Corporate Information Security Handbook

Download as pdf or txt
Download as pdf or txt
You are on page 1of 101

Cop

The Port Authority of New York & New Jersey


Information Security Handbook
October 15, 2008, corrected as of November 14, 2013


i



The Port Authority of New York and New Jersey
Information Security Handbook













Copyright 2008, 2013 The Port Authority of New York and New Jersey

No copyright is claimed in the text of U.S. regulations or statutes quoted within.

ii

TABLE OF CONTENTS


Page

INTRODUCTION .............................................................................................................. 1

CHAPTER 1

PORT AUTHORITY INFORMATION SECURITY
ORGANIZATIONAL STRUCTURE ....................................................................... 2

CHAPTER 2

CATEGORIZATION OF INFORMATION .......................................................................... 4

2.1 DEFINITIONS .................................................................................................. 4

2.2 GENERAL PROCESS FOR
CATEGORIZATION ....................................................................................... 5

2.3 TRAINING AND INFORMATION REVIEW ...................................................... 6


2.4 REMOVAL OF CATEGORY DESIGNATION .................................................. 7

CHAPTER 3

INFORMATION ACCESS ................................................................................................. 8

3.1 APPLICABILITY ............................................................................................. 8

3.2 GENERAL CRITERIA ..................................................................................... 8

3.3 INFORMATION ACCESS CONTROLS ........................................................... 9

3.4 ACCESS DISQUALIFICATION ....................................................................... 11

3.5 NON-DISCLOSURE AND CONFIDENTIALITY
AGREEMENTS (NDAs) .................................................................................. 11

iii
3.6 UNAUTHORIZED DISCLOSURE OF INFORMATION ................................... 12

3.7 SECURITY CLEARANCE AND ACCESS PROHIBITIONS ............................ 12

3.8 BACKGROUND SCREENING ........................................................................ 12

3.9 AUTHORIZED PERSONNEL CLEARANCE LIST .......................................... 13

3.10 DEVELOPMENT OF CONFIDENTIAL INFORMATION
PRACTICES AND PROCEDURES (CIPP) ...................................................... 13

3.11 PROCUREMENT STRATEGIES .................................................................. 14
CHAPTER 4

MARKING, HANDLING, STORAGE, TRANSMITTAL AND
DESTRUCTION REQUIREMENTS ................................................................................... 17

4.1 MARKING OF PROTECTED INFORMATION ................................................. 17

4.2 HANDLING PROTECTED INFORMATION ..................................................... 19

4.3 TRANSMITTAL OF PROTECTED INFORMATION ........................................ 19

4.4 STORAGE OF PROTECTED INFORMATION ................................................ 22

4.5 DOCUMENT ACCOUNTABILITY LOG ........................................................... 22

4.6 REPRODUCTION ........................................................................................... 23

4.7 DESTRUCTION OF PROTECTED INFORMATION ........................................ 23

4.8 INFROMATION TECHNOLOGY SYSTEMS
HANDLING OF ELECTRONIC INFORMATION /DATA .24

4.9 TRANSMISSION/EXCHANGE OF ELECTRONIC INFORMATION ...24
4.10 ELECTRONIC STORAGE 25
4.11 USER ACCESS DEACTIVATION 26
iv

CHAPTER 5

AUDITING AND MONITORING ........................................................................................ 27

5.1 PURPOSE ....................................................................................................... 27

5.2 AUDITS AND INVESTIGATIONS.................................................................... 27

5.3 SELF-ASSESSMENT ...................................................................................... 28

CHAPTER 6

POLICY VIOLATIONS AND CONSEQUENCES .............................................................. 29

6.1 RESPONSIBILITIES ....................................................................................... 29

6.2 VIOLATIONS, INFRACTIONS, OR BREACH OF
INFORMATION SECURITY PROTOCOLS ..................................................... 29

6.3 VIOLATION REPORTING, INVESTIGATION AND FACT
FINDING ......................................................................................................... 29

6.4 DISCIPLINARY ACTION ................................................................................. 29

CHAPTER 7

INFORMATION SECURITY EDUCATION AND AWARENESS
TRAINING ........................................................................................................................ 31

7.1 PURPOSE ....................................................................................................... 31

7.2 OVERVIEW ..................................................................................................... 31

7.3 TRAINING PROGRAM ELEMENTS ............................................................... 31
v
APPENDICES OF HANDBOOK


A - PROTECTED INFORMATION

B NON-DISCLOSURE AND CONFIDENTIALITY AGREEMENTS
B-1: Non-Disclosure and Confidentiality Agreements with reference to
Handbook
B-2: Non-Disclosure and Confidentiality Agreements without reference to
Handbook
B-3: PA/PATH Employee Non-Disclosure and Confidentiality Agreement

C BACKGROUND SCREENING CRITERIA

D THE SECURE WORKER ACCESS CONSORTIUM (SWAC)

E COVERSHEET FOR CONFIDENTIAL PRIVILEGED INFORMATION

F TRANSMITTAL RECEIPT

G GUIDELINES FOR THE STORAGE OF PROTECTED INFORMATION

H GUIDELINES FOR THE DISPOSAL AND DESTRUCTION OF
PROTECTED INFORMATION

I- AUDIT PROCEDURES
1
INTRODUCTION

This Port Authority of N.Y. & N.J. Information Security Handbook (Handbook) establishes
guidelines and uniform processes and procedures for the identification, handling, receipt,
tracking, care, storage and destruction of Protected Information (as hereinafter defined)
pursuant to The Port Authority of New York and New Jersey Information Security Policy (the
Policy). This Handbook is intended to be the implementation guideline for that policy. It is
also intended to complement the Port Authority Freedom of Information Code (Code), inasmuch
as it further defines certain information that may be exempt from release under the Code. The
guidelines contained in this Handbook are not intended to, in any way, be in derogation of the
FOI Code adopted by the Board in March 2012. The Code continues to provide open, timely
and uninhibited access to the Port Authority's (and its subsidiary corporations') public records
and reflects the New York Freedom of Information Law ("FOIL") and New Jersey's Open Public
Records Act ("OPRA"). . This Handbook prescribes requirements and other safeguards that are
needed in order to prevent unauthorized disclosure of Protected Information and to control
authorized disclosure and distribution of designated sensitive information, when it is released by
The Port Authority of New York and New Jersey (the Port Authority) either internally or
externally. A major underlying principle, on which the Handbook is premised, is that there is a
limited universe of sensitive information to which it applies. There is the expectation that
prudent, informed and circumscribed judgments will be made by those staff members charged
with the responsibility of identifying and properly designating sensitive information, as is
provided for in this Handbook. In this regard, adherence to the Handbooks requirements will
help ensure that the necessary care will be constantly and consistently undertaken in order to
ensure that mis-designation, or over marking, of information will be avoided. Another
important principle of the Handbook is that access to properly designated sensitive information
is premised on a strict need to know basis. It is the establishment of this need to know that is
the essential prerequisite for being granted access privileges. It must be emphasized that
possession of a federal security clearance or other access rights and/or privileges to sensitive
information does not per se establish a need to know for purposes of obtaining access to
discrete sensitive Port Authority information. This principle is equally applicable to the Port
Authority and its internal staff as it is to third party individuals and entities, which are given
access privileges to sensitive Port Authority information.
This Handbook will be amended and updated from time to time as may be appropriate. When
appropriate, each Port Authority department, office and/or business unit, as well as
contractors/consultants, should create a Confidential Information Practices and Procedures
(CIPP) document with additional guidelines for their respective businesses. This will assist
staff, and third parties working with the Port Authority, in carrying out the requirements of this
Handbook. A CIPP should augment, but may not deviate from, the requirements of this
Handbook. The procedures, safeguards and requirements of this Handbook fully apply to all
subsidiaries of the Port Authority that deal with, or create, Protected Information. Whenever the
term Port Authority is referenced in this Handbook, it should be understood to include and/or
cover its subsidiary entities.
The Port Authority expressly reserves the right to reject any information designation and/or to
remove/add any and all markings on information that is not consistent with this Handbook.
2

CHAPTER 1 - PORT AUTHORITY INFORMATION SECURITY ORGANIZATIONAL
STRUCTURE
The Port Authority organizational structure for information security is as follows:
Chief Security Officer (CSO) is responsible for the implementation of Port Authority policy on
security matters, both physical and informational, and for the coordination of security initiatives
throughout the agency in order to assure consistency in practices, procedures and processes.
In particular, the CSO works in close collaboration with the Director of Technology Services
Department and the Corporate Information Security Officer with regard to their respective areas
of security responsibilities. The CSO acts as the Port Authoritys principal liaison on security
related matters with governmental, public and private entities. The CSO works closely with the
Law Department, Public Safety Department and the Office of Inspector General on security
initiatives, on compliance with governmental requirements on security matters, and on issues
relating to compliance with the Port Authoritys security policy.

Corporate Information Security Officer (CISO) the CISO reports directly to the CSO in order to
assure agency wide consistency on policy implementation. The CISO is responsible for the
management, oversight and guidance of the Policy. The CISO works in conjunction with all
appropriate Port Authority departments and subsidiaries to: (i) formulate practices and
procedures concerning information security management issues affecting the Port Authority, its
operations and facilities; (ii) review, categorize and manage all Port Authority information
consistent with the Port Authoritys policy and procedures under its Freedom of Information
Code; and (iii) establish procedures and handling requirements for Port Authority information
based upon its sensitivity designation in order to ensure that the information is used solely for
authorized purposes. The CISO will report to the Secretary who in turn reports to the Executive
Director.

Departmental Information Security Officer (DISO) - each department head, and, where
appropriate, office head, will designate a staff member to act as DISO in order to ensure
compliance with the Policy. The DISO is responsible for management and oversight of
information security issues for departmental operations and reports to the CISO on information
security practices and procedures, or issues relating thereto. Additionally, the DISO may
perform the Security Information Manager (SIM) functions, if a SIM has not been designated for
a department, division, office, unit or project. Each DISO is also responsible for compiling an
inventory of all Confidential Privileged Information and Confidential Information in their
departments possession and/or providing updated listings to the CISO on a monthly basis, or
on such other periodic basis as may be established by the CISO. Additionally, the DISO is
responsible for approving the departmental Confidential Information Practices and Procedures
(CIPP) document and, before authorizing its use, for submitting the CIPP to the CISO for final
approval and providing periodic reports to the CISO, as the CISO may require.

Security Information Manager (SIM) Port Authority departments, offices or other business
units, as well as contractors, vendors, and consultants, individuals and/or entities, where
appropriate, who are involved with, or who could have exposure to, Confidential Information
shall designate a SIM who is responsible for coordinating the implementation and daily
oversight of the Policy for the particular Port Authority department, office, business unit, or third-
party contractor, vendor, or other party. The SIM reports to the DISO and/or the Security
Project Manager (SPM) for a project, where applicable. If a Port Authority department
3
determines that the SIM function may be carried out by the DISO, then the SIM designation may
not be required, unless or until the DISO, in consultation with the CISO, determines otherwise.
The functions of the SIM are further described throughout this Handbook.


Director of Technology Services Department is the head of the Technology Services
Department (TSD). The Director of TSD, or the Directors designee, works with the CSO and
the CISO to coordinate the Policy efforts and to provide the Port Authority with the most current
resources needed to comply with legislative and regulatory requirements, to adhere to industry
standards and best business practices and procedures, and to identify and address technology
issues that may affect the current and future policy. The Director of Technology Services
Department is also responsible for providing technical support and training to assist staff and to
meet information security management goals.

Office of Inspector General (OIG) The OIG's responsibilities include: conducting criminal and
administrative investigations of possible misconduct by Port Authority officers and employees,
as well as third parties doing business with the Port Authority; reviewing agency internal controls
and management practices for weaknesses that could allow losses from corruption,
incompetence and/or bad decision making; making recommendations for cost effective
improvements; serving as the confidential investigative arm for the Port Authoritys Ethics
Board; conducting educational awareness programs for all Port Authority employees pertaining
to integrity and ethics; and, where appropriate, conducting background investigations of certain
contractors proposing to do business with the Port Authority. The OIGs Security Inspection
Division is responsible for conducting investigations, inspections, reviews, and audits pertaining
to all Port Authority security programs in all departments. It should be noted that cases
involving investigations are exempt from CISO approval.

Information Security Subcommittee (ISSC), chaired by the CISO, includes departmental
representatives from line departments (who might also be functioning as a DISO), the Law and
Public Safety Departments, the Office of Inspector General and the Director of Technology
Services Department. The ISSC assesses the Policy needs and the effectiveness of the
policys implementation, as well as evaluating initiatives for its further development and
refinement.

4
CHAPTER 2 - CATEGORIZATION OF INFORMATION

2.1 Definitions

For purposes of this Handbook the following definitions shall apply:
(a) Information means, collectively, all documents, data, reports, notes, studies,
projections, records, manuals, graphs, electronic files, computer generated data or information,
drawings, charts, tables, diagrams, photographs, and other media or renderings containing or
otherwise incorporating information that may be provided or made accessible at any time,
whether in writing, orally, visually, photographically, electronically or in any other form or
medium, including, without limitation, any and all copies, duplicates or extracts of the foregoing.
(b) Protected Information means and includes collectively, Confidential
Information, Confidential Privileged Information, Sensitive Security Information (SSI), Critical
Infrastructure Information (CII) or Health Insurance Portability and Accountability Act (HIPPA)
and Information that is labeled, marked or otherwise identified by or on behalf of the Port
Authority so as to reasonably connote that such information is confidential, privileged, sensitive
or proprietary in nature. The term Protected Information shall also include all work product that
contains or is derived from any of the foregoing, whether in whole or in part, regardless of
whether prepared by the Port Authority or a third-party, or when the Port Authority receives such
information from others and agrees to treat such information as Protected.
(c) Confidential Privileged Information means and includes collectively
Information that reveals security risks, threats, vulnerabilities, documentation that identifies
specific physical security vulnerabilities or revealing specific security vulnerabilities details
related to emergency response protocols, egress plans, flow paths, egress capacities,
(diagrams, codes, standards) etc., which is not publicly available. and any and all Information,
documents and materials entitled to protection as a public interest privilege under New York
State law and as may be deemed to be afforded or entitled to the protection of any other
privilege recognized under New York and/or New Jersey state laws or Federal laws.
(d) Confidential Information means and includes collectively, any and all
Information, documents and materials entitled to protection as a public interest privilege under
New York State law and as may be deemed to be afforded or entitled to the protection of any
other privilege recognized under New York and/or New Jersey state laws or Federal laws. It
also includes Information that contains sensitive financial, commercial or other proprietary
business information concerning or relating to the Port Authority, its projects, operations or
facilities that would be exempt from release under the Port Authority Freedom of Information
Code. It also includes sensitive financial, commercial and other business information received
from third parties under Non-Disclosure and Confidential Agreements.
(e) Health Insurance Portability and Accountability Act (HIPAA) Employees,
associates or other contract personnel who have access to Protected Health Information (PHI)
must refer to, and comply with, the Privacy Policies and Procedures to Protect Personal Health
Information. Privacy regulations issued under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA or Privacy Laws) place restrictions on the Group Health
Plans of the Port Authority and PATH (the Plans) ability to use and disclose Protected Health
Information (PHI).

