Attach7_PIA-iCURE-HHS Approved.pdf

Intramural Continuing Umbrella of Research Experiences (iCURE) Applications (NCI)

PIA

OMB: 0925-0758

PIA Assessment

1. OPDIV

NIH

2. PIA Unique Identifier

P-3643799-198981

2a. Name

NCI Local Network

3. The subject of this PIA is which of the following?

General Support System

3a. Identify the Enterprise Performance Lifecycle Phase of the system.

Operational

3b. Is this a FISMA Reportable system?

Yes

4. Does the system include a Website or online application available to and for the use of the general public?

No
Accept / Reject Status

Accept

Question 4 Comment

5. Identify the operator.

Agency

6. Point of Contact (POC)
POC Title

System Owner

POC Name

Cliff Wong

POC Organization

NCI/OD/CBIIT

POC Email

wongcc@mail.nih.gov

POC Phone

240-276-5132

Accept / Reject Status

Accept

Question 6 Comment

7. Is this a new or existing system?

Existing

8. Does the system have Security Authorization (SA)?

Yes

Accept / Reject Status

Accept

Question 8 Comment

8a. Date of Security Authorization

08/31/2017

9. Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Other

This General Support System (GSS) is established by the National
Cancer Institute (NCI), Office of the Director (OD), Center for
Biomedical Informatics and Information Technology (CBIIT). The
NCI Local Network (LAN) General Support System (GSS) is
aligned as a Tier 1 GSS to fulfill the purpose mandated by the NIH
IT System Realignment; streamline reporting for the Federal
Information Security Modernization Act (FISMA) 2014 and
facilitate efficiency. This Tier 1 General Support System (GSS) does
not itself have a website or online application; however, the NCI
LAN GSS contains significant subcomponents (subsystems) which
are essential to achieving the mission of the National Cancer
Institute (NCI). These Tier 2, 3, and 4 subsystems have unique and
specific Privacy Impact Assessments (PIAs); which may address
website(s); online applications; Personally Identifiable Information
(PII); applicability to Privacy Act System of Records Notice
(SORN) and the Paperwork Reduction Act (PRA) Information
Collection Request.

Accept / Reject Status

Accept

Question 9 Comment

10. Describe in further detail any changes to the system that have occurred since the last PIA.

Due to the scope of the NCI LAN GSS, it is not feasible to list all changes to the system within the format of this Privacy Impact Assessment (PIA). However, all changes to the NCI Local Network (LAN) GSS are managed within an established baseline system configuration which adheres to federal standards and settings, including configuration guidelines for desktops, firewalls, software, operating systems, environment, and other IT devices. NCI currently uses multiple repositories (e.g., JIRA, Collaborate) to maintain Configuration Management artifacts, and Collaborate to dynamically generate and display real-time server information using SQL from data. NCI uses a private implementation of ServiceNow to manage all configuration change requests. The complete inventory of all LAN systems, devices, and assets is maintained in various formats, depending on the nature of the asset.

Accept / Reject Status

Accept

Question 10 Comment

11. Describe the purpose of the system.

Due to the scope and purpose of this General Support System, the
NIH Senior Official for Privacy requests that the final Privacy
Impact Assessment be withheld from publication on an external
website. The purpose of the National Cancer Institute's (NCI) Local
Network (LAN) General Support System (GSS) is to provide
infrastructure, network services, and application hosting to support a
variety of cancer related research, education, and biomedical
initiatives. It is used to provide access and connectivity to NCI
computing devices and storage resources. Included within the NCI
LAN GSS authorization boundary are NCI Center for Biomedical
Informatics and Information Technology (CBIIT) supported servers,
end-user computers, network devices, and print services.
The National Cancer Institute (NCI) leads the National Cancer
Program and the National Institutes of Health (NIH), U.S.
Department of Health and Human Services (HHS) efforts to
dramatically reduce the prevalence of cancer and improve the lives
of cancer patients and their families, through research into
prevention and cancer biology, the development of new
interventions, and the training and mentoring of new researchers.
NCI Local Network (LAN) General Support System (GSS) has the
following subcomponents:
CBIIT Portfolio Manager System
Cancer Genome Anatomy Project
Cooperative Research and Development Agreements
DCEG Intramural
DCP Enterprise System Knowledgebase
Document Generation System
Early Detection Research Network
Electronic Telework System
Health Communications Internship Program
Introduction to Cancer Research Careers
Labmatrix (NCI)
Molecular Analysis for Therapy Choice (MATCH) application
NCI At Your Service
NCI Cancer Central Clinical Database
NCI Cloud Services
NCI DCTD M-PACT Tumor Sequencing Database Management
System (Genemed)
NCI Enterprise Security Program
NCI IMPAC II Extensions
NCI Mobile and Web Applications
NCI National Biomedical Imaging Archive
NCI OSFM Computer Aided Facility Management System
NCI Portfolio Management Application
NCI Public Websites
NCI SharePoint
NCI Unified Communications
OCPL Websites of Information for Public External
Office of Acquisition System E-Contracts

