fish ticket data, and the audit trail data supporting the trustworthiness of the e-signature, are implemented with the history mechanism described above to protect the records from unauthorized alteration or deletion. Furthermore the database is secured according to industry norms for important government data, including regular offsite backup and periodic permanent archiving of backups.
  • Implement standard operating procedures for the creation, use, and management of records that contain electronic signatures and maintain adequate written documentation of those procedures.
    Standard operating procedures will be implemented for the creation, use and management of these records.
  • Create and maintain records according to these documented standard operating procedures.
    The new standard operating procedures will be diligently followed. 
  • Train agency staff in the standard operating procedures.
    Agency staff will be trained.
  • Obtain official disposition authorities from NARA for both the records that contain electronic signatures and for the associated records which are necessary for trustworthy records.
    Electronic data submission adds audit trail data to the fish ticket records already covered under file series 1505-11 (Catch Statistics Files), and, establishes a link to an associated file series 1504-11(Fishing Vessel Permit Files). File series 1505-11 is sufficiently broad to accommodate the addition of audit trail data. The existing retention and access policies do not need to be revised, as the new audit trail data elements are component parts of the same database which stores the fish ticket records. File series 1504-11 provides disposition authority for the associated permit records which are used to establish confidence in the identity of the party applying an e-signature, and that file series needs no changes as a result of this new association.

...

  • 5.1 What new records may be created by electronic signature technology? and 5.2 How do agencies determine which of these electronic signature records to retain?
    The e-signature proposed does not create new types of records. It does add new data elements to existing records and create new associations between existing file series, but in this case the file series involved have been reviewed and no changes to existing retention and access policies are necessary. (The the guidance document was apparently written to cover a wide range of electronic signature technology; the e-signature technology proposed is on the simple end of the scale of technical sophistication.)
  • 5.3 Transferring electronic signature record material from contractors to agencies.
    Not applicable.
  • 5.4 When must an agency modify its records schedule to cover electronic signature records?
    No modification to the record schedule is necessary, as new records are not created by this e-signature, the e-signature itself requires no change to retention periods, and the e-signature does not significantly change the character of the record.
  • 5.5 Special considerations relating to long-term, electronically-signed records that preserve legal rights.
    The e-signature proposed does not depend on technologies or formats which are likely to become obsolete. The e-signature, it's associated audit trails, and the receipt are all stored as human readable text in relational database tables.
  • 5.6 NARA requirements for permanent, electronically-signed records.
    These are not permanent records, but, note that the receipt, which is stored as part of the e-signature, does contain the printed name of the signer as well as the date when the signature was executed.

Periodic Review and Re-Evaluation of the Electronic Signature Process

The proposed e-signature system should be reviewed annually for several years, as this technology is unfamiliar to the agency and our customers and we expect to learn from experience.