Privacy Impact Assessment
FLTCIP System
OPM Form 5003
A formal development process exists for the systems that support FLTCIP.
The FLTCIP System is constantly reviewed for risk, and during any changes
the Contractor’s change control board considers risks to the system and to
individuals’ data.
8.2. Describe what privacy training is provided to users either
generally or specifically relevant to the project.
Annual training is provided to all existing FLTCIP Contractor employees as a
condition of employment. All Contractor employees receive annual Security
and Privacy Awareness Training. This training addresses the requirements of
the Privacy Act and HIPAA Privacy and Security Rules, allowable uses and
disclosures of information, and reasonable safeguards. Security training
examines appropriate administrative, physical, and technical safeguards. The
Contractor’s human resources department coordinates the on-line training
and maintains documentation of completion for each employee. This training
is also administered at the time of hire.
8.3. What procedures are in place to determine which users may
access the information and how does the project determine who has
access?
The FLTCIP Contractor has separate business units handling system
management, programming, and quality assurance. Users with access to the
Contractor’s transactional systems all have unique IDs. The Contractor
ensures separation of duties of individuals as necessary to prevent collusion
for malicious purposes, documents the separation of duties, implements this
separation through assigned system access authorization, and controls for it
via automated control programs. The Contractor requires documentable
evidence of its separation of duties, and information system-specific
permissions separate how users access the system.
The Contractor requires its management to review access authorization to
applications and systems. These access requests must be documented and
approved, and access is reviewed on a regular basis for appropriateness.
Additionally, the Contractor’s administration accounts are closely monitored.