5
(f) Attorney Work Product Attorney work product and other privileged information
should be protected and treated in accordance with the established rules of the legal profession
and may carry the label Privileged & Confidential or Attorney Work Product. Certain
attorney work product information may also fall within the definitions of Confidential Privileged
and/or Confidential Information as established by the Handbook, and as such, should be
marked and treated in accordance with the Handbook and the Law Department CIPP.

(g) Critical Infrastructure Information" (CII) has the meaning set forth in the Homeland
Security Act of 2002, under the subtitle Critical Infrastructure Information Act of 2002 (6 U.S.C.
131-134), and any rules or regulations enacted pursuant thereto, including, without limitation,
the Office of the Secretary, Department of Homeland Security Rules and Regulations, 6 C.F.R.
Part 29 and any amendments thereto. CII may also be referred to as Protected Critical
Infrastructure Information or PCII, as provided for in the referenced rules and regulations and
any amendments thereto.
(h) "Sensitive Security Information" (SSI) has the definition and requirements set
forth in the Transportation Security Administrative Rules & Regulations, 49 CFR 1520, (49
U.S.C. 114) and in the Office of the Secretary of Transportation Rules & Regulations, 49 CFR
15, (49 U.S.C. 40119) and any amendments thereto.
(i) Non-Disclosure and Confidentiality Agreement (NDA) refers to the
Agreements attached hereto as Appendix B (which include Appendices B-1 through B-3).
When approved by the Law Department, other forms of a NDA may be used for special
situations or specific projects, however, a general NDA may be used in retaining consultants
and contractors where the retainer involves work on various projects.
(j) Non-Disclosure Instructions (NDI) refers to the instructions attached hereto as
Appendix C. A NDI is used when represented staff are given or have responsibilities, which
involve working on sensitive and/or security related matters, and/or when such staff is being
given access to Confidential Information. The NDI is given to each individual before starting
such work or on being given such access. The CISO, in consultation with the Law Department,
may allow the use of NDIs in other circumstances, as may be appropriate.


2.2 General Process for Categorization
As defined hereinabove, the term Protected Information includes all Port Authority Information
protected pursuant to this Handbook or as governed by statutory regulations. Any sensitive
Information not specifically deemed Confidential Privileged Information should be categorized
as Confidential Information. In addition, certain other types of Protected Information, such as
HIPAA, SSI and CII, are treated separately and distinctly because they are governed by specific
federal designations and must be marked and handled in accordance with federal regulations or
requirements. The requirements in this Handbook apply to all Protected Information, unless
otherwise specified. Where a different or additional requirement applies to a specific sub-
category of Protected Information, it will be noted.

6
Each DISO, in consultation with the CISO, shall create a list of examples of Confidential and
Confidential Privileged Information to be used as a guide by the departmental staff. This list
may be included in the departments CIPP. Any employee, consultant, third-party contractor or
other agency personnel may nominate Information for categorization in either of the two
categories. The DISO, SIM, supervisors, managers or the CISO, as may be appropriate, should
take the action needed to process the Protected Information under their control and to review it
as soon as possible. It is important to understand that not every piece of material currently held
should be reviewed. The review should only be of Information that is considered potential
Protected Information. If management, employees, consultants, third-party contractors, or other
agency personnel determine that Information under review contains Protected Information, the
Protected Information should be designated with the appropriate categorization.
In order to categorize Information as Confidential Privileged Information or Confidential
Information the following steps must take place:

1. Inform the DISO or SIM, where applicable, and the unit supervisor of the group/entity
proposing the categorization.
2. Obtain DISO concurrence and approval.
3. Obtain CISO approval (except in the case of the PA OIG).
4. If approved, mark and label the information, and, if appropriate, apply a cover sheet (See
Appendix F).
If Information has been nominated for Confidential or Confidential Privileged categorization, a
final decision on the nomination shall be made within one week of its submission. During the
time period between the submission and a determination regarding the categorization, the
nominated Information should not be reviewed, released or distributed to any individuals, other
than those individuals who possess a need to know and are currently familiar with the
Information, or were previously provided access to other Confidential or Confidential Privileged
Information for the same project or task.


2.3 Training and Information Review
Port Authority managers, including, but not limited to, the DISO, SPM and the SIM will complete
training. This enables them to conduct a continuing review of Protected Information under their
control in order to identify and categorize it as Confidential or Confidential Privileged
Information. Employees, consultants, third-party contractors or other agency personnel must
participate in and complete the Policy training, which enables them to continue the process of
review, identification, and categorization of Protected Information.
Each Department Director will determine which staff members in the respective department
require Policy training and will do so on an ongoing basis. When access to Protected
Information is given to third parties, a training requirement may also be a condition for granting
access privileges.


7
2.4 Removal of Category Designation
At some point, Protected Information may no longer be considered Confidential or Confidential
Privileged, and should therefore have its designation removed or eliminated. This may occur as
a result of any number of circumstances, including changes within the Policy, the changing
nature of information security, a better understanding of particular material, and/or changes in
public policy or law, among others. In order to determine whether category designations should
be removed from particular materials, the CISO may establish criteria for the periodic review of
all sensitive material. In any case, the category designation of any particular Protected
Information may not be removed without the approval of the CISO. A record of any removal of
categorization for particular information must be kept by the DISO, with a copy provided to the
CISO.
8
CHAPTER 3 INFORMATION ACCESS

3.1 Applicability

Each employee, consultant, third-party contractor, tenant, individual and/or entity requiring, or
requesting, access to Port Authority Protected Information must adhere to the requirements set
forth in this Handbook.
1
Protected Information is intended for official business use only. Failure
to abide by the procedures set forth in the Handbook can lead to a denial of access privileges to
Protected Information and/or other contractual, civil, administrative or criminal action.

All employees, consultants, third-party contractors, individuals and/or entities given access
privileges to Protected Information are responsible for overseeing the safeguarding and
protection of Protected Information in their possession or under their control as per this
Handbooks requirements. Questions concerning the safeguarding, protection, release, and/or
access to Protected Information should immediately be brought to the attention of the CISO,
DISO, SPM, or SIM, as may be appropriate, in the particular circumstance.

3.2 General Criteria

In order for access to certain Protected Information to be considered for approval, all individuals
including PA staff, must meet and complete the following criteria, unless otherwise required
under federal or state regulations:

Be a citizen of the United States of America, or be an alien who has been lawfully
admitted for permanent residency or employment (indicated by immigration status), as
evidenced by Immigration and Naturalization Service documentation, or be a national of
the United States as defined by the Immigration and Nationality Act. This requirement
may be waived by the CISO with the concurrence of the OIG and/or the CSO where and
when circumstances so require.
Obtain sponsorship for a request to be given access to Protected Information through
the individuals assigned chief, director, manager, or supervisor. The written request
must include justification for access, level of access required, and indicate the duration
for which access privileges are required. (OIG is exempt from this)
Forward the request through the individuals supervisory chain to the CISO, (except in
the case of the PA OIG) , via the appropriate DISO, SPM, or SIM, requesting that a
specific background check be undertaken, where appropriate and/or required.
Background check required to access CP information and/or accessing a PA Facility that
requires background screening.
Complete the Port Authority Information Security Education and Awareness Training.

1
The CSO and/or the OIG in consultation with the Law Department may modify and/or waive the condition of
complying with the requirements of the Handbook where such compliance is impractical, such as in the case of a
governmental entity having its own information security procedures and/or protocols governing the handling and
protection of sensitive information. In addition, certain sensitive information is required to be submitted to other
governmental entities under applicable laws, rules or regulations, or the Port Authority may elect to submit
Confidential Information to a governmental entity, such as in the case of the CII process, wherein it may elect to
submit Confidential Information to the Department of Homeland Security in order to secure the protection of the CII
regulatory scheme.
9
Execute a Port Authority NDA (See Appendix B), or an Acknowledgement of an existing
executed NDA, and, if the individual is Port Authority represented staff, have been
provided with the NDI. Consultants or third party needs to designate a Security
Information Manager (SIM)
Be granted final approval of the security clearance level, in writing, by the CISO who
verifies that all requirements have been met.

The individuals name must be entered on the appropriate department, or Port Authority
Authorized Personnel Clearance List for access to Confidential and/or Confidential Privileged
Information. See Sec. 3.9 for more information regarding this List (Note: If an individuals name
does not appear on the appropriate Authorized Personnel Clearance List, access must be
denied).

Individuals who meet and complete the criteria listed above are neither guaranteed, nor
automatically granted, access to Protected Information, since access is conditioned on need to
know criteria. The OIG may access, without approval of the CISO, DISO, SPM or SIM, all
Protected Information when it is needed in connection with an OIG investigation, audit or
inspection work, or any other Port Authority related work, subject to the handling requirements
set forth in this Handbook.

3.3 Information Access Controls
Access to all Protected Information falling within any of the Port Authority Information categories
shall be undertaken in a manner that complies with and maintains all applicable state, federal
and common law protections. Access to particular Information must be conditioned upon a strict
need to know basis with regard to the particular, discrete Information, regardless of any federal
security clearance, or other Port Authority or other organizational information access
authorization. An individuals need to know is not established simply by reason of the individual
possessing a recognized federal security clearance, including one that allows for access to a
higher level of classified information than is otherwise required for the discrete Port Authority
Information to which access is sought. All requests for access to SSI by anyone who does not
possess the requisite need to know under SSI regulations must be reported to the
Transportation Security Administration (TSA) or, if applicable, the United States Coast Guard
(USCG) and, in certain instances, the Department of Transportation (DOT).

(a) Protected Information

Access to Protected Information shall be on a need to know basis only, as determined by the
DISO. In certain limited instances access, privileges may be conditioned on the satisfactory
completion of a background investigation(s). The background investigation, if warranted, should
utilize the least stringent criminal history access disqualification criteria that is appropriate for
granting access to the particular information for both Port Authority and non-Port Authority
employees. Where a background investigation is a condition to granting access, a DISO may
determine that periodic updates of such investigations are required as a condition to maintaining
continued access privileges. Access by third parties to certain Protected Information, such as
Confidential Privileged, and/or Confidential Information, requires that the parties execute a NDA
or an Acknowledgment of an existing NDA if the CISO or OIG determines that a NDA and/or
Acknowledgment is required.

10

(i) Confidential Information

Access to Confidential Information shall be on a need to know basis only, as determined by the
DISO. In certain instances, access privileges may be conditioned on the satisfactory completion
of a background investigation(s). The background investigation should utilize the least stringent
criminal history access disqualification criteria that is appropriate for granting access to the
particular information for both Port Authority and non-Port Authority employees. Where a
background investigation is a condition to granting access, a DISO may determine that periodic
updates of such investigations are required as a condition to maintaining continued access
privileges. Access by third parties to Confidential Information may require that the parties
execute a NDA or an Acknowledgment of an existing NDA if the CISO or OIG determines that a
NDA and/or Acknowledgment is required.

(ii) Confidential Privileged Information

Individuals requiring access to Confidential Privileged Information must have a need to know
consistent with the creation and preservation of the privilege attaching to the particular
Information. An individual will be given access privileges to the Confidential Privileged
information only to the extent that it is necessary and/or is required by the individual in order to
fulfill and/or carry out his/her duties, obligations and responsibilities to the Port Authority.
Access to Confidential Privileged information is subject to the satisfactory completion of a
background investigation for non-Port Authority individuals and to continuing periodic checks. A
list of disqualifying crimes for the different levels of background screening is attached as
Appendix D. A more stringent background investigation may be required of the individual for
access to certain Confidential Privileged Information if determined by the DISO. All access to
such Information must be granted and received in a manner that does not compromise or
abrogate the particular privilege attaching to the Information.
Confidential Privileged Information may not be disclosed to any individual without appropriate
prior approvals. Approval for disclosure of Confidential Privileged Information to third parties
must be obtained from the DISO. A Port Authority employee or other individual may not waive
any privilege attaching to Port Authority Information without the Port Authoritys express
permission as granted by the CISO, unless the Information to which the Port Authority asserts a
privilege is personal to a particular employee or individual and the privilege is directly derived by
reason of that circumstance. Access by third parties to Confidential Privileged Information will
be conditioned on the parties execution of a NDA or an Acknowledgment of an existing
executed NDA, as may be appropriate and determined by the CISO. In the case of certain
represented employees/individuals, and in some cases NDIs may be utilized in lieu of NDAs
upon the approval of the CISO.









11

3.4 Access Disqualification

Any employee, consultant, third-party contractor, or other individual and/or entity, who has been
granted access to Protected Information, may be temporarily denied access while an
investigation is conducted regarding any report to the CISO, OIG and the DISO that such
individual misused, mishandled, or lost Protected Information, or disclosed, disseminated, or
released Protected Information to an unauthorized individual or entity. Further, access to
Protected Information can be denied when improper or incomplete verification checks of
employees, entities, or individuals are discovered. In addition, if an individuals SWAC has
expired, or access level has changed that individual may no longer have access to Protected
Information.

