OIG — General Support System (GSS)

Overview

The GSS is owned by the OIG Branch of Information Technology (BIT).

The purpose of the GSS is to provide word processing, databases, graphics, spreadsheets, TeamMate (storage and processing of investigative case tracking and audit electronic work papers), Freedom of Information Act (FOIA) database, E-mail capabilities, and Intranet/Internet access for the agency. It also provides access to e-OIG, DOL applicataions, WestLaw, and Lexis/Nexis systems.

The OIG WAN is part of DOLNet, the consolidated Department of Labor WAN that will service all DOL agencies. Currently all traffic traverses Verizon Business’s vBNS MPLS IP based network. At the National Office two DS3 circuits are shared as the hub of DOLNet and therefore is the hub of the OIG WAN. All of the other 29 cities are connected to DOLNet via T-1 circuits in unshared sites: Baton Rouge, LA; Columbus, OH; Roanoke, VA; Jacksonville, FL; Sunrise, FL; Hattiesburg, MS; Pittsburgh, PA; Las Vegas, NV, Meriden, CT; Detroit, MI; West Covina, CA; Ventnor City, NJ; Mountainside, NJ; North Capital Street; St. Louis, MO; Houston, TX and Buffalo, NY, and with multi-OC3 circuits in DOL shared sites: Boston, MA; Silver Springs, MD (BYTEGRID); San Francisco, CA; Philadelphia, PA; Dallas, TX; Chicago, IL; New York, NY; Cleveland, OH; Denver, CO; Seattle, WA; Kansas City, MO and Atlanta, GA.

The LAN system accesses the Internet through a 100MB connection to Verizon Business’s Internet Access point located in the OASAM computer room, 200 Constitution Avenue, N.W., Washington, DC; the OASAM data center in Atlanta GA (for COOP) and the ByteGrid data center (cloud email failover) located in Silver Spring, MD. This connection services OIG users' non-DOL e-mail needs and allows access to the Internet. OIG regional and sub-regional offices access the Internet via DOLNet. Access to Departmental systems and services and internal DOL e-mail is provided through a connection between OIG's network and the DCN (Departmental Computer Network). All access is monitored and controlled by a firewall. The firewall forces all incoming requests to specific computers that are setup to handle the requests (web access will only go to the Internet web server, e-mail will only go to the SMTP server, etc.) The routers that connect the GSS to the DOL Information Technology Center (ITC) LAN(s) and WAN(s) are the demarcation point.

The GSS is connected to the following external systems:

  • DOL Network
  • GSS and OASAM DOLNET

 

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

The GSS contains PII for all OIG employees and members of the public.

  • What are the sources of the PII in the information system?

 

The OIG employees provide the PII as part of their investigative or audit activities.

The GSS is an operational IT system that supports the OIG mission. Therefore, the GSS maintains information relative to federal employee and authorized contractors to provide safe and effective access to OIG IT resources.

  • What is the PII being collected, used, disseminated, or maintained?

 

First and/or last name, Date of birth, Place of birth, SSN, Military, immigration, or other government-issued identifier, Photographic identifiers (i.e., photograph image, x-rays, video), Biometric identifier (i.e., fingerprint, voiceprint, iris), Other physical identifying information (e.g., tattoo, birthmark), Vehicle identifier (e.g., license place, VIN), Driver’s license number, Residential address, Personal phone numbers (e.g., phone, fax, cell), Mailing address (e.g., P.O. Box), Personal e-mail address, Business address, Business phone number (e.g., phone, fax, cell), Business e-mail address, Medical record number, Financial account information, Certificates (e.g., birth, death, marriage), Legal documents or notes (e.g., divorce decree, criminal records) and/or Educational records.

In regard to GSS operational needs, the GSS has records of the federal employee and contractor names, business contact information and network logon credentials.

  • How is the PII collected?

 

The OIG employees provide the PII as part of their investigative or audit activities.

The OIG employees and/or HR personnel provide their information to the GSS system administrators in order to permit the employee or contractor to perform their duties.

  • How will the information be checked for accuracy?

The information is checked by the user

- Agent or auditor in the course of their activity documentation.
- The employee/contractor in the course of their services.

  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?

