Business Context, Transaction Types and Volume
Ending overfishing and preventing it from occurring was the highest priority of the reauthorized Magnuson-Stevens Act of 2006 (MSRA), signed by President Bush in January 2007. In the MSRA Congress requires fishery managers to establish science-based, enforceable annual catch limits and accountability measures for all U.S. fisheries with a deadline for implementation of 2010 for all stocks currently subject to overfishing and 2011 for all others. The NMFS Northwest Region has seven or eight overfished stocks. Managment for protection of these overfished stocks is restricting the ability of the fleet to access full optimum yield sector allocations, and the ability to accurately track bycatch of overfished stocks is critical to allowing the fleet to maximize optimum yield.
The Pacific Fishery Management Council in the June 2008 meeting requested implementation of a logbook program for the 2009/10 groundfish fisheries. This logbook requirement would apply to fixed gear groundfish both limited and open access, in other words, all line boats and pot boats. Subsequent to this meeting the States involved declined to implement this logbook requirement, although they expressed support for the concept. As a result of the State's decisions NMFS will be implmenting a federal groundfish logbook. (All prior logbook programs on the West Coast were state programs.)
NMFS is not interested in developing a paper logbook program because the cycle time for getting data into play for management decisions is too long. (Current logbook data from other programs is available in fishery models approximately 1.5 years after the fishing events.)
There are approximately 500 vessels in the fisheries that will be covered by this program. The e-logbook conceptual design would have these vessels reporting daily when they fish. These vessels may fish for up to nine months per year, so transactions volumes could approach 500/day and 135,000/year.
Business Drivers
Near to real-time information on catch and bycatch is required as an element of national standard 1 (reduce bycatch). An electronic logbook program provides the best mechanism for aquiring near real-time catch and bycatch information. Logbook record-keeping and reporting requires vessel operator signatures for accountability. An e-signature feature is required to make e-logbook reporting feasible.
By near real-time we mean an elapsed time of less than 48 hours from the completion of the vessel fishing activity (retrieving the fishing gear) to data analysis in the agencies catch and bycatch monitoring systems.
Business Risk in the Permit Context
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
The longline fleet has some technologically advanced vessels in the 65-70 foot range, but also some small vessels, perhaps as small as sixteen feet, fishing with rod and reel and potentially no technology aboard. The current conceptual design anticipates vessels hosting e-logbook software on a PC onboard the vessel and reporting as required (at the end of a day or trip) via email from the vessel, or alternatively, reporting by email from home after completion of a day-trip. (Media combinations might be acomodated; perhaps capturing the data on a PC, saving it to portable media such as a memory stick, taking the memory stick home after the day-trip, and transmitting the file from home via email.
Data sensitivity and security
Information collected pursuant to requirements of the MSA, including permit application information, is protected by its confidentiality provisions at § 402 and under its implementing regulations at 50 CFR Part 600 Subpart E, including NOAA Administrative Order (NAO) 216-100. Additional protections of the Privacy Act and FOIA apply to such data as well as those collected under the Halibut Act.
Mitigating controls
Perhaps the most significant mitigating control is that in commercial fisheries transactions, both parties to the transaction (typically the fisher and the fish processor) are permitted entities and each has some responsibility for accurate and complete record-keeping and reporting (for example, the fisher may be required to keep a logbook showing fishing efforts and catch, while the processor is required to report fish purchased). In these transactions it is typical for the parties to the transactions to have opposite and balancing interests (for example, when a fisher is selling fish to a processor, the fisher wants the amount paid to be high, while the processor wants the amount paid to be low). These multiple sources of information and counter-balanced incentives tend to make deception more difficult to initiate and sustain.
Another mitigating control is that under the authority of the Debt Collection Improvement Act (31 U.S.C. 7701), NMFS would collect Tax Identification Number information from individuals in order to issue, renew, or transfer fishing permits or to make nonpermit registrations.
Threat and Vulnerability Identification
Vulnerability |
Threat-source |
Threat Action |
Category of Harm |
Likelihood of Harm |
Impact of Harm |
|---|---|---|---|---|---|
Impersonation in registration and/or transactions |
Common criminal/identity thief |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: common criminals are unlikely to have subject-area expertise to discover a fraud opportunity and there are probably much more attractive targets |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: successful identity theft could result in compromise of sensitive information from the victim's permit records |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions |
Disgruntled industry employee |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit data |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions |
Competitor |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: release of sensitive information would increase the perpetrator's risk of exposure, which would only make sense if the motive were to cause harm, and not for gain. |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability |
Customer (fisher or processor) |
Signer claims "I didn't sign that" |
Inconvenience, distress or damage to standing or reputation |
Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish.) |
Low: agency might expend effort to resolve, but the distress would be limited and short-term |
lines below are placeholders for possible further work |
|
|
|
|
|
|
|
|
Inconvenience, distress or damage to standing or reputation |
|
|
|
|
|
Financial loss or agency liability |
|
|
|
|
|
Harm to agency programs or public interest |
|
|
|
|
|
Unauthorized release of sensitive information |
|
|
|
|
|
Civil or criminal violations |
|
|