www.dol.gov/cio
September 21, 2008

Information Security

Overview

The primary objectives of the Department of Labor (DOL) information security effort are:

  • Ensuring the confidentiality of sensitive information processed by, stored in, and moved through information systems and applications belonging to the Department of Labor (DOL). Examples of sensitive information processed by DOL include: personally identifiable information and other Privacy Act protected records; pre-release economic statistics; information provided by companies and citizens under the assumption of confidentiality; and pre-award contract financial information.

  • Ensuring the integrity of DOL information, so that decisions and actions based on data processed by, stored in, and moved through DOL information systems can be made with the assurance that the information has not been manipulated, that the information is not subject to repudiation, and that the source of any changes to the information can be determined as reliably as possible.

  • Ensuring the availability of the DOL information systems and applications during routine operations and in crisis situations to support the DOL Mission.

The Department of Labor (DOL), Office of the Chief Information Officer (OCIO), maintains a team of security professionals responsible for the oversight of information security practices at the department. Their responsibility is to develop and maintain the programs that help the department meet its information security objectives.

Security Initiatives - The OCIO Security Officer is responsible for a wide variety of initiatives that continuously improve the information security stance of the department.

Guiding Policies - Listed here are many of the laws, regulations, and guidance that the OCIO Security Officer uses to generate internal guidance and perform oversight review and reporting.

Contact Us - Where to go if you want more information about the DOL OCIO Security programs or need contact information for specific DOL component agencies.

Security Initiatives

  • Regulatory Compliance And Oversight

    The Department of Labor (DOL) OCIO is responsible for providing regulatory oversight for information technology (IT) security. This oversight includes the development of department-wide policy, procedures, and guidance for compliance with Federal laws, regulations, and guidelines, and sound security and privacy practices. Additionally, OCIO Security is responsible for reviewing security program documentation developed to ensure compliance and further enhance security practices across all component agencies. Documents reviewed include, but are not limited to:

    • Security Program Plans
    • Risk Assessments
    • System Security Plans
    • Contingency Plans
    • Certification and Accreditation Documents

    Government Information Security Reform Act (GISRA) Implementation and Reporting

    The OCIO Security team is responsible for compiling the Department's quarterly and annual reporting of information security under GISRA. This includes the collection, review, and aggregation of reports on the plans of action and milestones to mitigate security weaknesses, as well as the annual review of departmental security programs. DOL uses the National Institute of Standards and Technology (NIST) Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, to conduct this annual review.

    Computer Security Awareness and Training

    DOL OCIO Security is responsible for developing the department-wide minimum training requirements for all employees, computer security professionals, and executive management. This includes hosting the annual computer security awareness week and other activities throughout the year to bolster the IT security knowledge of DOL employees. DOL component agencies are required to add depth to the department-wide training requirement to bring system users up to speed on security requirements particular to the systems and applications they operate.

    Computer Security Incident Response

    The OCIO maintains a computer security incident response capability to address incidents across the department. The DOL Computer Security Incident Response Capability (CSIRC) functions in dual modes - proactive and reactive. The team proactively monitors federal and commercial computer incident response and homeland security groups (FedCIRC, CERT, etc.) to determine potential threats to DOL systems and newly discovered vulnerabilities in DOL systems and applications. The team then notifies the security officers at each component agency, and, as required, collects feedback on the mitigation of new vulnerabilities and threats.

    Furthermore, the OCIO CSIRC is responsible for responding to anomalies and incidents related to computer security in DOL systems and applications. The OCIO coordinates anomaly reporting to determine whether potential threat activity is directed against one component agency or across all of DOL. Additionally, the OCIO is responsible for coordinating incident reporting to outside organizations, including law enforcement and government-wide incident response.

    OCIO Process Synchronization

    Capital Planning

    The OCIO Security team routinely interacts with the OCIO Capital Planning team to ensure that the fiscal decisions related to IT across the department maintain and enhance our already strong information security posture. The Security team participates in the quarterly capital planning control reviews to follow the progress of projects and initiatives in progress and ensures continued compliance with security requirements and best practices.

    The OCIO Security team also ensures that the System Development Lifecycle Management (SDLCM) methodology is synchronized with the security requirements of sound systems development. Research indicates a tenfold cost saving when security is designed into a system or application from the outset rather than re-engineered after it is already operational.

    Enterprise Architecture

    The OCIO Security team is actively involved in the efforts of DOL to establish and manage an enterprise architecture. The team routinely reviews enterprise architecture guidance documents to ensure that they are in compliance with current security laws, regulations, guidelines, and best practices. Part of this effort is directed at maintaining a common and uniform architecture for security protection at DOL to maximize interoperability of component agency information systems. Furthermore, this commonality is extended to maximize government-wide information sharing and interoperability under the EGovernment initiative and the President's Management Agenda.

