IBPF

Privacy Impact Assessment for the International Biosecurity and Prevention Forum

Privacy Impact Assessment

for the International Biosecurity and Prevention Forum

Issued by: Jacqueline F. Brown, Acting FBI Privacy and Civil Liberties Officer

Reviewed by: Luke J. McCormack, Chief Information Officer, Department of Justice

Approved by: Joo Chung, Acting Chief Privacy and Civil Liberties Officer, Department of Justice

Date approved: 08/19/2013

Section 1:  Description of the Information System

Provide a non-technical overall description of the system that addresses:

(a) the purpose that the records and/or system are designed to serve;

(b) the way the system operates to achieve the purpose(s);

(c) the type of information collected, maintained, used, or disseminated by the system;

(d) who has access to information in the system;

(e) how information in the system is retrieved by the user;

(f) how information is transmitted to and from the system; and

(g) any interconnections with other systems.

The response should be written in plain language and should be as comprehensive as necessary to describe the system. If it would enhance the public’s understanding of the system, please include system diagram(s).

(a) Purpose that the records and/or system are designed to serve:

The International Biosecurity and Prevention Forum (IBPF) is a new United States Government initiative developed in collaboration with the International Criminal Police Organization, or INTERPOL, and other key international state actor and non-governmental organization partners from the international community, to prevent the misuse of biological agents as weapons of mass destruction. The IBPF is a unique, member-driven initiative that seeks to bring together the world’s leading experts from the health and security communities to share experience, expertise, best practices, and intelligence on key biosecurity and bioterrorism prevention issues.

The IBPF website is a repository of information and is designed to collect and disseminate both publicly-available and IBPF member-provided content. As a result of this interaction and sharing of information, international relationships can be created and members can work together to address their particular issues with regard to biosecurity and bioterrorism prevention and response.

(b) the way the system operates to achieve the purpose(s):

The IBPF is a dynamic international resource that will be comprised of three primary components: 1) a Web Portal; 2) conferences which provide members an opportunity to review and address international biosecurity and bioterrorism prevention progress and identify future priorities and goals; and 3) training and exercises that are designed from member-contributed content and allow for the evaluation and refinement of current biosecurity and bioterrorism prevention practices. The Web Portal is itself divided into two parts: (a) a public-facing portion to give general information about the IBPF, biosecurity, and how to join the members-only portion of the web portal, and (b) a members-only portion that serves as an information repository and the focal point for collaboration and innovation. This PIA addresses the two-part web portal.

The Web Portal consists of a secure unclassified on-line information sharing environment (hereafter referred to as “secure side”) for the discussion and distribution of projects, best practices, exercises and intelligence pertaining to biosecurity and bioterrorism prevention and response. The secure side is complemented by a publicly-accessible side (hereafter referred to as “public-side”) that allows visitors access to relevant biosecurity news, information about the IBPF, events, and resources.

All member-provided secure side content, with the exception of member commentary and forum comments, is reviewed independently by at least two site reviewers prior to publication to ensure that no sensitive information is being compromised. Member commentary and forum comments on the secure side will be reviewed by IBPF staff after they are posted and removed if deemed inappropriate.

(c) the type of information collected, maintained, used, or disseminated by the system:

Information sources include Really Simple Syndication (RSS) news feeds, open-source resources, and IBPF unclassified and non-sensitive member-provided content.

The public side will be used by the general public to gain basic information about biosecurity and bioterrorism prevention-related news, resources, events, and information about the IBPF. The following information will be automatically collected when individuals access the public side of the site:

  • The name of the domain and IP address from which the site is accessed;
  • The type of browser and operating system used to access the site;
  • The date and time the site is accessed;
  • The Internet address of the website from which the site is directly linked; and
  • The pages visited and the information requested on the site.

The secure side will be used by members to share projects, best practices, member resources, intelligence, meetings, exercises, and participate in discussion forums and comment sections with the greater IBPF membership.

(d) who will have access to the information in the system/project:

To access the secure side, potential users must be sponsored by an existing IBPF organization and request access before an account can be created. IBPF organizations will be chosen based upon prior organizational interactions with the FBI. The FBI’s Biological Countermeasures Unit, WMD Directorate will (1) confirm that the potential user works for the sponsor IBPF organization, and (2) check open source material to determine any security risks.

U.S. Government organization IBPF members include the FBI, Departments of Defense and State. International organizations include G8 Global Partnership members, the World Health Organization, the Food and Agriculture Organization, and the World Organization for Animal Health. Private organizations include the American Association for the Advancement of Science, the Federation of American Scientists, the Association of American Universities, and the Association of Public and Land-Grant Universities. Access to the secure side is username and password restricted, with valid accounts subject to access control list (ACL) restrictions concerning capabilities (i.e., what functions the user can enact) and data (i.e., what pre-published information the user can access). Those with access to information on the secure side include members, site reviewers, and site developers.

