FIPS 199/NIST 800-60 System Categorization
SYSTEM INFORMATION
System Name: NCI Cancer Therapy Evaluation Program Enterprise System (CTEP-ESYS)
IC: NCI
System Type: ☐ General Support System ☒ Major Application ☐ Tier 2, 3, or 4
Date: 12/4/2017
SDLC Status: Operational
Overall System Security Category
Overall Impact Levels (High Water Mark): Moderate
Confidentiality: Moderate
Integrity: Moderate
Availability: Moderate
Template Rev. March 2017
System Description
The purpose of the National Cancer Institute (NCI) Cancer Therapy Evaluation Enterprise System (CTEP-ESYS) is to assure patient safety and to meet the NCI CTEP scientific, administrative and operational program mission and all regulatory requirements for NCI CTEP clinical trials. Specifically, it is used to document, track, monitor, and evaluate NCI clinical research activities. The CTEP-ESYS project is the primary data collection mechanism for NCI's vast clinical trials program. CTEP-ESYS collects safety and clinical results data on ongoing cancer clinical trials (trials not yet completed). Data reporting and analysis in real time are critical to ensuring adequate monitoring of the ongoing clinical research. CTEP-ESYS collects safety and clinical results data on 1,500 ongoing cancer clinical trials (trials not yet completed) that monitor more than 30,000 patients per year in more than 17 disease areas. Timely data reporting and analysis also assure effective planning for the required successor studies, thus accelerating the evaluation of promising new agents and regimens for patients with cancer.
CTEP-ESYS does not collect any patient health information, but does collect non-identifiable patient metadata (i.e., zip codes, patient initials, and month/year of birth).
System Contacts
Role | Name | Address | Phone | Email |
IC Chief Information Officer | Jeff Shilling | | 240-276-5549 | [email protected] |
IC Information System Security Officer | Bruce Woodcock | | 240-276-5050 | [email protected] |
CTEP-ESYS Project Manager | Mike Montello | | 240-276-6080 | [email protected] |
CTEP-ESYS System Owner | Scharla Estep | | 240-276-6325 | [email protected] |
IC Privacy Coordinator | Suzanne Milliard | | 240-781-3340 | [email protected] |
SIGNATURES
X Mike Montello, CTEP-ESYS Project Manager
X Scharla Estep, CTEP-ESYS System Owner
X Bruce Woodcock, Information System Security Officer
X Suzanne Milliard, Privacy Coordinator
INFORMATION TYPE(S), PROVISIONAL IMPACT LEVEL(S), ADJUSTED IMPACT LEVEL(S), RATIONALE

Category of Information (800-60): D.20.1 Research and Development
Provisional Impact Levels | Confidentiality: Low | Integrity: Moderate | Availability: Low |
Adjusted Impact Levels | Confidentiality: Moderate | Integrity: Moderate | Availability: Moderate |
Rationale: Confidentiality was raised because of the presence of proprietary R&D information that should not be accessible to the public, and because its unauthorized release or access could cause serious adverse impacts to the NCI, individuals, or agency assets. Integrity was also raised because the reliability of the information contained in CTEP-ESYS must be high enough to ensure there are no serious disruptions or delays of research activities that rely on the data. Effects on future funding could also be seriously impacted if the data in the system are unreliable. Availability was raised to moderate due to the adverse event reporting requirements within the stipulated timeframe and also to ensure that there are no serious delays or disruptions to the information system availability that could have a serious adverse impact on research activities.

Category of Information (800-60): D.19.1 Scientific and Technical Research and Innovation
Provisional Impact Levels | Confidentiality: Low | Integrity: Moderate | Availability: Low |
Adjusted Impact Levels | Confidentiality: Moderate | Integrity: Moderate | Availability: Low |
Rationale: Confidentiality was raised because of the types of information available in the enterprise system, including protocols and protocol attributes, drug inventory and site distribution records, adverse event reports, site audit reports, Investigational New Drug (IND) submission records, Investigator registration details, and patient accrual details. Note that no patient identifying information is stored in the system.

Category of Information (800-60): D.14.5 Health Care Research and Practitioner Education
Provisional Impact Levels | Confidentiality: Low | Integrity: Moderate | Availability: Low |
Adjusted Impact Levels | Confidentiality: Moderate | Integrity: Moderate | Availability: Low |
Rationale: Confidentiality was raised to ensure adequate protection of the PII data that is collected, stored, and processed in the system, most of which is used for compliance reporting, program monitoring, and planning purposes. Some of these data elements are for internal use only and are reported to the FDA as required by law.
File Type | application/pdf |
File Title | FIPS 199/NIST 800-60 System Categorization |
Author | Franseen, Tiffany |
File Modified | 2017-12-18 |
File Created | 2017-12-18 |