8.0 Information Systems With Public Access Components

Copyright(c), 1995 - Management Analytics - All Rights Reserved

This section provides guidelines for reviewing automated information systems that include public access capabilities. These systems must incorporate security procedures and controls to ensure data integrity and the protection of confidential information. For all systems with existing public access capabilities, the risk analysis should pay particular attention to the vulnerabilities associated with such capabilities.

All proposals for the acquisition of new systems or upgrades to existing systems should be accompanied by a complete and thorough feasibility study justifying such acquisition or upgrades. In addressing the functional requirements of the system or upgrades, the feasibility study should identify the security measures necessary to maintain data integrity and to satisfy confidentiality and security requirements. Risk analysis provides the basis for meeting these functional criteria. Below are special topics that agencies should address in feasibility studies proposing public access capabilities.

8.1 Risk Analysis

Identify the vulnerabilities associated with the existing or proposed system, including its public access capabilities. If the public access component of the system maintains sensitive information, identify the consequences of disseminating inaccurate or incomplete information. Identify the security procedures and controls that exist or that must be implemented to maintain the required standards of information integrity and access.

If the system maintains confidential information, identify the design features or security controls that must be incorporated to prevent public access to the confidential information.

8.2 Feasibility Study

In conducting the feasibility study for a system incorporating public access capabilities, address the following:

• Communication System. Describe the communication system that will be employed to provide the public access capability. Include the number of communication lines, the volume of traffic, and the communication capabilities, such as dial-up or dedicated lines. Describe the security procedures and controls designed to maintain information access and minimize or eliminate the possibility of disseminating inaccurate or incomplete information.
• Access Authority. Identify the criteria for information access. Is access to the information available to the general public? Identify the requirements and procedures that will be used to review and evaluate an applicant's request to access information.
• Training or Documentation. Identify any special training or documentation that is necessary to utilize the public access component.
• Licensing Agreements. Identify any licensing agreements or contracts related to information disclosure or availability. In the Feasibility Study Report summarize the terms and conditions of the contract or license. Indicate whether the information may be distributed or shared with third parties by those using the public access system.
• Agency Security Policies. Identify any other internal agency policies and procedures relative to the security of the information system.
• Contracting Responsibility. Agencies are responsible for negotiating Interagency Cooperation Agreements with public sector entities or other governmental agencies relative to accessing the public access component of the system. If a data center maintains custodial responsibility for the information and provides the technical capabilities for the public access component, the agency should maintain an Interagency Cooperation Agreement with the data center to provide the services. The Interagency Cooperation Agreement should address the security requirements necessary to protect the public access component of the system.