October 21, 2008
Workload Management Systems (WMS) Abstract
Overview

The Workload Management Systems (WMS) are a collection of workload systems used to manage resources in the Office of the Solicitor (SOL). The WMS contains in-house developed databases that track all significant legal activities referred by DOL client program agencies to the various components of the Solicitor's Office. Legal activities include case work (trial and appeals litigation) as well as other legal workload matters (legal opinions and advice, legislative reviews, and regulation and standards reviews). Data collected through the workload systems are used to analyze the volume, diversity, trends, and impact of the workload in the SOL divisions and field offices. These systems provide the information needed to manage SOL resources, to monitor performance, and to provide SOL's client agencies (DOL program offices) with updated information on the work being done in their respective program areas.

Introduction

DOL is responsible for ensuring the confidentiality, integrity, and availability of the information contained within its information systems. DOL must at times collect, use, analyze, and store PII from its employees and customers. DOL remains vigilant in protecting all of its information technology resources, and this is especially true of those systems containing PII. Ideally, the PIA should be performed during the development phase of a system's life cycle. A PIA should also be conducted whenever the system is significantly modified or the sensitivity of the data contained within the system changes.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected, as well as the reasons for its collection as part of the program, system, or technology being developed.

The Workload Management Systems contain protected/sensitive personally identifying information (PII), including PII on members of the public. This PII includes SSN, name, mailing address, residential address, and place of work. These members of the public include claimants (for injuries and medical conditions), judges, and appellants.

- FOIA System
- SOLAR
- Time Distribution
PII is collected from DOL client program agencies. PII for a specific matter or case is reviewed by the supervisor assigned to that matter or case.
Various statutes that permit DOL program agencies to accomplish the agency mission.

Privacy risks would result from a breach of the security safeguards implemented for WMS, which could subsequently compromise the confidentiality, integrity, and availability of the information collected through WMS. The risk of data compromise, or of the theft of backup tapes, is mitigated by several security controls. Physical security, such as guards strategically positioned throughout the DOL FPB, access badges, and surveillance cameras, helps ensure there is no unauthorized access to SOL offices. Unauthorized access to the WMS is addressed by GSS (ECN/DCN and MSHA) network intrusion detection systems, port scans, firewall log monitoring, and malware detection and correction software. WMS audit logs are reviewed weekly for indications of suspicious activity or anomalies that may indicate misuse of system resources or access permissions. WMS data files are backed up incrementally on a daily basis by ECN/DCN GSS and MSHA GSS network personnel, with a full backup created weekly. SOL implements security controls per OCIO Security guidance and as defined in Federal Information Processing Standards (FIPS) Publication (PUB) 200, Minimum Security Requirements for Federal Information and Information Systems, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. Implementation of these controls, and the associated risks and mitigations, is reflected in the WMS System Security Plan (SSP) and Risk Assessment (RA).

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

- FOIA System
- SOLAR
- Time Distribution
- Legislative Project Tracking System
Crystal Reports is used to generate office level and management reporting. SSN is not reflected in any management reporting.
No.

NA

The key security controls to ensure that PII is handled in accordance with the uses described above include:

- Technical Class Controls
- Operational Class Controls
Implementation of the above security controls is documented in the WMS SSP, v1.5, December 28, 2007, which addresses all of the areas identified above, including how SOL employees are granted system access based upon their organizational role and need to know, authorizing officials, technical aspects of authentication management, software use and engineering, and the auditing of access files to ensure the protection of data maintained by the WMS. WMS is required to continually address statutory and Department-level requirements to substantiate its handling of information through the workload systems and to ensure compliance. From a technical perspective, continuous monitoring requirements provide assurance that privacy-applicable controls are consistent with DOL OCIO Security Certification and Accreditation.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

Data in WMS is retained indefinitely.
Yes.

Whenever large amounts of personal data are stored for an extended period of time, and especially when tied to a system with the intelligence to tailor this data, there is a significant privacy risk. This risk increases proportionally with the length of time for which the data are retained. In the case of WMS, the data are retained indefinitely, leading to a substantially high level of risk of compromise.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.
- SOLAR – PII is shared within SOL through management reporting. SSN is not reflected in any management reporting.
- TD – PII is shared within SOL through management reporting.
- FOIA Appeals – PII is shared with the DOL program agency that originally denied the FOIA request.

Through management reports, transmittal letters, and online screens.

The privacy risk lies in unauthorized disclosure based on the methods of sharing. The two methods and the mitigation of potential risks are as follows:
External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL, which includes federal, state, and local government and the private sector.
None

NA

NA

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Yes. Federal Register Volume 67, No. 67: SOLAR (DOL/SOL-7) and FOIA Appeals (SOL-9) only.

Yes. Based on the invocation of the Privacy Act of 1974.

Yes. Based on the invocation of the Privacy Act of 1974.

The predominant privacy risk lies in improper disclosure. All SOL Federal and contractor support staff are aware of the penalties regarding improper use of WMS information (e.g., system access notification, computer security awareness training, Contractor Confidentiality/Non-Disclosure Agreement, Employee Computer Network (ECN)/Departmental Computer Network (DCN) Network Access Request Form, and Rules of Behavior).

Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

Members of the public can gain access to their information via a FOIA request. Procedures are contained in the DOL Guide for Requesting FOIA Records (http://www.dol.gov/dol/foia). Notification is provided on the DOL website at http://www.dol.gov/dol/foia.

N/A.

Individuals may file an appeal with the DOL Office of the Solicitor.

Privacy risks associated with unauthorized disclosure of information are mitigated through:
Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.
SOL Access Control Family procedures are in place and documented in accordance with the DOL Computer Security Handbook.

Yes. SOL development/support contractors have access to the system.

Privacy training is provided and included as part of the DOL annual Computer Security Awareness Training (CSAT).

The following in-place auditing measures and technical safeguards are applied to prevent misuse of data. These controls include:
Privacy risks associated with unauthorized disclosure of information are mitigated through the implementation of technical controls associated with need-to-know and least privilege, ensuring that users have no more privileges to data than required to perform their official duties. In addition, deterrent controls in the form of warning banners, rules of behavior, confidentiality agreements, and auditing are in place. Exit procedures for departing SOL employees include the prompt disabling of accounts.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

WMS is in the Operations and Maintenance Phase. The project development life cycle used is the DOL Systems Development Life Cycle Management Guide.
No.

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

SOL has completed the PIA for WMS, which is currently in operation. SOL has determined that the safeguards and controls for this moderate system adequately protect the information referenced in the WMS System Security Plan, v1.5, dated December 28, 2007. SOL has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.