Get documents about "Vol. 2, No. 1
Shared by: 28e67f4eea39e297
Categories
Tags
-
Stats
- views:
- 20
- posted:
- 6/15/2009
- language:
- English
- pages:
- 5
Document Sample
UNITED STATES NUCLEAR REGULATORY COMMISSION
tion digest
O IG Informa
Volume 2, Number 1
NUREG/BR-0304 May 2004
To tell or not to tell
This issue of the OIG Safeguards Information • Documents released OIG has received
Information Digest is (SGI) concerns the physi- through the Freedom many allegations
intended to make new cal protection of operating of Information Act and has conducted
and veteran NRC em- power reactors, spent fuel (FOIA) process 14 investigations in
ployees more aware of shipments, or the physical • The mail the recent past relat-
the problems protection of special • Discussion of sensitive ing to the inadvertent
that can be en- nuclear material. information in public release of safe-
countered meetings or public guards information,
when working Proprietary infor- places information through
with sensitive mation (PROPIN) • Documents left on the FOIA, classified
unclassified concerns trade se- printers or in the copy information, and offi-
information. crets, commercial, machine cial use only infor-
There have been occa- and financial information. • Documents left on a mation.
sions in the past few desk
years when sensitive Official Use Only (OUO) • Unsecured However, in each
NRC information has information concerns floppy case, these releases
been released to the agency records, privacy disks were deemed not to
public. It is important data, and investigative re- • Improperly be deliberate and
that you, as a Govern- ports. disposed willful acts.
ment employee, are information
aware of what types of Be mindful of the avenues in a recycle
information you are ob- through which sensitive box
ligated to disclose and information can be inad- • Unsecured safes
which types must be vertently released: • Shared computer
protected. passwords
Inside this issue:
• E-mails
Prohibited Disclosure • Agencywide Docu-
To Tell Or Not To Tell 1
ments Access and
The following are the Management System OIG Audit Reports 2-4
types of information (ADAMS) Credit Repair Scam 4-5
that should not be di- • Telephone conversa-
vulged to those without tions
a need to know. The • Unattended computer
NRC handles three terminals with sensi-
types of sensitive un- tive information on the
classified information: screen
PAGE 2 OIG INFORMATION DIGEST
OIG Audit Reports
OIG Audit Reports Continue more than 700 non-public physical protection of special nu-
to Focus on Preventing Inap- documents which included clear material. SGI is to be pro-
propriate Release of Informa- proprietary information sub- tected in accordance with NRC’s
tion mitted by licensees and per- sensitive unclassified informa-
sonal information such as tion security program. In accor-
Preventing the inadvertent re- employee social security dance with NRC
lease of sensitive NRC informa- numbers and Management Direc-
tion to the public has been an birth dates. tive and Handbook
ongoing concern for NRC in re- 12.6, "NRC Sensitive
cent years. Examples of such • Release of an Of- Unclassified Informa-
releases, while not frequent, ficial Use Only tion Security Pro-
have occurred often enough to (OUO) prelimi- gram," SGI must be communi-
indicate that prevention de- nary draft of the Yucca cated over secure telecommuni-
mands an ongoing, rigorous ef- Mountain Review Plan. cations equipment, not be proc-
fort by the agency to keep em- essed on the local area network,
ployees aware of their responsi- • Distribution of documents be properly marked, and include
bilities and to review and im- including safeguards infor- a cover sheet to facilitate its rec-
prove procedures for protecting mation (SGI) pertaining to ognition.
this information. NRC’s force-on-force secu-
rity testing program. OIG found that NRC’s program
Since 1999, the Office of the In- to protect SGI had three weak-
spector General has issued four • Verbal disclosure of SGI per- nesses: (1) The benefit of the
audit reports specifically ad- taining to the force-on-force SGI designation as sensitive un-
dressing the need to protect program during an indus- classified information was not
sensitive agency information try-sponsored meeting. clear, (2) NRC and licensee rep-
from inadvertent release to the resentatives had inappropriately
public. Some themes in these One of these audits was initiated released SGI to unauthorized
reports reflect the need to pro- in response to a congressional individuals because of handling
vide training, consolidate and request, one was in response to errors and differing interpretation
clarify guidance, and maintain a request from the NRC Chair- of what constitutes SGI, and (3)
records of inadver- man, and two were initiated by NRC lacked a central authority
tent releases so that OIG. The following are summa- for controlling, coordinating, and
trends can be identi- ries of these four audit reports, communicating SGI program re-
fied. The reports de- beginning with the most recent. quirements.