(e) how information in the system is retrieved by the user:

On the public facing website, users from the general public may click on links and open files visible on that side just by going to the site. A username and password is not needed to access the public information. On the secure side, a member must first sign in with a user name and password. This will allow members-only information to be visible to the approved user. Once logged into the secure side, a member can click on links, and download files contained on the secure side without needing any further authorization.

(f) how information is transmitted to and from the system:

Information is transmitted on the secure side by direct access; members will be able to view member-provided content, including member profile information. All transactions between browser and server are conducted using 256-bit encryption, including the login process.  Members will not have IBPF email addresses and the website will not be supporting any email for members.  IBPF will only facilitate email between members by providing IBPF members, on the secure side, a list of email addresses for members who have chosen to have their emails published on that list.

(g) any interconnections with other systems:

The IBPF website has no technical interconnections with other FBI projects or systems.

Users requesting to be members are required to provide:

  • Given / First name
  • Surname / Last name
  • Email address
  • Organization
  • Reference (name only)

Once a member account is created, the user is further asked to indicate his or her related specialties. The member profile also has fields for non-required (non-mandatory) information pertaining to:

  • Title
  • Phone number
  • Photo

Section 2:  Information in the System

2.1   Indicate below what information is collected, maintained, or disseminated.

(Check all that apply.)

Identifying numbers

Social Security

 

Alien Registration

 

Financial account

 

Taxpayer ID

 

Driver’s license

 

Financial transaction

 

Employee ID

 

Passport

 

Patient ID

 

File/case ID

 

Credit card

 

 

 

Other identifying numbers (specify):            

 

 

General personal data

Name

X

Date of birth

 

Religion

 

Maiden name

 

Place of birth

 

Financial info

 

Alias

 

Home address

 

Medical information

 

Gender

 

Telephone number

 

Military service

 

Age

 

Email address

 

Physical characteristics

 

Race/ethnicity

 

Education

 

Mother’s maiden name

 

Other general personal data (specify):            

 

 

Work-related data

Occupation

 

Telephone number

 

Salary

 

Job title

 

Email address

X

Work history

 

Work address

 

Business associates

 

 

 

Other work-related data (specify): Only first and last name, organization name, email address, and a reference (name only), are required to become a member. Other PII elements are optional.

Distinguishing features/Biometrics NONE

 

Fingerprints

 

Photos

 

DNA profiles

 

Palm prints

 

Scars, marks, tattoos

 

Retina/iris scans

 

  Voice recording/signatures

 

           Vascular scan

 

                Dental profile

 

Other distinguishing features/biometrics (specify):

System admin/audit data

User ID

X

Date/time of access

X

ID files accessed

X

IP address

X

Queries run

X

Contents of files

 

Other system/audit data (specify): This data is to be utilized for statistical purposes and to improve website functionality. None of this data will be used to identify an individual, but rather is used as a whole to identify general statistical information and site navigability.

Other information (specify)

 

         

         

 

2.2     Indicate sources of the information in the system. (Check all that apply.) 

Directly from individual about whom the information pertains

In person

 

Hard copy:  mail/fax

 

Online

X

Telephone

 

Email

 

 

 

Other (specify):                     

Government sources

Within the Component

X

Other DOJ components

X

Other federal entities

X

State, local, tribal

X

Foreign

X

 

 

Other (specify): Government members of the IBPF can potentially provide information from their government agency to the website.  

Non-government sources

Members of the public

 

Public media, internet

X

Private sector

 X

Commercial data brokers

 

 

 

 

 


Other (specify): Additional sources of information can come in the form of news, resources, and events available through public media and the internet.  Additionally, private sector members of the IBPF can potentially provide information from their private sector agency/organization to the website.    


2.3    Analysis: Now that you have identified the information collected and the sources of the information, please identify and evaluate any potential threats to privacy that exist in light of the information collected or the sources from which the information is collected. Please describe the choices that the component made with regard to the type or quantity of information collected and the sources providing the information in order to prevent or mitigate threats to privacy. (For example:  If a decision was made to collect less data, include a discussion of this decision; if it is necessary to obtain information from sources other than the individual, explain why.)

On the public side, the FBI will automatically collect a variety of data points from each visitor to the IBPF site.  The FBI automatically collects this type and amount of data because it was determined to be the minimum amount and least intrusive type of collection to enable security and site management operations to proceed efficiently.

