of government. Although this framework is necessarily broader, since it reaches far beyond information technology, it mirrors many of the best practices reflected in the Control Objectives for Information and Related Technologies (COBIT), the IT Infrastructure Library (ITIL), International Organization for Standards (ISO) 17799, and the standards promulgated by the National Institute of Standards and Technology (NIST), among others.
In short, the individual elements of what the committee proposes are not wholly new. They reflect much of the wise advice that the government has received—and largely failed to implement—many times before, advice that both it and the private sector do follow in other areas. It is the committee’s hope that by adding to this prior work the breadth of experience, knowledge, and expertise reflected in its membership, it can offer a comprehensive framework that policy makers will, in fact, implement. It is the integration of the individual elements that the committee does think is new.
At the heart of this framework are two sets of questions: First, is an information-based program effective or likely to be effective in achieving its intended goal—in short, does it work? Second, does the program comply with the law and reflect the values of society, especially concerning the protection of data subjects’ civil liberties?
Although these questions are posed as having yes-no answers, any serious application of the framework will almost certainly result in information on how effective and how protective of civil liberties any given information-based program is. This is critical knowledge when determining which of many competing systems, if any, should be developed, acquired, or deployed, and how they might be used or improved. For any potential program, policy makers will have to exercise sound judgment in deciding whether the program is sufficiently effective and sufficiently protective of privacy to warrant proceeding with it, although such judgment should be undertaken after the framework has been applied rather than before.
The questions posed by this framework should be asked not only of all new information-based programs, but also of existing programs today, at regular intervals in the future, and any time that a program is to be altered or put to a different use, to ensure that scarce resources are invested wisely; tools are used appropriately, lawfully, and consistently with societal values; and the best protection is pursued for national security and civil liberties. As discussed in greater detail below, achieving such goals requires routine monitoring, ongoing auditing, and clear, competent oversight. In short, the application of the framework is an ongoing process that should last throughout the operational lifetime of a program.
Technology can aid considerably in the application of the framework,