Audit Trail System
· Name of project
Audit Trail System
· Unique project identifier
· Privacy Impact Assessment (PIA) Contact
Office of IT Enterprise Business Support
Social Security Administration
6401 Security Boulevard
Baltimore, MD 21235
· System background description or purpose
The Audit Trail System (ATS) is a Social Security Administration (SSA) certified and accredited General Support System that ensures stewardship of the Social Security trust funds and supports the agency’s security and integrity review functions by detecting and preventing fraudulent and improper payments. To do this, ATS collects and maintains transactions of various agency electronic systems that could potentially compromise agency records or funds by providing an automated means to execute a high volume of transactions to identify, deter, and prevent instances of fraud and abuse. This includes using data for internal and external audits, and investigations of possible fraudulent uses of the agency’s various programmatic and external public-facing systems or applications used by SSA employees, the American public, and trusted partners.
· Describe the information we collect, why we collect the information, how we use the information, and with whom we share the information.
ATS provides an automated and integrated system facility for the maintenance and retrieval of audit records for the purposes of deterring, detecting, and investigating instances of fraud and abuse.
The scope of the system encompasses the daily collection of data each time an employee, contractor, or member of the public performs an auditable task or transaction from various agency programmatic and public-facing systems or applications. ATS collects and stores auditable data from these various programmatic and public-facing systems or applications in accordance with agency-specific and general records schedules approved by the National Archives and Records Administration. Each record contains the personal identification number (PIN) of the employee entering the transaction as well as the date, time, and application-specific data.
The Center Directors for Security and Integrity and their staff in the Deputy Commissioner for Operations, the Office of Audit and the Office of Investigations in the Office of Inspector General, and the Office of Anti-Fraud Programs and their staff in the Deputy Commissioner for Analytics, Review, and Oversight are the primary users of ATS. These users can request data for a specific PIN, a specific Social Security number or a specific office or module.
ATS does not have interconnections to other organizations nor other systems outside of the SSA Firewall for sharing information. The ATS system is not accessible to members of the public.
· Describe the administrative and technological controls we have in place to secure the information we collect.
We have conducted authentication and security risk analyses on the ATS system boundary. The latter includes an evaluation of security and audit controls proven effective in protecting the information collected, stored, processed, and transmitted by our information systems. These include technical, management, and operational controls that permit access to those users who have an official “need to know.” Audit mechanisms are in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification.
We protect the information in the ATS by requiring authorized employees to use a unique PIN to access information in the system. We store computerized records in secure areas that are accessible to those employees who require the information to perform their official duties. We implemented appropriate configuration settings in ATS to ensure agency PIN and password requirements are technically enforced. All of our employees who have access to our information systems that maintain personal information must sign a sanctions document annually that acknowledges penalties for unauthorized access to, or disclosure of, such information.
· Describe the impact on individuals’ privacy rights.
We collect information only where we have specific legal authority to do so in order to administer our responsibilities under the Social Security Act. When we collect personal information from individuals, we advise them of our legal authority for requesting the information, the purposes for which we will use and disclose the information, and the consequences of their not providing any or all of the requested information. The individuals can then make informed decisions as to whether or not they should provide the information.
· Do we afford individuals an opportunity to consent to only particular uses of the information?
When we collect information from individuals, we advise them of the purposes for which we will use the information. We further advise them that we will disclose this information without their prior written consent only when we have specific legal authority to do so (e.g., the Privacy Act).
· Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?
ATS does not require a new Privacy Act system of records or an alteration to an existing system of records. ATS uses information collected and maintained for business purposes related to other Privacy Act systems of records such as the Master Beneficiary Record (60-0090); the Supplemental Security Income Record and Special Veterans Benefits (60-0103); and the Personal Identification Number (PIN) File (60-0214).
PIA CONDUCTED BY PRIVACY OFFICER, SSA:
Mary Ann Zimmerman DATE
Acting Executive Director
Office of Privacy and Disclosure
PIA REVIEWED BY THE SENIOR AGENCY PRIVACY OFFICIAL, SSA:
/signed/ Daniel F. Callahan for 12/21/2017
Asheesh Agarwal DATE
Senior Agency Official for Privacy