Where it is determined that an individual has misused, mishandled or otherwise improperly
disclosed, released or disseminated Protected Information without authorization, that individual
may be subject to disqualification of access privileges and may also be subject to sanctions,
including formal disciplinary actions where the individual is a PA employee, with possible
penalties up to and including termination of employment. The foregoing action shall be
documented and provided to the individuals employer, SPM, DISO, or departmental manager,
OIG, and the CISO, as may be appropriate. In the case of third parties, remedial action may
include, but is not limited to, imposition of a monitor to oversee compliance with information
security and general security requirements, or possible disqualification, and/or termination of
present and/or future business relationships. Individuals and entities may also be subject to
criminal or civil legal action, as may be appropriate. Additionally, see Chapter 6 regarding the
possible consequences of violations of this Policy.

3.5 Non-Disclosure and Confidentiality Agreements (NDAs)
Employees, consultants, third-party contractors, tenants, or other individual or entities, including
governmental agencies where appropriate, will be required to sign NDAs or an Acknowledgment
of an existing NDA, or be subject to an NDI, as a condition of being granted access to
Confidential Privileged Information and, where appropriate, Confidential Information.
Employees, consultants, third-party contractors, or other agency personnel who refuse to sign a
NDA, in situations where it is required, will be denied access to Confidential and/or Confidential
Privileged Information, except in the case of certain Port Authority employees and third parties
where a NDI may be utilized in instructing and advising the Port Authority employee and/or third
party of the obligations and the requirements for handling Confidential Information. In certain
circumstances, a Memorandum of Understanding or Memorandum of Agreement containing
approved non-disclosure and confidentiality requirements may be utilized, in which cases
approvals are required from the CISO and the General Counsel, or their respective designees.
The DISO is responsible for determining whether a NDA/NDI is required as a condition to being
granted access privileges to certain Protected Information, other than Confidential Privileged
Information. If an individual refuses to execute an individual Acknowledgment, PA Employee
NDA or to receive the NDI, if it is deem required by the DISO, CISO or OIG, access to the
certain Protected Information must be denied. The SIM is also responsible for keeping proper
documentation for employees and individuals subject to NDIs, including the date when the
individual was given the NDI and by whom. A copy of all executed agreements and
acknowledgements are to be provided to the PA DISO and Third Party SIM. Original executed
NDAs shall be forwarded to the CISO, by the DISO, for filing in the official Port Authority records
repository, with a copy to Law Department DISO.

12

3.6 Unauthorized Disclosure of Information

If employees, consultants, third-party contractors, or other individuals and/or entities with
authorized access to Protected Information become aware that Protected Information has been
released to unauthorized persons, lost, stolen or compromised, they are required to immediately
notify the DISO, CISO, the Office of Inspector General, and any other appropriate information
security officer and report the discovery. In the case of SSI, the CISO must inform the TSA,
DOT, or USCG and, in the case of CII, the Department of Homeland Security (DHS), of the
breach of security. DOT, DHS, TSA and USCG rules govern the reporting of any unauthorized
disclosure of SSI or CII.

3.7 Security Clearance and Access Prohibitions

Access to Protected Information is not a right, privilege, or benefit of contracting with or
employment by the Port Authority, rather it is based on pre-established guidance. Protected
Information should not be divulged, released, turned over, or provided to any individual in any
organization who does not meet the established criteria or conditions set forth herein, or who
has not been approved for a security clearance issued by the Port Authority DISO, CISO or
OIG. The following security clearance and access guidelines and/or prohibitions are in effect to
protect Protected Information:

Protected Information shall only be used in the performance of required job responsibilities,
or in order to complete assigned tasks as determined by the SIM and DISO, with the
concurrence of the CISO or OIG. No other disclosure or use of Protected Information is
authorized.
Individual access to Protected Information will be rescinded when an employee, consultant,
third-party contractor, individual or entity, who had been granted access to Protected
Information, is no longer employed by the Port Authority, or is no longer under contract with,
or no longer has a relationship with the Port Authority, or is no longer in a position that
requires access to Protected Information in order for the individual or entity to perform duties
or complete tasks/projects.
Employees may not unilaterally sponsor themselves for background verification or enter
their name on an Authorized Personnel Clearance List.
Group access of organizations to Protected Information should be prohibited. Each
individual in a group must have security clearance to access Protected Information.
Persons who rarely, if ever, require access to Protected Information, (i.e., maintenance,
food service, cleaning personnel, vendors and other commercial sales, or service
personnel, who perform non-sensitive duties), should not be approved for a security
clearance.

3.8 Background Screening

In order to determine if any individual poses a potential security threat to the Port Authority or its
Facilities, the Port Authority requires background screening to verify the personal identity of, and
determine the criminal history of, all contactors and consultants working in secure areas at Port
Authority facilities or handling security related Protected Information. As such, employees of
third party contractors/consultants requiring access to certain Protected Information relating to
security on a specific project must obtain clearance through a background check prior to being
provided access to information unless otherwise waived in writing by the CISO or OIG. This
13
includes all individuals working on the project, including administrative and back-up staff that
have access to and/or are handling Confidential or Confidential Privileged Information.
All background checks for third parties required under the Policy should normally be conducted through
the Secure Worker Access Consortium" (SWAC), which is presently the only Port Authority approved
service provider of a background screening checks, except as otherwise required by federal law and or
regulation. The Office of Emergency Management administers this provider. S.W.A.C. is accessed by an
online application (http://www.secureworker.com) that enables the secure collection, processing,
maintenance and real-time positive identity verification (PIV) of individuals. The S.W.A.C. background
check is not a replacement for any federal agency (DHS, TSA, etc.) required background screening.
S.W.A.C. membership is valid for three years, at the end of which the member must renew the
online application. In addition, certain employees, such as those in the Public Safety Department, will
have their criminal history background checked through the electronic databases maintained by federal
and/or state law enforcement agencies when required as a condition of employment, or when required
by federal or state laws, rules, and/or regulations, or, in certain cases, where it is legally permitted and is
deemed appropriate by the CSO or OIG.
The DISO/SIM has authority to obtain the background check information from S.W.A.C. Additional
information about S.W.A.C., corporate enrollment and online applications can be found at
http://www.secureworker.com, or it may be contacted at (877) 522-7922. The S.W.A.C. application
process is described in Appendix "E."
In some cases TSAs Transportation Workers Identifications Credentials (TWIC) or Security
Identification Display Area (SIDA) background screening and credential may be used in lieu of the
SWAC process with approval by the DISO.

3.9 Authorized Personnel Clearance List

The DISO and SIM are responsible for compiling, maintaining, and updating their respective list
databases on an ongoing basis and forwarding the information to the CISO for compilation into
a master listing. Each DISO shall periodically review its departments/business units list with its
SIM to ensure that the list is current and that each individuals access to Protected Information
is still required. The CISO will maintain a master list database containing the names of all
employees, consultants, third-party contractors, and other individuals and/or entities that have
been granted a Port Authority security clearance and the specific category for which the security
clearance was received, including, but limited to, for a particular project, or for specific Protected
Information.

3.10 Development of a Confidential Information Practices and Procedures (CIPP)

Departments, offices and/or business units may adopt an individualized, discrete CIPP tailored
to their respective particular business practices for handling Protected Information. The CIPP is
meant to augment the Handbook and must be consistent with it. Each CIPP must be approved
by the CISO before being implemented.




14
3.11 Procurement Strategies
(a) General

As a public agency, the Port Authority has an established procurement process based on
openness, integrity, and fairness to the vendor community. The security of Protected
Information must be incorporated at the beginning of the procurement process in order to
establish a security benchmark that may be applied throughout the procurement process, as
well as during the term of the award/contract.

(b) Lifecycle Phases and Procurements

A project may contain Protected Information in one or more of its lifecycle phases (pre-award,
award, design, construction, close-out, or maintenance/service operation contracts, etc.).

Procurement and lifecycle information should be thoroughly reviewed by the originator before
being submitted to the Procurement Department for processing. If Protected Information is
discovered thereafter by Procurement, or any reviewing department, the originators department
manager or designee should be contacted immediately to retrieve the Protected Information and
process it in accordance with the Policy and this Handbook.

(c) Risk Exposure and Business Risk Strategy

Procurement shall develop and retain, by project, a current listing of pre-screened persons or
pre-qualified firms to bid on sensitive projects who agree to abide by the Policy requirements.
Requirements must be included in procurement documents in order to help reduce potential
disclosure of Protected Information and to provide bidders with certain security requirements in
advance. They must also be included in contract awards to ensure information protection
practices, procedures, and protocols are included in each projects lifecycle phase. The typical
requirements are:

(i) Non-Disclosure and Confidentiality Agreements (NDA). Require prospective
consultants, prime vendors, general contractors, or commercial enterprises to enter into
a NDA with the Port Authority before obtaining a copy of a RFP. NDAs should be project
and procurement specific and should be completed in a timely manner for specific types
of procurements or projects. A broad or generic NDA should not normally be utilized to
cover all procurements and projects under contract to a particular consultant, prime
vendor, general contractor or commercial enterprise over a long period of time, however,
it may be appropriate in certain situations to utilize such a NDA, if approved by the DISO
with the concurrence of the CISO. Consultants, Prime Vendors, General Contractors, or
Commercial Enterprises should contact the Port Authority to request authority prior to
releasing RFP Protected Information to a sub-contractor. The sub-contractor may have
to execute an Acknowledgement that it will comply with the terms of any NDA that the
successful bidder has executed.

(ii) Background Screening. Require potential users seeking access to certain
Protected Information to undergo background pre-screening. The pre-screening may
parallel the screening requirement used by the Port Authority to grant access to
Protected Information under Section 3.3. S.W.A.C.s background screening is usually
finalized within five to ten business days.

15
(iii) Designation of a Security Information Manager (SIM). Require companies
involved in Protected Information procurements or projects to designate a SIM to ensure
information security and Protected Information requirements are followed. A second
employee may be designated as an alternate SIM. All SIMs will be required to get
SWACd.

(iv) Information Security Education and Awareness Training. Require consultants,
vendors, contractors and commercial enterprises to attend training to ensure security
awareness regarding Port Authority information.

(v) Physical Security. Outline the specific guidelines and requirements for the handling
of Protected Information to ensure that the storage and protection of Protected
Information is consistent with the requirements of Chapter 4 of this Handbook.

(vi) Transfer or Shipping Sensitive Information. Prohibit or place restrictions on the
transfer, shipping, and mailing of Protected Information consistent with the handling
procedures set forth in Chapter 4 of this Handbook.

(vii) Website Restrictions. Prohibit posting, modifying, copying, reproducing,
republishing, uploading, downloading, transmitting, or distributing Protected Information
on unauthorized websites or web pages. This may also include restricting persons, who
either have not passed a pre-screening background check, or who have not been
granted access to Confidential Information, from viewing such information.

(viii) Destruction of Documents. Require Protected Information to be destroyed using
certain methods, measures or technology consistent with the requirements set forth in
Chapter 4 of this Handbook.

(ix) Use of Similar Agreements Between Prime Vendor and
Subcontractors/Subconsultants. Require the prime vendor, general contractor, or
consultant to mandate that each of its subcontractors/sub consultants maintain the same
levels of security required of the prime vendor, general contractor, or consultant under
any Port Authority awarded contract.

(x) Publication Exchanges. Prohibit the publication, exchange or dissemination of
Protected Information developed from the project or contained in reports, except
between authorized vendors, subcontractors and subconsultants, without prior approval
of the Port Authority. Requests for approval should be routed to and reviewed by the
CISO in conjunction with the Law Department and, where appropriate, Public Affairs.

(xi) Information Technology. Matters involving information technology policy, or use of
particular hardware or software, should require the application of specific protocols
and/or software tools to support Port Authority projects. Coordination of information
technology and consultation with the Director of Technology Services Department and
the CISO may be required for the success of particular projects.

(xii) Audit. Include provisions to allow the Port Authority to conduct audits for
compliance with Protected Information procedures, protocols and practices, which may
include, but not be limited to, verification of background check status, confirmation of
completion of specified training, and/or a site visit to view material storage locations and
protocols.
16

(xiii) Notification of Security Requirements. Advise all consultants, third-party
contractors, and other individuals and/or entities, as may be appropriate, that Port
Authority security procedure requirements may be imposed throughout the duration of
the project.

(xiv) Reproduction/Copies. Reproductions of Protected Information shall be consistent
with the requirements of Chapter 4 of this Handbook.



17

CHAPTER 4 MARKING, HANDLING, STORAGE, TRANSMITTAL AND DESTRUCTION
REQUIREMENTS

4.1 Marking of Certain Protected Information
(a) Confidential Privileged and Confidential Information

All documents, drawings, and all other Information that contain Confidential Privileged, or
Confidential Information must be marked with the appropriate respective protective marking:
CONFIDENTIAL PRIVILEGED (alternatively CONFIDENTIAL AND PRIVILEGED) or
CONFIDENTIAL (alternatively, where appropriate, Confidential Proprietary Information). The
markings must be conspicuous and in bolded Arial with a 16 point font size or equally visible
typeface.

The front page (or front and back cover, if appropriate) shall be marked at the top and bottom of
the page. In addition, all interior pages within the document must also be marked at the top and
the bottom of the page. Sets of documents large enough to be folded or rolled must be marked
or stamped so that the marking is visible on the outside of the set when it is rolled or folded.
The marking must be visible from the exterior container of the material, e.g., the spine of a
binder, or compact disc container or cover.

All Confidential Privileged Information must bear the following warning sign on its front cover,
back cover, and title sheet or first page. For compact discs, DVDs or other smaller materials,
the warning sign may be printed on an adhesive label and affixed to the material. It should be in
visible typeface and state:
"WARNING: The attached is the property of The Port Authority of New York and
New Jersey (PANYNJ). It contains information requiring protection against
unauthorized disclosure. The information contained in the attached document
cannot be released to the public or other personnel who do not have a valid need
to know without prior written approval of an authorized PANYNJ official. The
attached document must be controlled, stored, handled, transmitted, distributed
and disposed of according to PANYNJ Information Security Policy. Further
reproduction and/or distribution outside of the PANYNJ are prohibited without the
express written approval of the PANYNJ.

At a minimum, the attached will be disseminated only on a need to know basis
and, when unattended, will be stored in a locked cabinet or area offering
sufficient protection against theft, compromise, inadvertent access and
unauthorized disclosure.

