This is part of an on-going series of blog posts about the
new Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety plan
(PSP) User
Manual. This manual sets forth the instructions for using the new PSP tool
in the on-line Chemical Security Assessment Tool (CSAT). Other blogs in this
series include:
Groups and Submitters Overview
Again, because the PSP tool involves the handling and access
of personally identifiable information (PII) steps have to be taken to ensure
that only those personnel with a need-to-know have access to that information.
With the multiple ways that information may be submitted ISCD set up the PSP
tool to require the formation of Groups and to only allow designated personnel
to view the PII of personnel within that group. This required the establishment
of PSP Submitters (separate from the Submitter used in other CSAT tools) so
that a single PSP Submitter would only be able to access PII from the Group to
which they are assigned.
Groups
As a default every CSAT account will initially have a single
Group; called the Corporation Group. If a PSP Submitter(s) is authorized to
have access to the PII on all of the affected personnel at a facility, then
only the Corporation Group is necessary. However, if a facility is going to
have to submit data on contractors or other companies, then it is likely that
other Groups will have to be created. Or if a facility is going to use an
outside company to submit data of facility personnel, but corporate HR will be
submitting data on personnel from other facilities, then multiple Groups will probably
have to be established.
The User Manual explains it this way:
“The Department expects an Authorizer
will carefully consider the best group structure so information about affected
individuals can be protected from unauthorized disclosure. Specifically, the
Department expects the Authorizer will create one or more groups if needed so
PSP Submitter(s) will (1) have access to only those records about affected
individuals they should have access to, and (2) not have access to those
records about affected individuals they should not. Several examples of how
groups might be constructed to align with a facility’s (or its designees’)
business operations are provided in Appendix C [pg 24]. It is also possible
that the best group structure for some facilities may be to not create any
additional groups at all and rely on the default “Corporation” group.”
The User Manual
provides instructions on how to:
• Create a Group (pg 11);
• Edit a Group’s Name;
• Merge a Group in to the
Corporation Group; and
• Remove a Group
PSP Submitters
As I noted earlier the PSP Submitter(s) will be entering PII
into the PSP tool for all data submissions under Option 1 (Full data
submission) or Option 2 (Data submission on holders of DHS vetted ID). This is
a separate CSAT position from the Submitter who has been submitting data in the
Top Screen, Security Vulnerability Analysis (SVA) or Site Security Plan (SSP)
tools in CSAT. A Submitter may be assigned to the role of PSP Submitter. For
the rest of this post I will be referring to the PSP Submitter as ‘Submitter’.
When a facility first tries to access the PSP tool, the only
person that will be able to effect that access is the Authorizer. The
Authorizer can submit data in the Corporation Group (and only that Group) so it
is possible that a facility may not need to have a Submitter. More likely,
however, we would see the Authorizer designate a Submitter for the Corporation
Group and any other Groups that the Authorizer sets up.
The important thing to remember is that a Submitter can only
be assigned to a single Group and will only be able to see or submit data for
that Group. This is going to have to be taken into account as Groups are
established.
For companies that have multiple CFATS covered facilities
under a single Authorizer should remember that the Corporation Group for the
Authorizer would appear to apply to all facilities under that Authorizer
(though this is not explicitly stated in the User Manual). Separate Submitters
could be designated for each covered facility under the Corporation Group, but
they would be able to see the PII for all individuals from any facility
submitted under the Corporation Group.
Submitters from outside of the company may be designated.
This would be useful when an outside organization is doing the data submission
for a facility or when contractors/vendors are doing data submissions for their
employees that would have access to the facility. The Appendix C description of
Group organization would seem to suggest that DHS would prefer to see these
outside organizations submitting data under separate Groups. This would
certainly make sense where more than one outside organization would be
submitting data, as it would limit the visibility of the PII to those for whom
the organization had submitted data.
PII Liability
While all submitters are going to be governed by the Rules
of Behavior (ROB; discussed in the previous post in this series) about access
to the PSP Tool and the data contained in that tool, facilities will do well to
remember that the data collected prior to data submission is also covered by
Federal, State, and local privacy and data protection rules. Since the data
that the Submitters are entering into the system is not yet covered by the ROB,
the Submitters need to be fully trained about, and in compliance with, those
other rules.
Commentary
For many facilities the single Corporation Group with a
single Submitter will certainly be sufficient. The larger the organization the
less likely that is going to be true. For companies with multiple locations and
a number of contractors and vendors that require unaccompanied access to
critical areas of the facility, I seriously suggest that the corporate security
manager set up a meeting with all of the affected facility security managers
and DHS Chemical Security Inspectors to try to work out the details of how the
organization is going to organize its PSP data submission program. This meeting
needs to be done early in the process; it would probably be best done before
the SSP revisions are made.
Remember, it is fairly easy to set up Groups. If you end up
setting up too many Groups initially, you can always reduce the number of
groups by merging them later. Setting up new Groups after data submission has
started will be very difficult as there is not currently any method for moving some
data from one Group to another.
Posts
No comments:
Post a Comment