Privacy Impact Assessment for the SENTINEL System
Issued by: Monica E. Ryan, Senior Component Official for Privacy, FBI
Approved by: Erika Brown Lee, Chief Privacy and Civil Liberties Officer, U.S. Department of Justice
Date Approved: May 28, 2014
Section 1: Description of the Information System
Introduction
In conducting investigations, employees of the Federal Bureau of Investigation (FBI) are required to record all activity and document all information using case files. The case file is the central system for holding these records and managing investigative resources. As a result, the case file includes documentation from the inception of a case to its conclusion. The FBI uses the case file to manage all criminal and intelligence gathering activities, as well as for personnel (support) and administrative matters.
The FBI currently uses paper as its system for maintaining records while electronically managing the information. SENTINEL, an automated case management system, will transform the way that the FBI does business by allowing the Bureau to move from a primarily paper-based case management system to an electronic record system. The FBI has prepared this Privacy Impact Assessment (PIA) to summarize the privacy issues arising from conversion of its paper-based records to an electronic system and the mitigations that have been undertaken in the creation and implementation of SENTINEL.
SENTINEL provides management for cases, records, tasks, workflow, and collected items, as well as search and reporting capabilities that will replace the current, paper-based case management system and its associated functions. SENTINEL provides FBI employees the ability to create case documents and submit them through an electronic workflow process. Supervisors, reviewers, and others involved in the approval process can review, comment, and approve the insertion of documents into the appropriate FBI electronic case files. Upon approval, the SENTINEL system serializes and uploads the documents into the SENTINEL repositories, where the documents will become part of the official FBI case file. SENTINEL maintains an auditable record of all transactions. SENTINEL provides web-based access for all authorized users and an improved search and indexing capability, yielding access to all relevant data to which the user is permitted access. SENTINEL documents and manages cases from inception to closure. The implementation of SENTINEL results in the consolidation and simplification of processes, and significantly reduces the dependence on paper forms and on the transfer and filing of those forms.
Information Collected
What type of information is collected?
The SENTINEL system will include investigative, intelligence, personnel (support), and administrative data collected by the FBI in the course of conducting its mission. The system will include numerous types of information that will either directly identify an individual (such as name, address, Social Security number, telephone number, e-mail address, photograph, or other unique identifying number, code, or characteristic) or that will indirectly identify an individual (such as gender, race, date of birth, place of birth, geographic indicator, license number, vehicle identifier including license plate, and other descriptors). Other information about individuals that may be in SENTINEL includes financial account numbers, and medical, educational or military records. Information may be about U.S. citizens, legal permanent residents, or foreign nationals. Information may also be about living or deceased individuals. Some information may be about minors.
For information relating to FBI employees in SENTINEL, the system will include name, e-mail address, work phone, security clearance, Social Security number, citizenship, date of birth, and place of birth, as well as the names of employees’ supervisors.
Information about individuals may appear in SENTINEL in structured fields or it may be included in areas where users can enter free text.
From Whom is the Information Collected?
Information in SENTINEL is collected from numerous sources. Some information may be collected directly from individuals, such as employment applicants, crime victims and witnesses, human sources, and members of the public. Other information may be provided by other law enforcement agencies, including state, local, tribal, and foreign, as well as by other government agencies, including civilian, military, and homeland security. Information may also be collected from private sector entities and open source intelligence (such as newspapers, the Internet, or television broadcasts).
Information on FBI employees is generally collected directly from them unless the FBI employee becomes the subject of an investigation. In that case, the employee is considered the same as any other individual under investigation.
In the law enforcement and intelligence contexts, if an individual is the subject or potential subject of an investigation or intelligence collection, it is often necessary to acquire information from sources other than the individual. At times, vital information can only be obtained from other sources that are familiar with the individual and his/her activities. In some cases, asking an individual directly for information could compromise ongoing investigations because the individual would then know that he or she is being investigated.
Why is the information collected?
The primary mission of SENTINEL is to provide the FBI with a browser-based solution for case management. Through the SENTINEL system, employees are able to perform all of the operations related to the creation and management of case-related work items, including action items, leads, collected item records, and the forms used for documenting investigations. Also, discovery of information contained in cases, both open and closed, is provided through search and display services. As a result, SENTINEL will contain information about individuals pertaining to investigations, and the information can be used to make potential linkages between incidents and investigations.
Uses of Information
The primary purpose of SENTINEL is to perform case management. SENTINEL also provides capabilities for search and intelligence analysis, although this is not the main focus of the system. The search and intelligence analysis capabilities provided by SENTINEL can be used to identify connections between cases and patterns of activity. SENTINEL will provide functionality to search and report against information contained within and across cases, which may reveal previously unknown relationships among individuals and groups under investigation. The search service includes a Name Search capability (including name variations and foreign names), search on biographical information (e.g., country of birth, date of birth, weight, height), and a Full Text Search capability, including support for different search types (fuzzy, wildcard, proximity, Boolean); SENTINEL returns results ranked by predetermined relevancy/ranking factors.
The SENTINEL investigative case management solution also supports intelligence analysis functions. Intelligence analysts can leverage the data stored in SENTINEL and integrate it with other sources of information. SENTINEL supports direct queries using web interfaces as well as extraction, translation, and loading tools that enable the population of metadata repositories and data warehouses. These functions are necessary to support the FBI’s official investigative case files as well as investigative, intelligence, and analytical techniques and tools, such as link analysis, social network analysis, competing hypothesis testing, mapping, and complex queries and searches against the raw data.
The FBI’s Central Records System (CRS) notice is the umbrella Privacy Act System of Records Notice (SORN) that covers the FBI’s operational and non-operational case files (see 63 Federal Register 8671, February 20, 1998, as amended and updated). The SORN lists the routine uses for the FBI’s case information. In addition, information in SENTINEL will be duplicated in other FBI information technology systems that rely on case information as their foundational documents and, in limited cases, made accessible to other government agencies for analytical or other authorized purposes (see Section 4.1).
Accuracy of Information
Operational information will be verified or checked as part of the normal procedures associated with day-to-day tasks of the FBI Special Agents, Intelligence Analysts and other SENTINEL users. The procedures associated with criminal investigations, national security intelligence production, and scientific support performed by the FBI, which include multiple levels of oversight and review both internally and externally to the Bureau, ensure that information is checked for accuracy. SENTINEL’s workflow design will aid the review process. In addition, it is standard practice in law enforcement and intelligence analysis to corroborate and verify the accuracy of personal information from as many sources as are available before acting upon it—and that practice will be followed in the SENTINEL case management system as well. This practice is driven not only by the desire to protect the privacy of persons whose information is in SENTINEL, but also by the imperative to ensure that resources are properly used and focused where they will do the most good.
Disposition
Information from SENTINEL is subject to National Archives and Records Administration (NARA) records disposition requirements. Information entered into SENTINEL is kept according to the appropriate record schedule for that individual record. The record schedule depends on and is determined by the type of data or the case classification. For example, a case in SENTINEL could be a Public Corruption case, a Counterterrorism case, or a Terrorism case. The FBI’s Records Management Division (RMD) follows processes and procedures for disposition schedules depending on the type of record maintained within SENTINEL.
Sharing
Internal Sharing
As a general rule, SENTINEL case information will be available to all FBI users with a need for the information in the performance of their duties, except where there are additional restrictions imposed by law or policy. For example, certain data will have limited access based on policy promulgated by the FBI’s Information Sharing Policy Board (ISPB). In addition, certain data may be limited based on the Case Manager’s discretion. Documents within the case file can be restricted from viewing by an employee with the authority to restrict. Access to information restricted by law or policy (e.g., federal grand jury material) or highly sensitive case file information (espionage, public corruption information, source identity) will also be limited. Finally, individuals under the supervision of the FBI, such as other government agency (OGA) and contractor personnel, will have limited access to case information based on law, memoranda of understanding, Attorney General Guidelines, and FBI policy notices and directives.
It is essential to FBI law enforcement and national security missions that all FBI employees involved in case work have the maximum access permitted by law to all case-related information in SENTINEL in order to coordinate related cases, discover relationships among seemingly disparate subjects, and, in general, to “connect the dots” and identify gaps in the FBI’s mission coverage.
Other system record categories, those not involving criminal and national security cases and intelligence, will have additional access restrictions related to the particular category of records, the sensitivity of the information, and need to know. Examples include: personnel records (such as those relating to FBI employee recruitment, background investigation/re-investigation, management, and performance), which are restricted to human resource (HR) personnel and, even among HR personnel, access to each personnel file is limited to the appropriate HQ and field office HR personnel; the Enterprise Directory System (EDS), of which the only attributes exposed to the general user population are name, office assignment, telephone number, and office e-mail (any other personally identifying information is either not used in SENTINEL or is limited to a small number of administrative personnel who are responsible for assigning roles and other office assignments); sensitive contractual/procurement information, which is limited to those working on the particular issues; and background investigations of non-FBI personnel (e.g., White House personnel and presidential appointments), which are restricted.
SENTINEL provides case and lead statistics, document text/attributes, case information and indexing information, and law enforcement information to a number of discrete systems within the FBI to enable them to perform specific functions related to law enforcement and national security investigations and intelligence collection and analysis. This sharing feature is performed through electronic interfaces to which each authorized user has access through icons on his or her desktop, or through similar technology. SENTINEL also shares case file information with data warehouses, such as the Data Integration and Visualization System (DIVS), and the Foreign Terrorist Tracking Task Force (FTTTF). These warehouse systems are designed to provide authorized FBI and task force users federated query capability to a number of FBI and other federal agency data sets for broad-based searches and analyses.
In addition, SENTINEL provides administrative data to those FBI systems that are involved in hiring and employee management of FBI employees. The systems that may receive SENTINEL data have their own access controls as an additional privacy feature. The functions and the information collected by each system are described in approved PTAs or PIAs listed on the FBI OGC internal website or published on the FBI’s Internet website. SENTINEL receives information on FBI personnel from several systems. Information from the Enterprise Directory System, for example, is used for managing the system’s access control capability. QuickHire, an online system that is used to complete, review, and process job applications, uploads applicant information into SENTINEL to be indexed.
External Sharing
Given the mandate for robust information sharing with law enforcement and intelligence community partners, SENTINEL will share information with state and local law enforcement organizations as well as with other federal law enforcement and intelligence agencies. In some cases, sharing will occur by direct access and data transfers to certain OGAs. That said, information will only be shared to the extent that sharing is legally permissible and appropriate. Certain information may be marked with caveats regarding dissemination restrictions (such as medical and juvenile information). Information subject to Privacy Act protections will only be shared as permitted by the Privacy Act, including the routine uses established for the FBI Central Records System (JUSTICE/FBI-002) or other applicable system of records notices. This includes disclosures to individuals with direct access, who will not be given access unless appropriate disclosure authority exists, who must agree to follow the rules of behavior applicable to FBI systems (which include privacy protection rules), and who receive yearly training on these rules. In addition, any direct access to SENTINEL by external users (primarily Task Force Officers (TFOs)) is controlled by rules defined by the FBI’s Information Sharing Policy Board (ISPB). Security groups (there currently are 17) have been created to limit access to a set of agreed-upon case classifications determined by each group’s need to know.
Transmission of Information
FBI personnel (including task force members, contractors, and a limited number of other similarly situated individuals) will have direct access to the SENTINEL system through the FBI’s Enterprise Architecture. Information that the FBI shares with other organizations within the Department of Justice can be transmitted in several different ways. It can be electronically shared on removable electronic media that is password protected and/or encrypted or on a network; it can be sent via secure e-mail (assuming classifications allow it); it can be faxed, printed, or mailed/shipped. Information may be shared in quantities as small as partial documents or via bulk file transfers.
Limited authorized personnel at certain OGAs will have access to SENTINEL as well. These agencies will be required to sign a Memorandum of Understanding (MOU) and, where appropriate, have an Interconnection Security Agreement (ISA) in place to address security and privacy requirements prior to data access becoming available. FBI MOUs, which are subjected to legal review before being finalized, must contain appropriate privacy clauses in order to be approved. In addition, as with internal users, all external users of SENTINEL will sign a set of Rules of Behavior prior to being granted access.
All users with direct access and recipients of SENTINEL data will be responsible for protecting the privacy interest of individuals consistent with law enforcement business practice, including protection of government employees’ and contractors’ information. Also, all users and recipients of SENTINEL data will be responsible for compliance with all applicable federal, state, and local laws and agency policies and practices established for the protection of individuals’ privacy. Access controls and filter rules based on policy and MOUs with the sharing system will ensure that information sharing will be customized and customizable for each recipient in order to protect privacy and ensure that only information that legally can be shared is made available.
Section 2: Information in the System
2.1 Indicate below what information is collected, maintained, or disseminated. (Check all that apply.)
Identifying numbers
[X] Social Security
[X] Alien Registration
[X] Financial account
[X] Taxpayer ID
[X] Driver’s license
[X] Financial transaction
[X] Employee ID
[X] Passport
[X] Patient ID
[X] File/case ID
[X] Credit card
Other identifying numbers (specify): FBI ID; Selective Service Number; Military ID; Naturalization Number
General personal data
[X] Name
[X] Date of birth
[X] Religion
[X] Maiden name
[X] Place of birth
[X] Financial info
[X] Alias
[X] Home address
[X] Medical information
[X] Gender
[X] Telephone number
[X] Military service
[X] Age
[X] Email address
[X] Physical characteristics
[X] Race/ethnicity
[X] Education
[X] Mother’s maiden name
Other general personal data (specify): hair/eye color; photographs
Work-related data
[X] Occupation
[X] Telephone number
[X] Salary
[X] Job title
[X] Email address
[X] Work history
[X] Work address
[X] Business associates
Other work-related data (specify): Company/Business Name and Type.
Distinguishing features/Biometrics
[ ] Fingerprints
[X] Photos
[ ] DNA profiles
[ ] Palm prints
[X] Scars, marks, tattoos
[ ] Retina/iris scans
[ ] Voice recording/signatures
[ ] Vascular scan
[ ] Dental profile
Other distinguishing features/biometrics (specify): There is a possibility that other biometric images may be uploaded as .jpg or similarly formatted files. However, SENTINEL is not the designated repository for this type of data.
System admin/audit data
[X] User ID
[X] Date/time of access
[X] ID files accessed
[X] IP address
[X] Queries run
[ ] Contents of files
Other system/audit data (specify): Operating System Syslog data; Database activity / Object (e.g., Document, Lead, etc.) IDs
Other information (specify): The SENTINEL system will include investigative, intelligence, personnel (support), and administrative data collected by the FBI in the course of conducting its mission.
2.2 Indicate sources of the information in the system. (Check all that apply.)
Directly from individual about whom the information pertains
[X] In person
[X] Hard copy: mail/fax
[X] Online
[X] Telephone
[X] Email
Other (specify): Results of interview of individual recorded on FD-302 by interviewing Special Agent; applicant information provided by QuickHire / SF-86 data; consent forms
Government sources
[X] Within the Component
[X] Other DOJ components
[X] Other federal entities
[X] State, local, tribal
[X] Foreign
Other (specify): Cable traffic provided via interface with the State Department. Other information provided to the FBI via liaison with OGAs.
Non-government sources
[X] Members of the public
[X] Public media, internet
[X] Private sector
[X] Commercial data brokers
Other (specify): Other investigative or intelligence information provided to the FBI via liaison/interview with non-government sources.
2.3 Analysis: Now that you have identified the information collected and the sources of the information, please identify and evaluate any potential threats to privacy that exist in light of the information collected or the sources from which the information is collected. Please describe the choices that the component made with regard to the type or quantity of information collected and the sources providing the information in order to prevent or mitigate threats to privacy. (For example: If a decision was made to collect less data, include a discussion of this decision; if it is necessary to obtain information from sources other than the individual, explain why.)
SENTINEL will contain sensitive information about individuals that is collected to support the FBI’s multi-faceted mission. Given the wide scope of this mission, the critical importance of collecting information in support of it, and the uncertainties and vagaries inherent in law enforcement investigations and in threat detection and prevention, the risks exist that too much personal information about individuals will be collected, and that much of it will prove to be inaccurate and/or irrelevant. To mitigate these risks, FBI internal policy provides that personal information may be collected only if it serves a valid law enforcement or national security purpose, or is relevant to an FBI personnel or administrative function. Furthermore, an approval process will be used so that supervisors and other reviewers approve the insertion of documents into appropriate files. Use of this approval process ensures that only personally identifiable information that pertains specifically to FBI approved matters will be collected and used in SENTINEL. Part of this approval process will be to corroborate and verify the accuracy of personal information from available sources. In addition, security controls, including role-based access control and controls related to data sharing will be used to manage access to personally identifiable information and ensure that only individuals with appropriate need-to-know have access to data.
Furthermore, the investigative process is designed to ensure that any information that does prove to be inaccurate and/or irrelevant is retained only for record purposes. Rules have been put in place to ensure that documents are appropriately marked or, in some cases, purged. Training will be provided to all Bureau personnel on the need to ensure that only information that is necessary for mission-related purposes is collected and maintained.
Section 3: Purpose and Use of the System
3.1 Indicate why the information in the system is being collected, maintained, or disseminated. (Check all that apply.)
Purpose
[X] For criminal law enforcement activities
[X] For civil enforcement activities
[X] For intelligence activities
[X] For administrative matters
[X] To conduct analysis concerning subjects of investigative or other interest
[X] To promote information sharing initiatives
[ ] To conduct analysis to identify previously unknown areas of note, concern, or pattern. (SENTINEL is not used for data mining purposes.)
[X] For administering human resources programs
[X] For litigation
[X] Other (specify): For background and clearance investigation matters
3.2 Analysis: Provide an explanation of how the component specifically will use the information to accomplish the checked purpose(s). Describe why the information that is collected, maintained, or disseminated is necessary to accomplish the checked purpose(s) and to further the component’s and/or the Department’s mission.
The primary purpose of SENTINEL is to perform case management in an electronic environment. The FBI uses its case files to manage all criminal and intelligence gathering activities as well as personnel and administrative matters. The FBI currently uses paper as its system for maintaining records while electronically managing the information. SENTINEL, an automated case management system, will transform the way that the FBI does business by allowing the Bureau to move from a primarily paper-based case management system to an electronic record system.
SENTINEL provides FBI employees the ability to create case documents and submit them through an electronic workflow process. Supervisors, reviewers, and others involved in the approval process can review, comment, and approve the insertion of documents into appropriate FBI electronic case files. Upon approval, the SENTINEL system serializes and uploads the documents into the SENTINEL repositories, where the documents will become part of the official FBI case file. SENTINEL maintains an auditable record of all transactions. SENTINEL provides intranet-based access for all users and an improved search and indexing capability, yielding access to all relevant data. SENTINEL results in the consolidation and simplification of processes and significantly reduces the dependence on paper forms and on the transfer and filing of those forms. SENTINEL has been designed specifically to further the collection, use, and maintenance of information the FBI needs to carry out its mission activities.
3.3 Indicate the legal authorities, policies, or agreements that authorize collection of the information in the system. (Check all that apply and include citation/reference.)
Authority / Citation/Reference
[X] Statute: The FBI’s authority to carry out its responsibilities resides in a variety of statutes. A few examples include: 5 U.S.C. part III; 28 U.S.C. chapter 33; National Security Act of 1947; Intelligence Reform and Terrorism Prevention Act of 2004; National Security Act of 1959; Classified Information Procedures Act; Foreign Intelligence Surveillance Act of 1978; USA Patriot Act of 2001; USA Patriot Improvement and Reauthorization Act of 2005; U.S. Code Title 18.
[X] Executive Order: The FBI’s authority to carry out its responsibilities resides in a variety of executive orders. A few examples include: Executive Order 10450; Executive Order 12139; Executive Order 12333; Executive Order 12949; Executive Order 13388.
[X] Federal Regulation: The FBI’s authority to carry out its responsibilities resides in a variety of federal regulations, including 5 C.F.R. chapter I, subchapter B and 28 C.F.R. parts 0 to 43.
[X] Memorandum of Understanding/agreement: Memoranda of Understanding and Interconnection Security Agreements exist to memorialize external sharing agreements.
[ ] Other (summarize and provide copy of relevant portion)
3.4 Indicate how long the information will be retained to accomplish the intended purpose, and how it will be disposed of at the end of the retention period. (Reference the applicable retention schedule approved by the National Archives and Records Administration, if available.)
Disposition of records within the SENTINEL system will use the same processes and procedures established by the FBI Records Management Division (RMD) for the disposition of existing hard and soft copy records. The FBI’s data is divided into multiple classifications (e.g., public corruption cases, counterterrorism cases), which will be retained in the SENTINEL system. The exact period of retention is determined by the type of data and/or case classification. Information will be disposed of in accordance with General Records Schedules issued by NARA, or in accordance with specific records schedules approved by NARA for particular case classifications.
3.5 Analysis: Describe any potential threats to privacy as a result of the component’s use of the information, and controls that the component has put into place to ensure that the information is handled, retained, and disposed appropriately. (For example: mandatory training for system users regarding appropriate handling of information, automatic purging of information in accordance with the retention schedule, etc.)
Internally, there is a risk that users without a need to know the information will be able to gain inappropriate access to SENTINEL data. However, this risk should be minimized by the use of role-based access control. In addition, all users of SENTINEL will receive “appropriate use” training and sign a set of Rules of Behavior prior to being granted access. SENTINEL will have a detailed auditing capability that will be integrated with the existing Enterprise Security Operations Center (ESOC), and audit logs will be reviewed regularly. There is also a risk that, with the “single sign-on” capability planned for SENTINEL, authorized SENTINEL users will thereby gain access to other interfaced systems to which they should not have access. This risk will be mitigated by preserving role-based access controls on these interfaced systems. Permission will be needed for access to the various internal systems, and that permission will not be granted without a need to know and appropriate training. Finally, there is always the risk that trusted authorized users will betray that trust and misuse the data to which they have access. That risk will be mitigated by extensive supervisory controls—including a supervisor’s enhanced ability to more effectively monitor a subordinate’s workload—as well as a robust auditing program. The following are examples of role-based access controls in place:
A. General roles and privileges:
1. Supervisor – assign leads; approve documents; view squad current workload.
2. Evidence Control Technician – manage evidence (charge in/out; inventory; disposition).
3. Organization Unit Administrator (OU Admin) – manage lead routing rules for their offices; make office squad assignments.
4. Lead Manager – re-route leads within their office.
5. Operational Support Technician (OST/Admin) – upload externally approved documents.
6. Non-FBI (Contractor; TFO) – view case information based on case classification rules.
B. Contextual roles: Access to information during the drafting and review process is limited to members of that particular workflow; within the workflow, there are separate roles (listed below) that can perform different functions, such as editing and approving documents for serialization into the case file.
C. Workflow roles: Author/Co-author (can draft and edit documents); Reviewer (can review and comment on draft documents); Supervisor/Approver (can approve and sign documents for serialization, i.e., make them an official record).
D. Access control rules:
1. Default case[2] opening rules – restrict or prohibit cases for certain case classifications (e.g., 67E and 67F personnel matters), as well as restrictions applied to non-FBI background investigations (e.g., presidential appointments).
2. Legal caveats – limit marked documents to participants of the case the document is filed into (e.g., grand jury matters, medical matters).
3. Special Access Group (SAG) – restrict access to case data for non-FBI employees based on case classifications and need to know.
4. Sensitive Procurement Information – restricted access to protect contractual matters.
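To make the interaction of the role, workflow and access-control rules above concrete, the following Python model is an added illustration written for this page; it is not SENTINEL code. The only values taken from the PIA are the restricted personnel classifications 67E and 67F; every other classification code, user name, case, caveat label and the SAG allowlist are constructed assumptions standing in for the policy-managed sets. The checks are layered the way the text describes: case-level gates (SAG, participant-only classifications, sensitive procurement), then document-level gates (draft workflow membership, legal caveat access lists), then the workflow role for the requested action, with serialized records treated as read-only.

```python
"""Toy authorization model for the SENTINEL-style role and access rules above.
Added illustration, not FBI code. 67E/67F are the restricted personnel
classifications the PIA names; all other codes and names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

# D.1: classifications whose cases are limited to case participants.
RESTRICTED_CLASSIFICATIONS = {"67E", "67F"}
# D.3: Special Access Group allowlist per non-FBI group (constructed codes).
SAG_ALLOWED: Dict[str, FrozenSet[str]] = {
    "TFO": frozenset({"266", "415"}),
    "CONTRACTOR": frozenset(),
}
# C: workflow roles and the actions each may take on a draft.
WORKFLOW_PERMS = {
    "author": {"draft", "edit"},
    "reviewer": {"review", "comment"},
    "approver": {"approve", "sign"},
}

@dataclass(frozen=True)
class User:
    uid: str
    affiliation: str  # "FBI", "TFO" or "CONTRACTOR"

@dataclass
class Case:
    case_id: str
    classification: str
    participants: FrozenSet[str]
    # D.2: legal caveat -> access list of users cleared for that caveat.
    caveat_lists: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    sensitive_procurement: bool = False  # D.4

@dataclass
class Document:
    doc_id: str
    case_id: str
    caveats: FrozenSet[str] = frozenset()
    # B: uid -> workflow role while the document is being drafted/reviewed.
    workflow: Dict[str, str] = field(default_factory=dict)
    serialized: bool = False  # True once approved into the official case file

def can_view_case(user: User, case: Case) -> Tuple[bool, str]:
    """Case-level gate: SAG for non-FBI users, then participant-only rules."""
    if user.affiliation != "FBI":
        if case.classification not in SAG_ALLOWED.get(user.affiliation, frozenset()):
            return False, "SAG: classification not releasable to this group"
    if case.classification in RESTRICTED_CLASSIFICATIONS and user.uid not in case.participants:
        return False, "restricted classification: case participants only"
    if case.sensitive_procurement and user.uid not in case.participants:
        return False, "sensitive procurement information: restricted"
    return True, "ok"

def can_view_document(user: User, case: Case, doc: Document) -> Tuple[bool, str]:
    """Document-level gate: drafts stay inside the workflow; caveats need a list entry."""
    ok, why = can_view_case(user, case)
    if not ok:
        return False, why
    if not doc.serialized and user.uid not in doc.workflow:
        return False, "draft: workflow members only"
    for caveat in doc.caveats:
        if user.uid not in case.caveat_lists.get(caveat, frozenset()):
            return False, f"legal caveat {caveat}: not on access list"
    return True, "ok"

def can_perform(user: User, case: Case, doc: Document, action: str) -> Tuple[bool, str]:
    """Action gate: visibility first, then workflow role; serialized records are read-only."""
    ok, why = can_view_document(user, case, doc)
    if not ok:
        return False, why
    if action == "view":
        return True, "ok"
    if doc.serialized:
        return False, "serialized record: no further edits or approvals"
    role = doc.workflow.get(user.uid)
    if action in WORKFLOW_PERMS.get(role, set()):
        return True, "ok"
    return False, f"workflow role {role!r} may not {action}"

# Constructed sample: a grand-jury case drafted by an agent, approved by a supervisor.
AGENT = User("agent1", "FBI")
SUPERVISOR = User("sup1", "FBI")
TFO = User("tfo1", "TFO")
HR_STAFF = User("hr1", "FBI")
GJ_CASE = Case("GJ-1", "266", frozenset({"agent1", "sup1"}),
               caveat_lists={"GRAND_JURY": frozenset({"agent1", "sup1"})})
PERSONNEL_CASE = Case("P-1", "67E", frozenset({"hr1"}))
GJ_DRAFT = Document("d1", "GJ-1", caveats=frozenset({"GRAND_JURY"}),
                    workflow={"agent1": "author", "sup1": "approver"})
```

With this data, `can_perform(AGENT, GJ_CASE, GJ_DRAFT, "edit")` is allowed, the same agent cannot `sign`, the supervisor can, and the task force officer is stopped at the draft gate even though classification 266 is in the TFO allowlist; once the document is serialized the TFO is instead stopped by the grand-jury caveat list. Each denial carries the rule that produced it, which is what an auditor reviewing access decisions needs.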
Section 4: Information Sharing
4.1 Indicate with whom the component intends to share the information in the system and how the information will be shared, such as on a case-by-case basis, bulk transfer, or direct access.
Recipient, and how information will be shared (case-by-case, bulk transfer, direct access, or other):
- Within the component: case-by-case; bulk transfer; direct access
- DOJ components: case-by-case; bulk transfer
- Federal entities: case-by-case; bulk transfer
- State, local, tribal gov’t entities: case-by-case
- Public: case-by-case
- Private sector: case-by-case
- Foreign governments: case-by-case
- Foreign entities: case-by-case
- Other (specify): Individuals with an FBINet account who have been specifically authorized for SENTINEL access will have access to SENTINEL. This may include individuals in other federal agencies and task force officers.
4.2 Analysis: Disclosure or sharing of information necessarily increases risks to privacy. Describe controls that the component has put into place in order to prevent or mitigate threats to privacy in connection with the disclosure of information. (For example: measures taken to reduce the risk of unauthorized disclosure, data breach, or receipt by an unauthorized recipient; terms in applicable MOUs, contracts, or agreements that address safeguards to be implemented by the recipient to ensure appropriate use of the information – training, access controls, and security measures; etc.)
The risk that users outside the FBI who access or share information with SENTINEL will not adequately protect information using the appropriate security and privacy policies and procedures defined for SENTINEL operations is mitigated through the use of MOUs, which contain mandatory privacy provisions and, where appropriate, through Information Sharing Agreements (ISAs). The MOUs, which must pass legal review before being finalized, will address not only privacy requirements, but also training, auditing, and access controls. The FBI will monitor system access which will help mitigate the risk of inappropriate access to or use of the system. In many instances, the MOUs may require that further use of FBI information by external recipients be cleared through FBI program managers to ensure that the information is timely, accurate, and relevant, and cannot be used to interfere with ongoing enforcement efforts or the FBI’s ability to protect its sources and methods.
Section 5: Notice, Consent, and Redress
5.1 Indicate whether individuals will be notified if their information is collected, maintained, or disseminated by the system. (Check all that apply.)
[X] Yes, notice is provided pursuant to a system of records notice published in the Federal Register and discussed in Section 7.
[X] Yes, notice is provided by other means. Specify how: Notice is also provided in accordance with 5 U.S.C. § 552a(e)(3) of the Privacy Act for certain categories of records that have not been exempted from this requirement, such as administrative and personnel (support) records and background investigations.
[ ] No, notice is not provided. Specify why not:
5.2 Indicate whether and how individuals have the opportunity to decline to provide information.
[X] Yes, individuals have the opportunity to decline to provide information. Specify how: For administrative/support information, individuals may, in certain instances and with various consequences, have the ability to decline to provide information when they complete the forms that collect their information.
[X] No, individuals do not have the opportunity to decline to provide information. Specify why not: For operational information, individuals do not have an opportunity and/or right to decline to provide information.
5.3 Indicate whether and how individuals have the opportunity to consent to particular uses of the information.
[X] Yes, individuals have an opportunity to consent to particular uses of the information. Specify how: For administrative/support information, individuals may, in certain instances and with various consequences, have the ability to consent to particular uses when they complete forms that collect information.
[X] No, individuals do not have the opportunity to consent to particular uses of the information. Specify why not: For operational information, individuals do not have an opportunity to consent to particular uses of the information.
5.4 Analysis: Clear and conspicuous notice and the opportunity to consent to the collection and use of individuals’ information provides transparency and allows individuals to understand how their information will be handled. Describe how notice for the system was crafted with these principles in mind, or if notice is not provided, explain why not. If individuals are not provided the opportunity to consent to collection or use of the information, explain why not.
Individuals are provided some general degree of notice of the existence of case files through publication of the Central Records System (CRS) system of records notice that covers the FBI’s operational and non-operational case files (see 63 Federal Register 8671, February 20, 1998), including the information in SENTINEL. For operational data, individuals are not given specific notice of the collection as it might jeopardize law enforcement investigations or reveal classified information such as sources and methods of collection. For non-operational data or administrative/support data, individuals should receive any required notice when they complete forms used to provide their information (e.g., an FBI employment application). The FBI Business Process Re-engineering (BPR) E-Forms initiative is currently reviewing all FBI forms and will ensure that the forms are in compliance with Privacy Act requirements.
Section 6: Information Security
6.1 Indicate all that apply.
[X] As part of the system development, security engineering has been integrated into the system. Independent security code reviews were conducted during the course of development. In addition, Security Division conducted vulnerability scans using a set of industry standard tools to identify and isolate security vulnerabilities. In preparation for granting an Authority to Operate (ATO), Security Division conducted a formal independent security risk assessment. Technical and non-technical evaluation of the system was completed by the Security Division to verify that security controls are correctly implemented and effective. The identified risks were included in the Certification and Accreditation (C&A) report presented to the Designated Accrediting Authority (DAA).
[X] Appropriate security controls have been identified and implemented to protect against risks identified in the security risk assessment. All major security vulnerabilities identified by the security risk assessment have been reviewed and resolved to ensure secure system operations. All other vulnerabilities have been addressed with mitigation plans to ensure that only an acceptable level of risk is taken by the FBI.
[X] Monitoring, testing, or evaluation has been undertaken to safeguard the information and prevent its misuse. Specify: Throughout the development process, the SENTINEL test team continuously tested the code, including the data access controls. In addition, independent tests and reviews were conducted by a contractor Independent Verification and Validation team and the Security Division Certification and Accreditation (C&A) team. Audit logs will be provided to the Enterprise Security Operations Center (ESOC) on a daily basis for monitoring of potential system misuse.
[X] The information is secured in accordance with FISMA requirements. Provide date of most recent Certification and Accreditation: The current SENTINEL Authority to Operate expires on December 27, 2014.
[X] Auditing procedures are in place to ensure compliance with security standards. Specify, including any auditing of role-based access and measures to prevent misuse of information:
Local monitoring of audit logs occurs as part of routine SENTINEL operations, and events can be escalated for ESOC analysis. All operating system, database, and Get/Put logs are provided to the ESOC on a daily basis. The Enterprise Operations Center will perform network-level monitoring.
System audit logs are reviewed on a daily basis by the Security Administrator with auditor privileges. Audit logs can only be accessed by the Information Systems Security Officer and specific privileged users. Audit reports of specific events can be requested. General users cannot view, change, or delete the audit logs. The system will meet the requirements contained in the FBI certification and accreditation handbook and relevant NIST information security standards and Special Publications.
Users will directly access the SENTINEL application through their FBINET workstation. SENTINEL supports single sign-on. After logging into FBINET, an authorized user will launch the SENTINEL application by clicking the SENTINEL desktop icon. The authorized user’s FBINET (Active Directory) identifier will be passed to the SENTINEL application for authentication. The application will first verify that the FBINET user ID has an active SENTINEL account before assigning roles and allowing the user the appropriate access to the application. Not all FBINET account holders will have SENTINEL accounts. All FBI employees (both agents and support personnel) will be granted SENTINEL accounts. Other FBI personnel (including contractors and task force officers (TFOs)) must have their access request approved by an FBI supervisor and must be granted an Accessor ID (ACID). Similarly, authorized other government agency (OGA) personnel must have their access request approved by an FBI supervisor and must be granted an ACID. Contractors, TFOs, and OGA personnel with ACIDs will be assigned to role-based access groups and given limited access to case information in SENTINEL based on FBI policy. Any new FBI employee will be automatically granted access to SENTINEL when provided an FBINET account. System Access Requests (SARs) for approving SENTINEL accounts for any new non-FBI personnel will be processed through the existing Enterprise Process Automation System (EPAS).
As described above, SENTINEL is a case management system that gives FBI employees the ability to create case documents and submit them through an electronic workflow process. Supervisors, reviewers, and others involved in the approval process can review, comment, and approve the insertion of documents into the appropriate FBI electronic case files. Upon approval, the SENTINEL system serializes and uploads the documents into the SENTINEL repositories, where the documents will become part of the official FBI case file. SENTINEL will use the FBI’s public key infrastructure (PKI) services to apply digital signatures to electronic documents that will become part of the official case file. The digital signature ensures information authenticity, integrity, confidentiality, and non-repudiation, guarding against improper modification or destruction of official records. Any SENTINEL user who does not have a PKI card or personal identification number (PIN) will still be able to search for information in SENTINEL, based on their access privileges; however, they will not be able to digitally complete or sign documents in SENTINEL.
SENTINEL will also use Secure Sockets Layer (SSL) encryption to protect the confidentiality and integrity of information. Other controls that will be used to protect data and system integrity include host- and network-based intrusion detection systems, security administration tools, and malicious code detection software.
Strong physical security mechanisms will be in place at sites where the main systems reside in order to protect against inappropriate information access and use.
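The single sign-on flow described above has one ordering rule worth making explicit: the directory identity arrives already authenticated, and SENTINEL must confirm an active account (and, for non-FBI users, an approved ACID) before any role is assigned. The following Python login gate is an added example written for this page, not SENTINEL code; the account record shape, the ACID values, the role-group names and the sample account store are constructed assumptions.

```python
"""Login gate modelling the single sign-on flow in 6.1: the FBINET (Active
Directory) identifier is trusted for authentication, and SENTINEL checks for an
active account before assigning roles. Added example, not SENTINEL code;
account records, ACID values and group names are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Limited role group each non-FBI affiliation is placed into (constructed names).
LIMITED_GROUPS = {"CONTRACTOR": "contractor_limited", "TFO": "tfo_limited", "OGA": "oga_limited"}

@dataclass(frozen=True)
class DirectoryIdentity:
    """What the FBINET login hands to the application (constructed shape)."""
    ad_id: str
    affiliation: str  # "FBI", "CONTRACTOR", "TFO" or "OGA"

@dataclass
class SentinelAccount:
    ad_id: str
    active: bool
    role_group: str
    acid: Optional[str] = None              # Accessor ID, required for non-FBI users
    acid_approved_by: Optional[str] = None  # FBI supervisor who approved the SAR

def provision_fbi_employee(identity: DirectoryIdentity) -> SentinelAccount:
    """FBI employees receive a SENTINEL account automatically with their FBINET account."""
    return SentinelAccount(identity.ad_id, active=True, role_group="fbi_employee")

def resolve_session(identity: DirectoryIdentity,
                    accounts: Dict[str, SentinelAccount]) -> Tuple[bool, str]:
    """Return (granted, role_group or denial reason). Roles are never assigned
    before the account check succeeds."""
    account = accounts.get(identity.ad_id)
    if account is None:
        if identity.affiliation == "FBI":
            account = provision_fbi_employee(identity)
            accounts[identity.ad_id] = account
        else:
            return False, "no SENTINEL account: a System Access Request is required"
    if not account.active:
        return False, "SENTINEL account inactive"
    if identity.affiliation != "FBI":
        if not account.acid or not account.acid_approved_by:
            return False, "ACID missing or not approved by an FBI supervisor"
        if account.role_group != LIMITED_GROUPS.get(identity.affiliation):
            return False, "non-FBI account must be in its limited role group"
    return True, account.role_group

# Constructed sample account store.
ACCOUNTS: Dict[str, SentinelAccount] = {
    "tfo1": SentinelAccount("tfo1", True, "tfo_limited", acid="ACID-0001", acid_approved_by="sup1"),
    "ctr1": SentinelAccount("ctr1", True, "contractor_limited"),  # ACID never issued
    "agent9": SentinelAccount("agent9", False, "fbi_employee"),   # separated employee
}
```

Against this store, the task force officer with an approved ACID lands in the limited group, the contractor without an ACID is refused even though an account row exists, the separated employee is refused on the inactive flag before any role lookup, and an unknown non-FBI identity is told to go through the SAR process rather than being provisioned on the spot.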
[X] Contractors that have access to the system are subject to provisions in their contract binding them under the Privacy Act.
[X] Contractors that have access to the system are subject to information security provisions in their contracts required by DOJ policy.
[X] The following training is required for authorized users to access or receive information in the system:
    [X] General information security training
    [ ] Training specific to the system for authorized users within the Department.
    [ ] Training specific to the system for authorized users outside of the component.
    [ ] Other (specify):
6.2 Describe how access and security controls were utilized to protect privacy and reduce the risk of unauthorized access and disclosure.
Users authenticate to the system using single sign-on based on their FBINET login. Only approved, authorized users are then given FBINet accounts and thus access to SENTINEL. Authorized users must be listed in the FBI’s Electronic Directory Service (EDS).
Once in the system, SENTINEL supports multiple levels of data protection. Due to their sensitivity, certain case classifications are automatically limited to case participants or individuals in the Office of Origin. Furthermore, case managers have the discretion to limit access to their cases by name or organizational unit, subject to approval from their respective program manager.
The system also employs data protection for documents or other information marked by legal caveats (such as tax information or grand jury information). Only individuals listed on an access list (e.g. a grand jury list) will have access to this information. Finally, certain groups (e.g. JTTF TFOs or OGA personnel) will be further restricted to a limited set of case classifications. The set of classifications for each of these groups is defined by policy and legal requirements and is managed by the Information Sharing Policy Board (ISPB) and division policy groups.
The risk of inappropriate use of information is further mitigated through the use of auditing to monitor users’ activities. The use of these controls in combination with policy and procedural controls, including privacy and security training, acknowledgment of Rules of Behavior, use of levels of review of information, and, if necessary, disciplinary action, protects the privacy of information in SENTINEL.
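Section 6.1 states that audit logs are reviewed daily, that only privileged users may read them, and that auditing is the control behind the misuse-detection claim repeated here. The following Python review script is an added example of what such a daily pass can check; it is not FBI or ESOC tooling. The log line format, the user and group names, the classification allowlist and the denial threshold are all constructed for the illustration. It flags three things: a non-FBI user who was allowed into a classification outside the group's allowlist (enforcement disagreeing with policy), any audit-log access by a user without auditor privileges even when it was denied, and repeated denials from one account.

```python
"""Daily audit-log review of the kind Section 6 describes (logs go to the ESOC;
only privileged users may read audit logs). Added example, not FBI tooling:
the log format, user names, group allowlists and thresholds are constructed."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of one day's application audit events.
SAMPLE_LOG = """\
2014-05-01T09:12:03Z user=tfo1 group=TFO action=VIEW_CASE class=266 result=ALLOW
2014-05-01T09:13:10Z user=tfo1 group=TFO action=VIEW_CASE class=67E result=ALLOW
2014-05-01T09:15:42Z user=agent1 group=FBI action=VIEW_CASE class=67E result=DENY
2014-05-01T09:15:50Z user=agent1 group=FBI action=VIEW_CASE class=67F result=DENY
2014-05-01T09:16:01Z user=agent1 group=FBI action=VIEW_CASE class=67E result=DENY
2014-05-01T09:20:00Z user=agent1 group=FBI action=READ_AUDIT_LOG class=- result=DENY
2014-05-01T09:21:00Z user=isso1 group=FBI action=READ_AUDIT_LOG class=- result=ALLOW
2014-05-01T09:30:00Z user=sup1 group=FBI action=APPROVE_DOC class=266 result=ALLOW
this line is malformed and must not crash the review
"""

EVENT = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) group=(?P<group>\S+) "
    r"action=(?P<action>\S+) class=(?P<cls>\S+) result=(?P<result>ALLOW|DENY)$"
)

# Classifications each non-FBI group may see (constructed stand-in for the SAG policy set).
SAG_ALLOWED = {"TFO": {"266", "415"}, "CONTRACTOR": set(), "OGA": {"266"}}
# Users holding auditor privileges (constructed).
AUDIT_PRIVILEGED = {"isso1", "secadmin1"}
DENY_THRESHOLD = 3  # repeated denials in one review window worth a closer look

Finding = Tuple[str, str, str]  # (kind, user, detail)

def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse well-formed lines; skip anything else rather than abort the review."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def review(events: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    denies: Counter = Counter()
    for e in events:
        # 1. A non-FBI user was ALLOWED into a classification outside the SAG set:
        #    enforcement and policy disagree, which is the highest-priority finding.
        if (e["group"] != "FBI" and e["action"] == "VIEW_CASE" and e["result"] == "ALLOW"
                and e["cls"] not in SAG_ALLOWED.get(e["group"], set())):
            findings.append(("sag_bypass", e["user"], e["cls"]))
        # 2. Any audit-log access by a user without auditor privileges, even if denied.
        if e["action"].endswith("AUDIT_LOG") and e["user"] not in AUDIT_PRIVILEGED:
            findings.append(("audit_log_access_attempt", e["user"], e["result"]))
        if e["result"] == "DENY":
            denies[e["user"]] += 1
    # 3. Repeated denials from one account in the review window.
    for user, count in sorted(denies.items()):
        if count >= DENY_THRESHOLD:
            findings.append(("repeated_denials", user, str(count)))
    return findings

def review_text(text: str) -> List[Finding]:
    return review(parse_events(text))

if __name__ == "__main__":
    for kind, user, detail in review_text(SAMPLE_LOG):
        print(f"{kind:26} {user:8} {detail}")
```

On the constructed sample this yields exactly three findings: the TFO's allowed view of a 67E case, the agent's denied attempt to read the audit log, and that same agent's four denials. The privileged ISSO reading the log produces nothing, and the malformed line is skipped rather than halting the run, which matters for a job that has to complete every day.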
Section 7: Privacy Act
7.1 Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. § 552a. (Check the applicable block below and add the supplementary information requested.)
[X] Yes, and this system is covered by an existing system of records notice. Provide the system name and number, as well as the Federal Register citation(s) for the most recent complete notice and any subsequent notices reflecting amendment to the system: FBI Central Records System, 63 Fed. Reg. 8671 (Feb. 20, 1998), as amended 66 Fed. Reg. 8425 (Jan. 31, 2001), 66 Fed. Reg. 17,200 (Mar. 29, 2001), 72 Fed. Reg. 3410 (Jan. 25, 2007).
[ ] Yes, and a system of records notice is in development.
[ ] No, a system of records is not being created.
7.2 Analysis: Describe how information in the system about United States citizens and/or lawfully admitted permanent resident aliens is or will be retrieved.
Information will be retrieved by personal identifier, such as name, social security number, or date of birth, through a key word search or by a case number.
End Notes
[1] A federated query allows for a simultaneous search of multiple searchable resources.
[2] The term “case” here is used to describe how non-investigative matters (e.g., personnel and administrative information) are organized with the associated case classification and retention policy.