Risks to privacy from the automated collection of information on the public side include (1) additional knowledge may be available from the combination of data in the system that otherwise would not be apparent, (2) information that is collected for one purpose is used for another unrelated purpose, and (3) individuals may not be aware of or consent to the information collection. In mitigation: (1) the FBI posts a Privacy Policy on the public and secure sides, as well as this PIA on the FBI’s website and a link to the PIA on the IBPF website, providing notice to visitors of this collection; (2) the FBI will only use and maintain the collected information as stated in the Privacy Policy; and (3) individuals can request access to their personal data as stated in the Privacy Policy.

On the secure side, personal privacy threats include: (1) data breach, (2) improper access to or misuse of data in the system, and (3) over-collection of PII.

The risk of data breach is mitigated in a number of ways. Data is received electronically via encrypted file formats. All users are subject to periodic, random auditing of account access and activity. The system resides in a secure facility with appropriate password authentication and other protections, and all data from the system is routinely backed up onsite and stored offsite.

In mitigation of the improper access to or misuse of data risk, access to the system is restricted to persons selected by IBPF organizations and vetted by the FBI using open source information. Also, access to and use of the system is subject to monitoring and auditing.  Further, information on the secure side is either solicited directly from members or provided by the members themselves with the understanding of its use. Before receiving access to provide information to the website, each member is reminded how the information is to be presented on the website, what information is allowed (unclassified, non-operational) and that such information may be used by the greater IBPF membership to further the IBPF mission with relation to biosecurity and bioterrorism prevention and response. Further, at every log-on to the secure side, members must acknowledge that (1) they have no reasonable expectation of privacy in using the site, (2) the U.S. Government may monitor the site, and (3) any information they put on the site may be used for any U.S. Government authorized purpose.

In order to mitigate the risk of over-collection, individuals requesting membership are only required to give their name, organization name, professional email address, and the name of the person who referred them as a prospective IBPF member. Although the site solicits additional information about members to post on the secure side to facilitate professional interactions, the solicited information is limited to the member’s professional capacity. For example, the site solicits business email address and phone number, but not personal email address and phone number. Further, the FBI is drafting a retention schedule for the secure side, to be submitted to the National Archives and Records Administration for approval, with a proposed retention of 10 years.  Member access requests will be managed under FBI retention schedule Classification 319U20, meaning all account information will be destroyed six years after the account is terminated or when no longer needed for investigative or security[1] purposes, whichever is later [see retention schedule]. Finally, the site is designed to periodically cull membership. All members are required to renew account passwords every 180 days, and account activity consisting of last successful log-in is recorded and available to privileged site

Section 3: Purpose and Use of the System

3.1  Indicate why the information in the system is being collected, maintained, or disseminated.  (Check all that apply.) 

Purpose

 

For criminal law enforcement activities

 

For civil enforcement activities

 

For intelligence activities

 

For administrative matters

 

To conduct analysis concerning subjects of investigative or other interest

X

To promote information sharing initiatives

 

To conduct analysis to identify previously unknown areas of note, concern, or pattern.

 

For administering human resources programs

 

For litigation

 

 

 

Other (specify):                


3.2   Analysis: Provide an explanation of how the component specifically will use the information to accomplish the checked purpose(s). Describe why the information that is collected, maintained, or disseminated is necessary to accomplish the checked purpose(s) and to further the component’s and/or the Department’s mission.

The website will host information from various IBPF members’ programs that address biosecurity and/or bioterrorism prevention and response. Such information then creates a repository of knowledge for the greater IBPF membership to view, identify as potentially relevant to their specific program, and work with that program’s member to craft a new program to address their specific need. Currently, no such interaction on a global scale takes place with regard to these topics. The website will be the foundation of such information sharing and will be the focal point for other IBPF components from which to operate (holding conferences, training events, and exercises). Taken together, the IBPF website supports the IBPF mission to prevent the misuse of biological agents as weapons of mass destruction by sharing biosecurity and bioterrorism prevention and response best practices.  Additionally, in furtherance of assisting other international programs to address their biosecurity and bioterrorism vulnerabilities by interacting with IBPF members, the IBPF website supports the FBI’s priorities to protect the United States from terrorist attack and support federal, state, local and international partners.

The IBPF site only requires provision of the minimum PII (personally identifiable information) necessary in order to validate users for access to the secure side and efficiently allow for interconnectivity within the IBPF membership in this professional environment.

3.3  Indicate the legal authorities, policies, or agreements that authorize collection of the information in the system. (Check all that apply and include citation/reference.)    

