U.S. DEPARTMENT OF LABOR
Employment and Training Administration
Washington, D. C. 20210

CLASSIFICATION

UIS

CORRESPONDENCE SYMBOL

TEUDPR

ISSUE DATE

December 12, 1996

RESCISSIONS

None

EXPIRATION DATE

December 31, 1997

DIRECTIVE

:

UNEMPLOYMENT INSURANCE PROGRAM LETTER NO. 08-97
 

TO

:

ALL STATE EMPLOYMENT SECURITY AGENCIES
 

FROM

:

MARY ANN WYRSCH
Director
Unemployment Insurance Service
 

SUBJECT

:

Risk Analysis Training - Spring 1997

  1. Purpose. To provide information on upcoming Risk Analysis Training.

  2. References. 

    a.  Unemployment Insurance Program Letter (UIPL) No. 12-95, Risk Analysis Project.

    b.  UIPL No. 34-87, Revised Policy and Guidance on Internal Security Risk Analysis-Vulnerability Assessment.

    c.  ETA Handbook No. 376, Guidelines for Internal Security in UI Operations.

  3. Background. Since fiscal year (FY) 1982, DOL has allocated resources for the Internal Security (IS) program. As part of their IS program, UIPL No. 34-87 recommends that State Employment Security Agencies (SESAs) complete an analysis of UI program risk covering the vulnerability of all UI program operations whenever major system changes occur but not less than once every three years.

    To address ongoing internal security and control concerns, in FY 1994 the Department of Labor (DOL) issued a Request for Proposal to all SESAs to carry out a Risk Analysis project on a competitive basis. The State of California's proposal was selected as the best meeting the criteria, and DOL entered into a cooperative agreement with the California Economic Development Department (EDD) to conduct the project beginning October 1, 1994. UIPL No. 12-95, dated January 5, 1995, provided information about the Risk Analysis Project.

    UIPL No. 12-95 also identified the specific project objectives and products which will be available as a result of the Risk Analysis Project including the assessment of training needs of SESAs.

    To date, the California EDD has completed three of four reports required by the project: the "Risk Analysis Training Needs Report"; the "Automated Risk Analysis Tool Evaluation Report", and the "Current and Future Vulnerabilities Report." The fourth report, "Risk Analysis Policies and Guidelines Evaluation Report", is awaiting final DOL acceptance.

    Following recommendations in the "Training Needs Report", project staff contacted three independently selected vendors and arranged on-site evaluation of their automated risk analysis tools. A product called "RiskWatch", which is produced by a company of the same name, scored the highest among the software packages evaluated and was selected. The evaluations were conducted utilizing the National Institute of Standards and Technology's Special Publication 500-174, "Guide for Selecting Automated Risk Analysis Tools."

  4. Training and Training Schedule(s). In addition to the reports listed above, the project requires that various levels of risk analysis training be offered to SESA personnel. The first training offered will be a video developed by project staff that provides an Executive Overview of the risk analysis process for SESA Administrators and other officials. The video will be sent to all SESAs by early December 1996. The second offering will be a combined fundamental and intermediate risk analysis training session for SESA personnel beginning in March 1997. Advanced Risk Analysis training will be offered to agencies that have gained experience using the Risk Analysis software approximately seven months after fundamental and intermediate training is completed. Following completion of advanced training, risk analysis user group meetings will be held before September 30, 1998, the scheduled ending date of the project. The DOL will provide detailed information concerning the advanced training and user group sessions at a later date.

      a.  Number of Participants to be Trained.  Due to budget limitations, the project will train only one person from each SESA. With that limitation training slots will be filled on a first-come, first-served basis. To ensure maximum benefit from the training, each session will be limited to approximately 14 participants. After the project training is completed, additional SESA personnel can be scheduled for training on the use of the Risk Analysis Software directly with RiskWatch.

      b.  Fundamental and Intermediate Risk Analysis training.  There will be three or four sessions, depending on demand, each session lasting five days. Participants will learn the Fundamentals of the Unemployment Insurance (UI) Risk Analysis process, and how to use the risk analysis software  RiskWatch  (intermediate training). During the first day, participants will learn what a risk analysis is, what their SESA's Federal risk analysis requirements are, and what their responsibilities are during the risk analysis process. The fundamentals class will also introduce participants to risk analysis terminology and methodologies; teach them to use risk analysis to identify threats and vulnerabilities; and advise them how to protect their SESAs from threats by using recommended safeguards. In the remaining four days, participants will learn how to use the RiskWatch automated Risk Analysis Software.

      c.  Who Should Attend.  This course should be attended by: internal auditors, information security officers or investigators, or other internal security personnel responsible for the performance of the DOL required SESA risk analysis. Participants with little or no knowledge of the risk analysis process should attend the first-day fundamentals class.

      To attend the intermediate class individuals should have a good understanding and knowledge of:

        1.  The UI program

        2.  The risk analysis process (or have taken the fundamentals class)

        3.  Electronic Data Processing terminology and operations

      d.  Dates and Locations.

      March 10, 1997 - March 14, 1997 - Sacramento, California

      March 17, 1997 - March 21, 1997 - Sacramento, California

      April 7, 1997 - April 11, 1997 - Annapolis, Maryland

      April 14, 1997 - April 18, 1997 - Annapolis, Maryland *

      (SESAs are encouraged to send personnel to the closest training site).

      *Depending on responses from the SESAs, the April 14, 1997, session may be offered, but would be conducted only by RiskWatch without participation by EDD.

  5. Nominations. Provide names of nominees to Jarvis Arellano, 800 Capitol Mall, MIC 78, PO Box 826880, Sacramento, California 94280, by close of business (cob) January 2, 1997. Indicate whether the nominee will be present for the first day, Fundamentals Class. Nominees will receive agendas and information concerning the location of the training by return mail.

  6. Travel Expenses. Travel expenses are the responsibility of the SESA.

  7. Action Required. SESA Administrators are requested to provide copies of this UIPL to appropriate IS and ADP staff.

  8. Inquiries. Inquiries should be directed to your Regional Office.