(b) Sensitive Security Information Requirements

Pursuant to the federal regulations governing SSI, Port Authority Protected Information that has
been designated SSI by the Federal government must be conspicuously marked with its
respective protective marking SENSITIVE SECURITY INFORMATION on the top and the
distribution limitation statement on the bottom of each page of the document including, if
applicable, the front and back covers, the title page, and on any binder cover or folder. The
18
protective marking must be in bolded Arial 16-point font size and the distribution limitation
statement must be in an 8-point font size. All copies of SSI documents must also bear the
required markings.

The distribution limitation statement is:
WARNING: This record contains Sensitive Security Information that is controlled
under 49 CFR parts 15 and 1520. No part of this record may be disclosed to
persons without a need to know, as defined in 49 CFR parts 15 and 1520,
except with the written permission of the Administrator of the TSA or the
Secretary of Transportation. Unauthorized release may result in civil penalty or
other action. For U.S. government agencies, public disclosure is governed by 5
U.S.C. 552 and 49 CFR parts 15 and 1520.

(c) Critical Infrastructure Information
Pursuant to the federal regulations governing CII, Port Authority Protected Information that has been
marked PCII by the Department of Homeland Security PCII Program Manager or the managers
designee will be marked as follows:
This document contains PCII. In accordance with the provisions of 6 CFR Part
29, this document is exempt from release under the Freedom of Information Act
(5 U.S.C. 552 (b)(3)) and similar laws requiring public disclosure. Unauthorized
release may result in criminal and administrative penalties. This document is to
be safeguarded and disseminated in accordance with the CII Act and the PCII
Program requirements.

(d) Document Control Number for Confidential Privileged Information
Documents that have been identified as Confidential Privileged Information will be given a
control number, which shall consist of the category of information followed by an acronym for
the transmitting department, followed by the last 2 digits of the year, followed by a number that
is sequential and, finally, followed by the copy number.
Examples:
CP LAW 13 1 1
CP PMD 07 10 2
The front page (or front and back cover, if appropriate) and all pages of Confidential Privileged
Information shall be marked with the control number. The control number must also be visible
from the exterior container of the material, e.g., the spine of a binder, or compact disc container
or cover. If deemed necessary by the DISO or CISO, certain Confidential Information or other
Protected Information may be given a control number.
19
4.2 Handling Protected Information

Handling refers to the physical possession of, and includes working on or with, Protected
Information to perform job duties or complete tasks or projects. This includes, but is not limited
to, reading, copying, editing, creating, or correcting the material. Protected Information in any
form, including physical or electronic, must be under constant surveillance by an authorized
individual to prevent it from being viewed by, or being obtained by, unauthorized persons.
Protected Information is considered to be in use when it is not stored in an approved security
container.
The following is a chart of the minimum-security requirements for handling Protected
Information, and certain requirements that apply only to Confidential Privileged and Confidential
Information:

Minimum Security Requirements for Handling Confidential
Privileged
Information
Confidential
Information
Must never be left unattended outside of storage location. X
Must be under the direct and constant supervision of an
authorized person who is responsible for protecting the
information from unauthorized disclosure.

X



Must be turned face down or covered when an unauthorized
person is in the vicinity. Be cognizant of others in area that
can view your computer screen.

X


X
When leaving a computer unattended ensure that the screen
is locked.
X
Attach an information cover sheet when removing materials
from their place of storage.
X
Use all means to prevent unauthorized public disclosure of
information.


X

X

4.3 Transmittal of Protected Information
Transmission refers to the sharing among individuals and/or entities, and/or the transfer or
movement of Protected Information from one location to another using either physical or
electronic means. The following chart sets forth the methods by which Protected Information
should be transmitted. In all instances, Protected Information must at all times be safeguarded
and transmitted in a manner and method designed to insure that it is not disclosed, or otherwise
compromised, and it should be appropriately marked with the proper identifying marking.
20
In general, all Confidential Privileged Information must be signed in and out, and, in certain
situations as determined by the DISO or SIM, Confidential Information may be signed in and out
as well. A cover sheet must be attached to the Confidential Privileged or, in certain situations
as determined by the SIM, to Confidential Information and it should be marked appropriately.
With respect to Confidential Privileged Information, the coversheet attached as Appendix F is
to be utilized to draw emphasis to the fact that a document contains Confidential Privileged
Information and to limit visual exposure to unauthorized individuals in near proximity.
Confidential Privileged Information and, where appropriate, Confidential Information, must be
wrapped and sealed. The exterior of the wrapping should not indicate that it is sensitive
material, or its category, or level.

Confidential Privileged Information may be transported using public modes of transportation,
and a courier service may also be utilized; provided, however, that the sign in and sign out
procedures will apply, as well as wrapping and sealing procedures. All packages must be
sealed in a manner that easily identifies whether the package has been opened prior to delivery
to the intended recipient. The use of a double wrapped/enveloped package or a tamper
resistant envelope must be used to fulfill this requirement. Protective markings are not to be
placed on the outer visible envelope. If using a double wrapped package or two envelopes, the
inner wrapping or envelope should be marked in accordance with appropriate category
designation. The package must be addressed to an individual who is authorized to receive it or,
preferably, to the SIM. All packages must contain a specific individuals name on the shipping
label. Where appropriate any of the foregoing requirements may also be required in handling
Protected Information and can be provided for generally in the departments CIPP, or as
required by the DISO and/or SIM with respect to handling such information in specific instances.

Minimum Security Requirements for Transmission Confidential
Privileged
Information
Confidential
Information
Verbally at a meeting, conference or briefing where all attendees
have the appropriate security clearance

X

X
Electronic Systems: restrict to Livelink
2
or a similar approved
secure repository
X
Electronic Mail: restricted from using e-mail accounts to transmit.
NOTE: Confidential Information may be transmitted using
encryption with express permission by the DISO/SIM, in writing

X


Hand Carried or delivered in the personal custody of Authorized
Individual: (a) request return receipt (b) place in sealed
envelope, and (c) name of recipient, department, address and
phone number must be written on face of envelope

X

X (b and c
only)
Approved Commercial Delivery Service (e.g., DHL, FedEx,
UPS): (a) request return receipt, (b) verify recipient name and
mailing address, (c) place in a sealed envelope, and (d) the


2
Livelink is a secure collaborative repository for the documents of a project.
21
exterior of a mailing document shall not indicate the security
category of the material contained therein

X

X
Use of USPS Certified Mail: (a) request return receipt,
(b) verify recipient name and mailing address, and
(c) the exterior of a mailing document shall not indicate the
security category of the material contained therein

X

X
Intra-agency Mail System (a) request return receipt (b) place in
sealed envelope, (c) name of recipient, department, address and
phone number must be written on face of envelope, and (d) the
exterior of a mailing document shall not indicate the security
category of the material contained therein


X


X (b, c, d
only)
Telephone: restricted from using a non-land line telephone to
transmit, unless expressly permitted by SIM in writing. If
approved: (a) use all means to prevent unauthorized public
disclosure, and (b) may not use mobile or internet devices.

X


Fax Machine: restricted from using fax machine to transmit
unless expressly permitted by the SIM in writing. If approved:
(a) prior coordination with recipient required,
(b) verify recipient fax number, (c) receipt of successful
transmission, and (d) follow-up contact required

X

X (a,b,c only)

Steps for transmittal of a hard copy of all Confidential Privileged Information and, when
required, for Confidential Information:

Step 1. Make certain that documents are properly marked: CONFIDENTIAL PRIVILEGED, or
CONFIDENTIAL, according to its designated category.
Step 2. Prepare Transmittal Receipt (Appendix F).
Step 3. Place document in envelope with the Transmittal Receipt, seal envelope, mark the
inner envelope CONFIDENTIAL PRIVILEGED or CONFIDENTIAL, place envelope in
second envelope (outer), this envelope shall not contain any protective markings.
Step 4. Address envelope to an individual who is authorized to receive it.
Step 5. Mail document.
Step 6. The Transmittal Receipt shall be returned to the party who initially sent the item.

When hard copies of 8 1/2 X 11 multi-page documents include threat scenarios, asset
criticality information, identification of security vulnerability details, risk assessments, design
basis threats and concepts of operations are distributed, this information is to be bound using
secure binding to prevent individual sheets from being removed from a set.
22
4.4 Storage of Protected Information
Steps should be taken to prevent unauthorized access to Protected Information. Certain
Protected Information should be kept in a locked storage room or a locked security container,
such as a drawer, cabinet or safe-type file that has a locking mechanism, and must be
vandalism resistant. The DISO will periodically review the departmental storage vehicles and
mechanisms and determine their appropriateness for the information being stored. Protected
Information should be gathered and stored in a minimum number of office locations.
Confidential Privileged Information must never be left unattended outside its storage location for
long durations. A storage space or security container/receptacle may not be left open and
unattended at any time. At no time should Confidential Privileged or Confidential Information be
stored, except for short periods during work, in unauthorized desk drawers, file cabinets, or
other unsecured locations. The CISO may require that certain information be kept in a safe in a
designated central location(s).
Combinations or locks for each security container must be changed or replaced when a person
having knowledge of the combination or possession of a lock key no longer requires it, leaves
the project or there is reason to suspect that the combination has been tampered with, or that
an unauthorized person may have acquired knowledge of the combination, or that a lock key is
in the possession of an unauthorized person. Keys and combinations of locks utilized to secure
certain Protected Information must be safeguarded at the same level of protection as paper
documents. The Guidelines for the Storage of Confidential Privileged, Confidential and Law
Enforcement Confidential Information attached as Appendix H provides further detailed
information and instructions.

Confidential Privileged Information and, where appropriate Confidential Information, may not be
stored at any individuals home overnight for a meeting the following day without prior written
authorization of the SIM or DISO.
Downloading of any Confidential Privileged Information and Confidential Information carries with
it the responsibility to protect that information in accordance with the procedures identified in this
Handbook. The possessor of the electronic file assumes full responsibility for the proper
handling, storage, transmittal and disposal of this Confidential Privileged and Confidential
Information.
4.5 Document Accountability Log
All entities, Port Authority Departments and third-parties having Protected Information in their
possession will have a system in place that will account for the material in such a manner that
retrieval is easily accomplished for inspection. The accountability log with respect to
Confidential Privileged and Confidential Information shall be maintained by the DISO, or the
SPM, or SIM, where applicable, and include:
The date that a document was received or created
The identity of the sender or creator
A brief description of the document
The Control Number, if Confidential Privileged Information
Number of copies
23
Transmission history (sent to whom, when)
If applicable at the time of the inspection, a Port Authority Document
Destruction Certification, stating that the document has been destroyed
(including, when, by whom and the method), or a Certification that the
document has been returned to the Port Authority.
4.6 Reproduction
Protected Information should only be reproduced to the minimum extent necessary to carry
out an individual or entitys responsibilities. However, the reproduced material must be
marked and protected in the same manner and to the same extent as the original material.
Authorized individuals must perform all reproduction work. Print and reproduction locations
are limited to Port Authority sites, or, when appropriate, to authorized consultant and/or third-
party contractor work site equipment. The CISO may require that the work site should limit
reproduction of Protected Information to a particular copying machine with technological
capabilities limited to copying (not scanning or storing etc.). Service providers, authorized by
the responsible SIM or DISO where appropriate, may be used for this task if the information
remains safeguarded throughout the process. Each reproduction of Protected Information
shall contain all security markings, instructions, etc., as set forth in Section 4.1. All scraps,
over-runs, and waste products resulting from reproduction shall be collected and processed
for proper disposal.
4.7 Destruction of Protected Information
All Protected Information that is no longer needed shall be disposed of as soon as possible,
consistent with the Port Authoritys Record Retention Policy, by any method that prevents its
unauthorized retrieval or reconstruction. Authorized service providers may be used for this
task provided that the information remains safeguarded until the destruction is completed.
Paper products must be destroyed using a cross cut shredder located in the office. As
previously noted in Section 4.5, a Port Authority Document Destruction Certificate must be
provided to the DISO or SIM for any document being destroyed, including original or copies
thereof. In addition to the requirements in this Handbook, all Departments shall continue to
comply with the Port Authority Records Program (A.P. 15-2.02). Where Protected Information
is no longer needed, but the Port Authority Records Program requires retention of the original,
the original Protected document shall be retained by the Departmental Records Coordinator
and all copies are to be destroyed in accordance with this section. The Guidelines for the
Disposal and Destruction of Confidential Privileged Information attached as Appendix I
provides further detailed information and instruction.
Since deleted electronic files can be recoverable by utilizing software tools, certain Protected
Information stored in electronic form needs to be erased and destroyed with methods that
comply with the US Department of Defense standards for file secure erasure (DoD 5220.22).
Therefore, CyberScrub or a similar software shall be used to prevent discovery by a computer
technician or other unauthorized person. With respect to Port Authority staff, individual staff
shall contact the Technology Services Department (TSD) to make a request that Protected
Information be permanently removed from a computer. This request shall be made by providing
relevant information on a TSD Service Request (TSR), found on eNet on the TSDpage.


24

4.8 Information Technology Systems Handling of Electronic Information/Data
All transmission, storage and destruction of all electronic information and data must be in
compliance with the Technology Services Departments (TSD) Cyber Security Guidelines for
the Port Authority of New York and New Jersey
Information Technology (IT) Systems that are used to electronically capture, create, store,
process or distribute Protected Information must be appropriately managed to protect against
unauthorized disclosure of the contents. The main objectives of these electronic handling
guidelines are to:
Provide access exclusively to the authorized individuals.
Compartmentalize Protected Information as required by a Departments CIPP.
Complete removal of Protected Information from the system when it is no longer needed.

This section is intended to describe the processes used to control secure electronic data, and is
to be implemented for the control, processing, handling, storage, and destruction of all
Protected electronic data as generated, received, or distributed by Authority staff, consultants,
contractors or third parties.

