Business Context, Transaction Types and Volume
In the Northwest Region the states have existing fish ticket programs (actually 26 of them). These were originally developed for revenue purposes, but the fish tickets have become multi-purpose documents, functioning as a receipt between buyer and seller, as a record of catch (and sometimes of effort) for fisheries management, as documentation of participation in a fishery, as a record of gross profit for calculation of crew shares, as documentation of value for economic analysis, and of course the original purpose of government tax records.
Examples of state fish tickets include whiting in Washington and Salmon in California. The information captured on fish tickets has been standardized to the point that PACFIN can aggregate fish ticket data from each state into a regional database.
Whiting fisheries in the Northwest Region are currently operating under an Exempted Fishing Permit (the shoreside whiting EFP). The whiting EFP recognizes that there is a need to track bycatch on a near real-time basis, and proposed electronic reporting, or an e-ticket program, as a mechanism. Under this proposal the e-ticket reporting is in parallel with the state's traditional paper fish tickets. PSMFC is currently developing this e-ticket program, emulating and coexisting with state fish ticket programs, capturing data into the PACFIN database directly from participating processors without going through the states (the states may subsequently data-enter from the paper copies into their own local databases, or, they may download data from PACFIN to complete their local databases.) This pilot project is emulating state programs with no change in management approach, data elements, etc. This approach anticipates that the new system will demonstrate the utility of e-tickets (near real-time tracking of catch and bycatch, speed of reconciling, increased efficiency) while allowing states flexibility and time to adopt at their convenience.
Under ammendment 10, which replaces the Whiting EFP program, e-reporting of whiting will continue to be required. As the program gains maturity and acceptance it is hoped that the states may want to use e reporting for black cod or other fisheries.
The current whiting fishery fish ticket volume is 40 boats for up to 20 days of fishing, for a ceiling of approximately 800 transactions. The potential of e-ticket transactions would eventually approach the total volume of fish tickets on the West Coast.
Business Drivers
Near to real-time information on catch and bycatch of overfished species is required as an element of National Standard 1 (NS1). For the Whiting fishery an e-ticket provides the most effective mechanism for acquiring near real-time catch and bycatch information. Fish ticket record-keeping and reporting regulations require processor and vessel operator signatures for accountability. An e-signature feature is required to make e-ticket reporting (without a corresponding paper document for signatures) feasible.
By near real-time we mean an elapsed time of less than 48 hours from the completion of the vessel offload to data analysis in the agencies catch and bycatch monitoring systems.
Business Risk in the Permit Context
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
The trawl fleet (whiting) is most technology sophisticated fleet in the Northwest Region, but, by regulation fish tickets are reported by processors. Most processors are large permanent shoreside facilities, but some are the "white van fleet", without a fixed base of operations or any technology beyond a cell phone.
Data sensitivity and security
Information collected pursuant to requirements of the MSA is protected by its confidentiality provisions at § 402 and under its implementing regulations at 50 CFR Part 600 Subpart E, including NOAA Administrative Order (NAO) 216-100. Additional protections of the Privacy Act and FOIA apply to such data as well as those collected under the Halibut Act.
Mitigating controls
Perhaps the most significant mitigating control is that in commercial fisheries transactions, both parties to the transaction (typically the fisher and the fish processor) are permitted entities and each has some responsibility for accurate and complete record-keeping and reporting (for example, the fisher may be required to keep a logbook showing fishing efforts and catch, while the processor is required to report fish purchased). In these transactions it is typical for the parties to the transactions to have opposite and balancing interests (for example, when a fisher is selling fish to a processor, the fisher wants the amount paid to be high, while the processor wants the amount paid to be low). These multiple sources of information and counter-balanced incentives tend to make deception more difficult to initiate and sustain.
Another mitigating control is that under the authority of the Debt Collection Improvement Act (31 U.S.C. 7701), NMFS would collect Tax Identification Number information from individuals in order to issue, renew, or transfer fishing permits or to make nonpermit registrations.
The vessels and processors involved are permitted and therefore have a prior "trusted relationship" with NMFS. In many cases this prior relationship involves confirming vessel ownership with the US Coast Guard, verifying participation in prior fisheries through previously submitted state or federal fish tickets or logbooks, confirmation of business ownership, etc.
Threat and Vulnerability Identification
Vulnerability |
Threat-source |
Threat Action |
Category of Harm |
Likelihood of Harm |
Impact of Harm |
|---|---|---|---|---|---|
Impersonation in registration and/or transactions |
Common criminal/identity thief |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: common criminals are unlikely to have subject-area expertise to discover a fraud opportunity and there are probably much more attractive targets |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: successful identity theft could result in compromise of sensitive information from the victim's permit records |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions |
Disgruntled industry employee |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit data |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions |
Competitor |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: release of sensitive information would increase the perpetrator's risk of exposure, which would only make sense if the motive were to cause harm, and not for gain. |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability |
Customer (fisher or processor) |
Signer claims "I didn't sign that" |
Inconvenience, distress or damage to standing or reputation |
Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish.) |
Low: agency might expend effort to resolve, but the distress would be limited and short-term |
lines below are placeholders for possible further work |
|
|
|
|
|
|
|
|
Inconvenience, distress or damage to standing or reputation |
|
|
|
|
|
Financial loss or agency liability |
|
|
|
|
|
Harm to agency programs or public interest |
|
|
|
|
|
Unauthorized release of sensitive information |
|
|
|
|
|
Civil or criminal violations |
|
|