Guidelines on Collaboration and Information Security for State DOTs (2023)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

5   The following sections will discuss the tasks performed as part of this research project and the resulting deliverables. 2.1 Task 1 – Perform Literature Review In Task 1, a variety of information regarding the current status of relevant security standards and best practices, knowledge management systems, and interagency collaboration procedures was reviewed and summarized. A wide variety of standards, frameworks, and best practices that can be used to determine a knowledge base and collaboration framework were reviewed, includ- ing risk assessment for data-sharing activities that occur. Readers of this literature review can expect to find information regarding the following: • Current knowledge-sharing standards and practices used by state agencies • Insight on tools that allow users to manage and share knowledge content, including social software, big data, and communication tools, among others • Current initiatives and management strategies used by state agencies • Desired future balance of information and knowledge management components that will meet state agencies’ needs for both information access and information protection • Steps that these agencies must take to enable this desired balance between information access and information protection This literature review showed that many agencies are trying to determine how to collabo- rate and share knowledge and data while minimizing the risks of performing these activities. The federal government also recognizes these challenges and has frameworks and guidance in place to assist agencies with such activities. The literature review also indicated that as the world becomes more and more connected, the need for collaboration and sharing of data will expand. Agencies will need to weigh the benefits of these activities against the risks to determine which opportunities should be pursued. 2.1.1 Deliverables The final deliverable for this task was the Technical Memorandum 1 report, which was deliv- ered on September 25, 2020. 2.2 Task 2 – Develop Descriptive and Analytical Framework In Task 2, the literature review was extended by interviewing practitioners to determine how agencies were currently collaborating and sharing data and information and what factors impeded these activities in order to identify ways to overcome those factors. These interviews C H A P T E R 2 Overview of Tasks

6 Guidelines on Collaboration and Information Security for State DOTs helped to identify the critical need for a framework that agencies can consult when creating poli- cies and procedures to encourage collaboration using safe and secure methods. Task 2 included outlining a framework for evaluating data-sharing and collaboration opportu- nities. This framework uses some of the available National Institute of Standards and Technology frameworks and guidance documents to outline the steps needed to evaluate each opportunity. The steps include (1) asking specific, applicable questions; (2) determining the criteria to use to make a decision; (3) quantitatively evaluating the criteria; and (4) determining mitigation strategies for any risks that have been identified as requiring mitigation. The resulting document included example use cases, a list of questions to be asked, and a discussion of how to approach risk mitigation. 2.2.1 Deliverables The final deliverable for the task was the Technical Memorandum 2 report, which was deliv- ered on October 16, 2020. 2.3 Task 3 – Prepare Interim Report 1 In this task, an interim report was created that examined the business requirements for col- laboration and sharing and provided example use cases that outlined the corresponding require- ments, stakeholders involved, issues, and associated security concerns. The requirements were defined and organized into four groups: (1) Functional, (2) Technical, (3) Operational, and (4) Security. Each high-level requirement was assigned an identifier label, which is referenced in each of the applicable use cases for tracking purposes. These requirements presume that the business case for robust collaboration and intelligent sharing has already been established by the parties seek- ing both to accomplish the tasks these activities facilitate and to achieve the resulting benefits. For each use case, the level of detail provided includes the business case, applicable require- ments, example scenarios, and benefits realized. Each use case includes two corresponding illustrations. The first illustration depicts setting up the initial collaborative effort and the stake- holders involved. The second illustration details the ongoing communication methods and data types. For each use case, security and data cleansing are applied across the collaboration efforts; these are ongoing and applicable to each method and type. These use cases are intended to provide a wide range of real-world scenarios to ensure that the captured information regarding requirements and the determination of business cases and benefits is as complete as possible. 2.3.1 Deliverables The final deliverable for the task was Interim Report 1, which was delivered on March 12, 2021. 2.4 Task 4 – Prepare Interim Report 2 In Task 4, business requirements were summarized and the use cases that the research team had developed were expanded to organize findings around the security factors that impede collabora- tion or the sharing of data, information, or knowledge in order to identify ways to overcome them. The business requirements for collaboration and sharing were examined in day-to-day operations and example use cases outlining the corresponding requirements, stakeholders involved, issues,