4.9 Transmission/Exchange of Electronic Information
The Authority uses Livelink (moving toward PACS) as its project and program website solution
to collaborate with team members (i.e., authorized individuals) both inside and outside the
Agencys firewall. Additionally, the Authority also uses secure internet websites with secure
transmission to collaborate with team members outside the Agency. The use of a web-based
collaboration tool has numerous benefits that result s in time and cost savings, accountability,
security, and disaster recovery. For example, within the Authority, the Downtown Restoration
Program (DRP), the Security Capital Program, Office of Emergency Management, and the
Goethals Bridge Program, utilize Livelink website collaboration.
Access to these password-protected websites is controlled by permissions that apply to each
individual user account. In this manner, users are allowed to access folders and files only when
approved by the SIM, Project Manager or Program Manager directly responsible for the
information.
With these measures in place, the Authority has deemed that all electronic exchange of
Protected Information must be accomplished using a secure project website solution with
centrally managed access control on a per individual basis and with encrypted transfer.
Although the entire Port Authority Website is secure, in order to provide better organization and
auditing of files that contain Confidential Privileged or Confidential Information, special secure
folders must be created and maintained specifically to house this information. Information that
has been designated as Confidential Privileged Information may only reside in these secure
folders in order to further compartmentalize it from other types of information.
Additional secure Protected Information folders will allow other files such as reports,
presentations, etc., to be stored.
25
In addition to the Livelink website, certain electronic Protected Information may also be shared
via secure Local Area Networks (LAN). Protected Information should be removed from the LAN
as soon as the recipient has acknowledged receipt of the information. As with the website,
these LANs are password protected, and access to them is only for those individuals who have
signed the NDA and are provided with permission by the SIM or DISO, if required.
E-mailing of Confidential Privileged Information is not permitted, E-mailing of any other
Protected Information must be encrypted as per TSD standards.
4.10 Electronic Storage
Technology advances allow increasingly larger amounts of information to be stored on
increasingly smaller devices. This creates a greater risk of information security breaches due to
the size and portability of these devices, which can be lost or misplaced more easily when taken
outside of the office. If a situation arises whereby electronic files must be exchanged by
electronic media such as flash drives, CD or DVD, all provisions within this manual for handling
physical documents must be satisfied.
Possession of Protected Information in any format (hardcopy, electronic, photo, video, etc.)
carries with it the responsibility to protect that information in accordance with the requirements
of the Handbook. Authorized individuals in possession of electronic files containing Protected
Information assume full responsibility for the proper handling, storage, transmittal, and
destruction of this type of information in the same or comparable manner as hard copy
requirements.
Users who possess electronic files containing Protected Information shall adhere to the
following guidelines to maintain the proper protection of this material:
Desktops/Laptops/CAD Machine Users
Individuals granted access to The Port Authority Network or information systems shall
secure computers from unauthorized access.
When leaving a computer unattended, users shall apply the Lock Workstation
feature (ctrl/alt/delete, enter).
Unattended computers shall be secured from viewing by password protected
screen savers.
Computers shall activate the automatic screensaver feature after a period of non-
use. The period of non-use is fifteen (15) minutes, or a shorter time period if
required by a DISO.
Desktop computer users shall only store Confidential Privileged and Confidential
Information on a secure password protected network drive (directory on The Port
Authority Network) and not the computers local hard drive.
Laptop computer users shall store Confidential Information locally, when
necessary, with encryption software. Users shall contact their respective DISO
to request or confirm that Port Authority standard encryption technology is
installed on their assigned laptop computer.
Computer users shall not disable or alter security safeguards, such as virus
detection or encryption software, installed on Port Authority computers.


26
Portable Media
Confidential Privileged Information shall be encrypted on portable devices,
including handheld devices, if they are carried outside secure worksites.
All Protected Information stored on portable devices shall be password protected
at the document level.
Mobile laptop computers, computer media and any other forms of removable
storage (e.g., diskettes, CD ROMs, flash drives) shall be stored in a secure
location or locked cabinet when not in use.

4.11 User Access Deactivations
In addition to accessing the IT Systems, Port Authority, through the appropriate Systems
Administrator, may deactivate a User's IT privileges, whether or not the user is suspected of any
violation of this Policy, when necessary to preserve the integrity of facilities, user services, or
data.


27
CHAPTER 5 AUDITING AND MONITORING

5.1 Purpose
The ISSC, Audit and/or OIG may conduct random or scheduled examinations of business
practices under the Policy in order to assess the extent of compliance with the Policy. The
Policys self-assessment and audit processes enable management to evaluate the Policys
uniformity throughout the Port Authority and of third parties practices, in order to identify its
strengths and potential exposures, and to help guide evolving policy objectives.

5.2 Audits and Investigations
Audits conducted by the ISSC, Audit, and/or OIG may be scheduled in advance. The chief,
department director, project manager, company liaison or contract representative of the
organization being assessed should receive prior notice of the date of the assessment and also
be advised as to what the assessment will consist of. A copy of the current version of the Audit
Procedures guidelines, attached as Appendix J, should be provided to the particular entity(ies)
in order to allow adequate time to undertake appropriate pre-review and preparation action.
The Audit Procedures guidelines should guide the ISSC and/or Audit through the assessment
process. This Guideline is not all-inclusive and may be amended, as necessary. Organizations,
departments, units, or third parties, preparing for an ISSC and/or Audit visit are encouraged to
contact the CISO prior to the scheduled visit date in order to inquire and obtain additional
information about the process.

The ISSC and/or Audit may also conduct information security assessments without prior notice
and/or unannounced investigations coordinated through the Office of the General Counsel and
the Office of Inspector General, as it may deem necessary and appropriate. Where appropriate,
the CISO should be advised of the existence of such an investigation and, if appropriate, its
nature.

The ISSC and/or Audit approach to conducting an assessment should consist of three phases
(i) personnel interviews, (ii) site assistance visits, and (iii) corrective action follow-up.

(i) Personnel Interviews

The interview(s) should focus on the department, business unit, organization or
third partys compliance with the Policy, how engaged the interviewee is with the
Policy, and the level of education and awareness the interviewee has about the
Policy. Employees, consultants, third-party contractors, and other individuals
and/or entities should be included as potential interviewees. Personnel
interviews should encompass a wide range of individuals who are regularly
engaged with the Policy, as well as those having less involvement in it. This
allows the ISSC to develop a balanced understanding regarding Policy
compliance and effectiveness, as well as its impact on the organization and
enable it both to identify concerns and issues regarding the Policy, and to solicit
recommendations for possible improvements to the Policy.



28
(ii) Site Assistance Visits

The ISSC and/or Audit site visit should focus on a hands-on review of the
following processes and procedures: document safeguards, handling protocols,
transmission practices, control number usage, document marking, receipt and
copying practices, and disposal of Protected Information procedures. The visit
should also include compliance reviews of the security clearance access criteria,
document accountability audits, conditions regarding information access,
background check processes, Authorized Personnel Clearance Lists updates,
Protected Information material sign out and sign in records, where appropriate,
and the information security education awareness training program.

(iii) Follow-up

Policy compliance deficiencies noted during the assessments should be provided
by the ISSC and/or Audit through the CISO to the department head, chief, project
manager, consultant, third-party contractor liaison/representative, other agency
staff, and the respective DISO or SIM for corrective action. The ISSC, through
the CISO, may also follow-up on investigation results to determine corrective
actions and Policy compliance. The ISSC may also recommend the imposition of
any penalties or disciplinary action that are described in Chapter 6.

With the assistance of the respective DISO or SIM, a plan with milestones should be developed
with the intention of correcting any identified deficiencies. A return site assistance visit may be
scheduled in order to re-assess earlier identified deficiencies. The respective DISO, SPM, or
SIM should forward a periodic corrective action progress report to the CISO as part of the
milestone monitoring.

5.3 Self-Assessment
Department heads, chiefs, managers, supervisors, DISOs or SIMs should conduct an annual
self-assessment of their units Policy compliance using the Audit Procedures Guidelines. The
results will not be forwarded to the CISO, Audit or ISSC, but should be used as a tool to gauge
compliance before regular assessments are conducted. The results should be available for
inspection and any serious findings should be forwarded to the CISO.
29
CHAPTER 6 POLICY VIOLATIONS AND CONSEQUENCES
6.1 Responsibilities
Anyone having knowledge of any infraction, violation or breach of the Policy is required to report
it to the CISO, OIG, their DISO, and third party SIM, who shall in turn report the same to their
supervisor/manager. The CISO shall have the final decision with respect to the violation
determinations and/or the recommended course of action to be taken, consistent with Port
Authority policy, practices and legal requirements referenced in this section.
All individuals who have been reported as having violated the Policy may be temporarily denied
access to Protected Information and/or have their security clearance suspended until an
investigation is completed.
6.2 Violations, Infractions, or Breach of Information Security Protocols
Due to any number of unintended circumstances or, other conditions beyond the control of an
individual, Protected Information could be subject to compromise or loss. For example, an
individual may unintentionally discard Protected Information, mislabel Protected Information,
sent through the internal mail routing system, or drop or inadvertently leave Protected
Information in a public place. Intentional disclosure of Protected Information to unauthorized
individuals for personal gain, or to otherwise make available for unauthorized public release,
may also occur. Violations, infractions and breaches of the Policy will be reviewed on a case-
by-case basis to determine the facts and circumstances surrounding each incident.

6.3 Violation Reporting, Investigation and Fact Finding
Individuals must report alleged or suspected violations, infractions or breaches of the Policy to
the DISO, CISO, OIG and to their supervisor or manager. The DISO, in consultation with the
CISO and OIG, will determine whether an investigation into the allegations or other appropriate
action is warranted. The CISO will consult with the OIG on these matters and the OIG will
determine whether to undertake its own separate investigation into the matter. Individuals
and/or entities must cooperate with all authorized investigations of any act, omission or
occurrence relating to Port Authority property, information, materials, and, in the case of Port
Authority employees, and if applicable, must comply with the Agency General Rules and
Regulations. (See General Rules and Regulations for all Port Authority Employees. Port
Authority of New York and New Jersey. April 1990.)
6.4 Disciplinary Action
The following is a list of Policy violations and the possible respective disciplinary actions that
may be taken against any individual and/or entity, having authorized access to Protected
Information, who violates their responsibilities in handling such information:

a) Non-deliberate violations involving negligence and/or carelessness, such as
leaving Protected Information unattended.
First Offense: Verbal reprimand and security briefing.
Second Offense: Written reprimand and/or a security briefing and
possible suspension or termination of access privileges, depending on the
circumstances.
30
Third Offense - Termination of access and possible imposition of civil
penalties. Where the offense involves a Port Authority employee,
disciplinary action may also be taken.
b) Non-deliberate violation involving negligence and/or carelessness such as
misplacing or losing a document.
First Offense - Written reprimand and/or a security briefing, and possible
suspension or termination of access privileges, depending on the
circumstances, and possible imposition of a civil penalty. Where the
offense involves a Port Authority employee, disciplinary action may also
be taken.
Second Offense - Dismissal or termination of access privileges, and,
depending on the circumstances, the imposition of a civil penalty, and
possible legal action against the violator. Where the offense involves a
Port Authority employee, disciplinary action may also be taken including
suspension with forfeiture of up to one years personal and vacation time
allocation.
c) For cases of deliberate disregard of security procedures or gross negligence in
handling Confidential Privileged and Confidential Information.
First Offense Suspension or termination of access privileges,
termination of an agreement or contract, written reprimand, imposition of
a civil penalty depending on the circumstances, and possible legal civil
and/or criminal action against the violator. Where the offense involves a
Port Authority employee, disciplinary action may be taken up to and
including termination of employment. Termination of access privileges
will be for a period of one year at minimum and may be permanent,
subject to review by the CISO.

The Port Authority may also impose investigation costs and/or a monitor to oversee future
compliance with its security policies and practices at the violators expense, when the violation
is by a consultant, vendor contractor or other third party. Nothing herein is construed to limit the
Port Authoritys right to exercise or take other legal rights and remedies including terminating
agreements with a third party violator and/or refusing to enter into future business relationships
with the violator and/or seeking such legal action, as it may deem appropriate, including
injunctive, civil actions for monetary damages and/or seeking criminal prosecution of the
violator(s).

In addition, any violation relating to SSI or CII will be reported to the TSA, the OIG, and/or, if
applicable, DOT, USCG or DHS. Penalties and other enforcement or corrective action may be
taken as set forth in relevant statutes, rules and regulations, including, without limitation, the
issuance of orders requiring retrieval of Sensitive Security Information and Critical Infrastructure
Information to remedy unauthorized disclosure and directions to cease future unauthorized
disclosure. Applicable Federal Regulations, including, without limitation, 49 C.F.R. 15.17 and
1520.17 and 6 CFR Part 29, provide that any such violation thereof or mishandling of
information therein defined may constitute grounds for a civil penalty and other enforcement or
corrective action being taken by the DOT, TSA and/or DHS.
31
CHAPTER 7 INFORMATION SECURITY EDUCATION AND AWARENESS TRAINING

7.1 Purpose
Information Security Education and Awareness training ensures that all personnel requiring
access to Protected Information, regardless of position or grade level, have an appropriate
understanding of the need to adhere to security procedures in order to secure Protected
Information. The goal of the training program is basically to provide that all such employees,
consultants, third-party contractors, other individuals, entities and/or, where appropriate, third
parties develop essential security habits and thereby ensure that all personnel accessing
Protected Information understand and carry out the proper handling protocols for those
materials.

7.2 Overview
The CISO is responsible for implementing the Information Security Education and Awareness
Training Program (the Training Program). The Training Program, with assistance from the
Office of Inspector General, DISO and SIM, should be provided to all employees, consultants,
third-party contractors, and other agency personnel requiring access to Protected Information.
These individuals, regardless of rank or position in a particular organization, must complete
initial indoctrination and refresher training. The CISO, with the concurrence of the Law
Department, may waive this requirement for certain individuals. A current list containing the
names of all persons who completed training will be developed and retained by the CISO. The
CISO shall ensure that all employees have complied with the requisite Training Program.

7.3 Training Program Elements
The Training Program consists of three interconnected elements: (a) indoctrination training, (b)
orientation training, and (c) refresher training, recommended every three years. Each element
provides employees, consultants, third-party contractors, and other agency personnel with a
baseline of knowledge, as well as periodic updates, about the existing and current Policy. Each
element of the Training Program contributes another level of information to the individual. At a
minimum, all individuals must receive the indoctrination training, and the refresher training, if
warranted.

