Business Context
National Marine Fisheries Service issues permits to fishing industry individuals and corporations and also to individual recreational fishers.
Permits Types
A wide range of permit types are issued. Some representative examples are:
Business Drivers
Fisheries are managed regionally, but, many participants in the fishing industry are national or multinational in scope. It would be a convenience to these participants to offer a one-stop-shop for permits. Also, a one-stop-shop would facilitate maintenance of a single identifier for an industry participant who fishes or processes fish in multiple regions, and it would leverage efforts to improve data quality across regions.
Business Risk in the Permit Context
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
Registration will be open to new permit applicants, existing permit holders, and agents of both. From the system perspective, there is little difference between permit holders and agents of permit holders. New permit applicants will not be identifiable with the same level of assurance as existing permit holders, but, as the permit application is processed, the confidence in the permit holder's identity will grow. And as a new permit applicant starts out with no value in the system, there is little at risk for these participants whose identity is less certain.
Existing permit holders may have considerable value in the system (the market value of an individual fishery quota may exceed $ .) However, these existing permit holders must demonstrate knowledge of a secret permit access code (PAC) which was mailed by USPS mail to the permit owner's address of record. After a participant has registered and associated their permits with their username (through knowledge of one or more PACs), then the participant can renew or transfer permits.
New permit applications and permit renewals will be open to all registered parties.
Transactions: data sensitivity and volume
Internal control processes
Threat and Vulnerability Identification
Vulnerability |
Threat-source |
Threat Action |
Category of Harm |
Likelihood |
Impact |
|---|---|---|---|---|---|
Impersonation in registration and/or transactions |
Common Criminal, Identity Thief |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: general criminals won't have subject area expertise to discover a fraud opportunity and there are probably much more attractive targets |
Low: impersonated parties would be likely to notice quickly and impact could be mitigated |
Impersonation in registration and/or transactions |
Disgruntled industry employee |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Moderate: an employee would have the means, but risk exposure is not significantly different in electronic transactions than it is in paper transactions |
Low: impersonated parties would be likely to notice and impact could be mitigated |
Impersonation in registration and/or transactions |
Competitor |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: a competitor might have an opportunity to profit from fraud, but risk exposure is not significantly different in electronic transactions than it is in paper transactions |
Low: impersonated parties would be likely to notice and impact could be mitigated |
Repudiation to escape accountability |
Customer (fisher or processor) |
Signer claims "I didn't sign that" |
Inconvenience, distress or damage to standing or reputation |
Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for failure to file the repudiated document |
Low: agency might expend effort |
|
|
|
Financial loss or agency liability |
|
|
|
|
|
Harm to agency programs or public interest |
|
|
|
|
|
Unauthorized release of sensitive information |
|
|
|
|
|
Civil or criminal violations |
|
|
|
|
|
Inconvenience, distress or damage to standing or reputation |
|
|
|
|
|
Financial loss or agency liability |
|
|
|
|
|
Harm to agency programs or public interest |
|
|
|
|
|
Unauthorized release of sensitive information |
|
|
|
|
|
Civil or criminal violations |
|
|
|
|
|
Inconvenience, distress or damage to standing or reputation |
|
|
|
|
|
Financial loss or agency liability |
|
|
|
|
|
Harm to agency programs or public interest |
|
|
|
|
|
Unauthorized release of sensitive information |
|
|
|
|
|
Civil or criminal violations |
|
|
|
|
|
Inconvenience, distress or damage to standing or reputation |
|
|
|
|
|
Financial loss or agency liability |
|
|
|
|
|
Harm to agency programs or public interest |
|
|
|
|
|
Unauthorized release of sensitive information |
|
|
|
|
|
Civil or criminal violations |
|
|