Authority

                 Citation/Reference

X

Statute

 28 U.S.C. § 534; 5 U.S.C. § 301.

 

Executive Order

         

 

Federal Regulation

         

 

Memorandum of Understanding/agreement

         

 

Other (summarize and provide copy of relevant portion)

         

 

The FBI’s general legal authority to collect records, 28 U.S.C. § 534, and its general administrative authority, 5 U.S.C. § 301, provide the authority for information collection on this Site. The Membership Agreement and relevant disclaimers govern what information is solicited from a prospective member or current member. All information provided to the IBPF website, aside from system administrative/audit data is voluntary.  Additionally, the user will be notified how such system administrative/audit data information will be used, by way of Privacy Statement and disclaimer.

3.4  Indicate how long the information will be retained to accomplish the intended purpose, and how it will be disposed of at the end of the retention period. (Reference the applicable retention schedule approved by the National Archives and Records Administration, if available.)

The website will retain member-provided content (not including information provided at membership signup) for the extent of the project, because such content directly supports the accomplishment of the intended purpose of the IBPF website. If such a member ceases to be a member of the IBPF, such member-provided content will remain on the website and be attributed to that member’s organizational point of contact who is also an IBPF member. If all members from an organization cease to be members, the organizational point of contact will be contacted to adjudicate the persistence of such member-provided content on the IBPF until another member can be established from that organization. With respect to discussion or comments, such information will remain associated with such member-provided content or discussion forums until such items are removed from the IBPF website for other time- and topic-sensitive reasons.  Additionally, such discussion or comments will remain attributable to a member after the person ceases to be a member of the IBPF.

Information gathered during membership signup, to include PII, will be retained in accordance with disposition authority GRS24, item 6a (FBI classification 319U20). This requires destruction of the data six years after the user account is terminated or when no longer needed for investigative or security purposes, whichever is longer. However, members who choose to cancel their membership with the IBPF will be deleted as members of the site. Account access is maintained by both:

  • Changing the account password at least every 180 days, and
  • Demonstrating site activity through content contributions, forum discussions and account login history.

Accounts can be disabled or deleted from the system by site reviewers. Account disabling is used to temporarily prevent user access to the site and to maintain data continuity when members change organizations or are on extended leaves. Member profile information is still retained and displayed for disabled accounts.  When an account is deleted, all user information including user name and password, member profile and other PII, is removed from the secure side web portal available to other users. Deleted member PII will be kept in the IPBF system, accessible only by site administrators with virtual private network (VPN) access to the server, in accordance with the disposition authority.

3.5   Analysis: Describe any potential threats to privacy as a result of the component’s use of the information, and controls that the component has put into place to ensure that the information is handled, retained, and disposed appropriately. (For example:  mandatory training for system users regarding appropriate handling of information, automatic purging of information in accordance with the retention schedule, etc.)

Improper access to or misuse of information on the site are potential threats to privacy. In mitigation of these risks, secure side user PII is shared only with other authenticated users on the secure side, and all such members are subject to the site User Agreement policies.  Further, name, sponsoring organization, and professional email address constitute the only PII required to be shared with other secure side users (although secure side users may share more PII if they wish). All secure side communications between the site and users’ browsers are conducted via Secure Socket Layer (SSL) on port 443 using 256-bit encryption. All PII and account information shared, other than the required name, organization, and email, is at the option of each individual member.

Privileged users of the site, also known as administrative users, who have access to additional PII and member records, are required to undergo information security training and adhere to FBI PII handling policies. All privileged users are FBI employees or FBI contractors – general members will not have administrative rights to the website. All PII and member provided comments on site information and forums collected as a result of members’ use of the secure side will be automatically purged in accordance with the appropriate retention schedule. Audit logs resulting from system activity, natural back-ups of the system, and the auditing procedures as described in the System Security Plan, will be automatically purged six months after initial capture, in accordance with the retention schedule. FBI is working with NARA to establish a retention schedule.

Section 4Information Sharing

4.1  Indicate with whom the component intends to share the information in the system and how the information will be shared, such as on a case-by-case basis, bulk transfer, or direct access.

 

Recipient

How information will be shared

Case-by-case

Bulk transfer

Direct access

Other (specify)

Within the component

 

 

X

         

DOJ components

 

 

X

         

Federal entities

 

 

X

         

State, local, tribal gov’t entities

 

 

X

         

Public

 

 

X

         

Private sector

 

 

X

         

Foreign governments

 

 

X

         

Foreign entities

 

 

X

         

Other (specify):

 

 

 

         

 

With regard to the public side, all information will be shared with the general public via the Internet. With regard to the secure side, information is available only to validated members of the IBPF and FBI members and administrative users including site reviewers and site developers. After IBPF members have been adjudicated and granted access, they will have direct access to other IBPF member-provided content and member contact information by way of the secure side. Potential IBPF members include all recipients listed above.

