Top 20 Security Program Action Items for Transit Agencies

18. Access to security sensitive documents is controlled.

Top 20 1. Written security program and emergency management plans are established. 2. ...plans are updated to reflect anti-terrorist measures... 3(A). ...plans are an integrated system program... 3(B). ...security design criteria... 3(C). ...incident command system... 4. ...signed, endorsed and approved by top management. 5. ...security and emergency management programs are assigned to a senior level manager. 6. ...responsibilities are defined and delegated... 7. ...supervisors, forepersons, and managers are held accountable... 8. A threat and vulnerability assessment resolution process... 9. Security sensitive intelligence information sharing... 10. Background investigations are conducted of new employees. 11. Criteria for background investigations are established. 12. Security orientation or awareness materials are provided... 13. Ongoing Training Programs... 14. Public awareness materials are developed and distributed... 15. Periodic audits of security and emergency management policies... 16. ...Drills and full-scale exercises... 17. Access to documents of security critical systems... 18. Access to security sensitive documents is controlled. 19. Background investigations are conducted of contractors... 20. Protools have been established to respond to OHS threat advisery levels.

Guide for Developing Security Plans for Information Technology Systems Federal Computer Security Program, National Institute of Standards and Technology December 1998 This in-depth document contains guidelines to protect information technology and physical security resources in the form of management controls and operational controls. It includes information on the organization, procedures and oversight necessary to ensure that only legitimate users of the information system or physical facility obtain sensitive information which may affect security or emergency preparedness.	DOC
Interim Sensitive Security Information (SSI) Policies and Procedure for Safeguarding and Control Transportation Security Administration November 2002 This document specifies the requirements that must be implemented immediately by all employees and contractors covered under paragraph 3 of this document to mark, store, control, transmit, destroy, and manage the release or withholding of Sensitive Security Information (SSI). This policy covers SSI in every form in which it is stored, including paper, electronic, magnetic, and other media. This policy contains the minimum standards for employees and contractors to mark, store, control, transmit, and destroy SSI.	DOC