scribed instances
where information OIG-04-A-04, Audit of NRC’s OIG-03-A-01, Review of NRC’s
was inadvertently released to Protection of Safeguards In- Handling and Marking of Sen-
the public. formation (January 8, 2004) sitive Unclassified Information
(October 16, 2002)
Examples included the inappro- This audit sought to determine
priate: whether NRC adequately de- The objective of this review was
fines SGI, prevents the inappro- to assess NRC’s program for the
• Release of names and iden- priate release of SGI to anyone handling, marking, and protec-
tifying information in two who should not have access to tion of OUO information. OUO
Freedom of Information Act it, and ensures the protection of is one category of sensitive un-
(FOIA) responses resulting SGI. SGI deals with information classified information that in-
in legal action against NRC. related to the physical protection cludes personnel records, pri-
of operating power reactors, vacy data, investigative reports,
• Release through ADAMS of spent fuel shipments, or the and predecisional or internal
VOLUME 2, NUMBER 1 PAGE 3
OIG Audit Reports (con’t from page 2)
NRC data. This category of in- The objective of this review was ess was taking into considera-
formation requires special han- to assess the cause of an unau- tion the need to protect sensitive
dling to ensure only limited inter- thorized release of non-public data from unauthorized release.
nal distribution and no disclo- information to the Agencywide
sure to the public. Some OUO Documents Access and Man- The audit found that NRC’s
information is intended to be re- agement System (ADAMS) pub- guidance and policies concern-
leased to the public after certain lic library. ADAMS is NRC’s ing sensitive information were
conditions have been met such electronic record keeping sys- scattered among many manage-
as official approval of the docu- tem that maintains the official ment directives, manuals, and
ment. records of the agency. ADAMS other documents. This in-
is also NRC’s public information creased the potential for staff to
OIG found that NRC’s guidance dissemination miss or misapply pertinent guid-
for protecting OUO documents system that ance and that inadvertent re-
from inadvertent public release places publicly leases of sensitive information
was inadequate. Specifically, available records occur because staff have varied
the use of OUO cover sheets on NRC’s public levels of training and awareness
was left to the discretion of the Web server. regarding the handling of this in-
document originator. In addi- The ADAMS formation.
tion, individual pages of docu- Public Library contains duplicate
ments were not always marked copies of publicly available offi- Agency Actions in Response
and were therefore vulnerable to cial agency records copied from to OIG Audits
public disclosure if separated the ADAMS Main Library.
from the cover sheet. Consis- Each of these audit reports con-
tent markings were not used on The audit found that ADAMS tained recommendations to NRC
sensitive unclassified docu- software controls were inade- for strengthening controls to pro-
ments that were marked, which quate to prevent the unauthor- tect sensitive information from
added to the confusion sur- ized release of documents, the inadvertent release. Some
rounding the proper marking and ADAMS security plan did not en- changes that NRC has imple-
handling of sensitive unclassi- tirely identify risks to the system mented as a result of these rec-
fied information. and was not finalized, and com- ommendations include:
Auditors also munication was ineffective sub-
found that many sequent to the unauthorized re- • Redesign of OUO and SGI
employees lease of non-public documents. cover sheets to clearly illus-
were not knowl- trate and explain required
edgeable about OIG/98A, Review of NRC Con- document markings and ac-
NRC’s guid- trols To Prevent the Inadver- cess requirements.
ance and requirements in this tent Release of Sensitive In-
area because training on han- formation (February 2, 1999) • Revision of several manage-
dling, marking, and protecting ment directives to clarify
sensitive unclassified informa- This audit sought to determine if agency guidance concerning
tion was not provided to all NRC NRC’s management controls for OUO protection.
employees and contractors on a protecting sensitive information
regular basis. from inadvertent release were • Revision of ADAMS operat-
adequate and whether NRC was ing procedures to adequately
OIG-01-A-16, Review of the implementing the agency’s guid- control the process for copy-
Unauthorized Release of ance to protect this information ing documents from the Main
Documents to the ADAMS from inadvertent release. The Library to the Public Library.