Accept / Reject Status

Accept

Question 11 Comment

12. Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)

As a Tier 1 General Support System (GSS), NCI Local Network (LAN) does not itself collect, maintain (store) or share information. However, the NCI LAN GSS contains significant subcomponents (subsystems) which are essential to achieving the mission of the National Cancer Institute (NCI). These Tier 2, 3, and 4 subsystems have unique and specific Privacy Impact Assessments (PIAs) which address the type of information the specific system will collect, maintain, store, and share. NCI Local Network (LAN) General Support System (GSS) has the following subcomponents:
CBIIT Portfolio Manager System
Cancer Genome Anatomy Project
Cooperative Research and Development Agreements
DCEG Intramural
DCP Enterprise System Knowledgebase
Document Generation System
Early Detection Research Network
Electronic Telework System
Health Communications Internship Program
Introduction to Cancer Research Careers
Labmatrix (NCI)
Molecular Analysis for Therapy Choice (MATCH) application
NCI At Your Service
NCI Cancer Central Clinical Database
NCI Cloud Services
NCI DCTD M-PACT Tumor Sequencing Database Management System (Genemed)
NCI Enterprise Security Program
NCI IMPAC II Extensions
NCI Mobile and Web Applications
NCI National Biomedical Imaging Archive
NCI OSFM Computer Aided Facility Management System
NCI Portfolio Management Application
NCI Public Websites
NCI SharePoint
NCI Unified Communications
OCPL Websites of Information for Public External
Office of Acquisition System E-Contracts
PRO-CTCAE
Secure Physical Access Control and Environmental Systems
Smokefree.gov Website(s) and Mobile Apps
TTC Technology Information Management System
e-Grants, web-Grants

Users log in to the various supported applications/systems on this GSS using NIH Active Directory, which maintains its own unique privacy impact assessment (PIA). The purpose of NIH Active Directory is to authenticate and authorize all users and computers in a Windows domain type network; assigning and enforcing information security policies for all computers and installing or updating software. NIH Active Directory collects unique user names and passwords (user credentials) and stores them in an encrypted format. NIH Active Directory is an essential service which facilitates and governs network access to various resources.

Accept / Reject Status

Accept

Question 12 Comment

13. Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The National Cancer Institute's (NCI) Local Network (LAN)
General Support System (GSS) provides infrastructure, network
services, and application hosting to support a variety of cancer
related research, education, and biomedical initiatives. It is used to
provide access and connectivity to NCI computing devices and
storage resources. The NCI LAN GSS provides a range of
supporting and shared services that enable NCI stakeholders to
operate applications, manage directory services, manage software
development services, maintain knowledge platforms and enable
common communications tools (i.e. unified communications,
WebEx), security operations and monitoring services, but does not
directly own the data stored, collected or processed by these
applications. Included within the NCI LAN GSS authorization
boundary are NCI Center for Biomedical Informatics and
Information Technology (CBIIT) supported servers, end-user
computers, network devices, and print services.
Users log in to the various supported applications/systems on this
GSS using NIH Active Directory, which maintains its own unique
privacy impact assessment (PIA). The purpose of NIH Active
Directory is to authenticate and authorize all users and computers in
a Windows domain type network; assigning and enforcing
information security policies for all computers and installing or
updating software. NIH Active Directory collects unique user names
and passwords (user credentials) and stores them in an encrypted
format. NIH Active Directory is an essential service which
facilitates and governs network access to various resources.

Accept / Reject Status

Accept

Question 13 Comment

14. Does the system collect, maintain, use or share PII?

No

Accept / Reject Status

Accept

Question 14 Comment

As a Tier 1 General Support System (GSS), the NCI Local Network
(LAN) does not itself collect, maintain (store) or share information.
However, the NCI LAN GSS contains significant subcomponents
(subsystems) which are essential to achieving the mission of the
National Cancer Institute (NCI). These Tier 2, 3, and 4 subsystems
have unique and specific Privacy Impact Assessments (PIAs) which
address the type of information the specific system will collect,
maintain, store, and share, including personally identifiable
information (PII).

15. Indicate the type of PII that the system will collect or maintain.

Accept / Reject Status

Question 15 Comment

16. Indicate the categories of individuals about whom PII is collected, maintained or shared.

Accept / Reject Status

Question 16 Comment

17. How many individuals' PII is in the system?

10,000-49,999

Accept / Reject Status

Question 17 Comment

18. For what primary purpose is the PII used?

No

Accept / Reject Status

Question 18 Comment

19. Describe the secondary uses for which the PII will be used (e.g. testing, training or research).

Accept / Reject Status

Question 19 Comment

20. Describe the function of the SSN.

Accept / Reject Status

Question 20 Comment

20a. Cite the legal authority to use the SSN.