(a) Indoctrination Training
Indoctrination Training provides personnel with the fundamentals of the Training
Program. It should be completed when beginning employment or assignment to a
project for the Port Authority, but no later than sixty (60) days after initial hire, or after
commencing work on a project. It may be combined with other types of new employee
indoctrination programs. Individuals completing this level of training should understand
the basic organization of the Policy, the Policy definitions, what materials are defined as
Protected Information under the Policy, how to identify Protected Information (security
category levels and markings), the general criteria and conditions required in order to be
granted a security clearance, procedures for categorizing documents, the obligation to
report suspected and alleged policy violations, and the penalties for non-compliance with
the policy and for unauthorized disclosure of Protected Information.
32
(b) Orientation Training

Orientation Training focuses on the more specific protocols, practices and procedures
for individuals whose roles and responsibilities involve reading, using, safeguarding,
handling, and disposing of Protected Information. Individuals assigned such
responsibilities should complete this level of training. Orientation training should be
conducted prior to assignment to a department, project, task, or other special
assignment, where the individual is expected to become involved with receiving and
handling Protected Information. Individuals completing this level of training should be
introduced to the DISO or SIM, understand the organizational elements of the Policy,
know how to process Protected Information, know the different security categories under
their control or within their assigned work environment, know how to identify proper
safeguarding protocols, including hardware needs, and understand the differences
between general access privileges and the need to know requirement for access to
particular information. Individuals should also read and acknowledge their
understanding of the requirements.

(c) Refresher Training
Within a three (3) year time period during the anniversary month of the individuals start
date on a project, or initial access to Protected Information, all employees, consultants,
third-party contractors, and other individuals and/or entities, who continue to have
access to sensitive materials, should receive an information security education and
awareness training refresher briefing to enhance their information security awareness.
At a minimum, the refresher training should include indoctrination and orientation topic
training, as well as key training on recent Policy changes or other appropriate
information. Also, this milestone may be used to reaffirm the individuals need for a
security clearance or to determine whether the individual requires a periodic update of
their background check.
(d) Other Circumstances and Special Briefings

If a Port Authority employee, consultant, third-party contractor, or other individual and/or
entity transfers to another department, is promoted within his or her department, or
changes employers on the same project without a break in service, and can provide a
record of completion of indoctrination training within the previous twelve months, only
annual refresher training may be required. All other situations demand that an
individual requiring access to Protected Information fulfill the conditions for information
security education and awareness training under this Policy.

In addition to reading and signing a NDA or an Acknowledgment of an existing NDA, or,
alternatively, being subject to a NDI, temporary or one-time access individuals should be
fully briefed on the limitations on access to Protected Information and the penalties
associated with the unauthorized disclosure, before being granted access to such
information.
Special briefings may be provided on a case-by-case basis, as circumstances may
require.

1
APPENDIX A
PROTECTED INFORMATION


Confidential Privileged Information
Information that reveals security risks, threats, vulnerabilities, built in or potential to Port
Authority facilities and/or assets
Documentation that identifies specific physical or system security vulnerabilities, when
referring to specific security or terrorist threats and/or the specific capabilities in-place to
counter a threat
Documentation revealing specific security vulnerabilities at a new or existing PANYNJ
facility, if specific weaknesses are reflected or maximum tolerances are provided
Information revealing details of defeating a security system(s) or revealing the system in its
entirety
Drawings or documents that reveal specific security design criteria or ratings with regard to
security performance
Information identifying the basis for implementing an operational or technical security
solution
Details related to emergency response protocols, egress plans, flow paths, egress
capacities, security systems, etc., not publicly available (diagrams, codes, standards)

Information includes, but is not limited to:
1. Security Risk and Threat Assessments (SRA);
2. Design Basis Threat Analysis (DBT);
3. Facility Security Programs/Plans (to the extent such Programs/Plans are not designated
as SSI or CII );
4. Continuity of Operations Plans;
5. Security White Papers;
6. Blast Protection Design Requirements; Blast Analysis; Vector Analysis (Security
Barriers, Bollards, etc.);
7. Structural plans, details and specifications if site specific information involves details
regarding the capability or vulnerability of security system(s) or additional protection to a
critical structure(s);
8. Drawings and/or documents with specific forced entry ratings;
9. Security System(s) designs when high technology data, which was developed by or for
the Port Authority, is site specific or concerns core area system;
10. Critical element of security or life safety system; such as master controls, overrides,
backup power sources when such elements would not be readily observable by the
public;
11. Security system(s) command and control operating instructions and supporting
countermeasures when referring to a specific site or project location;
12. Design data revealing engineering, construction of a Communication or Data Center
electrical system, network connections, or facility support system with signal cable (e.g.,
intercom, telephone);




2
Confidential Information

Specific security system/hardware model number installed at specific locations
Details concerning overall security system(s) or individual sub systems(s), including design
engineering, construction, fabrication and rollout schedule when data is site specific or
concerns core area systems
Structural plans and details if site-specific information involves details of security system(s) of
protection
Design data revealing engineering, construction, or fabrication details of primary and
emergency electrical power systems supporting security, communications or life safety
systems
Documents identifying protective measures around Operations & Control Centers
Documents identifying the location of Police and Emergency Communication Lines
Security budget information
Security Capital Plan
Security personnel information

Information includes, but is not limited to:
1. Methods utilized to mitigate vulnerabilities and threats, such as identity, location, design,
construction, schedule, and fabrication of security systems;
2. Details concerning overall security system(s) or individual subsystem(s), including
design, engineering, construction, fabrication and rollout schedule when data is site
specific or concerns core area systems;
3. Concept of Operations (CONOPS) documents;
4. Structural plans and details if site-specific information involves details of security
system(s) or protection;
5. Documents identifying protective measures around Operation Control and Data Centers;
6. Documents identifying the location of Police, Emergency Communication and Network
Lines;
7. Security White Papers
8. Secure Identification Display Area (SIDA) Badge Application (Aviation)
9. Selected Environmental Documents Condition Surveys containing information on
contaminated sites;
10. Emergency Operations Plan (to be shared with other Agencies);
11. Guidance for Managing Multi-Agency Response to WMD/CBREN Incidents;
12. Security system logs and reports, system operators and users including all related
personal and company data;
13. System information used to construct and protect security systems;
14. Information/documents complied for law enforcement or official investigatory purposes;
15. Sensitive financial, commercial and other business information received from third
parties under Non-Disclosure and Confidentiality Agreements:
16. Security Project Management budget Information;
17. Security Project Management Capital Plan;
18. Property Lease Agreements (Negotiations);
19. Legal Settlement agreements (when specified in the final settlement agreement);
20. Financial Analysis relating to ongoing litigation;
21. 5-year Capital Security Plan.
22. Law Enforcement investigatory material based upon the sensitive or confidential nature
of the information

3
Health Insurance Portability and Accountability Act (HIPAA)

Employees, associates or other contract personnel who have access to Protected Health
Information (PHI) must also refer to, and comply with, the Privacy Policies and Procedures to
Protect Personal Health Information. Privacy regulations issued under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA or Privacy Laws) place restrictions on the
Group Health Plans of the Port Authority and PATH (the Plans) ability to use and disclose
Protected Health Information (PHI).

To protect the privacy and confidentiality of PHI and to comply with HIPAA, all members of
Employee Benefits, including the Customer Service Representatives, and any others who have
access to PHI, must comply with the policies and procedures set forth in this manual (the
Policies and Procedures). The purpose of this manual is to establish how the Privacy Laws
are to be implemented by the Plans and Employee Benefits in particular. This document
maintained by the Employee Benefits Division of HRD, addresses Privacy Law Concerns
related to the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA defines Protected Health Information (PHI) as all individually identifiable health
information that is transmitted or maintained by the benefit plans in any medium electronic,
oral or written. The Port Authority receives this information in its employer capacity and,
therefore, it is not considered to be PHI:

An individuals name, address, birth date, marital status, dependent information and Social
Security number;
An individuals choice of health plan;

Attorney Work Product

Attorney work product and other privileged information should be protected and treated in
accordance with the established rules of the profession and may carry the marking Privileged &
Confidential. Certain work product information may also fall within the definitions of
Confidential Privileged and/or Confidential Information as established by the Handbook, and as
such, should be marked and treated in accordance with the Handbook and the Law Department
CIPP.

Federal Designations:

Security Sensitive Information (SSI): has the definition and requirements set forth in the
Transportation Security Administrative Rules & Regulations, 49 CFR 1520, (49 U.S.C. 114)
and in the Office of the Secretary of Transportation Rules & Regulations, 49 CFR 15, (49 U.S.C.
40119) and any amendments thereto.

1. Facility Security Programs/Plans (Aviation and Port Facilities fall under SSI);
2. Exclusive Area Agreements (Aviation and Ports An agreement between PA and tenant
that has a security program, which permits the tenant to assume responsibility for
security within the affected area(s). SSI);
3. TAS Security Directives (SSI);
4. SEA LINK Database and corresponding applications (Ports - SSI/Privacy Act
Information).
5. Security Directives issued by the TSA

4
Critical Infrastructure Information (CII); has the meaning set forth in the Homeland Security
Act of 2002, under the subtitle Critical Infrastructure Information Act of 2002 (6 U.S.C. 131-
134), and any rules or regulations enacted pursuant thereto, including, without limitation, the
Office of the Secretary, Department of Homeland Security Rules and Regulations, 6 C.F.R. Part
29 and any amendments thereto. CII may also be referred to as Protected Critical
Infrastructure Information or PCII, as provided for in the referenced rules and regulations and
any amendments thereto.





PROTECTED INFORMATION
(CONFIDENTIAL INFORMATION)
Handbook Marking
Confidential Privileged
Confidential
CII & SSI
Outside Handbook Marking Protocols
HIPAA
Litigation/Law
Law Enforcement Investigatory
Material
Active Negotiations
RFP Proposals under evaluation

5
APPENDIX B


Non-Disclosure and Confidentiality Agreements




































6
B-1
Non-Disclosure and Confidentiality Agreement
with reference to Handbook

7


8


9


10


11


12


13


14



15


16


17


18
B-2
Non-Disclosure and Confidentiality Agreement
without reference to Handbook



19





20





21





22





23





24





25





26





27





28





29





30


B-3
PA/PATH Non-Disclosure and
Confidentiality Agreement



1



2



3



4




1

1
APPENDIX C


Background Screening Criteria

CONTENTS:
Background Screening Specifications
High Access Level Criteria
Medium Access Level Criteria
Standard Access Level Criteria

2
Criminal History
Background Screening Specifications
Social Security Number Positive Identity Verification (PIV)
Federal District Court Search (each district of residence and employment)*
National Criminal Search*
Statewide Criminal Check (each state of residence and employment)*
County Criminal Search (each county of residence and employment)*
Sexual Offender Search (each resident state)*
Alien Immigrant Search
Immigration Violation Check
Fake Identification Convictions
State Driving Record
Check for material false statement or omission on application form
National Terrorist Watch List Search (OFAC-SDN)
Note* Within ten (10), seven (7), or five (5) years preceding date of application as noted
on the HIGH, MEDIUM, and STANDARD Level of Clearance forms.


3
Level of Clearance

HIGH Secure Access Control Areas
and CONFIDENTIAL PRIVILEGED INFORMATION

I. No convictions ever in your lifetime: an individual has a disqualifying criminal offense
if the individual was convicted, or found not guilty by reason of insanity, in a civilian or
military jurisdiction of any of the following criminal offenses:
(1) TerrorismA crime listed in 18 U.S.C. Chapter 113Bor a State law that is
comparable.
(2) Violations of the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C.
1961, et. seq., or a State law that is comparable.
(3) A crime involving a severe transportation security incident.
(4) Making any threat, or maliciously conveying false information knowing the same to be
false, concerning the deliverance, placement, or detonation of an explosive or other
lethal device in or against a place of public use, a state or government facility, a public
transportations system, or an infrastructure facility.
(5) Improper transportation of a hazardous material under 49 U.S.C. 5124, or a state law
that is comparable;
(6) Murder.
(7) Espionage.
(8) Sedition.
(9) Treason.
(10) Unlawful possession, use, sale, distribution, manufacture, purchase, receipt,
transfer, shipping, transporting, import, export, storage of, or dealing in an explosive
or explosive device.
(11) Conspiracy or attempt to commit any of the criminal acts listed in paragraph I.
II. An individual has a disqualifying criminal offense if the individual was convicted, or found not
guilty by reason of insanity, in a civilian or military jurisdiction, within the past ten (10) years
from completion of sentence preceding the date of the application, of the following offenses:
(1) Forgery of certificates, false marking of aircraft, and other aircraft registration violation;
(2) Interference with air navigation;
(3) Aircraft piracy;
(4) Interference with flight crewmembers or flight attendants;
(5) Commission of certain crimes aboard aircraft in flight;
(6) Carrying a weapon or explosive aboard aircraft;
(7) Conveying false information and threats; (e.g., bomb threats, explosives in briefcase,
etc. in security areas)
(8) Aircraft piracy outside the special aircraft jurisdiction of the United States;
(9) Lighting violations involving transporting controlled substances;
(10) Unlawful entry into an aircraft or airport area that serves air carriers or foreign air
carriers contrary to established security requirements;
(11) Destruction of an aircraft or aircraft facility;
(12) Assault with intent to murder.
(13) Kidnapping or hostage taking.
(14) Rape or aggravated sexual abuse.
(15) Extortion.
(16) Armed or felony unarmed robbery.


4
(17) Distribution of, possession with intent to distribute, or importation of a controlled
substance.
(18) Felony arson.
(19) Felony involving a threat.
(20) Felony involving
(i) Willful destruction of property;
(ii) Importation or manufacture of a controlled substance;
(iii) Burglary or Robbery
(iv) Theft;
(v) Dishonesty, fraud, or misrepresentation, including identity fraud and money
laundering;
(vi) Possession or distribution of stolen property;
(vii) Aggravated assault;
(viii) Bribery; or
(ix) Illegal possession of a controlled substance punishable by a maximum term of
imprisonment of more than 1 year;
(x) Smuggling;
(xi) Immigration violations; or
(21) Violence at international airports;
(22) Unlawful possession, use, sale, manufacture, purchase, distribution, receipt, transfer,
shipping, transporting, delivery, import, export of, or dealing in a firearm or other
weapon. A firearm or other weapon includes, but is not limited to, firearms as defined in
18 U.S.C. 921(a)(3) or 26 U.S.C.5 845(a), or items contained on the U.S. Munitions
Import List at 27 CFR 447.21.
(23) Conspiracy or attempt to commit any of the criminal acts listed in paragraph II.
Under want, warrant, or indictment. An applicant who is wanted, or under indictment in any
civilian or military jurisdiction for a felony listed in section II, is disqualified until the want or
warrant is released or the indictment is dismissed.


