
Business Context

From proposal: the National Marine Fisheries Service issues permits to fishing industry individuals and corporations and also to individual recreational fishers. More... legislative or other policy mandates.


Currently 6 vessels report electronically; this could go up to 200 vessels. Records must be transferred within 72 hours of landing; vessels typically land every few weeks, and the potential exists for daily reporting via VMS. (Good place for transaction volumes.)

Business Drivers

With e-signature, fishers would be more accepting of electronic reporting. Fishers have concerns about achieving compliance. Drivers for wanting e-reporting: better data, faster data, fewer corrections. Magnuson-Stevens driver for reducing cycle time? More... The "more" could include what business benefit they derive from the permit and what business risk they incur if they break NMFS rules. Is this the spot for cycle times?

Business Risk in the Permit Context

NIST SP 800-30, Risk Management Guide for Information Technology Systems, defines risk as a function of the likelihood that a given threat-source exercises a particular potential vulnerability and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.

Users and functionality

Not sure about this label as it seems to be more about the registration process. I think I would describe users more generically above in the context section. What are their characteristics (i.e., businesses, individuals, etc.)? Level of automation in business and maybe even computer savvy. What's the extent to which there are intermediaries between users and government?

These are mid-size vessels (in the vicinity of 70 ft) that have GPS, VMS, and sophisticated fish-finding technology. A number of the vessels have e-logbook software onboard integrated with track plotting systems. This e-logbook application includes a unique identifier via a hardware dongle which could be used to identify data from the vessel. An existing rule provides authority for optional electronic reporting. E-Logbook Vendor Certification Guidelines are in the approval process; they would allow a vendor to promote an e-logbook application as NMFS-approved for e-logbook compliance.

Functionality would be creation/maintenance of the e-logbook record, storage of the e-logbook records on portable media (floppy, CD, memory stick), and physical transfer of the portable media to NMFS, or, alternatively, email transmission of e-logbook records to NMFS.

Transactions: data sensitivity

I would move the volume data up in the business context and leave this section to focus on FISMA and Privacy Act issues.

E-Logbook data is fisheries confidential data under the Trade Secrets Act. Unless the e-signature requires it, there is not likely to be PII in this data. ...clarify...

Internal control processes (aka mitigating controls?)

In this case we have independent confirmation of the vessel's location through the VMS system. The e-logbook software application's licensing-compliance dongle forms a unique identifier for each logbook page, and it can tie the logbook page to a particular instance of the e-logbook software. These vessels are permitted to fish and therefore have a prior "trusted relationship" with NMFS. In many cases this prior relationship involves confirming vessel ownership with the US Coast Guard, verifying participation in prior fisheries through previously submitted state or federal fish tickets or logbooks, confirmation of business ownership, etc. ...need more detail...

Threat and Vulnerability Identification

| Threat | Threat Source | Threat Action | Category of Harm | Likelihood of Harm | Impact of Harm |
|---|---|---|---|---|---|
| Impersonation in e-logbook transactions | Disgruntled industry employee | Impersonation using stolen identity credentials | Inconvenience, distress or damage to standing or reputation | Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice, and when detected, the impact could be effectively mitigated |
| | | | Unauthorized release of sensitive information | Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in e-logbook data | Low: the impact would be limited to the party whose identity has been stolen |
| Impersonation in e-logbook transactions | | Impersonation using stolen identity credentials | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an electronic system makes them less likely to have means or opportunity. Risk exposure is reduced significantly in electronic transactions versus paper transactions. | Low: impersonated parties would be likely to notice during the dockside interview process and subsequent data review, and when detected, the impact could be effectively mitigated |
| | | | Unauthorized release of sensitive information | Low: risk of release of sensitive information is not significantly different than with a paper logbook | Low: the impact would be limited to the party whose physical media has been stolen |
| Repudiation to escape accountability | Customer (fisher) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-logbook submission could then be prosecuted for fishing without reporting. There will generally be independent evidence of the fishing or processing activity (follow the fish, also follow the VMS track). | Low: the agency might expend effort to resolve, but the distress would be limited and short-term |

Lines below are placeholders for possible further work (categories of harm not yet assessed for each threat):

- Inconvenience, distress or damage to standing or reputation
- Financial loss or agency liability
- Harm to agency programs or public interest
- Unauthorized release of sensitive information
- Civil or criminal violations
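The table above rates each threat by likelihood and impact but stops short of the risk level that NIST 800-30 derives from the two. As an added example (not part of this page or of any NMFS system), the following Python encodes the table's ratings and computes that risk level; it assumes the NIST SP 800-30 (2002) Table 3-6 weights and maps the page's "Moderate" onto 800-30's "Medium".

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NIST SP 800-30 (2002) Table 3-6 weights: likelihood High/Medium/Low = 1.0/0.5/0.1,
# impact High/Medium/Low = 100/50/10. Mapping the page's "Moderate" to Medium is an assumption.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "moderate": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "moderate": 50, "low": 10}

@dataclass(frozen=True)
class Threat:
    threat: str
    source: str
    harm: str
    likelihood: Optional[str]  # None marks a placeholder row that has not been rated yet
    impact: Optional[str]

IMPERSONATION = "Impersonation in e-logbook transactions"
REPUTATION = "Inconvenience, distress or damage to standing or reputation"
RELEASE = "Unauthorized release of sensitive information"

# Ratings transcribed from the page's table; the per-cell rationale is omitted here.
ROWS = [
    Threat(IMPERSONATION, "Disgruntled industry employee", REPUTATION, "Moderate", "Low"),
    Threat(IMPERSONATION, "Disgruntled industry employee", RELEASE, "Low", "Low"),
    Threat(IMPERSONATION, "(source not stated on the page)", REPUTATION, "Low", "Low"),
    Threat(IMPERSONATION, "(source not stated on the page)", RELEASE, "Low", "Low"),
    Threat("Repudiation to escape accountability", "Customer (fisher)", REPUTATION, "Low", "Low"),
    Threat("(placeholder row)", "", "Financial loss or agency liability", None, None),
]

def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight times impact value, per NIST 800-30 Table 3-6."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]

def risk_level(score: float) -> str:
    """NIST 800-30 risk scale: >50 High, >10 to 50 Medium, 1 to 10 Low."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def assess(rows: List[Threat]) -> Tuple[List[Tuple[Threat, float, str]], List[Threat]]:
    """Rank rated rows by score (highest first) and collect rows still missing a rating."""
    assessed, unassessed = [], []
    for r in rows:
        if r.likelihood is None or r.impact is None:
            unassessed.append(r)  # placeholders surface as open work, not as "Low"
        else:
            s = risk_score(r.likelihood, r.impact)
            assessed.append((r, s, risk_level(s)))
    assessed.sort(key=lambda t: t[1], reverse=True)
    return assessed, unassessed
```

With the page's ratings every rated row lands in 800-30's Low band (scores 5 and 1), and the single placeholder row is reported separately so an unrated category is never silently counted as low risk.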