Public Library, (September 24, audit also sought to determine if
2001) the ADAMS development proc-
PAGE 4 OIG INFORMATION DIGEST
Oig audit reports (Cont. from page 3)
• Mandatory annual employee
training concerning the pro-
tection of sensitive unclassi-
fied information.
• Improved cross-referencing of
management directives to fa-
cilitate employee awareness
of agency guidance concern-
ing the protection of sensitive
information.
Credit repair scam (Article from the National Consumer’s League)
In the last issue of the OIG Infor- The following tips are intended to quest a copy. There may be a
mation Digest, we provided in- help you avoid falling victim to this small fee, if your State law does
formation concerning identity type of scam: not provide for one free report a
theft. A lesser known scam that year. However, it doesn’t cost
is targeting individuals across No one can erase negative infor- anything to question or dispute
the country is referred to as the mation if it’s accurate. Only in- items in your report. Follow the
credit repair scam. This scam correct information can be re- instructions provided by the
involves people that currently moved. Accurate information stays credit bureau. The major credit
have a problem with their credit on your record for 7 years from the bureaus are:
ratings or have had problems in time it’s reported (10 years for Equifax, 800-685-111,
the past. bankruptcy). Even information www.equifax.com;
about bills you fell behind on but Experian, 800-682-7654,
The Scam now are paid will remain on your www.experian.com; and
report for these time periods. Trans Union, 800-916-8800,
Everyday, companies nation- www.transunion.com. Contact
wide appeal to consumers with Credit repair services can’t ask all three, as the information each
poor credit histories. They for payment until they’ve kept has may vary.
promise, for a fee, to their promises. Federal
clean up your credit re- law also requires credit re- You can add an explanation to
port so you can get a pair services to give you an your report. If there is a good
car loan, a home mort- explanation of your legal reason why you
gage, insurance, or rights, a detailed written weren’t able to
even a job. The truth contract, and 3 days to pay bills on time
is, they can't deliver. cancel (this applies to for- (job loss, sudden
After you pay them hundreds or profit services, not to nonprofit or- illness, etc.) or
thousands of dollars in up-front ganizations, banks and credit un- you refused to
fees, these companies do noth- ions, or the creditors themselves). pay for something because of a
ing to improve your credit report; legitimate dispute, give the
many simply vanish with your You can correct mistakes on credit bureau a short statement
money . your credit report yourself. If you to include in your file.
were recently denied credit be-
cause of information in your credit
report, you have the right to re-
VOLUME 2, NUMBER 1 PAGE 5
Organization
UNITED STATES NUCLEAR REGULATORY
COMMISSION
Office of the Inspector General
11545 Rockville Pike
Mail Stop T 5D28
Rockville, MD 20851
Hotline: 800-233-3497
Fax: 301-415-5091
We’re on the
Web!!
Credit Repair scam (cont. from page 4)
Know that you can’t create a vices are offered for free or at a ployees who are experiencing
second credit file. Fraudulent very low cost. To find the near- financial problems are referred
companies sometimes offer to est CCCS office, call toll-free, to local credit counseling agen-
provide consumers with different 800-388-2227, or go to www. cies.
tax identification or social secu- nfcc.org.
rity numbers in order to create a All inquiries and services to the
new credit file. This practice, EAP are kept confidential within
called “file segregation,” is ille- As an NRC employee, you are the law and all records are pro-
gal, and doesn’t work. entitled help from the NRC tected by law (42 CFR Part 2).
Employee Assistance Pro-
If you have credit problems, gram (EAP). There are bene-
get counseling. Your local fits provided by the EAP if you
Consumer Credit Counseling are experiencing financial diffi-
Service (CCCS) can provide ad- culties and do not know who to
vice about how to build a good turn to for help. The EAP will
credit record. The CCCS may provide assessment, referral,
also be able to make payment and short-term problem resolu-
plans with your creditors if tion for a number of personal
you’ve fallen behind. These ser- and worksite-based issues. Em-
Related docs
