Business Context, Transaction Types and Volume
states have fish ticket programs (actually 26 of them) were developed for revenue purposes
examples: whiting in wa, salmon in ca
info flows into pacfin
state and pacfin program
dave is dev e reporting that emulates state programs, take current state systems and turn into e format with no change in management approach etc.
want to demonstrate utility of program and e format, but give states flexibility and time to adopt at their schedule
under whiting efp great deal of interest to track bycatch on near or real-time basis
propsed require shoreside catch under efp (in addition to state paper system) also report under the e-reporting
demo speed of reconciling, near real-time tracking of bycatch, dual reporting
under ammendment 10, which replaces efp program, will continue to require e-reporting, just for whiting
to the extent that states may want to use e reporting for black cod or other fisheries, we want to allow that
current whiting fishery fish ticket volume, 40 boats, 20 days of fishing, 15 landings per vessel times 40 boats
higher end of range would approach total fish tickets on west coast
More.... legislative or other policy mandates
A wide range of permit types are issued. Some representative examples are:
More....
New permit application volume nation-wide is estimated at __ new permits per year.
Permit renewal volume nation-wide is estimated at __ renewals per year.
Permit transfer volume nation-wide is estimated at __ transfers per year.
Business Drivers
Fisheries are managed regionally, but, many participants in the fishing industry are national or multinational in scope. It would be a convenience to these participants to offer a one-stop-shop for permits. Also, a one-stop-shop would facilitate maintenance of a single identifier for an industry participant who fishes or processes fish in multiple regions, and it would leverage efforts to improve data quality across regions. More.... The more could include what business benefit they derive from the permit and what business risk they incur if they break NMFS rules. Is this the spot for cycle times?
Business Risk in the Permit Context
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
Permit holders range from large multinational corporations to small family businesses. But generally fishing and processing permit holders are technologically sophisticated, as the fishing industry is competitive and participants have strong incentives to leverage available technology. However, fishing is frequently a lifestyle choice of action-oriented individualists, and most of the participants would rather be on deck fishing than in the wheelhouse complying with record-keeping and report requirements. It is probably safe to assume that technology that makes record-keeping and reporting compliance less burdensome will be well accepted, while any technology that increases the burden would be unacceptable.
Data sensitivity and security FISMA and Privacy Act issues
In general these permit applications do not contain highly sensitive information. However, most have some personally identifying information (PII) and some few applications may contain proprietary business information.
Mitigating controls
Registration will be open to new permit applicants, existing permit holders, and agents of both. From the system perspective, there is little difference between permit holders and agents of permit holders. (Agents should file a notarized letter of authorization from each permit owner that the agent represents. The permit owner is responsible for transactions pertaining to their permit, and if they have delegated to an agent without submitting the authorization letter, that doesn't absolve them of any responsibility.) New permit applicants will not be identifiable with the same level of assurance as existing permit holders, but, as the permit application is processed, the confidence in the permit holder's identity will grow. And as a new permit applicant starts out with no value in the system, there is little at risk for these participants whose identity is less certain.
Existing permit holders may have considerable value in the system; for example, they may own fisheries quota that has significant market value. These existing permit holders must demonstrate knowledge of a secret permit access code (PAC) which was mailed by USPS mail to the permit owner's address of record. After a participant has registered and associated their permits with their username (through knowledge of one or more PACs), then the participant can access potentially sensitive permit information as well as renew or transfer permits. There are opportunities for mitigating controls in business processes, so the e-signature process does not necessarily have to address all of the transaction risk.
New permit applications generally involve processing rigor commiserate with the value of the permit. Permits for fisheries with low economic opportunity and/or low risk to the public resource generally receive only nominal scrutiny. Permits for fisheries with high economic opportunity and/or high risk to the public resource receive considerable scrutiny. In many cases this involves confirming vessel ownership with the US Coast Guard, verifying participation in prior fisheries through previously submitted state or federal fish tickets or logbooks, confirmation of business ownership, etc.
Permit renewals generally receive little scrutiny.
Permit transfers receive scrutiny commiserate with the complexity of the relevant fisheries management plan. For the more complex fisheries management regimes, changes to permit ownership patterns may have ripple effects. In the absence of complex ownership rules, permit transfers might receive little scrutiny.
Threat and Vulnerability Identification
Vulnerability |
Threat-source |
Threat Action |
Category of Harm |
Likelihood of Harm |
Impact of Harm |
---|---|---|---|---|---|
Impersonation in registration and/or transactions |
Common criminal/identity thief |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: common criminals are unlikely to have subject-area expertise to discover a fraud opportunity and there are probably much more attractive targets |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: successful identity theft could result in compromise of sensitive information from the victim's permit records |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions |
Disgruntled industry employee |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit data |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions |
Competitor |
Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) |
Inconvenience, distress or damage to standing or reputation |
Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" |
" |
" |
Unauthorized release of sensitive information |
Low: release of sensitive information would increase the perpetrator's risk of exposure, which would only make sense if the motive were to cause harm, and not for gain. |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability |
Customer (fisher or processor) |
Signer claims "I didn't sign that" |
Inconvenience, distress or damage to standing or reputation |
Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish.) |
Low: agency might expend effort to resolve, but the distress would be limited and short-term |
lines below are placeholders for possible further work |
|
|
|
|
|
|
|
|
Inconvenience, distress or damage to standing or reputation |
|
|
|
|
|
Financial loss or agency liability |
|
|
|
|
|
Harm to agency programs or public interest |
|
|
|
|
|
Unauthorized release of sensitive information |
|
|
|
|
|
Civil or criminal violations |
|
|