Pursuant to the Inspector General Act of 1978, (Pub. L. 95-452, § 1, Oct. 12, 1978, 92 Stat. 1101), as amended by Section 812 of the Homeland Security Act of 2002 (Pub. L. No. 107-296), authorizes the Inspector General to conduct audits and investigations that relate to the OIG’s mission.

  • Privacy Impact Analysis

There is minimal risk to the PII. A firewall monitors and prevents unauthorized users from accessing OIG’s internal network from the Internet. There are no public access accounts. All access is monitored and controlled by firewalls.

USES OF THE PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

  • Describe all the uses of the PII

 

The PII is used for investigation/audit support documentation needs and for employee/contractor emails and network access.

  • What types of tools are used to analyze data and what type of data may be produced?

 

Tools are not used to analyze the data. The data is used solely to support investigations and audit reports.

  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

 

No.

  • If the system uses commercial or publicly available data, please explain why and how it is used.

 

No, the system is used to allow the agents and auditors to perform their duties.

  • Privacy Impact Analysis

 

All system controls (as verified in the system FISMA activities) are used to protect the information. These controls are in-place and are maintained.

RETENTION

The following questions are intended to outline how long information will be retained after the initial collection.

  • How long is information retained in the system?

The information resides on the GSS until the investigative or audit reports are until the case is closed.

  • Privacy Impact Analysis

The risk is minimal.

  • How is it determined that PII is no longer required?

The Agent closes the case due to final judicial proceeding completion.

  • What efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?

Not applicable.

  • Privacy Impact Analysis

The agent is required by the OLRFI Case Management policy and procedures to remove the cases after it is closed.

1.1 INTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the scope of sharing within the Department of Labor.

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

None. All investigative information is shared through the eOIG (major application, see eOIG PIA) and all audit information is shared through the Teammate (major application, see Teammate PIA)

  • How is the PII transmitted or disclosed?

It is not.

  • Privacy Impact Analysis

The risk is through the loss or theft of the agent/auditor’s laptop. The laptop is fully disk encrypted using the OMB approved PointSec Encryption software. There is no significant risk.

EXTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?

There is not external sharing.

  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Not applicable

  • How is the information shared outside the Department and what security measures safeguard its transmission?

Not applicable

  • Privacy Impact Analysis

There is no significant risk.

NOTICE

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII?

No.

  • Do individuals have the opportunity and/or right to decline to provide information?

No.

  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

No.

  • Privacy Impact Analysis

There is no significant risk.

ACCESS, REDRESS, AND CORRECTION

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

  • What are the procedures that allow individuals to gain access to their information?

The users access the email properties to verify the information.

Not applicable

  • What are the procedures for correcting inaccurate or erroneous information?

To correct any erroneous information, the user is to notify the Branch of Information Technology (BIT).

Not applicable

  • How are individuals notified of the procedures for correcting their information?

The user is notified via email or phone.

Not applicable

  • If no formal redress is provided, what alternatives are available to the individual?

Not applicable

  • Privacy Impact Analysis

There is no significant risk.

TECHNICAL ACCESS AND SECURITY

The following questions are intended to describe technical safeguards and security measures.

  • What procedures are in place to determine which users may access the system and are they documented?

Users are given user ids and passwords.

  • Will Department contractors have access to the system?

Some contractors may have access to the GSS.

  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Users must take the Computer Security Awareness Training and sign the Rules of Behavior.

  • What auditing measures and technical safeguards are in place to prevent misuse of data?

Users are assigned specific access rights depending on their roles.

  • Privacy Impact Analysis

There is minimal risk to the PII. A Firewall monitors and prevents unauthorized users from accessing OIG’s internal network from the Internet. There are no public access accounts. All access is monitored and controlled by Firewall. Additional monitoring of access from the Internet is provided by Internet Service Provider sensors.

TECHNOLOGY

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

  • What stage of development is the system in, and what project development life cycle was used?

The GSS is in the Operation and Maintenance phase. The OIG follows the DOL System Development Lifecycle Management Manual (SDLCMM).

  • Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

No.

DETERMINATION

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

The Office of Inspector General (OIG) has completed the PIA for the OIG General Support System (GSS) which is currently in operation. The OIG has determined that the safeguards and controls for this moderate system adequately protect the information referenced in the GSS System Security Plan dated September 2008.

The OIG has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.