Critical Information Policies for Water Utilities


Subject Area: Efficient and Customer-Responsive Organization

About the Awwa Research Foundation

The Awwa Research Foundation (AwwaRF) is a member-supported, international, nonprofit organization that sponsors research to enable water utilities, public health agencies, and other professionals to provide safe and affordable drinking water to consumers. The Foundation's mission is to advance the science of water to improve the quality of life. To achieve this mission, the Foundation sponsors studies on all aspects of drinking water, including supply and resources, treatment, monitoring and analysis, distribution, management, and health effects.

Funding for research is provided primarily by subscription payments from approximately 1,000 utilities, consulting firms, and manufacturers in North America and abroad. Additional funding comes from collaborative partnerships with other national and international organizations, allowing for resources to be leveraged, expertise to be shared, and broad-based knowledge to be developed and disseminated. Government funding serves as a third source of research dollars.

From its headquarters in Denver, Colorado, the Foundation's staff directs and supports the efforts of more than 800 volunteers who serve on the board of trustees and various committees. These volunteers represent many facets of the water industry, and contribute their expertise to select and monitor research studies that benefit the entire drinking water community. The results of research are disseminated through a number of channels, including reports, the Web site, conferences, and periodicals.

For subscribers, the Foundation serves as a cooperative program in which water suppliers unite to pool their resources. By applying Foundation research findings, these water suppliers can save substantial costs and stay on the leading edge of drinking water science and technology. Since its inception, AwwaRF has supplied the water community with more than $300 million in applied research. More information about the Foundation and how to become a subscriber is available on the Web at www.awwarf.org.

Prepared by:
Charles Herrick and Elizabeth Scherer
Stratus Consulting Inc.
1920 L Street NW, Suite 420, Washington, DC 20036
and
Gregory Welter
O'Brien & Gere Engineers
8401 Corporate Drive, Suite 400, Landover, MD 20785

Jointly sponsored by:
Awwa Research Foundation
6666 West Quincy Avenue, Denver, CO 80235-3098
and
U.S. Environmental Protection Agency
Washington D.C.

DISCLAIMER

This study was co-funded by the Awwa Research Foundation (AwwaRF) and the U.S. Environmental Protection Agency (USEPA) under Cooperative Agreement No. CR-83110401. AwwaRF and USEPA assume no responsibility for the content of the research study reported in this publication or for the opinions or statements of fact expressed in the report. The mention of trade names for commercial products does not represent or imply the approval or endorsement of either AwwaRF or USEPA. This report is presented solely for informational purposes.

Copyright 2008 by Awwa Research Foundation. ALL RIGHTS RESERVED. No part of this publication may be copied, reproduced or otherwise utilized without permission.

ISBN 978-1-60573-024-6

Printed in the U.S.A.

CONTENTS

LIST OF EXHIBITS
FOREWORD
ACKNOWLEDGMENTS
EXECUTIVE SUMMARY
CHAPTER 1: PURPOSE AND APPROACH
    Background
    Purpose
    Report Organization
CHAPTER 2: RESEARCH AND ANALYTICAL APPROACH
    Step 1: Targeted Literature Reviews
    Step 2: Update of State Freedom of Information Act Exemptions
    Step 3: Formal Evaluation of Existing Information Management Approaches
    Step 4: Utility Interviews
    Step 5: Integration and Analysis
CHAPTER 3: ASSUMPTIONS AND RESEARCH ORIENTATION
CHAPTER 4: SENSITIVE INFORMATION MANAGEMENT: UNDERSTANDING THE POLICY CONTEXT
    Information and Public Access: The Current Situation
    State Freedom of Information Laws
CHAPTER 5: SENSITIVE INFORMATION IDENTIFICATION AND MANAGEMENT: THE CURRENT STATE OF AFFAIRS
    Utility Sensitive Information Management Practices
    Utility Information in the Public Domain
CHAPTER 6: DECISION LOGIC FOR INFORMATION RELEASE AND DISCLOSURE
    Assessing an Information Object's Content and Context of Anticipated Use
        Question 1: Will the Document or Information Directly Reveal a Potential Vulnerability or Weakness in Security?
        Question 2: If the Document or Information Requested Were Combined With Other Information, Could it Reveal a Vulnerability or Weakness in Security?
        Question 3: Does the Requested Material Contain Personnel Information Such as Biographical Data, Contact Information, Names, Addresses, Telephone Numbers, etc.?
        Question 4: Is the Requestor Known or the Request Expected?
        Question 5: Would the Requesting Individual or Organization Have a Legitimate Benefit From Receipt of the Information?
        Question 6: If the Utility Does not Release the Information, Would it Forego an Understood Benefit?
        Question 7: Is the Document or Information Already Widely Available or Easily Available to the Public?
    Levels of Information Protection
    Sensitive Information Management Approaches
    Process Documentation, Transparency, and Consistency in Approach
    Information Management Case Studies
        Scenario 1: Dissemination of Water Distribution System Maps to Engineers and Developers
        Scenario 2: Release of Information on Raw Water Source Such as Detailed and Specific Information Beyond What is Required for Consumer Confidence Reports and Source Water Assessments
        Scenario 3: Information Released in the Course of Procurements, Particularly Drawings Released as Part of a Construction Bidding Process
        Scenario 4: Citizen Requests for General Information About Utility Construction or Maintenance Projects
CHAPTER 7: ELEMENTS OF A WATER UTILITY INFORMATION SECURITY AND ACCESS CONTROL POLICY
    Scope and Purpose
    Staff Responsibilities for Information Management
    Information Classification and Associated Management Steps
    Supporting Procedures
CHAPTER 8: ADDRESSING THE LINKAGE BETWEEN INFORMATION SECURITY AND RECORDS MANAGEMENT
APPENDIX A: INFORMATION MANAGEMENT SURVEY
APPENDIX B: STATE FOIA EXEMPTIONS
REFERENCES
ABBREVIATIONS

EXHIBITS

4.1 USEPA's management strategy for sensitive drinking water-related information
6.1 Illustrative list of sensitive records or information objects
6.2 Illustrative list of sensitive information topics
6.3 Illustrative list of information topics that may contribute to a composite view of system vulnerabilities
6.4 Illustrative list of sensitive data and information pertaining to utility business operations or personnel
6.5 Illustrative list of types of information that might legitimately be requested by external parties
6.6 Illustrative list of records and information that can be provided to the public
7.1 Illustrative approaches to the development and implementation of a water utility sensitive information management policy
7.2 Generic tasks and provisions relevant to a water utility information security policy


FOREWORD

The Awwa Research Foundation is a nonprofit corporation that is dedicated to the implementation of a research effort to help utilities respond to regulatory requirements and traditional high-priority concerns of the industry. The research agenda is developed through a process of consultation with subscribers and drinking water professionals. Under the umbrella of a Strategic Research Plan, the Research Advisory Council prioritizes the suggested projects based upon current and future needs, applicability, and past work; the recommendations are forwarded to the Board of Trustees for final selection. The foundation also sponsors research projects through the unsolicited proposal process; the Collaborative Research, Research Applications, and Tailored Collaboration programs; and various joint research efforts with organizations such as the U.S. Environmental Protection Agency, the U.S. Bureau of Reclamation, and the Association of California Water Agencies.

This publication is a result of one of these sponsored studies, and it is hoped that its findings will be applied in communities throughout the world. The following report serves not only as a means of communicating the results of the water industry's centralized research program but also as a tool to enlist the further support of the nonmember utilities and individuals.

Projects are managed closely from their inception to the final report by the foundation's staff and large cadre of volunteers who willingly contribute their time and expertise. The foundation serves a planning and management function, and awards contracts to other institutions such as water utilities, universities, and engineering firms. The funding for this research effort comes primarily from the Subscription Program, through which water utilities subscribe to the research program and make an annual payment proportionate to the volume of water they deliver and consultants and manufacturers subscribe based on their annual billings. The program offers a cost-effective and fair method for funding research in the public interest.

A broad spectrum of water supply issues is addressed by the foundation's research agenda: resources, treatment and operations, distribution and storage, water quality and analysis, toxicology, economics, and management. The ultimate purpose of the coordinated effort is to assist water suppliers to provide the highest possible quality of water economically and reliably. The true benefits are realized when the results are implemented at the utility level. The foundation's trustees are pleased to offer this publication as a contribution toward that end.

David E. Rager
Chair, Board of Trustees
Awwa Research Foundation

Robert C. Renner, P.E.
Executive Director
Awwa Research Foundation


ACKNOWLEDGMENTS

This report was funded by the Awwa Research Foundation. The project was managed and administered by Frank Blaha. The researchers would like to extend their great appreciation to AwwaRF, and especially to Frank for his creative inputs, process flexibility, and encouragement at every stage of the project. We also wish to thank the project advisory committee (PAC), which provided very useful comments, guidance, and critiques at various stages of this project.

The researchers would like to thank the participating utilities for their input and feedback on all aspects of the research, analysis, and reporting of this work. Specifically, we would like to thank:

Aquarion Water Company
Santa Clara Valley Water District
Fairfax County Water Authority
Newport News Waterworks
Lincoln Water System

We would also like to thank the research team, individuals who attended the project workshop, and the utilities that participated in our survey process. Last, but not least, the researchers wish to thank the many individuals who helped execute the technical tasks and produce this report, especially Diane Callow, Erin Miles, and Christine Teter. Thank you all very much.

Charles Herrick, PhD (Principal Investigator)
Stratus Consulting Inc.
Boulder, Colo. and Washington, D.C.


EXECUTIVE SUMMARY

The safety and security of the nation's drinking water systems is a top priority. Water security is a multi-faceted concern, but protection of utility information that could be used by terrorists to disrupt service, destroy critical infrastructure, or damage public confidence in the water supply is a key aspect of a comprehensive security program. Vulnerability assessments, detailed component specifications, and security audit findings are examples of security-relevant information that must be managed appropriately. However, other less explicitly security-focused documents and data may also be sensitive, especially if considered as part of a mosaic of system information.

Following the attacks of September 11, 2001, many government agencies and nongovernmental organizations began restricting some of their information from access by the public. In some cases, these restrictions resulted in extensive denial of public access; in other cases, restrictions applied only to designated items and specific venues such as the internet. Decision-makers have begun to question how much such information would actually help a terrorist target and/or access a particular site or facility. Similarly, it has been recognized that information restriction practices sometimes make it difficult for legitimate partners to obtain information to conduct valued activities.

RESEARCH OBJECTIVES

This report is intended to serve as a primer on sensitive information management for and by water utilities. The report and an accompanying electronic decision tool provide guidance for identifying and managing potentially sensitive water utility records, data, and information.

APPROACH

This project included five basic steps: (1) an extensive literature review of information management policies, approaches, and related issues, including the field of records management; (2) statutory review and development of an inventory of state-level freedom of information act exemptions pertinent to water utility information; (3) identification and evaluation of information security approaches from other sectors; (4) in-depth interviews with water utilities and other experts, focusing on typical and exemplary information management practices; and (5) integrated analysis of the literature review and interview findings.

CONCLUSIONS

Water utilities are clearly aware of the risks associated with inappropriate acquisition and use of information concerning their facilities and operations. Nevertheless, practices employed and capabilities for addressing this issue vary significantly. Interviews indicate that information security can fall between the cracks of utility management structures. In addition, the cross-functional, cross-departmental nature of sensitive infrastructure information management underscores the need for a formal policy to assure utility-wide application of a defined set of information management procedures.

New federal policies and freedom of information exemptions at the state level provide water utilities with the legal means to restrict information provision to stakeholders and the public. However, this document advises against a presumption of aggressive information restriction, and toward an approach that explicitly balances the potential risks and benefits associated with a given request for information disclosure.

RECOMMENDATIONS

Based on security literature, practices of leading utilities, and guidance developed for analogous organizations, such as electric utilities and airport authorities, we suggest that water utilities designate three levels of information sensitivity:

Confidential Information: This category would include information that could be useful in planning or executing an attack on specified utility assets or processes, or could otherwise adversely impact the utility. This type of information requires the greatest restrictions from general release.

Restricted Information: This category would include data, information, or records that should not be broadly released to the general public, but may be disclosed to or used by utility representatives or other individuals/groups with a need to know.

Public Information: This category would include information provided to the public with few or no restrictions. Examples include water quality reports, service brochures, advertisements, press releases, and job opening announcements.

Once the utility has specified the sensitivity of a particular item of information, the next decision is to designate an appropriate management protocol. Water utility information can be managed in many different ways, from absolute withholding to full and unrestricted disclosure. The report and electronic decision tool illustrate a range of useful and pragmatic approaches between these two extremes.

The report outlines factors that water utilities should consider when developing and implementing an overall information security policy. This information security policy should provide administrative, managerial, and personnel guidelines for controlling access to and protecting a utility's sensitive information and records from unauthorized dissemination, access, utilization, and tampering. It should be flexible enough to address three basic types of information access needs: (1) access to utility information by customers and the general public; (2) access to information by utility partners; and (3) access to information by regulatory agencies and oversight bodies.

There is no single policy for sensitive information management that will work for all utilities. Given its unique needs and circumstances, each utility may select from a range of options. Whatever approach a utility chooses to adopt, it is critical that the policy be designed to mesh appropriately with existing records management protocols and regulations. In a final chapter, the report identifies common concepts and points of overlap between sensitive information control and utility records management, and provides recommendations for the value-added linkage between these related fields of activity.

CHAPTER 1
PURPOSE AND APPROACH

BACKGROUND

The safety and security of the nation's drinking water systems is a top priority throughout the country. Water utility security involves many facets, but protection of information that could be used by domestic or international terrorists to disrupt or destroy critical infrastructure or damage public confidence in the water supply is a key aspect of a comprehensive security program. Vulnerability assessments, emergency response plans, training exercise after action reports, risk assessments, detailed process and component specifications, and security audit findings are examples of security-relevant utility information that needs to be managed appropriately. For example, a vulnerability assessment in the wrong hands could provide a literal road map to a utility's most sensitive areas. However, other less explicitly security-focused documents and data streams may also reveal sensitive bits of information, especially if considered as part of a mosaic of system information (Stanley 2001, Baker 2004, USEPA 2005b).

Following the attacks of September 11, 2001, many government agencies and nongovernmental organizations began to restrict some of their data, information, and records from access by the public. In some cases, these restrictions have resulted in extensive denial of public access; in other cases, restrictions apply only to designated items and specific venues such as the internet (OMB Watch 2002, Podesta 2003, Aftergood 2005). As time has passed, decisionmakers have begun to question the degree to which such information would actually help a terrorist target and/or access a particular site or facility. Similarly, it has been recognized that information restriction practices sometimes make it difficult for legitimate partners to obtain information necessary to conduct valued activities.

PURPOSE

This report is intended to serve as a general primer on the practice of protecting information in the water utility operational environment. While the subject of information protection has legal ramifications, there is no intent to provide legal advice in this report or associated materials. The report provides recommendations and guidance for the identification and management of potentially sensitive water utility records, data, and information. Also included is an electronic decision tool to help utility staff to quickly, comprehensively, and consistently review information sharing or disclosure requests. This tool, along with a worksheet utilities can use to document their decision process, is contained in the enclosed CD-ROM. Utilities are strongly advised to clear all information management decisions with in-house or other legal counsel.

REPORT ORGANIZATION

The rest of this report is organized into chapters. Chapter 2 provides a description of the overall approach and individual research activities undertaken in the course of this project. Chapter 3 discusses major assumptions that underlie and orient the project and our resulting recommendations. Chapter 4 summarizes federal and state policy regimes, procedures, and legal positions pertinent to the management of sensitive water utility information. Chapter 5 summarizes current utility practice in the area of sensitive information management. Chapter 6 lays out a step-by-step decision logic for utilities to use to assess the sensitivity of particular information items and outlines a series of management options for the release or withholding of sensitive information. Chapter 7 describes the key aspects of a water utility information management policy, and explores alternative approaches for utilities to adopt as they implement an information management policy. Finally, chapter 8 addresses the linkage between sensitive information and records management, outlining key areas of overlap.

The report includes a reference list and provides an electronic linkage to a decision tool to help utility staff assess the sensitivity of specific information items and select an appropriate management approach. Appendices include the questionnaire utilized in the utility survey described in chapter 5 and a listing of state-level Freedom of Information Act (FOIA) exemptions pertinent to water utilities.

CHAPTER 2
RESEARCH AND ANALYTICAL APPROACH

This report, its recommendations and guidance, and the sensitive information identification and management tool, were developed based on a research approach that included five basic steps, described below.

STEP 1: TARGETED LITERATURE REVIEWS

The research team conducted a series of targeted literature reviews and expert interviews addressing the following six topical areas pertinent to the management of sensitive infrastructure information:

Information Security Classification Approaches, Considerations, and Procedures: Over the past several decades, United States (U.S.) military branches, the Department of Defense, the Department of Energy, various National Laboratories, and private security companies have evolved a sophisticated body of methods and procedures to determine information classification levels and associated managerial protocols. This extensive literature base was reviewed to provide guidance regarding key issues and concepts.

Records Management: There is a close association between the field of records management and evolving concerns about sensitive information management. State and municipal records management laws often determine how water utilities can choose to address information management issues. Many larger utilities already operate well-developed records management programs and procedures, which need to be coordinated with efforts to manage information security. Moreover, the field of records management provides access to a body of time-tested approaches and tools relevant to both public and private organizations.

Right-to-Know and Civil Liberty Advocacy Literature: In recent years, proponents of open access have published critiques of governmental efforts to restrict information under the guise of enhanced security. In some cases, these authors have provided creative proposals for how agencies can better address the balance between open information access and security.

Existing Water Sector Security Guidance and Utility Policies: Water sector research institutes and associations have sponsored a wide variety of studies that address various aspects of the information management issue. In addition, some utilities have pioneered policies and procedures specifically for the administration and management of sensitive infrastructure information.

Federal Information Management Policies: Federal agencies with responsibility for homeland security and/or water sector oversight have developed internal standards and protocols for managing sensitive information. Characterization of these standards and procedures is pertinent to utilities that may be requested to submit information to these same agencies; but they are also useful in terms of model approaches.

Focused Search for Sensitive Information Already Available in the Public Domain: We developed a multi-pronged search strategy to locate potentially sensitive information about some of the project s participating utilities that is already available within the public domain. We shared this information with our partner utilities to (a) assess its potential sensitivity, and (b) review its overall status and reasons for public dissemination. STEP 2: UPDATE OF STATE FREEDOM OF INFORMATION ACT EXEMPTIONS Stratus Consulting engaged the National Conference of State Legislatures (NCSL) to obtain updated information on state security-related statutes pertinent to the distribution of water utility critical information. Drawing on past research, NCSL conducted a statutory analysis of state efforts to exempt drinking water systems from public disclosure in the context of Freedom of Information (FOI) requests. Knowledge of state-level FOI requirements is essential because it provides a starting point for utilities developing their own information management policies. Different exemption frameworks introduce different considerations at the utility level, in essence establishing rules of engagement for how to address FOI requests and manage potentially security-sensitive information. Appendix A contains state-by-state summaries of current applicable FOI exemptions for water utilities. STEP 3: FORMAL EVALUATION OF EXISTING INFORMATION MANAGEMENT APPROACHES Water utilities are by no means the first civilian organizations to deal with information access restriction from within an overall context of openness and right-to-know. Organizations such as financial institutions, healthcare organizations, and chemical manufacturing facilities have extensive experience with differential and situational access restrictions, information classification levels, and other information management controls. 
In an effort to draw upon the experience of other sectors, the research team conducted Web- and journal-based research to identify and describe potentially applicable models, approaches, and lessons learned. In this vein, we felt it important to draw upon the experience of sectors and organizations that are configured and operate in a manner generally comparable to water utilities.

Public water systems (PWS) tend to be more open than organizations in other critical infrastructure sectors (e.g., nuclear power), for a number of reasons fundamental to what they do and how they have been traditionally organized. For instance, water utilities are intimately connected to their customers, often with no intermediary entities or operations. Public water supplies are usually publicly owned and managed by elected officials, or at least overseen by elected governmental bodies. Many public agencies and their officials operate with the philosophy of maximizing transparency and openness. And finally, water utilities generally work through competitive proposals with contractors, or contract by means of public bidding, or work cooperatively with property owners and commercial developers, to extend, modify, and maintain their distribution systems.

We therefore felt it important that potentially applicable information management systems mesh with the fundamental qualities of community water systems. We assessed the relevance and applicability of approaches for the management of sensitive information in terms of a variety of factors such as public/private status, degree and nature of regulatory oversight,
organizational configuration and size, customer base and types of customer interaction, and the necessity for coordination with other organizations. Only organizational models deemed applicable were abstracted or summarized for use in this project.

STEP 4: UTILITY INTERVIEWS

The Stratus Consulting research team conducted 35 structured, in-depth interviews with utility staff, managers, and executives in an effort to determine their awareness of issues associated with the release of sensitive information, and to characterize both typical and exemplary practices with respect to the management of sensitive records and information.

Interview subjects were identified from attendance lists for water utility conferences and workshops dealing with topics related to security. These individuals were asked if they would agree to telephone interviews, and were also asked if they could recommend other individuals who would be knowledgeable about the overall topic of water utility information management; those individuals were in turn contacted and approached regarding a possible interview. We first contacted potential interviewees by phone, provided them with a background on the project and the research team, encouraged them to ask questions, and asked them to (later) participate in a 30–45 minute telephone interview. Subjects agreeing to participate in the telephone interview were provided with a copy of the questionnaire in advance, and encouraged to involve other colleagues as appropriate.

The Principal Investigator (PI) conducted all interviews. During the telephone interview, the PI followed an interview guide and carefully noted all respondent inputs. If a respondent mentioned documentation pertinent to the research focus, the PI would request access to a copy of the document, under the condition of strict confidentiality.
STEP 5: INTEGRATION AND ANALYSIS

The descriptions, characterizations, and recommendations contained in this report are derived through integration across the various research areas described above. Outputs from the various research steps were synthesized according to the judgment of the co-PIs and other research team members. We focused most prominently on findings consistent across multiple research steps, and as applicable, noted consistencies among source categories.


CHAPTER 3 ASSUMPTIONS AND RESEARCH ORIENTATION

As will be described in chapter 4, new federal policies and FOI exemptions at the state level provide water utilities with the legal means to restrict information provision to stakeholders and the public. Individual utilities and municipalities know more than anyone else about their unique vulnerabilities; utilities should adopt an approach to information dissemination that is consistent with their overall approach to risk and business management. This report adopts an approach that attempts to balance the potential risks and benefits associated with a given request for data and/or information disclosure. There are three primary reasons for adopting such an approach:

1. Utilities Serve the Public Good: Water utilities have been historically open institutions, and are often operated under the aegis of local or municipal governments. Private- or investor-owned utilities are subject to governmental oversight. In short, water utilities in the U.S. are operated subject to the public trust. The basic principle of public accountability, whether direct or indirect, implies a reasonable degree of operational transparency. An unrestrained urge to deny public access will inevitably erode public trust in governmental credibility and integrity. Indeed, much of the information that a utility has is intended for customer or public disclosure, with information concerning rate structures providing a clear example. Other information must be disclosed as a matter of law, as is the case with Safe Drinking Water Act (SDWA) violations reported in annual Consumer Confidence Reports (CCR).

2. Information Restriction can be Expensive and Administratively Burdensome: Information management systems can be expensive, and may introduce administrative complexity and burden to an organization's operations.
Information restriction means that resources must be designated throughout an information object's life cycle to protect, distribute, and limit access. Restriction also implies that those who work with the information should be investigated prior to being given access. It may also mean that resources will need to be designated to support editorial activities necessary to redact sensitive content from materials that could otherwise be widely distributed. When information has been designated as sensitive or otherwise restricted, formalized review is needed when the record in question is considered for archiving or destruction (U.S. GPO 1997).

3. Information Restriction Constrains Operations and Denies Benefits to the Utility or Municipality: Water utilities often have a coherent and compelling business logic for sharing information with external vendors, contractors, consultants, and customers. It is frequently necessary for water utilities to interact with external organizations in order to construct or repair facilities, extend or upgrade service capabilities, protect assets in public streets, or achieve other business objectives. Excessive information restriction makes it difficult for the utility to interact with valued external partners, and thus deprives the utility and its customers of specific benefits.

Utilities must devise practices that strike a balance between security enhancement and outside access to information. Granted, such a balance will differ from utility to utility. A large
water utility in the suburban Washington, D.C. area may have a very different risk profile compared to a small, rural system in, say, Mississippi or Nebraska. The tools and recommendations in this report are framed to accommodate risk perceptions and hazard profiles that differ among utilities.

CHAPTER 4 SENSITIVE INFORMATION MANAGEMENT: UNDERSTANDING THE POLICY CONTEXT

INFORMATION AND PUBLIC ACCESS: THE CURRENT SITUATION

"A popular Government, without popular information, or the means of acquiring it, is but a prologue to a farce or a tragedy."
James Madison

"An informed citizenry is vital to the functioning of a democratic society."
Thomas Jefferson

Open access to public information has always been a hallmark of American political culture. However, the terrorist attacks on and before September 11, 2001 are prompting a reevaluation of how freedom of information should be balanced against the need for enhanced security. While ready access to information about the operations and outputs of governmental agencies and regulated entities gives meaning to the ideal of accountability to the public, the same information can potentially be used by terrorists to plan and execute attacks on units of critical infrastructure (Mariani 2004).

It is sometimes argued that the balance has swung strongly in favor of information control. Under the Bush Administration, the rules governing exemptions to the 1974 FOIA have been relaxed substantially, enabling federal agencies to withhold information that would previously have been released (Podesta 2003, Aftergood 2005). An October 2001 memorandum from Attorney General John Ashcroft instructed agency heads to rescind the FOIA presumption of disclosure that had been operative under previous administrations. In 1993, the U.S. Department of Justice (DOJ) announced that it would defend FOIA exemptions only in those cases where the agency reasonably foresees that disclosure would be harmful to an interest protected by that exemption (U.S. DOJ 2001). Moreover, agencies are no longer compelled to articulate a plausible scenario of harm, but merely to assure that information withholding decisions have a sound basis in legal reasoning (U.S. DOJ 2001). As a supplement to the Ashcroft memorandum, the DOJ Information Security Oversight Office (ISOO) instructed agencies to take appropriate steps to assure the security of sensitive but unclassified information related to America's homeland security (U.S. DOJ 2001).

Recent federal legislation has resulted in several provisions designed to help secure sensitive infrastructure information. The Critical Infrastructure Information Act (CIIA) was passed in November 2002 as subtitle B of Title II of the Homeland Security Act (P.L. 107-296, 116 Stat. 2135, sections 211–215). The CIIA regulates the use and disclosure of information submitted to the Department of Homeland Security (DHS) about vulnerabilities and threats to critical infrastructure (CRS 2003). Drawing on the definition established under the Patriot Act, critical infrastructure consists of systems or assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters (CRS 2003). Critical Infrastructure Information (CII) voluntarily submitted and accepted by DHS as CII is secure from FOI access, and may only be utilized in prescribed law enforcement or national security-related applications.

In 2005, DHS designated a New Jersey town's electronic mapping data as CII. The governing board of the Brick Township Municipal Utilities Authority had submitted its geographic information system (GIS)-based asset mapping system to DHS to circumvent an open records request for data that the utility had
deemed sensitive (Tombs 2005, Donald 2006). Although Brick Township avoided FOI access to its data system, the full implications of this action are not yet clear. As of the publication of this report, it is not clear whether Brick Township will face restrictions in the use of its own data.

Also pertinent to water utilities, the Public Health Security and Bioterrorism Preparedness Act of 2002 stipulates that vulnerability assessment and emergency response certifications are exempt from disclosure requirements under the federal FOIA (U.S. Congress 2002). The Act required the U.S. Environmental Protection Agency (USEPA) to develop protocols for the protection of submitted vulnerability assessments. Enacted in November of 2002, the Protocol to Secure Vulnerability Assessments Submitted by Community Water Systems to EPA establishes storage, custody, transmission, and access procedures for vulnerability assessments submitted to USEPA. The protocol also includes disciplinary actions for USEPA employees who violate information security provisions (USEPA 2002).

Beyond vulnerability assessments, USEPA has taken steps to assure the security of sensitive utility data, records, and information. Since September 2001, states, utilities, and others have requested guidance from USEPA on how to deal with the competing interests between public availability of drinking water information and prudent restrictions on access in the interest of homeland security. In December 2001, the Director of USEPA's Office of Ground Water and Drinking Water issued a memorandum to its regional water managers describing how water systems may modify their CCR to remove information that may be considered sensitive, or information that the system believes will increase their vulnerability (USEPA 2001).
Similarly, systems were instructed to review SDWA source water assessments, eliminate overly detailed references or descriptions of system asset information, and ensure that [it is released] only to those governmental agencies, water suppliers, and stakeholders working to secure and protect water supplies (USEPA 2001).

In 2001 and 2002, the Office of Ground Water and Drinking Water participated in an Agency-wide workgroup, chaired by the Office of Environmental Information (OEI), to assess the sensitivity of USEPA's publicly available information holdings. This review was triggered by a March 17, 2002 memorandum from White House Chief of Staff Andrew Card, instructing all agencies to reevaluate sensitive but unclassified information to determine if a change in security classification was warranted (Card 2002). USEPA headquarters delivered an Agency-wide request in late September asking those in the agency responsible for disseminating information to identify potentially sensitive information, and particularly resources which provide information on chemicals, and/or location, and/or amounts, and/or impacts on the environment or human health (OMB Watch 2002).

To guide Agency managers in this assessment process, OEI developed four criteria for determining the sensitivity of information objects: type, specificity, connectivity, and availability of information. Information on a facility's or a pollutant's location, chemical identification, volume, acute effects, and plant processes falls within the type criterion. The specificity criterion builds on the type category and assesses the level of detail available for a specified information object. The connectivity criterion looks at the degree to which individual pieces of information can be connected to create realistic scenarios.
Finally, the availability criterion assesses the level of control that USEPA has over releasing the information, focusing on whether the Agency is the sole provider of a particular item of information (Stanley 2001). The workgroup identified drinking water well and intake locational information and detailed treatment process data as highly sensitive and worthy of additional restrictions. Other PWS facility locational data fields, such as treatment plant latitude/longitude coordinates, were not identified as highly sensitive.

Recently, utility progress on source water assessments has generated new questions from USEPA's state partners concerning access to and display of information collected for delineated source water areas (SWA) and related issues. States have raised concerns about the data handling procedures USEPA has in place for storing the source water area and related assessment information. According to USEPA, several states believe the digital source water area polygons are of a sensitive nature and merit special handling procedures. Responding to these and other concerns regarding information security, the Office of Ground Water and Drinking Water recently established a Policy to Manage Access to Sensitive Drinking Water-Related Information (USEPA 2005a) and an associated Interim Standard Operating Procedure for Drinking Water Reach Address Database (RAD) Authorization and Access (USEPA 2006a). Detailed in Exhibit 4.1, information elements included under this policy are:

Latitude and longitude coordinates of PWS wells and intakes and GIS analyses derived from these data
Delineated SWA and related state source water assessment program (SWAP) data available to USEPA

Exhibit 4.1
USEPA's management strategy for sensitive drinking water-related information

Data category 1: Latitude and longitude coordinates of PWS wells and intakes and GIS analyses derived from these data.
USEPA information security designation: USEPA considers this information highly sensitive and related to homeland security. USEPA will limit public access consistent with Agency-wide sensitivity criteria to preserve authorized restrictions on information access and disclosure. Information systems and applications that access, store, or use this information will need to be modified to conform to this policy. USEPA will consider withholding these data under FOIA Exemption 9 or other exemption categories as appropriate on a case-by-case basis.
Rationale/explanatory notes: This information is not widely available. Unauthorized access to USEPA's data could be misused for harmful purposes. USEPA believes that FOIA Exemption 9 is the most applicable authority for withholding this information because it specifically focuses on wells and, by inference, intakes. USEPA will continue to exchange source water well and intake location data with state co-regulators to allow updating but will follow the approved security plans and related procedures in response to all other requests for access. USEPA will share stream reach data with states to verify the specific drinking water intake location on each stream reach.

Data category 2: Source water delineated areas and related state source water assessment program data available to USEPA
USEPA information security designation: Sensitive for data management purposes, requiring special data handling procedures under a Standard Operating Procedure (SOP) applicable to all Federal users. The SOP will require that protocols be followed before allowing public access to the data. The SOP will also specify certain situations where USEPA will treat the data as highly sensitive and consider bases for withholding information in response to specific requests under FOIA.
Rationale/explanatory notes: USEPA considers the SWA polygon data it holds as sensitive for data management purposes because of differences in state handling requirements and because the SWA polygon data are derived directly from the source facility location. Special data handling procedures under an SOP will be required to access, store, and use all the SWA polygon data held by the Agency. As a general rule, USEPA will not deny access to the public on request. However, USEPA will treat the SWA polygon data as highly sensitive and will withhold data, based on applicable FOIA exemptions, where:
A state requests that USEPA treat the data received from the state as confidential because the state has mandatory data access restrictions more stringent than USEPA.
USEPA determines that the SWA geospatial representation could be used to identify the precise location of the intake or well.

Source: USEPA 2005b.

As indicated in Exhibit 4.1, it is USEPA's intention to restrict sensitive water utility information under FOIA Exemption 9. Exemption 9 covers geological and geophysical information and data, including maps concerning wells (U.S. DOJ 2004). According to DOJ, Exemption 9 has rarely been invoked or interpreted, and its boundaries remain substantially undefined.
It is thus not clear what types of geological or geophysical information are protected from disclosure, or perhaps more importantly, whether it was intended to apply to all types of wells (U.S. DOJ 2004). Nevertheless, DOJ's Freedom of Information Act Guide asserts that it is reasonable to assume that courts may apply Exemption 9 to protect well data in compelling circumstances, such as when [it] is necessary to guard against an attack upon pooled natural resources (U.S. DOJ 2004).

The USEPA's new policy does not cover treatment plant location and treatment process information reported by states into the Safe Drinking Water Information System (SDWIS). While this information has been restricted in the past, treatment plant location data are generally available through other sources and in other forms. Although detailed treatment process information was identified as highly sensitive in USEPA's 2002 homeland security information reviews, the Agency does not believe that data reported to SDWIS are detailed enough to trigger the need for access restrictions. Moreover, information provided to SDWIS is available to the public from non-USEPA sources, including many utilities and states (USEPA 2005b).

STATE FREEDOM OF INFORMATION LAWS

All U.S. states provide access to public records by means of freedom of information laws and associated governmental programs. Generally, state FOI laws are not superseded or limited by federal FOI laws. As a result, public water utilities cannot necessarily rely on exemptions in the federal FOIA (AMWA 2002, NCSL 2003). Nor is it clear that utilities can rely upon categorical exemptions such as those instituted through the Public Health Security and Bioterrorism Preparedness Act. It is therefore critical that utility leadership and legal counsel closely inspect state and municipal FOI statutes to clearly understand the nature and scope of water utility records categories and their applicability with respect to sensitive infrastructure information.

Public entities create numerous materials that are not publicly available records under the terms of the state's FOI regime. Thus, the first step for a utility should be to understand the factors that control whether the state's provisions apply or not. Once the utility has a clear and unambiguous sense of types of information that qualify as both a record and publicly available, it is important to clarify the criteria that control exemptions from the state's FOI program. Although many state FOI statutes are built upon the federal model, it is nevertheless prudent to carefully review specific provisions for exemptions and other departures from the overall policy of open access to public records. By way of example, Oregon has implemented 88 exemptions to its overall FOI regime, whereas Arkansas has only 15 (AMWA 2002).

In research conducted for this project, the NCSL determined that 50 U.S. states and territories have enacted statutory provisions that exempt various types of CII from disclosure under FOIA.
Of particular relevance to this project, 37 states and the District of Columbia have enacted specific exemptions from public disclosure requirements for vulnerability assessments of water system security. In almost all cases, state-level FOIA exemptions provide the statutory rationale under which a utility may choose to withhold information that could reasonably be used by an outside party to plan and/or conduct an action that could result in damage to utility components, operations, or personnel. However, the wording, topical specificity, and characterization of applicable exemption-triggering circumstances vary greatly from state to state. Some states such as Iowa and Indiana include a list of specific information items subject to FOI exemption. Other states provide triggering rationales that are more interpretive. For example, Alabama's exemption may be utilized when the disclosure could reasonably be expected to be detrimental to the public safety or welfare or otherwise detrimental to the best interests of the public (NCSL 2006).

Even if a utility's resident state has a FOI exemption for security-related information, it is critical to clearly understand the exemption language as well as factors that influence its applicability and interpretation. In a 2004 case before the Connecticut Supreme Court, the Town of Greenwich cited that state's FOI exemption to deny access to GIS records. The Supreme Court granted access to the GIS records because Greenwich failed to provide specific evidence to demonstrate how the release might threaten the town's security (Supreme Court, State of Connecticut 2004). In 2002, the Vermont Supreme Court rejected a similar exemption claim. That court wrote, "Assuming the security exemption applies at all, defendants bear the burden of showing that it applies through a specific factual record" (Supreme Court, State of Connecticut 2004).
Based on our research, it is difficult to predict whether the Connecticut and Vermont decisions are isolated, or potentially models for other states. However, it seems imperative that utilities combine use of FOI exemptions with careful and reasonable depictions of potential risk.


CHAPTER 5 SENSITIVE INFORMATION IDENTIFICATION AND MANAGEMENT: THE CURRENT STATE OF AFFAIRS

UTILITY SENSITIVE INFORMATION MANAGEMENT PRACTICES

While nearly all utilities are aware of the risks associated with inappropriate acquisition and use of their data, information, and records, the state of utility practice and capabilities for addressing this issue varies significantly from utility to utility. Many utilities are experienced with information management in arenas such as personnel and human resources, payroll, records management, and computer network security. However, they are less experienced when it comes to managing public access to CII. Almost all utilities report that they acted quickly to secure information resources in the wake of the 9/11 tragedies; in some cases these policies remain in draft form and have yet to be formally approved, adopted, and implemented.

In roughly half of the utilities interviewed for this study, sensitive information identification and management is conducted based on the case-by-case exercise of managerial and/or executive judgment. In other cases, an individual employee has taken on the responsibility for information disclosure decisions (or recommendations). Approximately half of the utilities interviewed for this project have some sort of written information security policy (ISP). While some of the written policies are based on expert input or guidance from another sector, most utilities appear merely to have adopted an ad hoc, commonsense approach to CII management. In some cases, utilities rely on a piecemeal collection of policies (of varying formality), procedures, and guidance concerning various aspects of information management and dissemination. Often, utility information protection regimes are department- or domain-specific. In some cases, information technology (IT) or cyber security measures include aspects that address the control of CII.
Roughly half of the utilities we spoke with claim to formally or informally integrate sensitive information review with an overall program in records management. However, the nature of this integration seems to vary widely. In a few cases, review of sensitive or CII has become an additional check-off in a formalized records management process, subject to written guidance and procedure. In other cases, coordination is addressed merely by virtue of the fact that the same individual, typically an executive manager, conducts both activities. Approximately 20% of utilities report that they have no formalized system for records management.

None of the utilities interviewed for this study have experienced a situation in which information was inappropriately accessed or used by an outside party (that they are aware of). However, about half have pulled back data or information objects that were once available through an open, public venue, such as their Web site. Items removed from open access include facility plans, detailed system plans, and a municipal hazard plan.

None of the utilities interviewed mentioned problems with inappropriate access and/or use of information in the context of business interactions with partners such as consultants, contractors, and vendors. While placing much emphasis on the existence and importance of long-term, trusting business relationships, utilities also report use of a variety of legal mechanisms to control how partners use utility information, such as contractual stipulations calling for employee background checks, information storage and copying provisions, confidentiality agreements, and requirements for the return of plans and data at the end of a specified period of performance. Almost all utilities voice concern over information transferred to regulatory and oversight agencies, primarily due to the
potential for FOI exposure through a request to the agency for that information; however, this concern is based more upon the possibility of an inappropriate access scenario than upon knowledge of actual events.

UTILITY INFORMATION IN THE PUBLIC DOMAIN

In addition to the further dissemination of data provided to oversight and regulatory agencies, utilities express concern regarding information propagated by means of the internet. Even though some utilities have successfully redacted records once carried on public access Web sites, it is nevertheless possible that sensitive utility information has been cached on archival sites or maintained on the Web domains of right-to-know or citizen action organizations. In other words, utilities are concerned because they may be unaware of sensitive data and information already available in the public domain.

To scope this possibility, the research team conducted a multi-venue search for specific types of sensitive records and information objects. Focusing specifically on our partner utilities, searches targeted information that could be used to cause a disruption in chlorine delivery or an extended water service disruption. This included information on chlorine delivery schedules, receiving procedures, and storage modalities and capacities, as well as location of critical system components and schematics detailing important geographically-referenced information.

This search began with an examination of each utility's Web site. The sites were carefully reviewed for key word conjunctions, and scanned for potentially relevant contractor solicitations or other procurement-related information. We also examined the Web sites of relevant state- and federal-level authorities, again focusing on key word conjunctions. We searched Web sites operated by right-to-know (e.g., www.rtknet.org) and citizen advocacy organizations that provide information to utility stakeholders and the public.
Finally, we conducted a general Web search using the Google Search Engine and a Boolean string consisting of the utility's name, the name of specific utility facilities, and a variety of relevant terms, including system components. To augment our Web-based research, we sought documents and records available in reading rooms, with a focus on utility Risk Management Plans (RMP) and associated software for developing offsite consequence analyses.

Based on this limited search exercise, information and records obtained through Web-based searches were too general to pose a threat to infrastructure security. Systems were discussed in terms of general components (e.g., distribution systems, treatment plans) or isolated aspects of processes. Specifically, we were unable to find information on chlorine delivery schedules or details concerning electrical system components or their locations. Although we did find general geographic representations of the water systems, we could not locate maps with the precise longitude and latitude for system components.

CHAPTER 6 DECISION LOGIC FOR INFORMATION RELEASE AND DISCLOSURE

As mentioned in chapter 3, we recommend that utilities adopt a balanced approach to the management of potentially sensitive information. In other words, utilities should avoid any inclination to be reflexively restrictive with respect to information sharing and/or dissemination requests. To be overly restrictive with respect to information withholding may tend to trivialize the importance of the overall information protection process, and may damage the utility's credibility with the public and partners. Moreover, utilities should exercise care when considering withholding records or information that could be viewed merely as embarrassing to the organization and/or its personnel. There may be negative implications for the utility and its leadership if it appears to outside observers that information oversight programs are being abused (Kroll Schiff & Associates 2004).

As emphasized in chapter 3, restrictive information management systems are expensive and can burden an organization's operations. If information is designated as sensitive, those with a need to work with it must be investigated prior to being given access. It may also mean that resources will be needed to support editorial activities to remove sensitive content from materials that could otherwise be widely distributed. Finally, information restrictions mean review is needed when the record is considered for archiving or destruction (U.S. GPO 1997).

It is important that sensitive information management decisions not appear arbitrary or capricious. It is important that information management decisions be (a) consistent from application to application, and (b) transparent, always including an explanation regarding why a request has been met with a limited response or denied outright (ISO 2001, 2005; NIST 2006).
ASSESSING AN INFORMATION OBJECT S CONTENT AND CONTEXT OF ANTICIPATED USE A water utility s information management policy should be flexible enough to address three basic types of information access needs: (a) access to utility information by customers and the general public; (b) access to data and information by utility partners, such as consultants, contractors, and vendors; and (c) access to data, records, and information by regulatory agencies and oversight bodies. The following seven-question process is framed to address information requests from the public, utility partners, and/or oversight and regulatory bodies. The process helps utility staff determine whether a request for information includes sensitive material; and if so, how best to respond to the request. Questions 1 3 pertain to the potential sensitivity of information or a record, whereas Questions 4 7 address circumstances pertinent to the use and/or release of the requested information (NERC 2002, Rand Corporation 2004, FGDC 2005). Each question is followed by instructive or supplemental materials designed to help utility staff think through the assessment process. An interactive version of this process is provided in the enclosed CD- ROM. 17

Question 1. Will the Document or Information Directly Reveal a Potential Vulnerability or Weakness in Security?

Utilities should consider whether the requested information would be useful for selecting one or more specific potential targets, or executing an attack on a potential target. We recognize that utility staff are not criminal investigators by training, and may not feel fully confident in determining whether a given record has the potential to aid a terrorist plot to destroy infrastructure, disrupt operations, damage public confidence, or harm utility personnel or the public. Generally, information that would present a significant risk would be of a technical nature, and relatively detailed rather than general. Information of this nature (i.e., highly detailed technical information) is unlikely to be of interest to the general public.

To help utilities think through this question, Exhibits 6.1 and 6.2 provide examples of (a) specific types of records and (b) information topics that experts view as potentially sensitive. The lists in Exhibits 6.1 and 6.2 were derived through critical compilation of FOIA exemption statutes, utility interviews, policies and guidance from related sectors, and the information management literature.

A "yes" answer to Question 1 would support (but not necessarily entail) a decision to withhold or restrict requested information, whereas a "no" answer would support a decision to release or otherwise share the requested information.

Exhibit 6.1 Illustrative list of sensitive records or information objects

- Security plans
- Emergency response plans
- Security procedures
- Security assessments
- Vulnerability assessments
- Risk assessments
- Information system access codes and specifications
- Security system plans
- Threat assessments
- Plans for preventing attacks
- Design drawings
- Schematics
- Specifications of structural elements
- Building security systems
- Operations manuals
- Building floor plans
- Maintenance manuals
- Structural plans
- Security codes
- Plans or drafts of security systems
- Records identified as vital under utility records management classifications

Sources: BASIC 2002, NERC 2002, U.S. FERC 2003, Indiana General Assembly 2003, Kentucky Legislature 2003, Rand Corporation 2004, NCSL 2006.

Exhibit 6.2 Illustrative list of sensitive information topics

- Details on final treatment process equipment (e.g., typically disinfection)
- Details on pump station discharge configuration (e.g., a location where a contaminant might be introduced under pressure with surety of targeted delivery)
- Details on a distribution system in the vicinity of a customer characterized as an attractive target
- Details on cyber/supervisory control and data acquisition systems
- Detailed information on electrical power systems for critical facilities (particularly switchgear and motor control centers, which would take an extended period to replace)
- Information on facility use of chlorine gas as a disinfectant, particularly information on storage and delivery of this chemical
- Details on source water intakes (note that general information, such as appropriate location, is a legitimate area of inquiry for the public, and is required in the annual consumer water quality reporting)
- Details on distribution system storage facilities or tanks

Sources: BASIC 2002, Fairfax County Water Authority 2006, O'Brien & Gere Engineers 2006, Santa Clara Valley Water District 2006.

Question 2. If the Document or Information Requested Were Combined With Other Information, Could it Reveal a Vulnerability or Weakness in Security?

Similar to Question 1, above, utility staff are not accustomed to thinking about the myriad ways in which nefarious individuals or groups might be able to misuse records and information. It is probably impossible to anticipate all possible ways in which a dedicated adversary could combine diverse types of information to identify and exploit a vulnerability. However, there are certain practical limitations that anyone would face in attempting to piece together a mosaic of vulnerability information by means of multiple, independent information sources. Two factors tend to be especially limiting: (a) time and effort, and (b) access to specialized technical knowledge.

Within U.S. intelligence circles, information is typically not classified unless its open publication could be reasonably expected to save an adversary a substantial amount of effort in acquiring it by other means. Moreover, if specialized expertise would be required to utilize the information or to recognize its potential for utilization, this too would argue in favor of appropriately managed release or sharing (Quist 1993, U.S. GPO 1997).

To help utilities think through this question, Exhibit 6.3 provides examples of types of information that might help a terrorist to identify potentially vulnerable links to other infrastructure resources.

A "yes" answer to this question would support (but not necessarily entail) a decision to withhold or restrict requested information, whereas a "no" answer would support a decision to release or otherwise share the requested information.

Exhibit 6.3 Illustrative list of information topics that may contribute to a composite view of system vulnerabilities

- Energy sources
- Communications assets
- Communications procedures
- Transportation methods, routes, and schedules
- Proprietary software products
- Key suppliers
- Key customers
- Personnel data
- Shipping schedules

Sources: NERC 2002, BASIC 2002, Rand Corporation 2004, U.S. TSA 2004.

Question 3. Does the Requested Material Contain Personnel Information Such as Biographical Data, Contact Information, Names, Addresses, Telephone Numbers, etc.?

Personnel and/or personal data are already restricted under state and federal privacy and records management laws. However, personal data about utility staff and their families could contribute to security-related vulnerabilities. Certain types of business operational records and information may also help outsiders to identify system vulnerabilities. Exhibit 6.4 provides a listing of sensitive data and information objects pertaining to business operations and personnel.

A "yes" answer to this question would support (but not necessarily entail) a decision to withhold or restrict requested information; whereas a "no" answer would support a decision to release or otherwise share the requested information.

Exhibit 6.4 Illustrative list of sensitive data and information pertaining to utility business operations or personnel

- Biographical data
- Contact information
- Telephone numbers
- Home addresses
- Medical records
- Employment history
- Social security numbers
- Financial information
- Payroll summaries
- Managerial cost accounting reports
- Litigation strategy memos
- Merger and acquisition documents
- Passwords and PINs
- Employee performance reviews
- Internal audit reports

Sources: U.S. NARA 2001, Santa Clara Valley Water District 2006, USEPA 2006b.

Question 4. Is the Requestor Known or the Request Expected?

In many cases, utilities have long-term relationships with trusted vendors, suppliers, and contractors. As indicated through the interviews conducted for this study, water utility engineering, construction, and technical support is a specialized business, and many utilities appear to maintain long-term business relationships with a small group of trusted and capable firms. An established relationship with an individual(s) within the requesting organization is clearly a pertinent factor and should weigh heavily in the decision to release or share information. Even so, it is prudent for a utility to take steps to assure that (a) the subject organization exercises rigorous information controls of its own; and (b) its ownership and staffing have remained stable. Even given a trusted, long-term relationship, utilities are advised to use risk mitigation measures such as non-disclosure agreements and contractual provisions that stipulate secure information management practices. (Note: There may be occasions in which the requestor of the information may not be known and might be unknowable.)

If an information request contains or implies a clear business logic and originates from a known and trusted partner, disclosure (with or without usage restrictions) is probably a viable option.

Question 5. Would the Requesting Individual or Organization Have a Legitimate Benefit From Receipt of the Information?

Unlike some multi-national corporations, water utilities typically serve customers in a fairly specific locality or geographic region. Indeed, utility staff frequently serve their neighbors. As already mentioned, most utilities are either chartered or regulated by governmental bodies. As illustrated in Exhibit 6.5, there are often legitimate and good reasons for outside agencies to seek water utility information.

The ability to demonstrate a need for the requested information (a "yes" answer) should weigh toward a decision to disclose. (Note: Keep in mind that the answer to this question may not be a clear "yes" or "no," but rather a case of "more" or "less.")

Question 6. If the Utility Does not Release the Information, Would it Forego an Understood Benefit?

Water utilities face many types of operational risks. While a terrorist attack could disrupt utility operations, so too can inadequate maintenance, human error, or delays in needed system expansion or equipment upgrades. Utilities frequently rely upon external parties (contractors, consultants, vendors) to provide needed equipment, services, and technical advice. A decision to withhold information from key external partners may delay or preclude key activities and result in the displacement of risk, rather than a reduction of risk.

The ability to articulate a benefit through information sharing (a "yes" answer) should weigh toward appropriately managed release and/or disclosure. (Note: Keep in mind that the answer to this question may not be a clear "yes" or "no," but rather a case of "more" or "less.")

Exhibit 6.5 Illustrative list of types of information that might legitimately be requested by external parties

- Property owner: location of the service lines and shutoff valve serving the property.
- Property developers/engineers: basic information on the water and sewer lines in the vicinity of a property being developed, so that they can make capacity calculations and design appropriate service connections.
- Property owners/engineers/agencies: locations of pipelines in city streets or in agency right-of-way, so that they can adequately design underground utility improvements without damaging your assets.
- Local community group:
  - Copies of reports or general information on a project of interest to the community.
  - General information on planned construction or maintenance activities (e.g., location, timing, etc.).
- Regulatory agency or environmental activist group: water quality information on source water or finished water.
- Government public works agencies or private utilities: general and specific information on planned capital projects (principally location and timing) to facilitate coordination of public space construction.
- Educational institutions and professional groups: general information about the utility and about the treatment processes for educational purposes.
- Other utilities or their consultants: request for sharing professional information about the utility's experience with a given treatment process or its approach toward managing a particular issue, for their use in developing an approach or design at another utility. Depending on the specific stage of the project, these requests might be for general information or very specific details. Either would be legitimate, but the more detailed information may need closer review or redacting before release.
- First responder agencies and regulatory agencies: appropriate levels of detail on emergency response plans, facility physical security provisions, hazardous materials used or stored on site (location, quantities, details on containerization, etc.).

Source: O'Brien & Gere Engineers 2006.

Question 7. Is the Document or Information Already Widely Available or Easily Retrievable to the Public?

Utility records and documents may already have been released and disseminated to external organizations or be available through Web sites or other media within open sources or the public domain. If an adversary can easily obtain information through widely available open sources, the utility is advised to avoid the burdens and expenses associated with information withholding. Keep in mind that there are different degrees of public availability: a document available only in a local library reading room is different than materials already available over the Web. Exhibit 6.6 contains an illustrative list of information that can be provided to the public.

If the requested information is already readily available (a "yes" answer), withholding is probably not an effective option.

Exhibit 6.6 Illustrative list of records and information that can be provided to the public

- Anything in an official utility, district, or municipal publication, brochure, mailer, press release, or report published after September 11, 2001
- Anything already publicly available from the Public Recorder or Clerk's office such as existing easement deeds
- Anything that went to a Board or other oversight body in an open session
- Information compiled, published, and publicly released by a federal or state regulatory agency, such as SDWA CCR
- Anything already carried or linked to the utility's external Web site

LEVELS OF INFORMATION PROTECTION

Answers to Questions 1-7, above, should be combined into an overall assessment for a particular record or information object. While this is a serious responsibility, it need not be overly complicated (Laplante 2002, ISO 2005, DSSA 2006). U.S. federal government agencies exercise and administer at least 56 levels of information security classification. Such complexity is clearly untenable for the typical water utility, many of which are experienced only with use of a confidential designation (U.S. GPO 1997, USEPA 2005a, Integrated Publishing 2006).

Based on guidance developed for analogous organizations, such as electric utilities, ports, and airport authorities, we suggest that water utilities designate three levels of information sensitivity (NERC 2002, City of Phoenix 2004, Rand Corporation 2004, U.S. TSA 2004, FGDC 2005). These designations are defined relative to the self-assessment questions outlined above.

Confidential Information: This category would include information (including data and records) that could be useful in planning or executing an attack on specified utility assets and/or processes, or otherwise adversely impact the utility. Such information may be specified as exempt under applicable state or municipal FOI statutes. Assignment of information to this security designation coincides with a "yes" answer to Questions 1, or 2, or 3; and "no" answers to Questions 4, 5, and 6.
Restricted Information: This category would include data, information, or records that should not be broadly released to the general public, but may be disclosed to or used by utility representatives or other individuals/groups with a verifiable need to know. Such information should be shared subject to specified protocols. Assignment to this security designation is consistent with a "yes" answer to Questions 1, or 2, or 3; and "yes" answers to Questions 4, or 5, or 6.

Public Information: Information not included under any of the above designations that is provided to the public with few or no restrictions. Examples include brochures, advertisements, press releases, and job opening announcements. Assignment to this security designation is consistent with a "no" answer to Questions 1, 2, and 3.

SENSITIVE INFORMATION MANAGEMENT APPROACHES

Once the utility has specified the sensitivity of a particular item of information, the next decision is to select and designate an appropriate management protocol. Water utility information can be managed in many different ways, ranging from absolute withholding to full and unrestricted disclosure. There are, however, many useful and pragmatic approaches between these two extremes.

The information management protocols outlined below were identified and selected through literature review, analysis of similar organizations, and interviews with water utilities. The management tools are arranged in a continuum from least to most restrictive.

Full Unrestricted Release: The utility can articulate no plausible risk associated with release of specified data or information, no matter what medium.

Release of Paper Copy Only: Electronic documents, databases, or applications are sometimes relatively easy to locate (by means of Internet searches), copy, alter, and/or further distribute. It may be that residents or others in the utility's locality have a legitimate need for specified data or information, but that individuals outside the utility's operational area have significantly less need for the same information. In this circumstance, the utility may be well advised to distribute only paper copies of a requested document or record.

Release of Paper or Electronic Copy With Signed Non-Disclosure Agreement: Non-disclosure agreements are widely used, well-understood legal instruments used to bind parties to specific uses and management practices for documents and records.

Release Following due Diligence; Assessment of Bona Fide Need-to-Know: It is not uncommon for utilities to conduct background investigations before sharing information with outside parties. For example, vendors and contractors are sometimes required to submit background information in order to pre-qualify for Requests for Proposals (RFPs) and other solicitation packages.

Release by Means of Access-Controlled Web Sites: Some utilities develop special password protected Web domains that enable selected external individuals/parties to obtain access to various types of information. Such Web applications may require execution of a non-disclosure agreement or other formalizing mechanism.

Temporary Release of Numbered Paper Copy: While a requestor may have a bona fide need-to-know for specified information, there may nevertheless be legitimate doubts concerning the requestor's ability to maintain the long-term security of the document or information. In this case, the utility can satisfy the request through temporary release of a numbered copy.

On-Site Review of Numbered Paper Copy: In the circumstance where a party with a bona fide need-to-know would benefit from sensitive data or information, the utility might be best served by granting supervised review under controlled conditions.

Release of Edited or Excerpted Paper Copy: It may be that an information request can be fully or partially addressed through disclosure of part of a document or record. If the information object has segregable portions that do not convey or imply sensitive information or data, the utility may decide to extract or black-out portions of the document in order to grant a request for release.

Topical or Issue Briefing With Utility Staff: A requestor's need for information may be satisfied simply through conversation with knowledgeable utility staff.

Denial of Request; Full Withholding of Requested Information: It may be that the utility determines that a specific record or document is simply too sensitive for release, even under controlled circumstances. Such an information object should bear appropriate marking or labeling, such as "Not to be Released Under Any Circumstances," and should also be subject to appropriate storage protocols.

In general, management tools near the top of the continuum, such as full unrestricted release, would be appropriate for information designated as public. Tools near the bottom of the continuum, such as excerpted paper copies and issue briefings, would be more appropriate for items of information that include confidential materials. In many cases, it may be appropriate to combine tools, for example permission to access a controlled Web site along with execution of a non-disclosure agreement. In this report and the associated decision tool we avoided the temptation to assign specific management tools to particular classification levels. Rather we suggest that such assignment is best left to utility decision-makers to reflect their unique perceptions of risk.

PROCESS DOCUMENTATION, TRANSPARENCY, AND CONSISTENCY IN APPROACH

As will be discussed further in chapter 8 on Records Management, records systems should contain complete and accurate representations of all transactions that occur in relation to a particular record (ISO 2001). It is strongly recommended that utilities document the results and rationale behind decisions to release or withhold sensitive information. A sample process documentation worksheet is included with the decision tool. The worksheet records (a) the information object requested and the name/affiliation of the requestor; (b) elements of the decision logic used by the utility in its treatment of a request for information, in this case the seven assessment questions; (c) the utility's answer or determination with respect to each assessment question; (d) a short narrative rationale for the selection of a specific answer to each assessment question; (e) the utility's overall classification for the record or information object, along with a narrative rationale for the overall classification decision; and (f) a description of the management approach or protocol for disseminating or withholding the requested information. The worksheet thus becomes a key aspect of the utility's record of decision with respect to a request for information.

INFORMATION MANAGEMENT CASE STUDIES

The preceding sections describe a seven-step decision logic for determining the sensitivity of a particular information object; an associated three-part information classification scheme; and a series of ten management practices to assure that information dissemination is accomplished in a secure, efficient, and transparent manner. In this section, we consider four illustrative information sharing scenarios to demonstrate the decision logic, classification scheme, and management practices.

Scenario 1: Dissemination of Water Distribution System Maps to Engineers and Developers

Knowing where water distribution pipes and sewer pipes are located is essential in the construction of new buildings, roadways, underground utilities, and other infrastructure. However, detailed maps of these systems could aid a potential adversary in exploiting system vulnerabilities. Detailed distribution system maps (showing pipe connectivity, and locations of appurtenant valves and hydrants) could be used to carry out an attack via the water system on a targeted water consumer.

Decision Logic Application:
Question 1 (Document reveals sensitive information?) Yes
Question 2 (Combined with other documents, reveals sensitive information?) Yes
Question 3 (Personnel related?) No
Question 4 (Requestor known, or request expected?) Yes
Question 5 (Requestor has legitimate use for information?) Yes
Question 6 (Utility benefits through information release?) Yes
Question 7 (Information already publicly available?) No

Recommended Designation: Restricted information. Details of a water distribution system have the potential to reveal vulnerabilities or weaknesses in security either alone or in conjunction with other information. However, engineers and developers have a legitimate need for, and will clearly benefit from, the release of this information. The utility may benefit through an efficient exchange of information with its customers and with engineers designing connections to or modifications of the distribution system. Release of this information will also reduce the risk of damage to utility assets.

Management: There are several management options for restricted information, including non-disclosure agreements, background check requirements, controlled Web access, and on-site review provisions. In this case, on-site review would likely be impractical because it is important for the information to be available in the field. Many utilities have digitized this information, making controlled electronic distribution an attractive option, most likely in conjunction with non-disclosure agreements. The utility should be careful to release only the minimum amount of information necessary to enable the work to be done.

Scenario 2: Release of Information on Raw Water Source, Such as Detailed and Specific Information Beyond What is Required for Consumer Confidence Reports and Source Water Assessments

Citizens should be informed about the source and quality of their drinking water. To that end, there are certain requirements under the Safe Drinking Water Act, such as the production of CCR and Source Water Assessments. In particular, the CCR is required to include sufficient location information for the consumer to be reasonably informed as to the existence of potential pollutant sources upstream of the water source. Although general information about water sources (such as the name of the source and general source water protection boundaries) may be inadequate to satisfy some consumer groups, in most cases the general public does not express a need to view more detailed information. Detailed information regarding the location or configuration of drinking water intakes (such as detailed drawings or high resolution maps that show the location of drinking water wells and/or surface water intakes) could put drinking water sources at risk for contamination and supply disruption, and may not provide significant additional utility to requesting groups.

Decision Logic Application:
Question 1 (Document reveals sensitive information?) Yes
Question 2 (Combined with other documents, reveals sensitive information?) Yes
Question 3 (Personnel related?) No
Question 4 (Requestor known, or request expected?) No
Question 5 (Requestor has legitimate use for information?) No
Question 6 (Utility benefits through information release?) No
Question 7 (Information already publicly available?) No

Recommended Designation: Confidential information. Source water details have the potential to reveal vulnerabilities or weaknesses in security and it is not clear that either the general public or the utility would benefit from the release of information at that level of detail or resolution. In addition, although source water data must be shared with regulatory agencies, EPA's Office of Water considers the location of public drinking water wells and intakes to be highly sensitive and related to homeland security.

Management: There are several management options for confidential information. In the case of source water information requested by the general public, a utility may want to release edited versions of reports, speak with the requestor about the topic or issue, or deny the request entirely.

Scenario 3: Information Released in the Course of Procurements, Particularly Drawings Released as Part of a Construction Bidding Process

A wide range of information may be necessary for a contractor to determine whether or not it is appropriate to bid on a project, and to help in the formulation of a bid. Information relevant to bidding that may be security sensitive could include equipment schematics, operational characteristics of chlorine storage and feed facilities, or electrical power schematics.

Decision Logic Application:
Question 1 (Document reveals sensitive information?) Yes
Question 2 (Combined with other documents, reveals sensitive information?) Yes
Question 3 (Personnel related?) No
Question 4 (Requestor known, or request expected?) Yes
Question 5 (Requestor has legitimate use for information?) Yes
Question 6 (Utility benefits through information release?) Yes
Question 7 (Information already publicly available?) No

Recommended Designation: Restricted information. This information could reveal a potential vulnerability or weakness in security either alone or in conjunction with other relevant information. However, if the utility does not release this information it will hinder its ability to procure contractors, which in turn could impede its ability to function efficiently.

Management: There are several applicable management options for restricted information. These include non-disclosure agreements, background check requirements, controlled Web access, and provision for on-site review. Several utilities require vendors and contractors to submit background information, in what is sometimes termed a pre-qualification submittal, in order to qualify to receive a full solicitation package. Information in the pre-qualification form may include references and experience (e.g., applicable licenses and registration, company ownership, credentials, and general work record and reputation) as well as organizational responsibility (e.g., banking information, surety, and insurance).

Scenario 4: Citizen Requests for General Information About Utility Construction or Maintenance Projects

Utilities often perform outreach activities to inform the public about upcoming construction and maintenance projects. Such outreach can take the form of community presentations or mailings to customers who will potentially be affected. The information contained in these presentations and mailings typically relates to the location of the project, the duration of the project, and the basic scope of the project, without providing details such as the exact type of equipment used, schematics, delivery schedules, or detailed maps of the construction site.

Decision Logic Application:
Question 1 (Document reveals sensitive information?) No
Question 2 (Combined with other documents, reveals sensitive information?) Yes
Question 3 (Personnel related?) No
Question 4 (Requestor known, or request expected?) No
Question 5 (Requestor has legitimate use for information?) Yes
Question 6 (Utility benefits through information release?) Yes
Question 7 (Information already publicly available?) No

Recommended Designation: Public information. General information about construction does not have the potential to reveal a vulnerability or weakness in security; and there are clear benefits to both the general public and the utility in releasing such information. Although the requested information may not be published, some aspects of the project work will be readily observable by the general public.

Management: In this situation it might only be necessary for a utility to distribute pamphlets and flyers and to make presentations of information associated with construction. Citizens and others in the vicinity of the utility have a significantly higher need for information regarding construction and maintenance projects than those outside the utility's operational area and thus release of information through other media could be deemed unnecessary.
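The designation rule from "Levels of Information Protection" and the worksheet fields (a) to (f), run against the answer sets of the four scenarios above, as an added Python example that is not part of the report or its CD-ROM decision tool. The function and class names, the rationale check, and the `override` parameter are assumptions of this sketch. Read literally, the rule gives Restricted for Scenario 4 (Question 2 is answered yes), where the report designates Public, in line with its statement that a yes answer supports but does not necessarily entail restriction.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    PUBLIC = "Public"
    RESTRICTED = "Restricted"
    CONFIDENTIAL = "Confidential"


# Short labels for the seven assessment questions, as worded in the scenarios.
QUESTIONS = {
    1: "Document reveals sensitive information?",
    2: "Combined with other documents, reveals sensitive information?",
    3: "Personnel related?",
    4: "Requestor known, or request expected?",
    5: "Requestor has legitimate use for information?",
    6: "Utility benefits through information release?",
    7: "Information already publicly available?",
}


def designate(answers):
    """Literal reading of the rule; answers maps question number -> bool."""
    missing = sorted(set(QUESTIONS) - set(answers))
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    sensitive = answers[1] or answers[2] or answers[3]
    need_or_benefit = answers[4] or answers[5] or answers[6]
    if not sensitive:
        return Level.PUBLIC            # "no" to Questions 1, 2, and 3
    # "yes" to 1, 2, or 3: Restricted if any of 4-6 is "yes", else Confidential
    return Level.RESTRICTED if need_or_benefit else Level.CONFIDENTIAL


@dataclass
class Worksheet:
    """Record of decision holding worksheet items (a) through (f)."""
    information_object: str       # (a)
    requestor: str                # (a)
    answers: dict                 # (b), (c)
    rationales: dict              # (d)
    rule_result: Level            # what the literal rule returns
    designation: Level            # (e) what the utility decided
    designation_rationale: str    # (e)
    management_approach: str      # (f)


def build_worksheet(information_object, requestor, answers, rationales,
                    designation_rationale, management_approach, override=None):
    """Fill in a worksheet; refuse to record a decision that has no rationale."""
    rule_result = designate(answers)
    unexplained = [q for q in QUESTIONS if not rationales.get(q, "").strip()]
    if unexplained:
        raise ValueError(f"no rationale recorded for questions: {unexplained}")
    if not designation_rationale.strip():
        raise ValueError("overall designation needs a narrative rationale")
    # override (assumption of this sketch): the reviewer's judgement, kept
    # beside the literal rule result so the record shows both.
    return Worksheet(information_object, requestor, dict(answers),
                     dict(rationales), rule_result, override or rule_result,
                     designation_rationale, management_approach)


def yn(flags):
    """Turn a seven-letter Y/N string into {question number: bool}."""
    if len(flags) != len(QUESTIONS):
        raise ValueError("expected one answer per question")
    return {q: c == "Y" for q, c in enumerate(flags, start=1)}


# Answer sets and recommended designations transcribed from the four scenarios.
SCENARIOS = {
    1: (yn("YYNYYYN"), Level.RESTRICTED),
    2: (yn("YYNNNNN"), Level.CONFIDENTIAL),
    3: (yn("YYNYYYN"), Level.RESTRICTED),
    4: (yn("NYNNYYN"), Level.PUBLIC),
}


def compare_with_report():
    """Return {scenario: (literal rule result, report's designation)}."""
    return {n: (designate(a), rep) for n, (a, rep) in SCENARIOS.items()}


if __name__ == "__main__":
    for n, (rule, reported) in compare_with_report().items():
        note = "" if rule == reported else "  <- reviewer judgement applied"
        print(f"Scenario {n}: rule={rule.value}, report={reported.value}{note}")
```

Recording both `rule_result` and `designation` keeps the record of decision consistent across requests while still showing where staff judgement departed from the mechanical outcome.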


CHAPTER 7
ELEMENTS OF A WATER UTILITY INFORMATION SECURITY AND ACCESS CONTROL POLICY

In the preceding chapters, we outlined an approach for assessing the sensitivity of specific items of information and provided guidance on the selection of appropriate information management protocols. We also recommended an approach for documenting the results of the assessment process and the rationale behind the utility's decision. Together, these items constitute a decision tool to help water utilities deal with information requests as they arise.

In this chapter, we outline factors that water utilities should consider in developing and implementing an overall ISP. An ISP provides administrative, managerial, and personnel guidelines for controlling access to and protecting a utility's sensitive information and records from unauthorized dissemination, access, utilization, and tampering (Kroll Schiff & Associates 2004). An ISP should provide clear management direction and support for information security in accordance with relevant laws and regulations and the utility's business and operational requirements (ISO 2005).

Based upon literature review, studies of analog organizations, and information gathered through interviews with utility staff and other experts, we recommend that utilities develop and adopt a written policy for the identification and control of sensitive information. Development of a formal, written policy is recommended because water utility information security management currently tends to be an ad hoc activity, often lacking a clear center of authority. The interviews conducted for this project indicate that information security is frequently uncoordinated and fragmented within utility management structures, with executive leadership, legal counsel, records management, public relations, IT, operations and engineering, and security staff all playing roles.

The cross-functional, cross-departmental nature of sensitive infrastructure information management suggests the need for investment in the development of a formal policy. Such a policy can spur and maintain utility-wide application of a consistent approach to a clearly defined set of information management procedures. Having a written policy and being able to demonstrate consistent compliance with it will help the utility defend against challenges to its restriction of information.

Another reason for development and adoption of a written ISP is to raise awareness of the overall issue and the need for information security vigilance utility-wide. Indeed, some of the utilities interviewed for this project cited lack of issue awareness as their biggest challenge in the management of sensitive information.

There is no single approach for development of a water utility ISP. Given its unique needs and circumstances, each utility may select from a range of options. Exhibit 7.1, below, outlines a range of plausible options for a water utility ISP. Whatever approach a utility chooses to adopt, it is critical that the policy be designed to mesh appropriately with existing records management protocols. The approach outlined in chapter 8 identifies likely points of intercept with a typical records management policy.

Exhibit 7.1 Illustrative approaches to the development and implementation of a water utility sensitive information management policy

Minimal Process: A utility could use the decision tool outlined in this report or a simple list of prescribed information objects, and move forward on a case-by-case basis, taking care to document decisions as they occur. In all cases, the prescribed approach should be initiated by means of some type of directive from the utility's executive leadership.

Mid-Range Process: Many utilities already have a records management policy. For those that do, an information security policy could be developed as an annex to existing records management protocols; in essence merely adding the three (recommended) security designations and the 10 associated management protocols as a formal feature to existing records management activities. Chapter 8 outlines key points of integration for utilities that wish to combine sensitive information management protocols with existing records management programs.

Develop a Comprehensive Information Security Policy Framework: As needs and resources warrant, a utility can develop a focused, comprehensive policy for assuring the security of potentially sensitive infrastructure information.

The following section outlines key aspects of a water utility information security plan. This approach is based upon model policies developed for the Defense Security Service Academy (DSSA) and the International Standards Organization (ISO), as well as input derived from interviews with leading utilities (DSSA 2006, ISO 2005). From our utility interviews, it is clear that both of these models have been adapted for use by municipalities and major water utilities (City of Phoenix 2004). Based on critical institutional and operational differences between water utilities and typical DSSA target audiences (typically a defense or military establishment), we have simplified these templates to cover the major components, outlined below.

SCOPE AND PURPOSE

The ISP must begin with a clear statement describing (a) applicable utility information assets and records, (b) applicable personnel and employees, (c) key security-related definitions, and (d) circumstances under which provisions of the policy will be extended to other agencies, consultants, and contractors.
STAFF RESPONSIBILITIES FOR INFORMATION MANAGEMENT

An adequate security policy must clearly explain specific expectations and responsibilities of all utility staff involved with creation, access, dissemination, management, tracking, and/or storing of sensitive information. An ISP should also clearly articulate the consequences for information security violations. An ISP may need to be coordinated with human resources and personnel policies; and may need to address separation of rules.

INFORMATION CLASSIFICATION AND ASSOCIATED MANAGEMENT STEPS

An ISP must describe information sensitivity categories and clearly specify criteria for inclusion of a specific record or information object in the appropriate category. While this report articulates three levels of information sensitivity classification, individual utilities may find it useful to designate a different number of categories. The ISP must also spell out information management protocols associated with each classification level, and provide guidance for the selection of an appropriate protocol.

SUPPORTING PROCEDURES

Once a record or information object has been classified, it is necessary to assure an appropriate regime of administrative processes. A comprehensive ISP will typically address considerations such as the following:

Sensitivity Designation Labeling and Control Marking: Physically marking confidential and access restricted information with the appropriate designation and control markings (e.g., Do-Not-Distribute, For-Official-Use-Only) serves to warn and inform holders of the degree of protection associated with a particular item of information. It is important to mark all security sensitive information, clearly indicating applicable management protocols.

Physical Security: It makes little sense for a water utility to review and classify information objects unless it also assures that sensitive materials are physically secure. Access to every building, computer room, and utility location containing sensitive information must be physically restricted through use of appropriate access control methods such as receptionists, metal key locks, and magnetic card door locks. When it is not being used, sensitive information must be protected from unauthorized disclosure (AwwaRF 2001, ASCE 2004, Baker 2004).

Destruction and Disposal: All security-sensitive information items must be disposed of properly.

Third Party Agreements: Agreements for services by a third party should incorporate applicable information security arrangements, security-related definitions, and stipulations for secure storage, transfer, use, and end-of-agreement disposition. Typical agreements include provision for employee background checks and certification and standard non-disclosure terms.

Asset Inventory: There is a strong logical connection between utility asset management programs and efforts to enhance the security of CII. Guidance from the ISO recommends development of an asset inventory, including information assets. At its simplest, such an inventory would identify and list all utility information objects designated as confidential and/or restricted (ISO 2005).

Exhibit 7.2 lists generic tasks and provisions for an ISP.

Utility management and executive leadership should actively support the ISP through clear direction, demonstrated commitment, explicit assignment of roles, and acknowledgement of related responsibilities. In addition to management and executive support, an ISP should have an owner who exercises management responsibility for the development, review, and evaluation of the overall policy.

Exhibit 7.2 Generic tasks and provisions relevant to a water utility information security policy

- Identify the types of information the utility holds that need to be protected
- Create designations appropriate for the sub-sets of identified information
- Outline criteria for granting access to each class of information
- Establish a marking and labeling scheme
- Determine storage needs, methods, media, and associated security measures
- Develop procedures for accessing protected information and recording transactional activity
- Procedures for processing newly created records and information into the program
- Procedures for the transmission and transfer of protected information internally and externally
- Develop employee training and awareness programs
- Employee non-disclosure agreements
- Vendor confidentiality and non-disclosure agreements
- Premises security
- Review of public Web site content

CHAPTER 8
ADDRESSING THE LINKAGE BETWEEN INFORMATION SECURITY AND RECORDS MANAGEMENT

As public entities, many water utilities are subject to state- and/or municipal-level records management laws. Generally, these laws require governmental agencies to make and preserve records containing adequate and proper documentation of their organization, function, policies, decisions, procedures, and essential transactions. These records are public property and must be managed according to applicable laws and regulations.

Records management laws define record types, establish records retention schedules, and establish records management roles and responsibilities within the utility or municipality. In some cases, records management laws include guidance for IT systems, including servers, e-mail, and Web sites. While these laws tend not to define and/or address CII, they frequently define relevant categories of records and associated management procedures. For instance, records schedules for waterworks operations often include potentially security-relevant categories such as bacteriological records, chemical analyses records, cross-connection control records, violation correction records, and water well completion reports. State public records laws also stipulate how utilities should address and respond to information requests received by means of legal instruments, such as state-level FOIAs and subpoenas issued through civil and criminal proceedings (TSLAC 2000, ISO 2001, ASCE 2004, Iron Mountain 2005).

As indicated previously, it is essential that a utility coordinate its information security practices and records management policies. Indeed, it may be that a utility can simply migrate its information sensitivity review procedures into its records management framework, in essence creating a new review cycle under existing procedures.
Review of a wide range of utility, municipal, corporate, and state-level records management laws suggests the following points of interception:

Definitions: Most state and/or municipal public records management laws include standardized definitions that are germane to the management of sensitive infrastructure information, including key terms such as public record, requestor, records management, retention period, filing and retrieval systems, and records schedules. It is essential that a water utility's information management policy be fully consistent with concepts and definitions stipulated in applicable records management laws.

Exemptions: Most state, and some municipal, open records laws designate certain types of records as exempt from public access. As discussed previously, virtually all U.S. states have recently legislated exemptions to their FOI laws covering water utility critical information objects. It is important that utilities become familiar with relevant exemption categories and controlling legal precedents and interpretations.

Roles and Responsibilities: Nearly all state records management laws specify roles and responsibilities for records management activities within the organization. Management protocols for sensitive infrastructure information should utilize these roles as appropriate and augment responsibilities as needed.

Forms: Most state-level records management regimes include various standard forms. As applicable, sensitive information management procedures should utilize, reference, or be appended to existing forms.

Records Processing Requests: Utilities subject to state-level open records and/or record management laws typically develop procedures for processing requests for records. Many of these procedures will overlap with the execution of an ISP. These procedures address:
- Copying
- Time deadlines
- Fees (if any)

Records Access: The regulatory environment under which a utility operates likely establishes broad principles regarding access rights, restrictions, and conditions which are then incorporated in records management procedures. States frequently enact legislation or executive directives covering areas such as privacy, FOI, and archiving. Since records may contain personal, commercial, or operationally sensitive information, access is sometimes denied. Policies and procedures enacted to control or limit access to security sensitive information should be carefully linked or integrated with existing controls on records access. It is a principle of records management that access control is accomplished by assigning status to both records (information objects) and individuals (ISO 2001). Managing the access process involves ensuring that:
- Records are categorized according to their access status at a particular time (which implies that access status can change over time as conditions or circumstances change)
- Records are only released to those authorized to see them
- Records processes and transactions are only undertaken by those authorized to perform them
- Parts of the organization with responsibility for specific topics and/or business functions review access permissions to records dealing with their business domain or areas of responsibility

Records Storage, Distribution, and Disposal: Under most records management laws, utilities and municipalities are required to retire inactive records, transfer and archive records identified as permanent, and destroy records that are not historically significant or material to utility operations. ISPs should adopt existing storage, distribution, and disposal practices. Useful background can be found in ISO (2001).

Records Schedules and Categorization Schemes: Records categorization systems reflect the business of the organization from which they are derived and are typically based on analysis of the organization's core business activities. Many organizations establish a series of basic records categories, such as operations, accounting, legal, and finance. These high-level categories are typically sub-divided into more specific records schedules or classes (Iron Mountain 2005). Sensitive infrastructure information types should be designated with full cognizance of existing records schedules, perhaps by augmenting existing schedules with security designation levels (and associated procedures) or by creating a new schedule category reserved for security sensitive information.

Vital Records: Utility business continuity plans and/or emergency response plans sometimes identify records deemed vital to the continued functioning of the organization. Such records should be carefully reviewed in the context of sensitive information management (USEPA 2004).


APPENDIX A
INFORMATION MANAGEMENT SURVEY


APPENDIX B
STATE FOIA EXEMPTIONS

Exhibit B.1 Descriptions of state FOIA exemptions

State/jurisdiction | Statutory citation | Description of exemptions
Alabama | Ala. Code 36-12-40 (2006) | Exempts from public disclosure requirement records concerning security plans, procedures, assessments, measures, or systems as well as other records relating to, or having an impact upon, the security or safety of persons, structures, facilities, or other infrastructures. The exemption includes information concerning critical infrastructure and critical energy infrastructure information when the disclosure could reasonably be expected to be detrimental to the public safety or welfare or otherwise is detrimental to the best interests of the public. When a request for such records is received, the statute provides that the public officer receiving the request for records shall notify the owner of such infrastructure in writing of the request and provide the owner an opportunity to comment on the request and on the threats to public safety or welfare that could reasonably be expected from public disclosure on the records.
Alaska | Alaska Stat. 40.25.120 (a)(10) | Specific exemption for records pertaining to facilities and infrastructure when the release of the information would reasonably be expected to interfere with the implementation or enforcement of a security plan, or could reasonably be expected to endanger the life or physical safety of an individual, or present a real and substantial risk to the public health and welfare.
Arizona | Ariz. Rev. Stat. Ann. 39-126, 49-205(2) | Specific exemptions for water system assessments. One specifically exempts federal risk or vulnerability assessments of infrastructure, including water, from disclosure. The other exempts water system vulnerability assessments from disclosure that are submitted to USEPA pursuant to Public Law 107-188.
Arkansas | Ark. Stat. Ann. 25-19-105 (b)(15) | Specific exemption for risk and vulnerability assessments.
California | Cal. Gov. Code 6254(z)-(bb) | Specific exemption for documents prepared by a state or local agency that assess its vulnerability to terrorist or other criminal acts and that is for distribution or consideration in a closed session. Also includes an exemption to disclosure requirements for CII that is voluntarily submitted to the California Office of Homeland Security for use by that office, including the identity of the person or entity that submitted the information. Voluntarily submitted is defined as submitted in the absence of the office exercising any legal authority to compel access to or submission of critical infrastructure.

Exhibit B.1 (Continued)

State/jurisdiction | Statutory citation | Description of exemptions
Connecticut | Conn. Gen. Stat. 1-14, 1-210(19) | Broad exemption for records that the Commissioner of Public Works has reasonable grounds to believe may result in a safety risk to any person, state-owned or leased facility or any fixture, and equipment attached to that facility.
Delaware | 29 Del. Code Ann. 10002(16) | Specific exemptions for records, that if disclosed, could jeopardize the security of any facility owned by the state or a political subdivision, or could facilitate the planning of a terrorist attack, or could endanger the life or physical safety of an individual, including plans designed to prevent or respond to an emergency situation that would reveal vulnerability assessments, and plans or other records of waste and water systems.
District of Columbia | D.C. Statute 2-534(10) | Specific exemption for any specific vulnerability assessment intended to prevent or mitigate an act of terrorism.
Florida | Fla. Stat. 119.071 | Specific exemptions for a security system plan for any property owned by or leased to the state or a political subdivision. A security system plan includes records and information related to threat assessments conducted by any state or local agency or private entity, and threat response plans.
Georgia | Ga. Code 50-18-72(a)(15) | Specific exemption for security plans and vulnerability assessments for any public utility, building or function; plans for preventing attacks; documents revealing the existence, nature and location of security devices; and plans, blueprints or other materials that would compromise security if made public.
Hawaii | Hawaii Rev. Stat. 92F-13(4) | Exemption for government records that are protected from disclosure pursuant to state or federal law.
Idaho | Idaho Code 9-340B (3)(b) | Specific exemption for information, including vulnerability assessments, the disclosure of which would jeopardize people's safety.
Illinois | 5 ILCS 140/7 (1)(ll)-(mm) | Specific exemption for vulnerability assessments, security measures and response policies or plans that are designed to identify, prevent or respond to potential attacks upon a community's population or systems, facilities, or installation when said destruction or contamination would constitute a clear and present danger to the health or safety of the community. The exemption only applies to the extent that disclosure could reasonably be expected to jeopardize the effectiveness of the measure or the safety of the personnel who implement them or the public. Examples of information exempt under this statute include details pertaining to the mobilization or deployment of personnel or equipment, the operation of communication systems or protocols and tactical operations.

Exhibit B.1 (Continued)

State/jurisdiction | Statutory citation | Description of exemptions
Indiana | Ind. Code 5-14-3-4 (19) | Specific exemptions for records or parts of records when the public disclosure of the information would have a reasonable likelihood of threatening public safety by exposing a vulnerability to terrorist attack. Among the items included in this exemption are records assembled, prepared or maintained to prevent, mitigate or respond to a terrorist attack; vulnerability assessments; risk planning documents; needs assessments; threat assessments; domestic preparedness strategies; location of community drinking water wells and surface water intakes; and infrastructure records that disclose the configuration of critical communication, electrical, ventilation, water and wastewater systems.
Iowa | Iowa Code 22.7(45) | Specific exemption for records of a municipal utility, including vulnerability assessments, the disclosure of which could reasonably be expected to jeopardize the security or the public health and safety of those served by the municipal utility.
Kansas | Kan. Stat. Ann. 45-221 (12), (45) | Specific exemption for records of emergency or security information of a public agency, or plans used for the generation of or transmission of water, the disclosure of which would jeopardize the security of the public agency or facility. Also listed in the statute is a specific exemption for records which, if disclosed, would pose a substantial likelihood of revealing security measures that protect systems, facilities or equipment used in the production, transmission or distribution of energy, water or communications services as well as transportation and sewer or wastewater treatment facilities or equipment. The statute specifically states that security measures include, but are not limited to, tactical plans and vulnerability assessments.
Kentucky | Ky. Rev. Stat. 61.878 (1)(m) | Specific exemption from disclosure for public records when such disclosure has a reasonable likelihood of threatening public safety by exposing a vulnerability to a terrorist attack. Among the records exempt under the statute are vulnerability assessments, security and response needs assessments, infrastructure records that expose a vulnerability through the disclosure of the location, configuration or security of critical systems (including public utility critical systems); detailed drawings, schematics, maps or specifications of structural elements, floor plans and operating, utility or security systems of any building owned, occupied, leased or maintained by a public agency.
Louisiana | La. Rev. Stat. 44:3(3) | Specific exemption for records held by publicly owned water districts that contain threat or vulnerability assessments.
Maine | 402 Me. Rev. Stat. Ann. 3 | Specific exemption for public records, including risk assessments prepared specifically to prevent or prepare for an act of terrorism, the disclosure of which could reasonably be expected to jeopardize the physical safety of the public.

Exhibit B.1 (Continued)

State/jurisdiction | Statutory citation | Description of exemptions
Maryland | Md. State Govt. Code Ann. 10-618(j) | Specific exemptions for plans prepared to prevent or respond to emergency situations, the disclosure of which would reveal vulnerability assessments, and plans or records of waste and water systems, the disclosure of which would reveal the building's structure and security systems. The exemptions are provided only where disclosure would jeopardize the security of any relevant structure, help plan a terrorist attack, or endanger people's lives or physical safety.
Massachusetts | Mass. Gen. L. ch. 4, 7(n) | Specific exemption for records, including vulnerability assessments, the disclosure of which is likely to jeopardize public safety.
Michigan | Mich. Comp. Laws 15.243 (y) | Specific exemptions for public or private records designed to protect people's security and safety, including public water supply designs, and risk planning documents and threat assessments.
Minnesota | | No exemption.
Mississippi | Miss. Code Ann. 25-61-11 | Stipulates that Mississippi's exemptions shall not conflict with or supersede any state or federal law that specifically declares a public record to be confidential.
Missouri | Mo. Rev. Stat. 610.021 (18)-(19) | Specific exemption for information about existing or proposed security systems and structural plans of real property owned or leased by a municipal utility when the disclosure would threaten public safety. Operational guidelines and policies developed, adopted or maintained by any public agency responsible for law enforcement, public safety, first response or public health for use in responding to or preventing any critical incident deemed to be terrorist in nature or which has the potential to endanger individual or public safety or health are also exempt from disclosure. Existing or proposed security systems and structural plans owned or leased by a public governmental body, and information that is voluntarily submitted by a non-public entity owning or operating an infrastructure to any public governmental body for use in devising plans for protecting that infrastructure are also exempt when the disclosure would threaten public safety.
Montana | Mont. Code Ann. 2-6-102 (3) | Exempts information that is constitutionally protected from disclosure, which is information where there is an individual privacy interest that clearly exceeds the merits of the public disclosure and matters related to individual or public safety.
Nebraska | Neb. Rev. Stat. 84-712.05(8) | Exemption for information, including vulnerability assessments intended to prevent or mitigate criminal acts, the disclosure of which would likely endanger public safety or property.
Nevada | NRS 239C.270; NRS 239C.210; NRS 270C.110 | Protects the confidentiality of information conveyed to the governor, including information pertaining to water utilities, when the entity conveying the information requests that it remain confidential.

Exhibit B.1 (Continued)

State/jurisdiction | Statutory citation | Description of exemptions
New Hampshire | N.H. Rev. Stat. 91-A:5(VI) | Specific exemption for records concerning the preparation and implementation of all emergency functions developed by state and local government officials intended to stop a deliberate act that may result in significant property damage, personal injury or loss of life.
New Jersey | N.J. Rev. Stat. 47:1A-1.1 | Specific exemption for emergency or security information for facilities, that if disclosed, would jeopardize the security of the facility or create a risk for the safety of people or property.
New Mexico | N.M. Stat. Ann. 14-2-1(8) | Specific exemption for records that contain plans prepared by the state or a political subdivision, the publication of which could reveal vulnerabilities or risk assessments that could aid in a terrorist attack.
New York | N.Y. Pub. Off. Law 47-6-87(a) | Exemption of records when they are specifically exempted from disclosure by state or federal law.
North Carolina | N.C. Gen. Stat. 132-1.7 | Specific exemption for information containing details of public security plans or plans of public infrastructure facilities.
North Dakota | N.D. Cent. Code 44-04-24 | Specific exemption for a security system plan kept by a public entity, which is defined to include information related to vulnerability and capability assessments conducted by public or private entities.
Ohio | Ohio Rev. Code 149.433 | Specific exemption for security records, which include vulnerability assessments designed to prevent or mitigate an act of terrorism.
Oklahoma | Okla. Stat. 51-24A.27-28 | Specific exemption for vulnerability assessments of water and wastewater systems. A second exemption is provided for information obtained from the federal government that may be required to be kept confidential pursuant to federal law.
Oregon | Or. Rev. Stat. 192.501 (23), 192.5028 (8) | Specific exemption for records or information that would reveal security efforts taken or recommended to protect publicly owned buildings or other property. A second exemption is provided for information prohibited to be disclosed by federal law.
Pennsylvania | 65 Pa. Cons. Stat. 66.1-66.4 | Exemption of records, the access to which is prohibited by state law, or which, if disclosed, would result in the loss of federal funds by the state or local governments.
Puerto Rico | | Uncertain exemption.
Rhode Island | R.I. Gen. Laws 46-15.3-7.5(a) | Specific exemption for information contained in water supply systems management plans.
South Carolina | | Uncertain exemption.
South Dakota | S.D. Codified Laws Ann. 1-27-3 | Exemption for records that are required by law to be kept secret.
Tennessee | Tenn. Code Ann. 10-7-503(b), 10-7-504(a)(2) | Specific exemption for utility service providers' reports identifying areas that are vulnerable to terrorism or other unlawful disruptions of service.

Exhibit B.1 (Continued)

State/jurisdiction | Statutory citation | Description of exemptions
Texas | 2003 Tex. Gen. Laws, Chap. 1312 | Specific exemption for certain information relating to risk or vulnerability assessments designed to prevent, detect or investigate an act of terrorism.
Utah | Utah Code Ann. 63-2-201(3)(b); 63-2-304 (10)(11) | Exemption of records, access to which is restricted by state or federal law, or the disclosure of which would result in the loss of state or federal funds.
Vermont | 1 Vermont Stat. Ann. 317(c)(32) | Specific exemption for records of publicly-owned, -managed or -leased structures, to the extent the release of the information presents a substantial likelihood of jeopardizing the safety of persons or the security of public property, final building plans and as-built plans. Exempted records include drafts of security systems within a facility depicting the internal layout and structural elements of buildings, facilities, infrastructures, systems, or other structures owned, operated, or leased by an agency; emergency evacuation, escape, or other emergency response plans that have not been published for public use; and vulnerability assessments, operation and security manuals, plans, and security codes.
Virgin Islands | 3 V.I.C. 881(14); 23 V.I.C. 1146 | Exempts confidential information affecting homeland security from disclosure. The statute establishing the homeland security department provides that measures adopted must not be inconsistent with federal law and must include a plan for the security of critical infrastructure licensed or regulated by agencies of the federal government.
Virginia | Va. Code 2.2-3705 (57) | Specific exemption for plans to prevent or respond to a terrorist activity, or specific security measures that, if disclosed, would jeopardize the public safety or the security of any governmental facility.
Washington | Wash. Rev. Code 42.17.310(ww) | Specific exemption for records designed to prevent or mitigate terrorist acts, specifically including vulnerability assessments. Also exempts records that are not subject to disclosure under federal law.
West Virginia | W.Va. Code 29B-1-4 | Specific exemption for records designed to prevent or mitigate terrorist acts, specifically including vulnerability assessments.
Wisconsin | Wis. Stat. 19-36(1) | Exemption of records specifically exempted from disclosure by state or federal law.
Wyoming | Wyo. Stat. 16-4-203 | Specific exemption for vulnerability assessments, building plans and other information related to waste and water systems.

Source: NCSL 2006.

REFERENCES

Aftergood, S. 2005. The Age of Missing Information [Online]. Slate. Available: <http://slate.com>.
Aftergood, S. 2006. Federation of American Scientists. August 20, 2006 telephone interview. Discussed issues associated with federal and state efforts to restrict information flow following 9/11.
AMWA (Association of Metropolitan Water Agencies). 2002. State FOIA Laws: A Guide to Protecting Sensitive Water Security Information. Washington, D.C.: Association of Metropolitan Water Agencies.
Andress, C. 2003. Eliminating Hometown Hazards: Cutting Chemical Risks at Wastewater Treatment Facilities [Online]. New York: Environmental Defense. Available: <www.environmentaldefense.org/pdf.cfm>.
Aquarion Water Company of Connecticut. 2003. Procedure for the Security of Critical Information. Monroe, Conn.
ASCE (American Society of Civil Engineers). 2004. Interim Voluntary Security Guidance for Wastewater/Stormwater Utilities. Reston, Va.: ASCE.
AwwaRF (Awwa Research Foundation). 2001. Emergency Planning for Water Utilities (M19). Denver, Colo.: AwwaRF.
Baker, M. 2004. Security Practices Primer for Water Utilities. Prepared by Michael Baker Corporation. Denver, Colo.: AwwaRF.
BASIC (Bay Area Security Information Collaborative). 2002. Water Utility Threat Condition Emergency Response Plan for the Homeland Security Advisory System. Oakland, Calif.: Bay Area Security Information Collaborative.
Card, A. 2002. Memorandum for the Heads of Executive Departments and Agencies. Washington, D.C.: The White House.
City of Phoenix. 2004. Information Security Policy. Phoenix, Ariz.
City of Rocky Mount. 2001. Administration Policy: Use of the City Computer System. Rocky Mount, N.C.
Clinton, W. 1995. Executive Order 12958: Classified National Security Information. Washington, D.C.: The White House, Office of the Press Secretary.
CRS (Congressional Research Service). 2003. Homeland Security Act of 2002: Critical Infrastructure Information Act. Washington, D.C.: Congressional Research Service, The Library of Congress.
Donald, K. 2006. Brick Township Municipal Utilities Authority. August 31, 2006 interview. Discussed issues associated with Brick Township's use of CII provisions under the Homeland Security Act to protect a GIS asset management system from New Jersey State FOI Requirement.
DSSA (Defense Security Service Academy). 2006. Defense Personnel Security Research Center. Available: <http://www.diss.mil/>.
Fairfax County Water Authority. 2006. Information Security Standard. Arlington, Va.
FGDC (Federal Geographic Data Committee). 2005. Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns [Online]. Reston, Va.: FGDC, U.S. Geological Survey. Available: <http://www.fgdc.gov>.
Gallagher, S., and M. Neugebauer. 2004. Critical Infrastructure Information Sharing. Ithaca, N.Y.: Syracuse University, Institute for National Security and Counterterrorism, Information Sharing and Homeland Security Conference, May 2004.
Gerwin, S. 2006. Washington Suburban Sanitary Commission. December 4, 2006 interview. Reviewed WSSC information security protocols; reviewed draft version of the decision tool developed for this project.
Goddard, M. 2006. City of Phoenix, Water Services Department. December 7, 2006 interview. Reviewed draft version of report and decision tool developed for this project.
Hook, D. 2006. Santa Clara Valley Water District. June 3, 2006 and December 13, 2006. Conducted beta review of project survey questionnaire; reviewed draft version of the decision tool developed for this project.
Indiana General Assembly. 2003. Indiana Code 5-14-3-4. Indianapolis, Ind.
Integrated Publishing. 2006. Security Classification Levels [Online]. Fort Richie, Fla.: Integrated Publishing. Available: <http://www.tpub.com/content/advancement/12018/css/12018_693.htm>.
Iron Mountain. 2005. Records Management Best Practices Guide. Boston, Mass.: Iron Mountain.
ISO (International Organization for Standardization). 2001. Information and Documentation - Records Management. Geneva, Switzerland: ISO/IEC.
ISO (International Organization for Standardization). 2005. Information Technology - Security Techniques - Code of Practice for Information Security Management. Geneva, Switzerland: ISO/IEC.
Kempe, M. 2006. Massachusetts Water Resources Authority. August 14, 2006 interview. Discussed MWRA's draft information security planning process; reviewed early draft version of the decision tool developed for this project.
Kentucky Legislature. 2003. Kentucky Revised Statute 61.878. Frankfort, Ky.
Kroll Schiff & Associates. 2004. Protecting Corporate Secrets: A Brief Primer on Contemporary Practices in Information Security. Reston, Va.: Kroll Schiff & Associates.
Laplante, P. 2002. Identifying and Protecting Unclassified Sensitive Information. Washington, D.C.: U.S. Department of Energy, Information Classification and Control Policy, Policy and Quality Management.
Laplante, P. 2006. (Retired) U.S. Department of Energy. September 1, 2006 interview. Discussed the theory and practice of information classification; reviewed early draft version of the decision tool developed for this project.
Lincoln Water System. 2005. Draft Security Manual. Lincoln, Neb.
Mariani, M. 2004. A Little Less Sunshine. Governing Magazine. June. Washington, D.C.: Congressional Quarterly Press.
McDermott, P. 2006. Director, OpenTheGovernment.org. September 5, 2006 interview. Discussed issues associated with federal and state efforts to restrict information flow following 9/11; reviewed early draft version of the decision tool developed for this project.
Molton, S. 2006. OMB Watch. September 5, 2006 interview. Discussed issues associated with federal and state efforts to restrict information flow following 9/11; reviewed early draft version of the decision tool developed for this project.
NCSL (National Conference of State Legislatures). 2003. State Open Record Laws: Legislative Activities in 2003. In Terrorism Preparedness: A Series of Reports About State Responses to Public Health Threats. Denver, Colo.: NCSL.
NCSL (National Conference of State Legislatures). 2006. Protecting Water System Security Information 2006 Update. Denver, Colo.: NCSL (developed under contract to Stratus Consulting Inc., Boulder, Colo. and Washington, D.C.).
NERC (North American Electric Reliability Council). 2002. Security Guidelines for the Electricity Sector: Protecting Potentially Sensitive Information (Version 1.0). Washington, D.C.: NERC.
NIST (National Institute of Standards and Technology). 2006. Information Security Handbook: A Guide for Managers. NIST Special Publication 800-100. Gaithersburg, Md.: U.S. Department of Commerce, National Institute of Standards and Technology.
O'Brien & Gere Engineers. 2006. Information Usage by Outside Parties. Memorandum dated December 18 from Gregory Welter to Charles Herrick, Stratus Consulting.
OMB Watch. 2002. OMB Watch Freedom of Information Act Request to EPA. Letter from Reece Rushing to Betty Lopez, U.S. EPA Associate Director, FOIA Operations, December 20, 2001; and summary of EPA response. Available: <http://www.ombwatch.org/article/articleprint/736/-1/97>.
Podesta, J. 2003. Need to Know: Governing in Secret. In The War on Freedoms: Civil Liberties in an Age of Terrorism. Edited by R. Leone and G. Anrig. New York: The Century Foundation.
Pozen, D. 2005. The Mosaic Theory, National Security, and the Freedom of Information Act. Yale Law J. 115(628):628-679.
Quist, A. 1993. Security Classification of Information, Volume 2. Principles for Classification of Information. Oak Ridge, Tenn.: Oak Ridge National Laboratory.
Rand Corporation. 2004. Mapping the Risks: Assessing the Homeland Security Implications of Publicly Available Geospatial Information. Santa Monica, Calif.: Rand Corporation.
Reeverts, C. 2006. U.S. EPA, Office of Water. December 5, 2006 interview. Discussed EPA policy and procedures to manage sensitive drinking water information.
Santa Clara Valley Water District. 2006. Records Management Guide. San Jose, Calif.
Stanley, E. 2001. Testimony of Elaine Stanley, Director Office of Information Analysis and Access, Office of Environmental Information, U.S. Environmental Protection Agency, Before the Subcommittee on Water Resources and Environment of the Committee on Transportation and Infrastructure, U.S. House of Representatives, November 8, 2001.
Stone, K. 2006. U.S. EPA. National Center for Homeland Security Research. July 5, 2006 interview. Discussed EPA policy and procedures for the protection of sensitive water utility information.
Supreme Court, State of Connecticut. 2004. SC 17262, 274 Conn. 179; 874 A2d 785; 2005 Conn. LEXIS 218.
Tombs, R.B. 2005. Policy Review: Blocking Public Geospatial Data Access is Not Only a Homeland Security Risk. URISA J. 16(2):49-51.
TSLAC (Texas State Library and Archives Commission). 2000. Suggested Policy Model for Establishing a Records Management Program by Ordinance in a Small Municipality [Online]. Austin, Texas: TSLAC, State and Local Records Management Division. Available: <http://www.tsl.state.tx.us/slrm/recordspubs/pm3.html>. [cited August 31, 2006]
Tumarkin, J. 2006. U.S. Environmental Protection Agency, Office of Environmental Information. June 7, 2006 interview. Discussed EPA post-9/11 efforts to develop information sensitivity criteria and review web contents.
U.S. Congress. 2002. Public Health Security and Bioterrorism Preparedness and Response Act of 2002. Public Law 107-188, June 12, 2002.
U.S. Department of Homeland Security. 2005. Safeguarding Sensitive But Unclassified (For Official Use Only) Information. Department of Homeland Security, Management Directive System, MD Number: 11042.1.
U.S. Department of Homeland Security. 2006. Procedures for Handling Critical Infrastructure Information. September 1. Fed. Reg. 71(170):52262-52277.
U.S. DOJ (U.S. Department of Justice). 2001. New Attorney General FOIA Memorandum Issued. FOIA Post. Washington, D.C.: U.S. Department of Justice, Office of Information and Privacy.
U.S. DOJ (U.S. Department of Justice). 2004. Freedom of Information Act Guide, Exemption 9. [Online]. Available: <http://www.usdoj.gov/oip/exemption9.htm>.
USEPA (U.S. Environmental Protection Agency). 2001. Sensitive Data in Consumer Confidence Reports and Source Water Assessments. Memorandum dated December 5 from the Director of the EPA Office of Ground Water and Drinking Water, Cynthia Dougherty, to EPA Regional Office Water Management Division Directors. Washington, D.C.: U.S. EPA, Office of Ground Water and Drinking Water.
USEPA (U.S. Environmental Protection Agency). 2002. Protocol to Secure Vulnerability Assessments Submitted by Community Water Systems to EPA. Washington, D.C.: U.S. Environmental Protection Agency.
USEPA (U.S. Environmental Protection Agency). 2004. EPA Order 2160.1 Vital Records. Washington, D.C.: U.S. EPA.
USEPA (U.S. Environmental Protection Agency). 2005a. National Security Information Handbook. Washington, D.C.: U.S. Environmental Protection Agency, Office of Administration and Resources Management.
USEPA (U.S. Environmental Protection Agency). 2005b. Policy to Manage Access to Sensitive Drinking Water-Related Information. Memorandum dated April 4 from EPA Deputy Assistant Administrator, Michael Shapiro, to EPA Deputy Regional Administrators.
USEPA (U.S. Environmental Protection Agency). 2006a. Proposed Revision to Interim Standard Operating Procedure (SOP) for Drinking Water Reach Address Database (RAD) Authorization and Access. Washington, D.C.: U.S. Environmental Protection Agency, Office of Water.
USEPA (U.S. Environmental Protection Agency). 2006b. Records Management Policy. Washington, D.C.: U.S. EPA.
U.S. FERC (U.S. Federal Energy Regulatory Commission). 2003. Critical Energy Infrastructure Information. Washington, D.C.: FERC (Docket Nos. RM02-4-000, PL02-1-000; Order No. 630).
U.S. GPO (U.S. Government Printing Office). 1997. Report of the Commission on Protecting and Reducing Government Secrecy. Washington, D.C.: U.S. GPO.
U.S. NARA (U.S. National Archives & Records Administration). 2001. Records Management Self-Evaluation Guide [Online]. Washington, D.C.: U.S. National Archives & Records Administration. Available: <http://www.archives.gov/records_management/publications>. [cited July 14, 2005]
U.S. TSA (U.S. Transportation Security Administration). 2004. Information Security (INFOSEC) Program: TSA Management Directive No. 2800.8 [Online]. Washington, D.C.: Transportation Security Administration. Available: <http://tsaweb.tsa.dot.gov/intraweb/assetlibrary/tsa_md_2800_8.pdf>.

ABBREVIATIONS

CCR: Consumer Confidence Reports
CII: Critical Infrastructure Information
CIIA: Critical Infrastructure Information Act
DHS: Department of Homeland Security
DOJ: U.S. Department of Justice
DSSA: Defense Security Service Academy
FOI: Freedom of Information
FOIA: Freedom of Information Act
GIS: geographic information system
ISO: International Standards Organization
ISOO: Information Security Oversight Office (DOJ)
ISP: information security policy
IT: information technology
NCSL: National Conference of State Legislatures
OEI: Office of Environmental Information (USEPA)
PI: Principal Investigator
PWS: public water system
RAD: Reach Address Database
RFP: Requests for Proposal
RMP: Risk Management Plans
SDWA: Safe Drinking Water Act
SDWIS: Safe Drinking Water Information System
SOP: Standard Operating Procedure
SWA: source water areas
SWAP: source water assessment program
U.S.: United States
USEPA: U.S. Environmental Protection Agency

6666 West Quincy Avenue, Denver, CO 80235-3098 USA. P 303.347.6100. www.awwarf.org. email: info@awwarf.org