Cover Image

Not for Sale

View/Hide Left Panel
Click for next page ( 54

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement

Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 53
53 information regardless of the age of the information, In addition to record managers, it may be useful and reviews before public records are removed from for any personnel with control over development of con- active files. tract documentation to understand the requirements of state FOIA law, so that they are aware of what infor- 4. Auditing Records Management Procedures mation included in the procurement documentation Developing and implementing adequate procedures may be subject to disclosure. for managing security information, particularly SSI, is In particular, it would be useful to understand a necessary step. However, procedures are only useful what exemptions applicable to contract documentation, to the extent that they are actually followed.501 Areas if any, may be used to protect security information, and that may be of particular concern include maintaining a the standards for applying those exemptions, including complete list of individuals authorized to access security the need, if any, to provide substantiation of a finding of information and being able to locate all security docu- endangerment of public safety (or statutory equivalent) ments. to support the application of an exemption.502 D. Issues to Consider in Establishing/Reviewing 3. Relationship Between General Policy for Managing Security Protocol for Procurement Process Security Information and Procurement Process The broader areas of concern discussed in the pre- ceding subsections may be broken down into several Effectiveness of the management of security in- issues that transit agencies may wish to consider in formation will hinge in part on the effectiveness of the establishing a security protocol for handling security process for designating security information to begin information in the procurement process. These issues with. are also relevant in reviewing an existing protocol. It may be advisable to have a single point of con- These issues are covered in checklist format in Appen- tact for designating SSI and restricted security infor- dix G. mation, either agency-wide or for each department. Applicability of the points raised below will depend DHS, for example, is required to have at least one SSI in part on the size and organizational structure of the coordinator in each DHS office that handles SSI. transit agency. The job descriptions of personnel who It may also be advisable to ensure that the agency appropriately carry out functions identified below will FOIA officer coordinates with the SSI designa- also vary according to agency size and organizational tor/personnel. structure. Agency counsel should of course review the If the agency's legal counsel is not routinely in- suitability of adopting any of these approaches. volved in FOIA requests, it may be advisable to at least involve counsel in requests for certain types of security 1. Record Retention Requirements information.503 Authority to designate need-to-know status is im- Federal, state, and local (whichever is most strin- portant to the effectiveness of security protocol. gent) records retention requirements will affect the Need to know must have some limits to be mean- length of time that the protocol must be observed for ingful. If most or all personnel working on a project specific documents. need to know specified information, it is reasonable to It may be advisable to ensure that decision-makers question the sensitivity of the information. In addition, understand the parameters of these requirements so the more people who have access to information, the that they can take into account the burdens that may harder it is to track that access. be incurred by including various types of security in- Overclassifying information as SSI or restricted formation in procurement documentation. security information may lead to two problems: track- ing system bloat and the "boy who cried wolf" syn- drome. 2. Record Disclosure Requirements If the tracking system becomes too cluttered with information that is not truly sensitive, information that is truly sensitive becomes more difficult to track. 502 State security exemptions may set forth broad categories 501 The New York State Comptroller audited the Metropoli- of documents that fall within the exemption, but require a tan Transportation Authority's (MTA's) controls over the dis- finding of public endangerment as to a specific document. For semination of security-sensitive information for the capital example, Maryland's statute only exempts vulnerability as- projects program and found that while the MTA's guidelines sessments and specified related documents to the extent that provided a reasonable control framework, certain procedures inspection would jeopardize facility security, facilitate planning were not being consistently followed. MTA took action in re- of a terrorist attack, or endanger life or physical safety. See sponse to the Comptroller's recommendations. Office of the III.B.2, Vulnerability Assessments, supra this digest. 503 New York State Comptroller, Metropolitan Transportation For example, as of 2002, the Texas Department of Trans- Authority Controls Over Security-Sensitive Information for the portation required legal counsel review before any requests for Capital Projects Program, Report 2006-S-6, Sept. 6, 2006, bridge design or plans could be released to the public. TRANSTECH MANAGEMENT, INC., supra note 1, at App. B.