SECURITY AND PRIVACY
Successfully implementing E-Government requires a level of trust on the
part of all transacting parties. Government agencies, private businesses, and
individual citizens must believe that electronic execution of private and/or
sensitive transactions (such as providing regulatory data, bidding on a
contract, or making a benefit claim) will be conducted in a way that ensures
protection of information. E-Government security and privacy protection
activities address the protection of the government assets involved in
E-Government. These actions protect and defend information and information
systems by ensuring confidentiality, availability, integrity, authentication,
and non-repudiation.
This section addresses development of DOL's E-Government security
and privacy framework, implementation of PKI, and assessment of the impact of
privacy issues related to IT systems. As with the other components of the
E-Government Framework, these activities demonstrate how the Department is
implementing the President's Management Agenda.
DEVELOPING THE E-GOVERNMENT SECURITY AND PRIVACY FRAMEWORK
Consistent with its approach to other major elements of the E-Government
Framework, the Department is taking a phased approach to its security and
privacy efforts. During the first phase, DOL developed a comprehensive cyber
security program in accordance with Federal legislation and policies, including
the Federal Information Security Management Act of 2002 (FISMA - Title III of
the E-Government Act of 2002) and the Privacy Act of 1974. Accomplishments
include the following:
- Conducting risk assessments of the Department's major
applications, general support systems, and financial systems, resulting in a
better understanding of security risks and an improved ability to address
them
- Developing system security plans for major applications, general
support systems, and financial systems
- Developing an enhanced computer security awareness training plan
- Demonstrating compliance with the National Institute of Standards and
Technology (NIST) Security Self-Assessment Guide (NIST 800-26) self-assessment
methodology at Levels 1 and 2, with substantial compliance at Levels 3 and
4
- Establishing the plans of action and milestones (POA&M) reporting
process; coordinating the annual review cycle with Inspector General audits;
and integrating POA&M reporting into the IT investment management
process
- Issuing the systems development life-cycle methodology, which
integrated IT security into each phase of the project's life cycle
- Developing the security and privacy IT budget crosscut fund
- Issuing revised DOL policy for computer security
- Developing computer security guidance and issuing the Computer
Security Handbook
- Initiating development of privacy impact criteria, which will be
integrated into the vulnerability assessment process.
During the first phase of its security and privacy efforts, DOL
successfully completed security baselining in accordance with NIST 800-26
guidelines. This assessment process showed that the Department was fully
compliant with Level 1 and Level 2 of the NIST self-assessment (framework
policies and procedures have been documented at the departmental level). The
Department also showed that it was substantively compliant with Levels 3 and 4
of the NIST framework through the implementation of procedures and testing at
the component agency level. That baselining effort has provided a foundation
for better measurement and comparison of risk across the Department, improved
allocation of resources for mitigation of the highest level risks, linking of
security improvement efforts to the DOL enterprise architecture, and validation
of the Department's capability to incorporate E-Government security
requirements.
During Phase II, DOL will conduct ongoing vulnerability analyses for a
majority of systems, continue implementation of the Computer Security Awareness
Program, and develop plans for higher degrees of compliance with the NIST
self-assessment framework. As DOL's security and privacy program
continues, the Department will continue to focus on the integration of IT
security into E-Government-related processes such as the systems development
life-cycle methodology and the IT capital planning and budget process.
The Department is progressing in its implementation of the security and
privacy framework, as evidenced by DOL's receipt of the second highest
overall grade and the highest of any cabinet department in a report on Federal
computer security by the House Government Reform Committee's Subcommittee
on Government Efficiency, Financial Management and Intergovernmental
Relations.[6]
IMPLEMENTING PUBLIC KEY INFRASTRUCTURE
In establishing an overall electronic signature capability, the
Department is implementing a common PKI capability across the enterprise.
The project ultimately will provide capabilities to address the internal PKI
needs of the Department. In many instances, this PKI implementation will
replace existing methods of authentication, provide improved encryption
capabilities, and provide a reliable method of electronic signature. Some
examples of intended use include desktop, remote access, and Web site
authentication; file and e-mail encryption; and eSignature of forms, files, and
e-mail. The PKI implementation will support, and in some cases require the use
of, smart cards as the storage medium for certificates; these certificates are
issued to provide portability and improved security of subscribers'
private keys. The PKI effort will meet departmental agencies' long-term
needs for security and E-Government. It will be flexible enough to promote
agency mission needs but sufficiently rigorous to provide security for the
Department's most sensitive information. Finally, the Department's
PKI efforts will be consistent with the eAuthentication PPI.
ASSESSING THE IMPACT OF PRIVACY ISSUES ON IT SYSTEMS
The Department will develop and implement an IT privacy impact
assessment methodology, consistent with the requirements of the E-Government
Act of 2002.
Using the Internal Revenue Service's Privacy Impact Assessment as a
model, the Department will develop a system-level questionnaire based on
strategic policies, procedures, and industry best practices, mapped to a core
set of widely accepted privacy principles. The assessment questionnaire will
use a standardized self-assessment approach to determine whether the Department
is meeting Federal privacy requirements and internal agency rules. Because the
state of an agency's privacy requirements and activities may change over
time, the methodology devised for the questionnaire will have the flexibility
needed to evaluate this constantly changing privacy landscape.
The goals of the self-assessment methodology will be to provide the
Department with a current snapshot of an agency's privacy efforts at the
system level, to map compliance activities to specific regulatory and statutory
requirements, and to create a gap analysis. Such information should enable the
Department to mitigate privacy risks, liability, and exposure to achieve public
trust and confidence.
[6] This report is available at
http://reform.house.gov/gefmir/hearings/2002hearings/1119_computer_security/computersecurityreportcard.doc