Detailed Project Outline
Cassio DeSanctis drafted this outline based on the procedural directive. Although terms such as "implementation" appear in this outline, the project is a planning, design, and plan-approval exercise; neither this outline nor the project specifies a complete development process resulting in implemented production systems. A development process (and/or procurement) is eventually intended, but it is not documented here.
- Evaluation
- Scoping Document
- Business Plan
- Office Management Approval
- Implementation
Assuming that the evaluation results in a decision to implement:
- Implementation
- Determine Assurance Level (AL) to Mitigate Risks (assurance level per NIST 800-63)
- Use table of Potential Impacts and Probability of Occurrence
- Choose lowest level that can mitigate risks
- Use best judgment to determine appropriate AL
- Identify and Implement Technical Requirements corresponding to AL
- Level 1: allows PINs + challenge-response authentication
- Level 2: strong password (no PINs) + tunneled password authentication
- Level 3: one-time password device + proof-of-possession (PoP) authentication protocol
- Level 4: hard-tokens + private key PoP authentication
- Legally Bind Transaction to Individual or Entity
- Ensure submitting party knows Terms and Conditions
- Establish that submitting party is aware of obligations they are agreeing to (e.g. permits/logbooks)
- Make party take willful action to indicate desire to sign
- Chain of Custody Audit Trails
- Integrity of the transaction
- Record sending location
- Record sending individual / entity
- Date and time stamp of receipt
- Proof that agency sent a receipt
- Confirmation that individual received the "receipt"
- Handling of information once received
- Changes to information require the re-collection of all information that is part of the audit trail in the original document
- Original documents should not be deleted when changes are made
- Changes to information must be tracked, including the person making the change, the time stamp, and accompanying documentation
- Electronic Receipts
- Should be printable
- Indicates parties in the transaction and the agreement that was made
- Contains confirmation code that can be used in the future to locate receipt
- Requires audit trail to track that receipt was sent and received
- Use of Information
- ES should only be required when needed
- Should not collect more information than necessary
- User should be able to opt out to a paper process
- Inform users that information collected will be managed and protected under the Privacy Act, Computer Security Act, Federal Information Security Management Act, etc.
- Long-term Retention
- Must meet requirements of Federal Records Act and NARA's Record Mgmt Guidance for ES
- Permanently retained records must include the printed name of the signer and date of signature
- Plan for software obsolescence / migrations to newer version without affecting existing documents
- Review and Re-evaluation of ES Process
- Should be included in the implementation strategy
- Review quality indicators such as number of transactions, average completion time, resubmissions, etc.
- Evaluate opportunities from changes in technology