Consular Electronic Application Center (CEAC) - US Department of ...

More documents

Recommendations

Info

Privacy Impact Assessment: Consular Electronic Application Center (CEAC) • System, Database and Web Administrators/Users Security • CEAC OpenNet users • CEAC Internet/Public users • CEAC System and Web Administrators Internal access to CEAC is limited to authorized DOS users that have a justified need for the information in order to perform official duties. To access the system, authorized users must be an authorized user of the DOS’ unclassified network. Access to CEAC requires a unique user account assigned by a supervisor. Each authorized user must sign a user access agreement before being given a user account. The authorized user’s supervisor must sign the agreement certifying that access is needed to perform official duties. The user access agreement includes rules of behavior describing the individual’s responsibility to safeguard information and prohibited activities (e.g. curiosity browsing). Completed applications are also reviewed and approved by the Information System Security Officer (ISSO) prior to assigning a logon. The level of access for the authorized user restricts the data that may be viewed and the degree to which data may be modified. A system use notification (“warning banner”) is displayed before logon is permitted, and recaps the restrictions on the use of the system. Activity by authorized users is monitored, logged, and audited. User access to information is restricted according to job responsibilities and requires managerial level approvals. Access control lists permit categories of information and reports that are to be restricted. Security Officers determine the access level needed by a user (including managers) to ensure it correlates to the user’s particular job function and level of clearance. The Department of State’s Consular Shared Tables (CST) application is used to maintain user accounts and user roles for the IVO application. Mandatory annual security/privacy training is required for all authorized users including security training and regular refreshment training. CEAC Internet/Public users will acknowledge the Rules of Behavior (ROB) and online Security Awareness issued before access is given to the CEAC Internet web pages. There are three types of Internet/Public Users: • Internet/public users with knowledge based shared data (data known to users and the system) - these users will not have unique user IDs and passwords assigned to them. These users will have information such as case ID and petitioner information or case ID and applicant ID or case ID and applicant name. The CEAC CTRAC for immigrant fee payment component will allow a login based on petitioner number and case ID or case ID and applicant ID in order to access the on-line invoice for payment of applicant or AOS fees. The IVAGENT and IVAPP will use the same type of access control. • Internet/public users without user accounts or shared data - these users will have access to some components to insert visa application data but will not be able to retrieve previously saved information or retrieve data on existing applications or visa cases. • Internet/public users with accounts – In the future a public user completing a visa application will be able to create a user account that would allow them to save partially completed applications and come back later to login to their account and complete it. These users may also be able to track the status of their application. The account management component of CEAC will provide the ability for public users to create their own account and manage their own password. CEAC PIA December 2008 10
Privacy Impact Assessment: Consular Electronic Application Center (CEAC) b. What privacy orientation or training for the system is provided authorized users? All users must pass computer security and privacy awareness training prior to receiving access to the system and must complete annual refresher training to retain access. c. Privacy Impact Analysis: Given the sensitivity of PII in the system, manner of use, and established access safeguards, describe the expected residual risk related to access. Several steps are taken to reduce residual risk related to system and information access. Access control lists, which define who can access the system, and at what privilege level, are regularly reviewed, and inactive accounts are promptly terminated. Additionally, the system audit trails that are automatically generated are regularly analyzed and reviewed to deter and detect unauthorized uses. (An audit trail provides a record of which particular functions a particular user performed--or attempted to perform--on an information system.) As a result of these actions, the residual risk is low. 11. Technologies a. What technologies are used in the system that involve privacy risk? CEAC operates under standard, commercially-available software products residing on a government-operated computing platforms not shared by other business applications or technologies. No technologies commonly considered to elevate privacy risk are employed in CEAC. b. Privacy Impact Analysis: Describe how any technologies used may cause privacy risk, and describe the safeguards implemented to mitigate the risk. No technologies commonly considered to elevate privacy risk are employed in CEAC. These applications use a secure protocol (SSL) and non-secure protocol to access CA’s web sites for the purpose of conducting consular business. The secure protocol (SSL) connection provides strong encryption (128-bit), and with some applications, user/client authentication is also required. 12. Security What is the security certification and accreditation (C&A) status of the system? The Department of State operates CEAC in accordance with information security requirements and procedures required by federal law and policy to ensure that information is appropriately secured. The Department has conducted a risk assessment of the system, identified appropriate security controls to protect against that risk, and implemented those controls. The Department performs monitoring, testing, and evaluation of security controls on a regular basis to ensure that the controls continue to work properly. In accordance with the Federal Information Security Management Act provision for the triennial recertification of this system, CEAC’s most recent date of authorization to operate CEAC PIA December 2008 11
Page 1 and 2: Privacy Impact Assessment: Consular
Page 9: Privacy Impact Assessment: Consular

Consular Electronic Application Center (CEAC) - US Department of ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?