4.2  Analysis: Disclosure or sharing of information necessarily increases risks to privacy.  Describe controls that the component has put into place in order to prevent or mitigate threats to privacy in connection with the disclosure of information. (For example:  measures taken to reduce the risk of unauthorized disclosure, data breach, or receipt by an unauthorized recipient; terms in applicable MOUs, contracts, or agreements that address safeguards to be implemented by the recipient to ensure appropriate use of the information – training, access controls, and security measures; etc.)

The IBPF website site is housed at a certified FISMA facility under their low-baseline compliant policies to NIST 800-53 standards for physical and logical server access. This reduces physical access to PII data, and limits direct data access to site developers possessing VPN access, and application site reviewers requiring account and password access. User access to PII is restricted to secure side IBPF members with valid accounts. Members must comply with the Membership Agreement policy governing information provided to the website, the use of such information, and the voluntary providing of PII. Failure to comply will result in loss of membership and site access.

Compliance with website policies is determined through two person review of all content posted to the website and active moderation of the forums. Daily server logs are also maintained and actively reviewed by project personnel once a week for errors in the operations of the system and illegal attempts to gain access to the secure side website. Server logs include all site and server access by IP address, unique ID, web page, file requested and/or operation performed. Access to these logs is limited to the privileged users, who require VPN tokens to access the logs in read-only mode. Any additional analysis or alteration requires the log files to be downloaded; the original files cannot be altered. In addition, to protect PII and other user information, all member communications with the website are encrypted using SSL in transit.

In addition, the company the IBPF servers are rented from monitors all network traffic twenty-four hours a day, seven days a week and notifies IBPF server administrators of any network attacks or failures.

Section 5:  Notice, Consent, and Redress

5.1  Indicate whether individuals will be notified if their information is collected, maintained, or disseminated by the system. (Check all that apply.)

X

Yes, notice is provided pursuant to a system of records notice published in the Federal Register and discussed in Section 7.

 

Yes, notice is provided by other means.    

Specify how:               

 

No, notice is not provided.

Specify why not:              


5.2  Indicate whether and how individuals have the opportunity to decline to provide information.  

X

Yes, individuals have the opportunity to decline to provide information.

Specify how:   All information collected outside of system admin/audit data is provided at the user’s direction. The user provides information by way of a form, which identifies that by clicking “Submit” to submit information contained in the form, they are abiding by the User Agreement. If a user chooses not to provide information, they do not have to fill out a form and do not have to click “Submit”.

 

No, individuals do not have the opportunity to decline to provide information.

Specify why not:              


5.3  Indicate whether and how individuals have the opportunity to consent to particular uses of the information. 

 

Yes, individuals have an opportunity to consent to particular uses of the information.

Specify how:    

  

X

No, individuals do not have the opportunity to consent to particular uses of the information.

Specify why not: When the user agrees to the terms of the disclaimers provided, they click a button signifying such agreement. Such agreement does not allow the user to consent to particular uses of the information. However, the user is informed within such disclaimers how all provided information is to be used.  

  


5.4  Analysis: Clear and conspicuous notice and the opportunity to consent to the collection and use of individuals’ information provides transparency and allows individuals to understand how their information will be handled. Describe how notice for the system was crafted with these principles in mind, or if notice is not provided, explain why not. If individuals are not provided the opportunity to consent to collection or use of the information, explain why not.

The Privacy Policy and User Agreement make clear the intended uses of information provided by the user. The site Privacy Policy and User Agreement policy documents are accessible from each page of the website. Additionally, all forms completed by the user containing PII contain critical terms of use agreement clauses, direct links to the User Agreement and Privacy Policy documents, and instruct the user to submit the form only if he or she agree to these terms. Further, at every logon to the secure side, members must acknowledge that they have no reasonable expectation of privacy in using the site, the U.S. Government may monitor the site, and any information they put on the site may be used for any U.S. Government authorized purpose.

Section 6: Information Security

6.1  Indicate all that apply.

 

A security risk assessment has been conducted.

 

X

Appropriate security controls have been identified and implemented to protect against risks identified in security risk assessment.  Specify: FISMA-compliant physical access and network monitoring, encrypted communications from server to user browser, on-disk access restricted to site reviewers and developers requiring account access, and application ACL are restricted to members with active, valid accounts. Additionally, username and password is required to access the secure side of the website, and passwords must contain nine or more characters, with upper and lower case letters, and containing at least one or more numbers or symbols.  Lastly, the system will require members to change passwords at least every 180 days.

 

X

Monitoring, testing, or evaluation has been undertaken to safeguard the information and prevent its misuse. Specify:  The IBPF website server is monitored by automatic processes 24 hours a day, 7 days a week as required by FISMA requirements for physical and network access with all server access logged, and all records from the system are actively reviewed by a person at least once a week. Application ACL is logged for security and performance improvement purposes, and the log is actively checked at least monthly for performance. Application software, including capability and data access, is tested as part of the contractor’s Capability Maturity Model Integration process.

