Business Context, Transaction Types and Volume
june council meeting pfmc taking up 2009/10 specs for groundfish requested dev and impl of logbook program for fixed gear groundfish both limited and oa... all line boats and pot boats
states declined to impl, although they are interested in success
all prior logbook programs on west coast were state
nmfs is going to impl federal logbook, not interested in designing a paper system
500 vessels, reporting daily when they fish, vessels may fish 9 months per year
More.... legislative or other policy mandates
Business Drivers
Near to real-time information on catch and bycatch is required as an element of national standard 1 (reduce bycatch)
have 7 or 8 overfished species, these are restricting ability of fleet to access OY sector allocations, ability to accurately track bycatch is critical to allow fleet to maximze OY
under current system logbook gets plugged into modeling future OY, where fishing is, patterns, and etc. takes 1.5 years to get logbook and observer data into the models
move to e-reporting, gps integration, all thats left is stock comp of hauls
More.... The more could include what business benefit they derive from the permit and what business risk they incur if they break NMFS rules. Is this the spot for cycle times?
Business Risk in the Permit Context
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
Trawl fleet (whiting) is most technology sophisticated.
Longline has some 66-70 ft, also some 16' participating in live fishery in CA, no sophistication at all, using rod and reel,
e-reporting from vessel through VMS, but immediate plan is software on a PC that they send as email attachments from the vessel, as required at end of day or trip
some vessels don't currently have email
could accept some info transferred on thumb drive then take to home office and transfer via email
reconciling and corrections?
Data sensitivity and security FISMA and Privacy Act issues
data is confidential
Mitigating controls
Threat and Vulnerability Identification
Vulnerability |
Threat-source |
Threat Action |
Category of Harm |
Likelihood of Harm |
Impact of Harm |
|---|---|---|---|---|---|
Impersonation in registration and/or transactions |
Common criminal/identity thief |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: common criminals are unlikely to have subject-area expertise to discover a fraud opportunity and there are probably much more attractive targets |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: successful identity theft could result in compromise of sensitive information from the victim's permit records |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions |
Disgruntled industry employee |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit data |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions |
Competitor |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: release of sensitive information would increase the perpetrator's risk of exposure, which would only make sense if the motive were to cause harm, and not for gain. |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability |
Customer (fisher or processor) |
Signer claims "I didn't sign that" |
Inconvenience, distress or damage to standing or reputation |
Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish.) |
Low: agency might expend effort to resolve, but the distress would be limited and short-term |
lines below are placeholders for possible further work |
|
|
|
|
|
|
|
|
Inconvenience, distress or damage to standing or reputation |
|
|
|
|
|
Financial loss or agency liability |
|
|
|
|
|
Harm to agency programs or public interest |
|
|
|
|
|
Unauthorized release of sensitive information |
|
|
|
|
|
Civil or criminal violations |
|
|