DHS to monitor access to IT systems

Government employees, contractors and consultants with access to Homeland Security Department computer systems are among those whose names and personal information will be kept in a newly created database, according to a notice posted in the Federal Register.

The General Information Technology Access Account Records System (GITAARS) will collect and store information on everyone with regular access to departmental IT systems. Use and distribution of the GITAARS system of records is to be regulated by the Privacy Act of 1984. Public comments on the proposed database are due by June 16.

The database will contain names, business affiliations, positions, phone numbers, citizenship, home addresses, e-mail addresses, access records, date and time of access, logs of Internet activity and Internet protocol address of access.

The information will be shared routinely with other government agencies for purposes such as workforce surveys in addition to auditing and oversight. In some cases, DHS will provide additional information, the notice stated.

"In some cases DHS must provide ... other information such as: occupation group/family, organization, supervisory status, grade, work role, duty station, series, pay plan, service in government, highest level of education, years of professional service, years of service in government, projected retirement, position title, work phone number and work address," the notice said.

The department also proposed routinely sharing business contact information available in the database and information that might relate to an investigation of identity theft.

In a separate Federal Register notice, DHS' Office of Intelligence and Analysis intends to create a new Enterprise Records System to track the investigation of people suspected of terrorist threats and activity, including threats against critical infrastructure such as key computer systems.

The Bush administration is proposing that the new intelligence database be exempt ? for national security purposes ? from most Privacy Act rules and notifications.

The new Enterprise Records System will apply to persons suspected of being involved in threats, which includes cyberthreats against critical infrastructure computer systems, according to the notice.

The database covers activities meant to "identify, create, or exploit" the vulnerabilities of key resources such as "the cyber and national telecommunications infrastructure and availability of a viable national security and emergency preparedness communications infrastructure, " the notice said.

Investigations of people suspected of financial crimes, including those conducted through identity theft, computer fraud and computer-based attacks, are also to be included in the database.