 

X

The information is secured in accordance with FISMA requirements. Provide date of most recent Certification and Accreditation: Server is located at a FISMA compliant facility. C&A process is pending.

X

Auditing procedures are in place to ensure compliance with security standards. Specify, including any auditing of role-based access and measures to prevent misuse of information: Daily server logs are maintained and actively monitored by project personnel once a week. Server logs include all site and server access by IP address, unique ID, web page, file requested and/or operation performed. Access to these logs is limited to a subset of server administrators who require VPN tokens to access the logs in read-only mode. Any additional analysis or alteration requires the log files to be downloaded; the original files cannot be altered.

 

X

Contractors that have access to the system are subject to provisions in their contract binding them under the Privacy Act. [FBI BCU is actively in the process of modifying the statement of work to include language on the Privacy Act and the resulting provisions.]

X

Contractors that have access to the system are subject to information security provisions in their contracts required by DOJ policy. [FBI BCU is actively in the process of modifying the statement of work to include the security provisions required by DOJ policy.]

X

The following training is required for authorized users to access or receive information in the system:

 

 

General information security training

 

Training specific to the system for authorized users within the Department.

 

Training specific to the system for authorized users outside of the component.

X

Other (specify): Administrative personnel are required to take FBI INFOSEC training.  General members do not have any required training but agree to a membership agreement outlining the system policies.           


6.2  Describe how access and security controls were utilized to protect privacy and reduce the risk of unauthorized access and disclosure.

The server is located in a secure FISMA-compliant facility. Access to member-provided content and user PII is restricted to site developers, site reviewers, and IBPF members, all of whom are required to have valid, active accounts consisting of username, password, and application ACL restricting the user’s access to site capability and data. Users are required to abide by the Membership Agreement, with non-compliance resulting in loss of access and membership. Daily server logs are maintained and reviewed by project personnel at a minimum once a week. Server logs include all site and server access by IP address, unique ID, web page, file requested and/or operation performed. Access to these logs is limited to a subset of server administrators who require VPN tokens to access the logs in read-only mode. Any additional analysis or alteration requires the log files to be downloaded; the original files cannot be altered. Also, all website administrative personnel are required to take FBI INFOSEC training.

In addition, initial security testing will be performed with the MVM scanning tool, which is intended to highlight any identified security vulnerabilities within the IBPF system. After the initial scan, repeat scans will be performed on a monthly basis, or upon any updates to the Drupal deployment, the software backbone of the website (new modules, configuration changes, etc). Results of these scans will be submitted to the ISSO (Information System Security Officer).

Additionally, Drupal provides a status page which allows quick review of installed modules within the system, and indicates when an update has been released to address newly-identified security vulnerabilities or other defects. This page will be monitored at least once per week (more frequently if exploits are discovered) to ensure that Drupal modules are up-to-date and appropriately patched.

Section 7:  Privacy Act

7.1  Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. § 552a.  (Check the applicable block below and add the supplementary information requested.)

Yes, and this system is covered by an existing system of records notice.

Provide the system name and number, as well as the Federal Register citation(s) for the most recent complete notice and any subsequent notices reflecting amendment to the system: JUSTICE/FBI—003 Bureau Mailing Lists, 70 Fed. Reg. 7,513 (Feb. 14, 2005).    

  

Yes, and a system of records notice is in development.

 

 

No, a system of records is not being created.

 


7.2  Analysis:  Describe how information in the system about United States citizens and/or lawfully admitted permanent resident aliens is or will be retrieved.

IBPF member profile PII for IBPF members, to include U.S. Persons, will be maintained on the secure side in a profile list format retrievable by all other IBPF members by name or organization. All IBPF members have the option to provide, at a minimum, their first and last name, professional email address, and organization they work for, or provide additional information as well.  Reference information is not required for a profile. If they choose to provide more PII, they can then choose whether to make that additional PII visible to all IBPF members, or keep it hidden.

Appendix A: IBPF Privacy Policy

PRIVACY POLICY

LAST MODIFIED: August 23, 2012
Please Read Carefully Before Using This Website:

This International Biosecurity and Prevention Forum (the “IBPF”) Web Portal is a website (the “Site”) created and managed by the United States Federal Bureau of Investigation (the “FBI”). The Site was created to allow the professional international community to collaborate and easily access biosecurity and bioterrorism prevention and response information, to include news, resources, projects and best practices. This policy covers personally identifiable information (“PII”) collected or stored by the IBPF on its server(s) in relation to the Site. Consistent with its data retention policy, the Site collects and retains the least amount of PII necessary to fulfill the IBPF’s operational needs. The FBI’s general legal authority to collect records, 28 U.S.C. § 534, and its general administrative authority, 5 U.S.C. § 301, provide the authority for information collection on this Site.

