Metropolitan Transportation Authority

Controls Over Security-Sensitive Information for the Capital Projects Program

The Metropolitan Transportation Authority (MTA) provides subway, rail and bus service in and around New York City, and operates and maintains seven bridges and two traffic tunnels in New York City. In May 2004, the MTA published guidelines instructing its employees and vendors how to safeguard and prevent the unauthorized disclosure of security-sensitive information (such as blueprints and design documents) relating to capital projects. We examined the adequacy of the guidelines and tested MTA and vendor compliance with the guidelines. We found that the guidelines established a reasonable control framework for the protection of security-sensitive information. However, we also found that both the MTA and its vendors often failed to comply with the guidelines. For example, the MTA did not maintain a complete list of the individuals who had access to security-sensitive information, did not routinely update background screenings on its employees, and did not ensure that such screenings were performed on all vendor employees with access to security-sensitive information.

In addition, the MTA’s document control system is supposed to identify the location of all security-sensitive documents at any point in time. However, more than half the documents we tested could not readily be located by MTA and vendor security officers. We also determined that security-sensitive information may not be adequately safeguarded when it is maintained on vendors’ computer systems, and security plans for construction sites may not always be approved by the appropriate security personnel. We made a number of recommendations aimed at strengthening the MTA’s controls over security-sensitive information, and MTA officials took immediate action to strengthen the controls.

For a complete copy of Report 2006-S-6 click here.