MEMORANDUM FOR Chief Information Officers

FROM: Thomas N. Pyke, Jr.

Chief Information Officer

SUBJECT: Guidance on Information that Should Not be Disseminated on Department of Commerce Web Sites

Recent events have prompted a review of many aspects of how we do our jobs. The Department of Commerce disseminates a large amount of information to the public on its Web sites as a part of carrying out its mission. It is important that Commerce agencies now evaluate the information made available to the public on the Web to ensure that the value of that public information dissemination outweighs any the potential risk to Commerce people, infrastructure, procedures, and programs that may result from placing this information on the Web.

Commerce agency CIOs and program managers should evaluate the public dissemination on the Web of the following types of information, and promptly remove from the Web such information as decisions are made to do so during this evaluation process:

Information on People --

Personal data on staff members including SSNs, dates of birth, and places of residence.
Information on the family members of staff, including such information contained in biographic summaries
Schedules, travel plans, or the exact location of employees, including building and room number information in online directories

Information on Infrastructure --

Detailed plans, maps, diagrams, aerial photographs, or architectural plans for Department of Commerce facilities (Limit directions for visitors to the absolute minimum needed, and consider providing such information by fax or other means directly to individual visitors)
Listings of, or documents that mention, specific physical or logical vulnerabilities
Information technology architecture plans, diagrams, or network maps describing telecommunication networks (e.g., IP addresses, server names, access numbers)
Information on the location of hazardous materials or sensitive facilities

Information on Plans and Procedures --

Information on emergency response or preparedness procedures
Lists of emergency response officials
Information on the location of emergency stockpiles of material.
Disaster recovery plans
Incident reports or lessons learned from past disaster recovery exercises, drills, or events

Information on Programs -

Information about Commerce programs that increases risk beyond the value to the public should be removed from the Web. CIOs and program managers should review all Web sites and make decisions about the program information provided to the public. For example, one NOAA Web site used to provide public access to a software model that would help predict the dispersion of harmful material resulting from hazardous material events. This information has been removed from the Web.

CIOs and program managers also need to ensure that information accessible through the Web that is intended for internal use only is sufficiently protected to prevent public or other unauthorized access. The use of intranets to disseminate such information internally is encouraged.

Please also consider, in light of our current times, that if you request correspondence from the public, that you request it be sent electronically.

The bottom line is that agency CIOs and program managers need to apply common sense to decisions about the dissemination of information on the Web in the context of both continuing threats and threats that are apparent as a result of recent events.

cc: Samuel W. Bodman
Otto Wolff
Secretarial Officers
Heads of Operating Units