Here is how we handle information about your visit to this Site:

A. Information Collected and Stored Automatically

If you visit our site to read or download information, we (the FBI) automatically collect and store the following information about your visit:

  • The name of the domain (for example, “xcompany.com” if you use a private Internet access account or “yourschool.edu” if you are connecting from a university’s domain) and IP address (a number that is automatically assigned to your computer when you are using the Internet) from which you access the Site;
  • The type of browser and operating system used to access the Site;
  • The date and time you access the Site;
  • The Internet address of the website from which you linked directly to the Site; and
  • The pages you visit and the information you request on the Site.

B. If You Send Us Personal Information

You do not have to provide any personal information to visit the public portion of this website. If you choose to identify yourself by sending an e-mail message to an address on this Site or by filling out a form or membership request and submitting it through this Site, we will use that information to respond to your message or to fulfill the stated purpose of the communication. The FBI does not collect or use information for commercial marketing.

As a stipulation to obtaining membership and gaining access to the secure portion of this website, you must provide your personal information via an online registration process. The information that you provide may include your name, affiliated organization, email address, phone number and biographical information. We may also collect information about you from other sources, such as public records or bodies, or private organizations in order to verify your identity. After entering your information, you will receive informational communications from us. Depending on your requests for services from the IBPF, additional information may also be collected. It is at your discretion and determination whether to provide personal information to us.

We may share information you give us with contractors acting on our behalf or with another government agency if your inquiry relates to that agency. In other limited circumstances, such as responses to requests from Congress and private individuals, we may be required by law to disclose information you submit. If you provide comments in response to a request for public comments, we may make those comments as well as your identity available to the public in a publication or by posting them on our website. Where possible, we may give you more specific guidance at the point of collection regarding how your personal information may be used or disclosed.

Electronically submitted information is maintained and destroyed according to the principles of the Federal Records Act and the regulations and records schedules of the National Archives and Records Administration and in some cases may be covered by the Privacy Act and subject to the Freedom of Information Act. A discussion of your rights under these laws can be found at http://publications.usa.gov/USAPubs.php?PubID=6080.

Remember that e-mail is not necessarily secure against interception. If your communication is sensitive or includes personal information, you may prefer to send it by postal mail instead.

C. Use of the Information

1. Your Control of Your Profile
By default, only your name, your email address, and the name of your affiliated organization are available to everyone visiting the secure side of this IBPF site. You can alter your profile to display more or less information to all secure side visitors as you choose. The FBI is not responsible for any use of your personal information by parties with whom you have chosen to share such information.

2. Your Control Over Member Submitted Content
Personal information (name, organization) is collected so that, when you use the Secure Side, you may provide Member Submitted Content (as defined in the Terms of Use) and communicate with other parties. Other users of the Secure Side will see messages and documents you submit to the Secure Side. We are not responsible for any use of your Member Submitted Content by parties with whom you have chosen to share such content.

3. Periodic Contacts
We may occasionally use your name and email address to send you notifications regarding the Site or information consistent with the mission of the IBPF.

4. Other Permitted Uses of Your Information
We may disclose part or all of your personal information if we determine, in good faith, that the law requires or compels such disclosure, or in accordance with the FBI Bureau Mailing Lists system of records notice, JUSTICE/FBI-003, 70 Fed. Reg. 7513, or the Bureau’s blanket routine uses, 72 Fed. Reg. 3410, including to a federal, state, local, joint, tribal, foreign, international, or other public agency/organization, where such disclosure serves law enforcement interests.

We may disclose aggregated data and statistics in order to describe the Site to prospective members, organizations, and other third parties, and for other lawful purposes. This allows us to gather and publish statistics about users, to improve our website and to enhance our services.

5. Your Choices
We do not require you to provide personal information in order to visit the public portion of this Site. However, if you choose not to provide personal information, your ability to use all of the Site’s services, including the Secure Side, will be limited and you may not receive the information that you request. By choosing to provide personal information, you agree to the terms of this Privacy Policy.

Access and control over most personal information submitted by you to the Site is available through an account management link. You may modify or delete select portions of your profile information by using the account management link. Removed information may persist in backup copies. If you provide comments or discussions to the Secure Side, you cannot remove such communications.

6. Access to Your Personal Data
FBI records can be requested through both the Freedom of Information Act (FOIA) and the Privacy Act. Please read this page carefully to ensure you are making the correct request.  The Freedom of Information Act allows any person—except fugitives, federal agencies, and foreign intelligence agencies—to request information about organizations, businesses, investigations, historical events, incidents, groups, or deceased persons. The Privacy Act allows U.S. citizens and lawfully admitted aliens to request information on themselves or another living person. To use the FOIA or Privacy Act to request information held by the IBPF, please visit http://www.fbi.gov/foia/requesting-fbi-records.