5
Level of Clearance

Up To MEDIUM Secure Access Control Areas
and CONFIDENTIAL INFORMATION

I. No convictions ever in your lifetime: an individual has a disqualifying criminal
offense if the individual was convicted, or found not guilty by reason of insanity, in a
civilian or military jurisdiction of any of the following criminal offenses:
(1) TerrorismA crime listed in 18 U.S.C. Chapter 113Bor a State law that is
comparable.
(2) Violations of the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C.
1961, et. seq., or a State law that is comparable.
(3) A crime involving a severe transportation security incident.
(4) Making any threat, or maliciously conveying false information knowing the same
to be false, concerning the deliverance, placement, or detonation of an explosive or
other lethal device in or against a place of public use, a state or government facility, a
public transportations system, or an infrastructure facility. (3) Improper transportation of
a hazardous material under 49 U.S.C. 5124, or a state law that is comparable;
(5) Improper transportation of a hazardous material under 49 U.S.C. 5124, or a state
law that is comparable;
(6) Murder.
(7) Espionage.
(8) Sedition.
(9) Treason.
(10) Unlawful possession, use, sale, distribution, manufacture, purchase, receipt, transfer,
shipping, transporting, import, export, storage of, or dealing in an explosive or
explosive device.
(11) Conspiracy or attempt to commit any of the criminal acts listed in paragraph I.

II. An individual has a disqualifying criminal offense if the individual was convicted, or found
not guilty by reason of insanity, in a civilian or military jurisdiction for the following
offenses, within the past ten (10) years from completion of sentence for the offense
preceding the date of the application:
(1) Extortion.
(2) Armed or felony unarmed robbery.
(3) Felony involving
(i) Importation or manufacture of a controlled substance;
(ii) Burglary or Robbery;
(iii) Theft;
(iv) Dishonesty, fraud, or misrepresentation, including identity fraud and money
laundering;
(v) Possession or distribution of stolen property;
(vi) Bribery; or
(4) Conspiracy or attempt to commit any of the criminal acts listed in paragraph II.
Under want, warrant, or indictment. An applicant who is wanted, or under indictment in any


6
civilian or military jurisdiction for a felony listed in section II, is disqualified until the want or
warrant is released or the indictment is dismissed.
III. An individual has a disqualifying criminal offense if the individual was convicted, or found
not guilty by reason of insanity, in a civilian or military jurisdiction for the following
offenses, within the past seven (7) years from completion of sentence for the offense
preceding the date of the application:
(1) Assault with intent to murder.
(2) Kidnapping or hostage taking.
(3) Rape or aggravated sexual abuse.
(4) Distribution of, possession with intent to distribute, or importation of a controlled
substance.
(5) Felony arson.
(6) Felony involving a threat.
(7) Felony involving
(i) Willful destruction of property;
(ii) Aggravated assault;
(iii) Smuggling;
(iv) Immigration violations;
(8) Violations of the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C.
1961, et. seq., or a State law that is comparable, other than the violations listed in
paragraph (b) of Section I.
(9) Unlawful possession, use, sale, manufacture, purchase, distribution, receipt,
transfer, shipping, transporting, delivery, import, export of, or dealing in a firearm or
other weapon. A firearm or other weapon includes, but is not limited to, firearms as
defined in 18 U.S.C. 921(a)(3) or 26 U.S.C.5 845(a), or items contained on the U.S.
Munitions Import List at 27 CFR 447.21.
(10) Conspiracy or attempt to commit any of the criminal acts listed in paragraph III.

Under want, warrant, or indictment. An applicant who is wanted, or under indictment in any
civilian or military jurisdiction for a felony listed in section III, is disqualified until the want or
warrant is released or the indictment is dismissed.

7
Level of Clearance

Up To STANDARD
Secure Access Control Areas

I. No convictions ever in your lifetime: an individual has a disqualifying criminal offense if
the individual was convicted, or found not guilty by reason of insanity, in a civilian or
military jurisdiction of any of the following criminal offences:
(1) Terrorism A crime listed in 18 U.S.C. Chapter 113Bor a State law that is comparable.
(2) Violations of the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C. 1961, et.
seq., or a State law that is comparable.
(3) Espionage.
(4) Sedition.
(5) Treason.
(6) Unlawful possession, use, sale, distribution, manufacture, purchase, receipt, transfer,
shipping, transporting, import, export, storage of, or dealing in an explosive or explosive
device.
(7) Conspiracy or attempt to commit any of the criminal acts listed in paragraph I.

II. An individual has a disqualifying criminal offense if the individual was convicted, or found not
guilty by reason of insanity, in a civilian or military jurisdiction for the following offenses, within
the past ten (10) years from completion of sentence for the offense preceding the date of the
application:
(1) Extortion.
(2) Felony involving
(i) Theft;
(ii) Dishonesty, fraud or misrepresentation, including identity fraud and money
laundering;
(iii) Unlawful sale, distribution, manufacture, import or export of a controlled
substance that resulted in the conviction of an A Felony in the New
York State Penal Law, or any comparable law in any State, or
comparable Federal law.
(3) Conspiracy or attempt to commit any of the criminal acts listed in paragraph II.


8
III. An individual has a disqualifying criminal offense if the individual was convicted, or
found not guilty by reason of insanity, in a civilian or military jurisdiction for the following
offenses, within the past five (5) years from completion of sentence for the offense
preceding the date of the application:

(1) Violent Felony Offenses (as defined in the New York State Penal Law 70.02) or any
comparable law in any State.
(2) Conspiracy or attempt to commit any criminal act listed in paragraph III.


APPENDIX D
Secure Worker Access Consortium (SWAC)
Secure Worker Access Consortium (SWAC is accessed by an online application that enables
the secure collection, processing, maintenance and real-time positive identity verification (PIV) of
individuals. As of January 29, 2007, SWAC is the only Port Authority approved provider to be
used to conduct background screening, except as otherwise required by federal law and or
regulation. Additional information about S.W.A.C., corporate enrollment, online applications, and
location of processing centers can be found at http://www.secureworker.com, or SWAC Customer
Service may be contacted at (212) 608-0855.
o Consultants / Contractors
o Step 1: - A firm representative completes the Corporate Membership Application
Form online at www.secureworker.com. Firms are encouraged to establish a
Corporate Membership Account through which their workers will be processed.
o Step 1a: Employees & Workers of Contractors Individual completes the Individual
Membership Application Form online. (A company administrator may complete this
form on someone's behalf.)
o Step 2: The applicant is photographed, provides a digital signature and presents the
required identification documents at an operational SWAC Processing Center.
o Step 3: SWAC ID Card is available for pickup. The typical length of the process is one
week. To verify that an ID Card is ready for pickup, call (212) 608-0855.

o Individuals
o Step 1: Individual completes the Individual Membership Application Form online.
http://www.secureworker.com

o Step 2: Individual immediately takes the required government issued identity
documents to a SWAC Processing Center to complete the second and final step
of the SWAC application process. NOTE: This step is required before your
background screening is initiated.



o SWAC Processing Centers - check the SWAC website to verify the locations,
and days and times of operation of the Processing Centers.
George Washington Bridge Port
Authority Administration Building, Main
Lobby
220 Bruce Reynolds Boulevard
Bridge Plaza South
Fort Lee, NJ 07024
Tuesdays, 6:00 AM to 12:00PM

John F. Kennedy International Airport
Building #14
RE's Office Conference Room
Jamaica, NY
Fridays, 6:00AM to 12:00PM

Port Authority Bus Terminal
625 Eighth Avenue (at 40th Street)
South Wing, 2nd Floor
New York, NY 10018
Tuesdays & Fridays, 6:30AM to
12:30PM



LaGuardia Airport (LGA)
Port Authority Administration Building
Hanger #7S, 2nd Floor
Flushing, NY 11371
Wednesdays, 6:00AM to 12:00PM

Newark Liberty International Airport
(EWR)
70 Brewster Road
Building #70 Lobby
Newark, NJ 07114
Mondays & Thursdays, 7:30AM to
3:30PM

World Trade Center
65 Trinity Place
(corner of Exchange Alley, across from
SYMS clothing store)
New York, NY 10006
Monday through Friday, 6:00 AM to
12:00 PM


APPENDIX E
1


[insert department name] DEPARTMENT




PORT AUTHORITY OF NY & NJ

CONFIDENTIAL PRIVILEGED INFORMATION





"WARNING: The attached is the property of The Port Authority of New York and New Jersey (PANYNJ). It
contains information requiring protection against unauthorized disclosure. The information contained in the
attached document cannot be released to the public or other personnel who do not have a valid need to know
without prior written approval of an authorized PANYNJ official. The attached document must be controlled,
stored, handled, transmitted, distributed and disposed of according to PANYNJ Information Security Policy.
Further reproduction and/or distribution outside of the PANYNJ are prohibited without the express written
approval of the PANYNJ.

At a minimum, the attached will be disseminated only on a need to know basis and when unattended, will be
stored in a locked cabinet or area offering sufficient protection against theft, compromise, inadvertent access
and unauthorized disclosure.


Document Control Number: CP-[insert dept acronym]- [insert
year]-[insert sequential number] [insert copy number]





1
APPENDIX F

[Insert address of Recipient]


Date:
From:

The [insert department, division or project name] is providing a copy of the following
items to (insert recipients name and address).



Description

Date

Copy Number

Describe item


00/00/00

CP-[dept abbreviation]-
XX-XX-XX




Upon receipt, the items listed above must be safeguarded in accordance with the
procedures identified in the The Port Authority of New York & New Jersey Information
Security Handbook dated October 15, 2008.

PLEASE SIGN AND RETURN TO:
Document Control
[insert Port Authority department, division or unit]
Attn: [SIM or SPM}
[Address]




2
I acknowledge receipt of the above items listed above and accept full responsibility for
the safe handling, storage and transmittal elsewhere of these items.


Name (PRINT): ______________________________________
Organization: ______________________________________
Signature: ______________________________________
Date: ______________________________________
Title: ______________________________________



1
APPENDIX G


GUIDELINES FOR THE STORAGE OF
PROTECTED INFORMATION
I. GENERAL
I. GENERAL
This section describes the preferred methods for the physical protection of
Protected Information in the custody of PANYNJ personnel and their contractors,
consultants, architects, engineers, et al. Where these requirements are not
appropriate for protecting specific types or forms of such material, compensatory
provisions shall be developed and approved by the Chief Information Security
Officer (CISO). Nothing in this guideline shall be construed to contradict or inhibit
compliance with any applicable law, statute or code. Cognizant Security Information
Managers (SIM) shall work to meet appropriate security needs according to the
intent of this guideline and at acceptable cost.
II. PROTECTED INFORMATION STORAGE

A. Approved Containers

The following storage containers are approved for storage of PANYNJ Protected
Information:

1. A safe or safe-type steel file container that has a built-in three- position dial
combination lock or electronic combination lock.

2. Any steel file cabinet that has four sides and a top and bottom (all
permanently attached by welding, rivets or peened
bolts so the contents cannot be removed without
leaving visible evidence of entry) and is secured by a
rigid metal lock bar and an approved key operated or
combination padlock. The keepers of the rigid metal
lock bar shall be secured to the cabinet by welding,
rivets, or bolts so they cannot be removed and
replaced without leaving evidence of the entry. The
drawers of the container shall be held securely so their contents cannot
be removed without forcing open the drawer.


2

B. Approved Locks and Locking Devices


The following locks and locking devices are examples of types approved for
storage of PANYNJ Protected Information, but not limited to these locks:

1. Any restricted keyway 7-pin tumbler lock or equivalent pick resistant
lock.

2. A combination padlock such as a Sesame four-
position dial padlock. See photo at right.

For Port Authority facilities, locks and locking devices
available from Port Authority stock room or approved
vendor will meet this requirement.

C. Combinations to Security Containers, Cabinets, and Vaults

If required, only a minimum number of authorized persons shall have
knowledge of combinations to authorized storage containers. Containers shall
bear no external markings indicating the level of material authorized for
storage therein.

1. A record of the names of persons having knowledge of the combination
shall be maintained.

2. Security containers, vaults, cabinets, and other authorized storage
containers shall be kept locked when not under the direct supervision of
an authorized person entrusted with the contents.

3. The combination shall be safeguarded in accordance with the same
protection requirements as the Confidential Information contained within.
4. If a record is made of a combination, the record shall be marked with the
category of material authorized for storage in the container, i.e. CP or
SSI.






3
D. Changing Combinations

Combinations shall be changed by a person authorized access to the
contents of the container, or by the SIM or his or her designee. Combinations
shall be changed as follows:

1. The initial use of an approved container or lock for the protection of
Confidential Information.

2. The termination of employment of any person having knowledge of the
combination, or when the Protected Information access granted to any
such person has been withdrawn, suspended, or revoked.

3. The compromise or suspected compromise of a container or its
combination, or discovery of a container left unlocked and unattended.

