The primary objectives of the U.S. Department of Labor (DOL) information security effort are:
- Ensuring the confidentiality of sensitive information processed by, stored in, and moved through information systems and applications belonging to DOL. Examples of sensitive information processed by DOL include:
  - Personally identifiable information (PII) and other Privacy Act protected records
  - Pre-release economic statistics
  - Information provided by companies and citizens under the assumption of confidentiality
  - Pre-award contract financial information
- Ensuring the integrity of DOL information, such that decisions and actions taken based upon the data processed by, stored in, and moved through DOL information systems can be made with the assurance that the information has not been manipulated, that the information is not subject to repudiation, and that the source of changes to the information can be determined as accurately as possible.
- Ensuring the availability of the DOL information systems and applications during routine operations and in crisis situations to support the DOL Mission.
The Office of the Chief Information Officer (OCIO) maintains a team of security professionals responsible for the oversight of information security practices at the department. Their responsibility is to develop and maintain the programs that help the department meet its information security objectives.
- Security Initiatives – The OCIO Security Officer is responsible for a wide variety of initiatives that continuously improve the information security stance of the department.
- Contact Us – Where to go if you are interested in finding out more about the DOL OCIO Security programs or need contact information for specific DOL component agencies.
Regulatory Compliance And Oversight
OCIO is responsible for providing regulatory oversight for Information Technology (IT) security. This oversight includes the development of department-wide policy, procedures, and guidance for compliance with Federal laws, regulations, and guidelines, and with sound security and privacy practices. Additionally, OCIO Security is responsible for reviewing the security program documentation developed by component agencies, both to ensure compliance and to further enhance security practices across all component agencies. Documents are reviewed on an annual or quarterly cycle; the documents reviewed are listed below:
- Annual Personally Identifiable Report (APIIR)
- Authorization and Accreditation
- Contingency and Disaster Recovery Plans
- Contingency Plan
- Contingency Test
- E-Authentication Risk Assessment
- Incident Response Plan
- Interconnection Security Agreements
- Memoranda of Understanding
- Plan of Action and Milestones
- Privacy Impact Assessment (PIA)
- Risk Assessments
- Security Program Plans
- System Security Plans
- Security Controls Assessments (SCA)
- Security Controls Monitoring
- Independent Verification and Validation
Federal Information Security Management Act (FISMA) Implementation and Reporting
The OCIO Security team is responsible for compiling the Department's quarterly and annual reporting of information security under FISMA. This includes the collection, review, and aggregation of the quarterly plans of action and milestones (POA&M) reports that track the mitigation of security weaknesses, eGovernment evaluations, and the annual review of departmental security and privacy programs. DOL uses the National Institute of Standards and Technology (NIST) Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, to conduct this annual review.
Computer Security Awareness and Training
DOL OCIO Security is responsible for developing the department-wide minimum security training requirements for all employees, computer security professionals, and executive management. This includes hosting the annual computer security awareness training and other activities throughout the year to increase and reinforce the IT security knowledge of DOL employees. DOL component agencies are required to add depth to the department-wide security training requirement to bring system users up to speed on security requirements particular to the systems and applications they operate.
Computer Security Incident Response
DOL OCIO Security maintains a computer security incident response capability to address incidents across the department. The DOL Computer Security Incident Response Capability (CSIRC) functions in dual modes – proactive and reactive. The team proactively monitors federal and commercial computer incident response and homeland security groups (e.g., US-CERT) to determine potential threats to DOL systems and newly discovered vulnerabilities in DOL systems and applications. The team then notifies the security officers at each component agency, and, as required, collects feedback on the mitigation of new vulnerabilities and threats.
Furthermore, the DOL CSIRC is responsible for responding to anomalies and incidents related to computer security in DOL systems and applications. The DOL CSIRC coordinates anomaly reporting to determine whether potential threat activity is directed against one component agency or across DOL. Additionally, the DOL CSIRC is responsible for coordinating incident reporting to outside organizations, including law enforcement and government-wide incident response.
OCIO Program Integration
DOL makes information security a priority. This emphasis integrates information security into the Department's Enterprise Architecture (EA), System Development Life Cycle Management and Manual (SDLCMM) and the Department's IT planning, management, and the Capital Planning and Investment Control process (CPIC).
The OCIO Security team routinely interacts with the OCIO Capital Planning team to ensure that the Department's IT fiscal decisions maintain its strong information security posture. Security is an integral part of the system development life cycle; therefore, the security team actively participates in the Select and Control process. In support of the Select process, the team reviews several iterations of each initiative's Major IT Business Case to ensure that the initiatives comply with the latest security policies. During the Control process, the team participates in the quarterly capital planning control reviews to follow the progress of projects and initiatives, both in operations and in development, to ensure continued compliance with security requirements and best practices.
The OCIO Security team is actively involved in the efforts of DOL to establish and manage enterprise architecture. Part of this effort is directed at maintaining a common and uniform architecture for security protection at DOL to maximize interoperability of component agency information systems. Furthermore, this commonality is extended to maximize government-wide information sharing and interoperability under the eGovernment initiative and the President's Management Agenda.
The OCIO Security team actively participates in the information collection efforts at DOL. The systems at DOL contain a wide variety of sensitive but unclassified information, including personally identifiable information (PII), corporate sensitive data, and leading economic indicators. Any effort to increase information sharing or change information collection practices should be carefully reviewed for its security impact, and ways should be found to eliminate, as much as possible, the risk of compromise to this information.
The OCIO Security team participates in several government-wide initiatives to share lessons learned and ensure compliance with the objectives of eGovernment on the President's Management Agenda. These activities include, but are not limited to:
- Promote use of the internet, other information technologies, and interagency collaboration in providing eGovernment services to provide increased opportunities for citizen participation in government;
- Improve the government's ability to achieve agency missions and program performance goals;
- Reduce costs and burdens for businesses and other Government entities;
- Make the federal government more transparent and accountable; and,
- Provide better access to government information and services in a manner consistent with laws regarding protection of personal privacy, national security, records retention, access for persons with disabilities, and other relevant laws.