D. Children’s Online Privacy Protection Act (COPPA)

The Site is not designated nor intended to collect information from children under the age of 18. The FBI is especially concerned about protecting children’s privacy. We hope parents and teachers are involved in children’s Internet explorations. It is particularly important for parents to guide their children when children are asked to provide personal information online. We do not knowingly collect information from children under the age of 18. If you are younger than age 18, you may use our Site only with the permission and involvement of your parent or guardian. If a child chooses to provide personally identifying information to us through e-mail or otherwise, it will only be used to enable us to respond and will not be retained.

E. Cookies

“Cookies” are small bits of text that are either used for the duration of a session (“session cookies”) or saved on a user’s hard drive in order to identify that user, or information about that user, the next time the user logs on to a website (“persistent cookies”). Certain pages on the IBPF website and its sub-domains use persistent cookies to provide streamlined navigation and for statistical analysis. We also use session cookies as part of a voluntary web customer satisfaction survey that will appear to a small percentage of our website visitors as they leave the FBI’s site. Session cookies are deleted from the FBI’s servers soon after your session ends and are not collected or saved. Our customer satisfaction survey uses a persistent cookie that is stored on your computer’s hard drive. This cookie ensures that we won’t invite you to take a customer satisfaction survey within 90 days of completing a survey.

You can set up your web browser to inform you when cookies are set or to prevent cookies from being set. You can still use our website if you do not accept the cookies, but you may be unable to use certain cookie-dependent features. You can find directions to help you disable cookies in some of the most popular desktop browsers and mobile browsers by following the instructions on the USA.gov web measurement and customization opt out help site.

F. Security, Intrusion, and Detection

For site security purposes and to ensure that this service remains available to all users, all network traffic is monitored in order to identify unauthorized attempts to upload or change information or otherwise cause damage or conduct criminal activity. To protect the system from unauthorized use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by personnel authorized to do so by the FBI (and such monitoring and recording will be conducted). Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials. Unauthorized attempts to upload or change information or otherwise cause damage to this service are strictly prohibited and may be punishable under applicable federal law.

We maintain a variety of physical, electronic, and procedural safeguards to protect your personal information. For example, we use commercially reasonable tools and techniques to protect against unauthorized access to our systems. Also, we restrict access to Personal Information to those who need such access in the course of their duties for us. Your own efforts to protect against unauthorized access play an important role in protecting the security of your personal information. You should be sure to sign off when finished using a shared computer, and always log out of any site when viewing personal information. We may have links to other outside websites that we do not control. We are not responsible for the content or privacy policies of these sites, and users should check those policies on such sites.

G. Disclaimer for Hypertext Links

Neither the FBI nor its contributors are responsible for the content of any off-site pages that are referenced by or that reference to the IBPF’s website. The user specifically acknowledges that neither the FBI nor its contributors are responsible for any defamatory, offensive, misleading, or illegal conduct of other users, links, or third parties and that the risk of injury from the foregoing rests entirely with the user. Links from the IBPF website on the World Wide Web to other sites or from other sites to the IBPF website do not constitute an endorsement by the FBI or IBPF. These links are for convenience only. It is the responsibility of the user to evaluate the content and usefulness of information obtained from other sites.

H. Disclaimer for FBI Information

All information provided by the FBI or IBPF on this website is made available to provide immediate access for the convenience of interested persons. While the FBI and IBPF make reasonable efforts to the ensure accuracy, relevance, timeliness, and completeness of the information on this website, human or mechanical error remain possibilities. Therefore, the FBI and IBPF do not guarantee the accuracy, relevance, timeliness, or completeness of the information. Neither the FBI, nor any of the sources of the information, shall be responsible for any error or omission, or for the use of, or the results obtained from the use of this information.

I. Disclaimer of Endorsement

Reference herein to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the U.S. government.

J. Changes to Our Privacy Policy

We reserve the right to modify or amend this Policy at any time by posting the revised privacy policy on the Site. Therefore, each time you access the Site, you should note the date this Policy was last modified. If you do not or cannot agree to the amended Policy, your only option is to cease all use and access of the Site.

K. How to Contact Us

If you would like to request additional information regarding this Policy, or have questions regarding the same, please visit our Contact Us page. For more details, please read the Privacy Policy for the U.S. Department of Justice website, which also applies to the FBI:  http://www.justice.gov/privacy-file.htm.

[1] The FBI will only use member access request information for investigative purposes in accordance with the Privacy Policy (Appendix A). Member access request information is used for security purposes.