National Academies Press: OpenBook
Suggested Citation:"Chapter 3 - Conclusion." National Academies of Sciences, Engineering, and Medicine. 2023. Guidelines on Collaboration and Information Security for State DOTs. Washington, DC: The National Academies Press. doi: 10.17226/26851.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

CHAPTER 3
Conclusion

This research project has shown that the most effective way to promote the safe and secure collaboration and the sharing of information and data among transportation agencies is to ensure that best practices for safety and security are documented and followed by agency staff. The following best practices summarize key points that agency staff should consider prior to engaging in collaboration or sharing data and information with external parties. Following these practices will help to ensure that the activities, tools, and participants in such activities are authorized, compliant, safe, and secure.

3.1 Establish Collaboration Business Needs

Agencies should document the business needs and benefits of collaboration and the sharing of data and knowledge. It is important to understand the use cases that rely on or are dependent upon collaborative efforts and to recognize the benefits that arise from these efforts. Once these needs and benefits are comprehended, the agency can use this data to create the appropriate guidance, policies, and procedures.

3.2 Document Policies and Procedures

Agencies should document permissible activities and uses pertaining to data, information, and knowledge and make that documentation available and publicized to users. This will inform the user of the level of collaboration and sharing that is allowed and encouraged while also denoting what is not allowed. The answers to the following questions should be documented as part of this process:

• Who is permitted to perform these collaborative activities? With whom can they be performed?
• What information can be shared? What tools or methods can be used in collaboration?
• Where can data or knowledge exchanges occur? Where is data or knowledge stored? What are the attributes of information that determine restrictions on whether or how it is shared?
• When is the audience for information more restrictive? When are specific collaboration methods or tools allowed? Are there restrictions on the period of time in which an activity can occur?
• Why are there restrictions? What are the security risks and vulnerabilities?
• How can a party be authorized to obtain knowledge or access, view, obtain, utilize, modify, or extend a specific set of data? How does a user know when a dataset is allowed to be shared?

3.3 Follow Best Practices for Security

Agencies should define rules to manage risk and protect points of vulnerability. Security best practices should be followed for protecting the network, data, and users. Agency collaborators should have access to these rules, understand them, and comply. Agencies should ensure that a feedback mechanism is in place to allow users to give feedback when restrictions are preventing collaborative efforts from occurring. Agencies should be agile in adjusting and changing as the business needs change. For instance, prior to COVID-19, many agencies had policies in place that would not allow work from home or web teleconferences. When the pandemic occurred, those agencies that could pivot and adjust were better able to handle the transition to support remote work.

3.4 Determine Data Restrictions and Protections

Agency users should define the attributes of Knowledge Assets (e.g., data, information, and media content or tools); these attributes may include restrictions on access, protection against changes, and updates when changed. Following are several items to consider with regard to restrictions and protections on Knowledge Assets:

• Agency owners should define which parties can have access to or exchange what content, in what manner, for what purpose, at what time, through which media, and in what format.
• Data may be restricted depending on its content, such as whether it includes Personally Identifiable Information (PII) or sensitive or confidential data [such as Internet Protocol (IP) addresses].
• The integrity for a Knowledge Asset indicates the degree of fidelity of its content and accuracy of its values and information based on the extent of its protection from, or exposure to, access, modification or usage by another party or exposure to vulnerabilities such as cyber risk or threats.
• Agency users must ensure that a Knowledge Asset has not been modified by unauthorized parties or left unprotected and exposed via unsecure virtual media during acquisition, exchange, storage, or viewing activities.
• Knowledge Assets may be incomplete; if so, the parties using the asset should be notified of any changes.

3.5 Document Collaborative Activities

Agencies should also consider the need to observe and document the collaborative activities to ensure that all participating parties, tools, environments, and the formats used are authorized and authenticated, and that all engagement activities are compliant with protocols for safety, security, or other requirements. Agency users should obtain permission from all of the parties whose activities will be observed, and should consider the authenticity of those parties as well as the authorization, proprietorship, usage limitations, and privacy of the activities to be observed.

3.6 Identify Collaborative Tools and Shared Media

Agency users should consider providing guidance for the appropriate electronic, virtual, or physical tools a party might use to facilitate activities involving collaboration and coordination or for use in the acquisition, exchange, use, or management of data, information, and other Knowledge Assets. Agency users should also consider the detailed procedures a party should follow for the safe, secure, and effective use of such assets.

For purposes of procurement, deployment, establishment of usage guidelines, or ongoing usage of collaborative tools, the agency should consider the following four things:

• Efficacy of a tool and its ability to successfully fulfill or support a party’s activities involving collaboration, coordination or exchange and usage of Knowledge Assets
• Safety and security of, and a party’s authorization to use, a designated tool
• Deployment and proper usage of the tool, including determination of when, where, by whom, for what purpose, for how long, and under what conditions the tool can be used by certain parties
• Management of the tool, including acquiring, deploying, maintaining, and protecting it

3.7 Perform Records Management

Records management refers to activities involving the planned, controlled, and organized documentation (in a stored electronic media or paper format) of files, information, activities, and other Knowledge Assets related to a project or task. The purpose of such activities is to make these records accessible for future use and modification. Agency users should consider which Knowledge Assets need to be documented and stored in an organized way. Such assets may include data or information, formatted knowledge, tools, and other stored media relevant to business objectives and related activities. While managing a system of storage and organization, agency owners are required to (1) determine which records warrant storage, updates, and required notification to designated parties; and (2) identify a retention policy for these records.


State departments of transportation (DOTs) have various practices for ensuring information security, cybersecurity, and physical security, and for controlling permissions for interactive tools, which can make collaboration, information access, and knowledge sharing difficult.

The TRB National Cooperative Highway Research Program's NCHRP Research Report 1034: Guidelines on Collaboration and Information Security for State DOTs presents guidelines for facilitating secure collaboration and information sharing within state DOTs and with other transportation agencies.

Supplemental to the report are a Presentation and an Interactive Tool.
