Summary Of The Categorization Phase

  • Categorization starts with a kick-off meeting (C&A/Security Analyst, ISSO, AO, System Owner and Information Owner).
  • The system is categorized based on the information types it processes, stores or transmits.
  • FIPS 199: the overall system categorization is the high-water mark of the Confidentiality, Integrity and Availability impact levels (Low, Moderate or High) across the system's information types. FIPS 199, SP 800-60.
  • Initial Risk Assessment Report: identifies threats, vulnerabilities, impact level and recommendations. SP 800-30 and SP 800-37.
  • PTA: determines whether the system deals with PII. The PTA is positive if PII is collected; if not, it is negative. SP 800-122.
  • PIA: conducted if the PTA is positive. It identifies the risk of collecting PII and the controls in place to protect it. A PIA applies to a system (e.g. the Federally Facilitated Marketplace website) and a SORN applies to a program (e.g. Obamacare, the Affordable Care Act); the Federally Facilitated Marketplace website is one of the numerous systems that support Obamacare. SP 800-122.
  • TPWA: OMB Memorandum 10-23 requires agencies to assess third-party websites and applications for privacy before using them. Example: a CMS page on Facebook; CMS must complete a TPWA on Facebook before creating a Facebook page.
  • SORN: generally required when a group of records maintained by a federal system contains PII and that PII is retrieved by an identifier unique to the individual (name, address, email address, telephone number, Social Security number, etc.). The SORN identifies the purpose for collecting the PII, how its accuracy is ensured and how it is protected, and is published for public comment. A SORN applies to programs (e.g. Obamacare), not systems.
  • OMB control number: the Paperwork Reduction Act requires federal agencies to obtain OMB approval, in the form of a control number, before promulgating a paper form, website, survey or electronic submission that imposes an information-collection burden on the general public (applicable only when 10 or more people are involved). This applies only when the agency collects the information directly from the public, not from another agency or system.
  • E-authentication applies when the system is accessible remotely. It identifies the appropriate authentication mechanism based on risk (single-factor, multifactor, etc.). SP 800-63.
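The FIPS 199 high-water-mark rule summarized above, carried through in code as an added worked example (this is not code from the original page or from any NIST publication). The information types and their provisional C/I/A levels are constructed sample values, not SP 800-60 recommendations; the aggregation rule itself follows FIPS 199: per-objective maximum across information types, "not applicable" permitted only for the confidentiality of an individual information type, every objective floored at Low at system level, and the overall impact level taken as the highest of the three. SP 800-60's documented adjustment of a provisional level is modelled by a small helper that refuses an adjustment without a rationale.

```python
"""FIPS 199 / SP 800-60 high-water-mark categorization (added example)."""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Dict, Iterable, Optional

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() is the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type with provisional impact levels per objective.

    confidentiality may be None to express FIPS 199's 'not applicable'
    (public information); integrity and availability may not.
    """
    name: str
    confidentiality: Optional[Impact]
    integrity: Impact
    availability: Impact


def adjust_provisional(info_type: InfoType, objective: str,
                       level: Impact, rationale: str) -> InfoType:
    """Raise or lower a provisional level, as SP 800-60 allows, but only with a
    documented rationale. Returns a new record so the provisional value is kept."""
    if objective not in OBJECTIVES:
        raise ValueError(f"unknown security objective: {objective}")
    if not rationale.strip():
        raise ValueError("an adjustment to a provisional level must be justified")
    return replace(info_type, **{objective: level})


def system_security_category(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """Per-objective high-water mark across all information types.

    FIPS 199 does not allow 'not applicable' at system level, so
    confidentiality is floored at LOW even if every type is public.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must carry at least one information type")
    conf = max((t.confidentiality for t in types if t.confidentiality is not None),
               default=Impact.LOW)
    return {
        "confidentiality": max(conf, Impact.LOW),
        "integrity": max(t.integrity for t in types),
        "availability": max(t.availability for t in types),
    }


def overall_impact(category: Dict[str, Impact]) -> Impact:
    """Overall system impact level: the highest of the three objectives."""
    return max(category.values())


def format_security_category(system_name: str, category: Dict[str, Impact]) -> str:
    """Render in the FIPS 199 notation:
    SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}"""
    inner = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{inner}}}"


# Constructed sample information types (hypothetical values, not from SP 800-60).
PUBLIC_CONTENT = InfoType("Public web content (sample)", None, Impact.LOW, Impact.LOW)
APPLICANT_PII = InfoType("Applicant PII records (sample)",
                         Impact.MODERATE, Impact.MODERATE, Impact.LOW)
SAMPLE_SYSTEM = [PUBLIC_CONTENT, APPLICANT_PII]

if __name__ == "__main__":
    cat = system_security_category(SAMPLE_SYSTEM)
    print(format_security_category("sample-system", cat))
    print("Overall impact:", overall_impact(cat).name)
    # A system holding only public information still categorizes as LOW, not N/A.
    print(format_security_category("public-only", system_security_category([PUBLIC_CONTENT])))
```

The floor at Low is the edge case worth remembering: a system whose only information is public still gets a Low confidentiality requirement, because the system's own processing functions and credentials need protecting. Adjusting a provisional level is kept as a separate, justified step so the categorization record shows both the SP 800-60 starting point and why it was changed.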
PHASE | DELIVERABLES | PUBLICATIONS | LIFE CYCLE
Categorization | FIPS 199 categorization, Risk Assessment Report, E-Authentication, Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), System of Records Notice (SORN) | SP 800-60, SP 800-30, SP 800-63, SP 800-122 | Initiation