    Information Collection

    The OCIO Security team actively participates in the information collection efforts at DOL. Initiatives undertaken in support of the Paperwork Reduction Act (PRA) and the Government Paperwork Elimination Act (GPEA) strive to improve information sharing within and across federal departments and agencies and to increase the use of electronic collection processes. The systems at DOL contain a wide variety of sensitive but unclassified information - personally identifiable information, corporate sensitive data, and leading economic indicators. Any effort to increase information sharing or change information collection practices should carefully review the security impact of the effort and find ways to eliminate, as far as possible, the risk of compromise of this information.

    Government-Wide Outreach

    The OCIO Security team participates in several government-wide initiatives to share lessons learned and ensure compliance with the objectives of EGovernment on the President's Management Agenda. These activities include, but are not limited to:

    • Risk Grading - the government seeks to establish a universal risk grading methodology to allow (?)
    • Policy and Guidance Review - the OCIO security team routinely reviews policies and guidance from the Office of Management and Budget (OMB) and NIST to provide (?)
    • EGovernment Initiative Oversight - DOL is designated as the lead agency for GovBenefits. In this capacity, the OCIO Security team reviews the GovBenefits security practices to maximize the security posture of this critical government-wide initiative.
    • CIO Council
    • Committee on National Security Systems

Guiding Policies

The Office of the Chief Information Officer uses the following laws, regulations, and guidance when setting the department's policies, procedures, and practices:

  • Public Law (PL) 93-579, the Privacy Act of 1974 (5 U.S.C. 552a)
  • PL 100-235, "Computer Security Act of 1987"
  • PL 100-503, the Computer Matching and Privacy Protection Act
  • PL 104-106, Division E, the Information Technology Management Reform Act (Clinger-Cohen Act) of 1996
  • PL 106-398, Title X, Subtitle G, the Government Information Security Reform Act (GISRA)
  • 5 CFR Part 930, Subpart C, OPM Regulations Implementing the Training Requirements of the Computer Security Act of 1987
  • 29 CFR Part 71, DOL Regulations Implementing the Privacy Act
  • Office of Management and Budget (OMB) Circular No. A-130, Revised (Transmittal Memorandum No. 4), "Management of Federal Information Resources," November 30, 2000
  • OMB Circular No. A-123, "Management Accountability and Control," June 21, 1995
  • OMB Memorandum M-00-07, "Incorporating and Funding Security in Information Systems Investments," February 28, 2000
  • OMB Memorandum M-01-08, "Guidance on Implementing the Government Information Security Reform Act," January 16, 2001
  • OMB Memorandum M-01-24, "Reporting Instructions for the Government Information Security Reform Act," June 22, 2001
  • OMB Memorandum M-02-01, "Guidance for Preparing and Submitting Security Plans of Action and Milestones," October 17, 2001
  • National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, "National Information Assurance Certification and Accreditation Process (NIACAP)," April 2000
  • NSTISSI 4009, "National Information Systems Security (INFOSEC) Glossary," January 1999
  • National Institute of Standards and Technology (NIST) Special Publication (SP) 500-165, "Software Verification and Validation: Its Role in Computer Assurance and Its Relationship with Software Project Management Standards," September 1989
  • NIST SP 800-4, "Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials," March 1992
  • NIST SP 800-6, "Automated Tools for Testing Computer System Vulnerability," December 1992
  • NIST SP 800-12, "An Introduction to Computer Security: The NIST Handbook," October 1995
  • NIST SP 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems," September 1996
  • NIST SP 800-16, "Information Technology Security Training Requirements: A Role- and Performance-based Model," April 1998
  • NIST SP 800-18, "Guide for Development of Security Plans for Information Technology Systems," December 1998
  • NIST SP 800-27, "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)," June 2001
  • FIPS Publication 31, "Guidelines for Automatic Data Processing Physical and Risk Management," June 1974
  • FIPS Publication 65, "Guideline for Automatic Data Processing Risk Analysis," August 1, 1993
  • FIPS Publication 87, "Guidelines for ADP Contingency Planning," March 27, 1981
  • FIPS Publication 101, "Guideline for Life Cycle Validation, Verification, and Testing of Computer Software," June 6, 1983
  • FIPS Publication 112, "Password Usage," May 30, 1985
  • FIPS Publication 113, "Computer Data Authentication," May 30, 1985
  • Department of Labor Systems Development and Life Cycle Management Manual, Version 2.0, July 2000
  • U.S. Department of Labor Information Technology Architecture, January 2000
  • U.S. Department of Labor Computer Security Handbook
  • U.S. Department of Labor Manual Series-9 (DLMS-9, Information Technology, Security - 400)

Phone Numbers