Overview of Tasks 7   and associated security concerns were provided. Figure 1 shows the four groups (Functional, Technical, Operational, and Security) into which the requirements can be categorized. These requirements presume executive management buy-in and that the business case for robust collaboration and intelligent sharing has already been established. Executive manage- ment support and the establishment of business cases supporting collaboration and sharing are paramount for these business requirements to be implemented successfully. For each use case, the level of detail provided includes the business case, applicable require- ments, example scenarios, and benefits realized. This task included expanding use cases by creating scenarios of activities that may occur as part of the use case. These scenarios assisted in identifying which requirements were applicable. The results of this task demonstrated the need for the framework to provide agency policy makers with an outline of the required policies and procedures for promoting secure collabora- tion and sharing of data and information. In addition, task results identified the need for agency collaborators to have a clearly identified location where the appropriate policies and procedures for their desired collaboration effort can be found. 2.4.1 Deliverables The final deliverable for the task was Interim Report 2, which was delivered on September 17, 2021. 2.4.2 Outreach Activity The outreach activity consisted of a presentation of the tasks at a regular panel meeting that included the TRB project panel members. This allowed for review of feedback and updates to the business requirements and use cases before the next tasks were finalized. 2.5 Task 5 – Prepare Final Deliverables For Task 5, the project team and panel members determined the best format for an instructional guide that would provide the greatest benefit to agencies wanting to collaborate in a secure manner and that would also meet the goals of the project. The ability to share and collaborate was observed to be greatest in states with the strongest and clearest security practices and policies. Some states may have practices and policies for collaboration but do not provide a single location for some- one to easily find them. This suggests that both the presence and the promotion of strong and Functional Technical Collaboration and Sharing Business Requirements Operational Security Figure 1. Collaboration and sharing business requirements.

8 Guidelines on Collaboration and Information Security for State DOTs clear security practices and policies are key to enabling agency staff to engage in safe and secure collaboration and the sharing of data and information. Content was created for a tool intended to serve two groups of users: (1) policy makers respon- sible for setting policy, procedures, and security rules and (2) those who seek to engage in collab- oration or sharing activities and must therefore determine the appropriate practices and policies of the agency. Each group will gain distinct benefits by using the guide. For policy makers, the guide describes each requirement, provides examples, and offers best practices, in addition to providing a structured outline for documenting the location of the rel- evant policies, procedures, and security rules. When the agency finds a requirement for which they do not have corresponding locations to reference, the guide identifies this as a gap that needs to be filled. For collaborators, the guide also describes the requirements, provides examples, and offers best practices while leading them to select those most appropriate for their use case. Once the applicable requirements are selected, the guide will display the links or locations that were popu- lated by the policy makers. The cumulative effect of the guide will be to expose users to requirements that are applicable to their activities related to collaboration or the sharing of data and information and to encourage users to consider relevant issues and implications in a way that guides them toward the use of safe and secure practices. For Task 5, the content for this tool was created in a document to be reviewed by panel members prior to its incorporation into the tool. A presentation of the findings to deliver at TRB’s 2022 Annual Meeting was also created. 2.5.1 Deliverables The final deliverable for this task was the secure collaboration tool content, which was delivered on February 28, 2022. 2.6 Task 6 – Finalize Project Summary Report For Task 6, a tool was created using the content from Task 5 for data inputs and outputs. The tool contains instructions for agency policy makers and for collaborators on how to use it and guides both types of users as they navigate through the content. The ultimate goal of the tool is to display the appropriate policies, procedures, and best practices for the requirements selected by the end user. Since the policies and procedures will vary by agency, it also provides instructions to policy makers on how to populate that portion of the tool. 2.6.1 Deliverables The final deliverables for Task 6 are the secure collaboration tool, which was delivered on June 13, 2022, and the final report, which was also delivered on June 13, 2022. The secure col- laboration tool can be found on the National Academies Press website (nap.nationalacademies. org) by searching for NCHRP Research Report 1034: Guidelines on Collaboration and Information Security for State DOTs.