Background
The Employer Reporting System (ERS) is a web-based system for use by
employers covered under the Railroad Retirement and Railroad Unemployment
Insurance Acts (the Acts) in exchanging information with the Railroad Retirement
Board (RRB).
Ultimately, the RRB will provide employers with paperless options for filing
forms with the RRB, receiving notices from the RRB, and receiving and replying
to requests from the RRB. The web-based system will be provided to employers in
addition to the other media already available for exchanging information with the
RRB. The paper forms, systems, and processes currently used to send and receive
forms via those other media will remain available. The existing legacy systems
have their own security controls, which are outside the scope of this report.
ERS includes a role-based authorization (access control) system, a PIN/password
authentication system, a security tracking and tracing (audit) system, and an
e-mail notification system. Role-based access is determined separately for each
application on the system, based on whether the applicant's job duties (role)
require access to that application.
ERS security will be evaluated using the guidelines established in
NIST SP 800-63. ERS will be part of the 'Employer Reporting' assessable unit
and will be regularly tested and evaluated as part of that unit's assessment.
What is in this report
This report is limited to issues of authentication. Authentication here refers to
establishing the identity of an individual and confirming that the individual is
entitled to access ERS. The report begins with the determination of the required
authentication assurance level for ERS, based on a risk assessment. The
e-authentication process consists of registration, identity proofing, and the
issuance and use of a token (in this case, a password). The report describes how
each of these aspects meets the required assurance level, and ends with a summary
and a list of references.
What is not included in this report
This document describes our confidence in the identity of the users of ERS.
It does not address any security issues other than authentication. It should
also be noted that validation processing for the mainframe database is not part
of this review; that edit and post processing is identical whether data is
received via paper, magnetic cartridge, or web forms. Authentication of users of
the web-based form DC-1 is also not part of this discussion, as that form resides
on a separate web site and uses the authentication and access controls established
by US Bank in conjunction with the US Treasury Department.