Establishing a Sensitive Information Management Policy

The threat of terrorist attacks against the United States demands greater vigilance among state departments of transportation (DOTs) over access to sensitive information they produce or control. Most information for which DOTs have responsibility poses no threat to transportation security. In the wrong hands, however, some kinds of information could be dangerously misused by individuals or groups intending to inflict harm on the transportation system, its users, employees, or the general public. This information should be protected from inappropriate intentional disclosure (for example, in response to an external email request from a person without the need to know or by a disgruntled employee) and from unintentional disclosure (for example, when unprotected sensitive information is stolen from a DOT employee).

State DOT personnel are, in general, just beginning to learn how to manage sensitive transportation-related information. They are accustomed to sharing information, such as design documents, freely as part of project management with contractors, other state agencies, or individuals. Important documents are rarely kept in secure locations. Furthermore, state-level "sunshine" laws create an environment in which restrictions on access to information are rare.

Despite frequent misconceptions, state and local governments seeking to protect information they produce or control cannot rely on methods reserved for securing federally controlled sensitive information. (See text box on page 2.) State DOTs must, therefore, develop alternative policies for ensuring sensitive information does not fall into the wrong hands, while maintaining public accountability and ensuring management efficiency. Adequate solutions can generally be achieved without recourse to legislative changes. All DOTs are encouraged to establish and use comprehensive sensitive information management policies.
This guide is intended as a useful starting point for state DOT executives and members of state DOT design, construction, or procurement groups who are considering ways to implement basic sensitive information handling practices. It may also be of interest to security and law enforcement personnel, consultants, contractors, and others working with state DOTs.

This guide provides basic information about two primary elements that should be the foundation for any DOT's sensitive information management policy:

1. How to identify sensitive information that must be protected and
2. How to control access to sensitive information responsibly.

By establishing appropriate policies in each of these areas, DOTs can improve transportation security, while minimizing administrative burden and maintaining appropriate accountability to the public.
Federal Protection of Sensitive Information

This sidebar explains commonly used federal approaches for protecting information, and why they are not generally applicable to information controlled by state DOTs.

1. Classified (National Security) Information

Information can be classified if it relates to the national defense and foreign relations of the United States and requires protection against unauthorized disclosure. Such information, regardless of its physical form or characteristics, must be owned by, produced by or for, or under the control of the U.S. Government. States cannot classify information. Access to classified documents is tightly controlled.

2. Critical Infrastructure Information

Pursuant to the Critical Infrastructure Information Act of 2002 (CII Act), CII includes private sector information related to physical or computer-based assets that may be voluntarily submitted to the Department of Homeland Security (DHS) with the assurance that the information, if it satisfies the requirements of the CII Act, will be protected from public disclosure. States are not able to protect information under the CII Act.

3. Sensitive Security Information

Sensitive security information (SSI) is sensitive information obtained or developed in the conduct of security activities, including research and development, the unauthorized disclosure of which would be detrimental to transportation safety. The Transportation Security Administration (TSA) has enacted regulation on the safeguarding and disclosure of categories of records and information determined by TSA to be SSI, including vulnerability assessments and emergency response plans. However, other sensitive information, although not official SSI under the regulations, may also warrant no public disclosure.