21. Identify legal authorities governing information use and disclosure specific to the system and program.

22. Are records on the system retrieved by one or more PII data elements?

No

Accept / Reject Status

Question 22 Comment

22a. Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed.
Published:
Published:
Published:

In Progress

23. Identify the sources of PII in the system.

Accept / Reject Status

Question 23 Comment

23a. Identify the OMB information collection approval number and expiration date.

24. Is the PII shared with other organizations?

Accept / Reject Status

Question 24 Comment

24a. Identify with whom the PII is shared or disclosed and for what purpose.
Within HHS

Other Federal Agency/
Agencies

State or Local Agency/
Agencies

Private Sector

24b. Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

24c. Describe the procedures for accounting for disclosures.

25. Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Accept / Reject Status

Question 25 Comment

26. Is the submission of PII by individuals voluntary or mandatory?

Accept / Reject Status

Question 26 Comment

27. Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Accept / Reject Status

Question 27 Comment

28. Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Accept / Reject Status

Question 28 Comment

29. Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Accept / Reject Status

Question 29 Comment

30. Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

Accept / Reject Status

Question 30 Comment

31. Identify who will have access to the PII in the system and the reason why they require access.

Users

Administrators

Developers

Contractors

Others

32. Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Accept / Reject Status

Question 32 Comment

33. Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Accept / Reject Status

Question 33 Comment

34. Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

Accept / Reject Status

Question 34 Comment

35. Describe training system users receive (above and beyond general security and privacy awareness training).

Accept / Reject Status

Question 35 Comment

36. Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Accept / Reject Status

Question 36 Comment

37. Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Accept / Reject Status

Question 37 Comment

38. Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

No PII

Accept / Reject Status

Question 38 Comment

39. Identify the publicly available URL.

Accept / Reject Status

Question 39 Comment

40. Does the website have a posted privacy notice?

Accept / Reject Status

Question 40 Comment

40a. Is the privacy policy available in a machine-readable format?

41. Does the website use web measurement and customization technology?

Accept / Reject Status

Question 41 Comment

41a. Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply.)
Web Beacons
Collects PII?
Web Bugs
Collects PII?
Session Cookies
Collects PII?
Persistent Cookies
Collects PII?
Other ...
Collects PII?

42. Does the website have any information or pages directed at children under the age of thirteen?

No

Accept / Reject Status

Question 42 Comment

42a. Is there a unique privacy policy for the website, and does the unique privacy policy address the process for obtaining parental consent if any information is collected?

43. Does the website contain links to non-federal government websites external to HHS?

Accept / Reject Status

Question 43 Comment

43a. Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?

REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

1. Are the questions on the PIA answered correctly, accurately, and completely?

Yes

Reviewer Notes
Accept / Reject Status

Accept

Question 1 Comment

2. Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities?

Yes

Reviewer Notes

Not applicable.

Accept / Reject Status

Accept

Question 2 Comment

3. Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors?

Yes

Reviewer Notes

Not applicable.

Accept / Reject Status

Accept

Question 3 Comment

4. Does the PIA appropriately describe the PII quality and integrity of the data?

No

Reviewer Notes

Not applicable.

Accept / Reject Status

Accept

Question 4 Comment

5. Is this a candidate for PII minimization?

No

Reviewer Notes
Accept / Reject Status

Accept

Question 5 Comment

6. Does the PIA accurately identify data retention procedures and records retention schedules?

No

Reviewer Notes

Not applicable.

Accept / Reject Status

Accept

Question 6 Comment

7. Are the individuals whose PII is in the system provided appropriate participation?

No

Reviewer Notes

Not applicable.

Accept / Reject Status

Accept

Question 7 Comment

8. Does the PIA raise any concerns about the security of the PII?

No

Reviewer Notes
Accept / Reject Status

Accept

Question 8 Comment

9. Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be?

No

Reviewer Notes

Not applicable.

Accept / Reject Status

Accept

Question 9 Comment

10. Is the PII appropriately limited for use internally and with third parties?

No

Reviewer Notes

Not applicable.

Accept / Reject Status

Accept

Question 10 Comment

11. Does the PIA demonstrate compliance with all Web privacy requirements?

No

Reviewer Notes

Not applicable.

Accept / Reject Status

Accept

Question 11 Comment

12. Were any changes made to the system because of the completion of this PIA?

No

Reviewer Notes
Accept / Reject Status

Accept

Question 12 Comment

General Comments

Status and Approvals
IC Status

IC Approved

OSOP Status

HHS Approved

OPDIV Senior Official for Privacy Signature
HHS Senior Agency Official for Privacy


File Type: application/pdf
File Title: NCI Local Network PIA[1]
Author: Horovitch-Kelley, Vivian (NIH/NCI) [E]
File Modified: 2018-10-15
File Created: 2018-10-15
