Friday, December 21, 2007

CSAT Security Vulnerability Analysis News

I periodically go back and spot check some areas of the CSAT Frequently Asked Questions page of the DHS web site. There is no way to tell when this page changes since it is the only DHS web page that I can find that does not have a “This page was last modified on…” listing on the page. One of the ways that I do this is to check on the SVA listings.

FAQ #803 used to answer the question “When will I be notified if I have to complete a SVA?”. It used to say that DHS would begin notifying users by mail in September 2007 that they needed to complete an SVA. Yesterday there was no FAQ #803. Instead FAQ #1284 now answers that question with: “In early 2008, DHS will begin notifying users by mail that they need to proceed to completion of the SVA or that their participation is complete.” This is obviously directed at the 40,000+ facilities that are expected to complete a Top Screen before the end of January 2008.

Another new FAQ also showed up; FAQ #1265 answers the question: “Is it possible to review a copy of the SVA or SSP template prior to CSAT registration?” The answer to that question is:

“For security reasons, only authorized users that have been assigned usernames and passwords through the CSAT User Registration process can have access to the Top Screen tool. After submitting the necessary information through Top Screen, DHS will notify those facilities that will need to complete a SVA. The SVA and SSP templates are not yet finalized but will also be restricted to access by registered CSAT users whose Top Screen results obliges their use of the tools.”

Since there has been no indication of DHS publishing an SVA template for the 100 or so companies that should have completed them from the initial Top Screen submission requirement in June 2007, I have half expected that DHS would not allow general access to those templates. I would be very interested in hearing the rationale DHS uses to restrict access to this template. I am not talking about actual access to the SVA tool in CSAT and I am certainly not asking about access to the methodology used to evaluate the data reported with that tool.

What I would be interested in seeing is a .PDF document outlining the procedure for entering the data into the SVA tool in CSAT, much the same way DHS did for the CSAT Registration tool and the Top Screen tool. This would serve at least two purposes: 1) allow facilities to prepare their SVA documentation to facilitate entry into the SVA tool, and 2) allow writers like myself to review and comment on those instructions.

If the facilities knew the requirements for entering data into the SVA tool as they went into their SVA process, they could prepare their SVA documentation in such a manner as to allow straightforward cutting and pasting from their documentation into the on-line tool. They could also shape their analysis process to provide the precise type of data that DHS was looking for in their SVA tool.

The feedback from writers like me could allow DHS to modify their instructions so that they had a better chance at communicating the requirements that DHS intended to the end users in an efficient manner. As a professional instruction writer (12 years writing manufacturing instructions, laboratory procedures, and facility SOPs) I know how hard it is to get clear, comprehensive instructions done in a single pass. What was perfectly clear to the writer may be imprecise and unclear to the ultimate user. Multiple critical reviews by outsiders make it easier to get clear instructions into the hands of the people that will use the tool.

I hope that DHS reconsiders and publishes a .PDF SVA User’s Guide on their web site. This would help to make a complex process a little bit simpler to complete.
