www.dol.gov
U.S. Department of Labor E-Government Strategic Plan

Successfully implementing E-Government requires a level of trust on the part of all transacting parties. Government agencies, private businesses, and individual citizens must believe that electronic execution of private and/or sensitive transactions (such as providing regulatory data, bidding on a contract, or making a benefit claim) will be conducted in a way that ensures protection of information. E-Government security and privacy protection activities address the protection of the government assets involved in E-Government. These actions protect and defend information and information systems by ensuring confidentiality, availability, integrity, authentication, and non-repudiation.

This section addresses development of DOL's E-Government security and privacy framework, implementation of PKI, and assessment of the impact of privacy issues related to IT systems. As with the other components of the E-Government Framework, these activities demonstrate how the Department is implementing the President's Management Agenda.

DEVELOPING THE E-GOVERNMENT SECURITY AND PRIVACY FRAMEWORK

Consistent with its approach to other major elements of the E-Government Framework, the Department is taking a phased approach to its security and privacy efforts. During the first phase, DOL developed a comprehensive cyber security program in accordance with Federal legislation and policies, including the Federal Information Security Management Act of 2002 (FISMA, Title III of the E-Government Act of 2002) and the Privacy Act of 1974. Accomplishments include the following:

During the first phase of its security and privacy efforts, DOL successfully completed security baselining in accordance with NIST 800-26 guidelines. This assessment process showed that the Department was fully compliant with Level 1 and Level 2 of the NIST self-assessment (framework policies and procedures have been documented at the departmental level). The Department also showed that it was substantively compliant with Levels 3 and 4 of the NIST framework through the implementation of procedures and testing at the component agency level. That baselining effort has provided a foundation for better measurement and comparison of risk across the Department, improved allocation of resources for mitigation of the highest-level risks, linking of security improvement efforts to the DOL enterprise architecture, and validation of the Department's capability to incorporate E-Government security requirements.

During Phase II, DOL will conduct ongoing vulnerability analyses for a majority of systems, continue implementation of the Computer Security Awareness Program, and develop plans for higher degrees of compliance with the NIST self-assessment framework. As DOL's security and privacy program matures, the Department will focus on the integration of IT security into E-Government-related processes such as the systems development life-cycle methodology and the IT capital planning and budget process. The Department is progressing in its implementation of the security and privacy framework, as evidenced by DOL's receipt of the second-highest overall grade, and the highest of any cabinet department, in a report on Federal computer security by the House Government Reform Committee's Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations [6].

IMPLEMENTING PUBLIC KEY INFRASTRUCTURE

In establishing an overall electronic signature capability, the Department is implementing a common PKI capability across the enterprise.

ASSESSING THE IMPACT OF PRIVACY ISSUES ON IT SYSTEMS

The Department will develop and implement an IT privacy impact assessment methodology, consistent with the requirements of the E-Government Act of 2002. Using the Internal Revenue Service's Privacy Impact Assessment as a model, the Department will develop a system-level questionnaire based on strategic policies, procedures, and industry best practices, mapped to a core set of widely accepted privacy principles. The assessment questionnaire will use a standardized self-assessment approach to determine whether the Department is meeting Federal privacy requirements and internal agency rules. Because the state of an agency's privacy requirements and activities may change over time, the methodology devised for the questionnaire will have the flexibility needed to evaluate this constantly changing privacy landscape. The goals of the self-assessment methodology

[6] This report is available at http://reform.house.gov/gefmir/hearings/2002hearings/1119_computer_security/computersecurityreportcard.doc