4. At other times when considered necessary by the SIM or CISO.

E. Supervision of Keys and Padlocks

Use of key-operated padlocks are subject to the following requirements:
1. A key and lock custodian shall be appointed to ensure proper custody
and handling of keys and locks used for protection of Protected
Information.
2. A key and lock control register shall be maintained to identify keys for
each lock and their current location and custody.
3. Keys shall be inventoried with each change of custody.
4. Keys and spare locks shall be protected equivalent to the level of
classified material involved.
5. Locks shall be replaced after loss or compromise of their operable
keys.
6. Making master keys is prohibited.
F. Document Retention Areas
Due to the volume of the Protected Information in possession, or for
operational necessity, it may be necessary to construct Document Retention
Areas for storage because approved containers or safes are unsuitable or
impractical. Access to Document Retention Areas must be controlled to
preclude unauthorized access. During hours of operation this may be
accomplished through the use of a cleared person or by an approved access


4
control device or system. Access shall be limited to authorized persons who
have an NDA on file, received appropriate training on the protection of
information and have a bonafide need-to-know for the Protected Information
material/information within the area. All other persons (i.e. visitors,
maintenance, janitorial, etc.) requiring access shall be escorted at all times by
an authorized person where inadvertent or unauthorized exposure to
Protected Information cannot otherwise be effectively prevented. During non-
working hours and during working hours when the area is unattended,
admittance to the area shall be controlled by locked entrances and exits
secured by either an approved built-in combination lock, an automated
access control system or an approved key-operated lock. Doors secured
from the inside with an emergency panic bar will not require additional locking
devices.
G. Construction Requirements for Document Retention Areas

This paragraph specifies the minimum safeguards and standards required for
the construction of Document Retention Areas that are approved for use for
safeguarding Protected Information. These criteria and standards apply to all
new construction and reconstruction, alterations, modifications, and repairs of
existing areas. They will also be used for evaluating the adequacy of existing
areas.

1. Hardware: Only heavy-gauge hardware shall be used in construction.
Hardware accessible from outside the area shall be peened, pinned,
brazed, or spot welded to preclude removal.

2. Walls: Construction may be of material offering resistance to, and
evidence of, unauthorized entry into the area. If insert-type panels are
used, a method shall be devised to prevent the removal of such panels
without leaving visual evidence of tampering.

3. Windows: During nonworking hours, the windows shall be closed and
securely fastened to preclude surreptitious entry.

4. Doors: Doors shall be constructed of material offering resistance to and
detection of unauthorized entry. When doors are used in pairs, an
astragal (overlapping molding) shall be installed where the doors meet.

5. Ceilings: Where surrounding walls do not extend to the true ceiling, the
ceiling shall either be hard capped with the same construction materials as
the surrounding walls or removable tiles shall be clipped in place such that
they cannot be removed without destroying tiles and providing evidence of
intrusion.


1
APPENDIX H

GUIDELINES FOR THE DISPOSAL AND DESTRUCTION OF
PROTECTED INFORMATION.


I. GENERAL
This section describes the preferred methods for the disposal and destruction of
Protected Information in the custody of PANYNJ personnel and their contractors,
consultants, architects, engineers, et al. Where these requirements are not
appropriate for disposal or destruction of specific types or forms of such material,
compensatory provisions shall be developed and approved by the Chief
Information Security Officer (CISO). Cognizant Security Information Managers
(SIM) shall work to meet appropriate security needs according to the intent of this
guideline and at acceptable cost.
Protected Information no longer needed shall be processed for appropriate archiving or
disposal. Protected Information approved for destruction shall be destroyed in
accordance with this section. The method of destruction must preclude recognition or
reconstruction of the Protected Information or material.

All persons in possession of Protected materials shall establish procedures for review of
their Protected holdings on a recurring basis to reduce these inventories to the minimum
necessary for effective and efficient operations. Multiple copies, obsolete material, and
Protected waste shall be destroyed as soon as practical after it has served its purpose.
Any appropriate downgrading actions shall be taken on a timely basis to reduce the
volume and to lower the level of Protected material being retained.
I
Original records must be retained in accordance with the Agencys Records
Management Policy and Retention Schedules.
AND DESTRUCTION
II. DISPOSAL AND DESTRUCTION

A. Destruction Requirements

All persons in possession of Protected materials shall destroy this material in their
possession as soon as possible after it has served the purpose for which it was
released, developed or prepared, or as soon as possible after its designated
retention period has expired.



2
B. Methods of Destruction

1. Generally, Protected material shall be destroyed by commercial grade
cross cut shredders located conveniently throughout the workplace for
use by authorized individuals.
2. Additionally, Confidential material may be destroyed by burning,
pulping, melting, mutilation, chemical decomposition, or pulverizing (for
example, hammer mills, choppers, and hybridized disintegration
equipment) where shredding may not be appropriate. Whatever method
is employed must preclude recognition or reconstruction of the
Confidential Information or material.

3. Confidential material in microform, that is: microfilm, microfiche, or
similar high data density material, may be destroyed by burning or
chemical decomposition, or other methods as approved by the CISO.
4. Commercial destruction facilities may be used only with the approval of,
and under conditions prescribed by, the SIM. When commercial
destruction facilities are utilized, they shall conform to all appropriate
sub-contracting requirements to include appointment of a SIM,
adherence to the requirements of the PANYNJ Information Security
Handbook, receiving required security training and properly executing a
Non-Disclosure and Confidentiality Agreement (NDA).
5. Electronically Stored Protected Information must be deleted from all
computer hard drives, tapes, CDs, DVDs, memory, and/or magnetic,
analog, or digital media used to store or transport digital files. The
device used to store or transport any Protected file will require a bit-by-
bit overwrite of the storage area used by the file. This will protect
against having the deleted file recovered using data recovery tools.
Commercial tools are available to automate this process.









3


C. Witness to Destruction

Protected material shall only be destroyed by authorized personnel,
whether in-house or contracted, who meet all of the PANYNJ criteria for
awarding access authorization, have met all training requirements, have a
properly executed NDA on file and have a full understanding of their
responsibilities to ensure proper control of the materials while in their
possession and complete destruction thereof.

D. Destruction Records

Protected Information is accountable and therefore any disposal in
approved waste containers or destruction via convenience shredders must
be reported to the issuing SIM, or his/her document control representative,
indicating which documents were disposed/destroyed and the date of such
action.

Protected waste shall be destroyed as soon as practical. This applies to all waste
material containing Protected Information. Pending destruction, Protected waste
shall be appropriately safeguarded. (See also Appendix G - Guidelines for the
Storage of Protected Information.)

III. PROTECTED WASTE
A. Approved Receptacles

1. Receptacles utilized to accumulate Protected waste shall be
constructed of substantial materials that would provide evidence of
tampering. Hinges and lids shall not be removable while the container
is secured without leaving evidence thereof.

2. All such receptacles shall be clearly identified as containing Protected
material.

3. Slots shall be provided in such receptacles that allow for easy deposit
of materials for destruction but preclude removal of deposited waste
by insertion of a persons hand or tool.


4

4. Locks, and the control thereof, on all Protected waste receptacles
shall meet or exceed the requirements of the PANYNJ Guideline for
Storage of Confidential Information.

B. Oversize Waste Materials

PANYNJ projects often involve large drawings and other materials
associated with construction projects, which cannot be conveniently
disposed of via office shredders or placed in typical slots on secure trash
receptacles. In no cases shall such material be permitted to be placed or
accumulate adjacent to secure receptacles while awaiting destruction.
Oversize materials awaiting destruction may be stored as follows:

1. Within an approved Document Retention Area.

2. Within a specially constructed secure waste receptacle where disposal
slots have been specifically designed for accepting rolled drawings or
other oversize materials and preclude the removal there from.
3. Within a standard secure waste receptacle where the receptacle has
been opened by an authorized individual to allow placement of the
oversized item(s) into the container and it has been secured thereafter.


1

APPENDIX I
Audit Procedures
COMPANY / ORGANIZATION
Is the Company Non-Disclosure and Confidentiality Agreement properly
executed and maintained in current status?
Has a senior management official been designated as Security Information
Manager (SIM), as required by the Handbook for Protecting Security
Information? Has a deputy SIM been identified?

ACCESS AUTHORIZATIONS
Has a Non-Disclosure Agreement been executed by each employee who has
been afforded access?
Is a current record maintained of all employees authorized access to
Confidential Information at the firm?
Does the contractor provide a roster of all cleared employees to the PA as
required? Is it current?
SECURITY EDUCATION
Does the contractor provide that all employees who have access to Protected
Information with security training and briefings commensurate with their
involvement with the information?
Are contractors who employ persons at other locations ensuring the required
security training?
Are the Non-Disclosure Agreements executed by employees prior to accessing
the sensitive information?
Do initial security briefings contain the minimum required information?
Does the contractor's security education program include refresher security
briefings?
Are employees debriefed at the time of a termination, reassignment or project's
completion regarding the requirements for continued safeguarding of Protected


2
Information?
Has the contractor established internal procedures that ensure authorized
awareness of their responsibilities for reporting pertinent information to the SIM?
Has the contractor established a graduated scale of administrative disciplinary
action to be applied against employees who violate the Handbook?
Are employees aware of Emergency Procedures?
Does management support the program for safeguarding Port Authority
Confidential and Privileged Security Information?
STANDARD PRACTICE PROCEDURES
Is the Confidential Information Practice and Procedures (CIPP) document
current and does it adequately implement the requirements of the Handbook?
A CIPP only needs to be prepared when the Departmental Information Security
Officer (DISO) believes it necessary for the proper safeguarding of
Confidential Information.
SUBCONTRACTING
Have all Subcontractors properly executed the Non-Disclosure and
Confidentiality Agreement?
Has a Non-Disclosure Agreement been executed by each of the Subcontractor's
employees who has been afforded access?
Is a current roster maintained of all Subcontractor employees authorized access
to Confidential Information at the firm?
Does the Subcontractor provide this roster to the Prime Contractor's SIM as
required? Is it current? Does it include the date that the agreement was
signed? Is it included in the Prime Contractor's Team Roster?
Does the contractor complete all actions required in the Handbook prior to
release or disclosure of Port Authority Protected Information to
subcontractors? Has the Subcontractor been provided a Handbook?
Has a senior management official of the Subcontractor been designated as the
Security Information Manager (SIM), if required by a CIPP?


3
Has a deputy SIM been identified?
Is the safeguarding capability of all subcontractors determined as required?
Is the requirement to abide by security procedures identified in the Handbook
incorporated into each subcontract?
Does the Subcontractor have an adequate understanding of the
Handbook's requirements and the types of information that require
safeguarding?
VISIT CONTROL
Are procedures established to ensure positive identification of visitors prior to
disclosure of Protected Information?
CLASSIFICATION
Does the contractor have adequate procedures for evaluating Protected material
being created, extracted, or summarized?
Is contractor-developed Protected Information appropriately marked, and
protected?
PUBLIC RELEASE
Does the contractor obtain the approval of the Port Authority prior to public
disclosure of ANY information pertaining to a security program contract?
STORAGE
Has the contractor established a system of security checks at the close of each
working day to ensure that sensitive material is secured?
How would the Protected material be safeguarding during an emergency?
Is a record of the names of persons having knowledge of the combinations to
security containers maintained?
When combinations to containers are placed in written form, are they stored
appropriately?
Do authorized persons, when required, change combinations to security


4
containers?
MARKINGS
Is all Protected material, regardless of its physical form, marked properly?
Is all Protected material marked to show the name and address of the facility
responsible for its preparation and the date of preparation?
Are overall markings marked conspicuously as required?
Are protective markings applied to Protected compilations if required?

TRANSMISSION
Is Protected Information properly prepared for transmission outside the facility?
Are Transmittal Receipts included with Protected Information if required?
Is a suspense system established to track transmitted documents until the signed
receipt is returned?
Are authorized methods used to transmit Protected material outside the facility?
Is the NDA of the receiving facility determined prior to transmission of Protected
Information?
PROTECTED INFORMATION CONTROLS
Do contractor employees understand their safeguarding responsibilities?
Is the contractor's accountability system capable of facilitating the retrieval and
disposition of Protected material as required?
Are external receipts and dispatch records maintained as required?
Is all Protected material received at the contractor facility and delivered directly to
designated personnel?
Do contractor employees promptly report the loss, compromise, or suspected


5
compromise of Protected Information to the SIM?
DISPOSITION
Is a program established to review Protected retention on a recurring basis for
the purpose of reduction?
Is Protected material destroyed as soon as possible after it has served its
purpose?
Does the contractor employ an effective method of destruction?
Is Protected material destroyed by the appropriate employees?
Is Protected waste properly safeguarded until its timely destruction?
REPRODUCTION
Does the facility's reproduction control system keep reproduction of Protected
material to a minimum?
Is the reproduction of Protected Information accomplished only by properly
authorized, and knowledgeable employees?
Is reproduction authorization obtained as required?
Are reproductions of Protected material reviewed to ensure that the markings are
proper and legible?
AUTOMATED INFORMATION SYSTEMS (AIS)
Are appropriate physical controls being exercised over approved AIS?
Are AIS media containing Protected Information handled in a manner
consistent with the handling of Confidential documents?
Are all AIS storage media, internal memory, and equipment, that contain
Protected Information, properly sanitized prior to removal from protection?


6
Suggested Questions When Interviewing Employees NOT Authorized Access
to Confidential Information:
What is Protected Information?
Have you ever seen Protected Information?
If you found Protected Information unprotected, what would you do?

Suggested Questions When Interviewing Employees Authorized Access to
Protected Information:
What is your job title/responsibility?
Which contract or program requires you to access this information?
How do you access the information?
How long have you been authorized access?
When was your last access to Protected Information?
Have you ever had access to Protected Information outside of this
facility?
Did anyone else from the facility accompany you?
Did you take any Confidential notes or Protected Information back to the
facility?
What procedures were followed to protect this information?
Where is this information now?
Have you ever provided access to Protected Information to visitors?
How did you determine their need-to-know?
Have you ever been approached by anyone requesting Protected
Information?
Do you ever work overtime and access Protected Information?
When was the last time that you had a security briefing?
What can you recall from this briefing?
Have you ever been cited for a security violation?
What would YOU do if YOU committed a security violation or
discovered one?
Do you have the combination to any storage containers?
Who other than yourself has access to these containers?


7
Is a record maintained of the safe combination? If so, where?
Do you reproduce or generate Protected Information?
Where do you typically work when you generate Protected
Information?
What procedures do you follow to protect Protected Information while
working on it?
Do you ever use a computer to generate Protected Information? How
do you mark this Information?
Please produce the guidance that you used. Is it accurate?
What procedures do you employ when hand carrying Protected material?
Have you reproduced Protected Information? Describe the
procedures.
Have you destroyed Protected Information? What procedures were
used?
Do you have any questions regarding security?

You might also like