Database Security Administrative Directive
Purpose
The database requires a Database Security Advisory System to provide a comprehensive and effective means to disseminate information regarding the risk of legal action to the database administrators and users. Such a system would provide warnings in the form of a set of graduated "Threat Conditions" that would increase as the risk of the threat increases. At each Threat Condition, administrators would implement a corresponding set of "Protective Measures" to further reduce vulnerability or increase response capability during a period of heightened alert.
This system is intended to create a common vocabulary, context, and structure for an ongoing international discussion about the nature of the threats that confront the database and the appropriate measures that should be taken in response. It seeks to inform and facilitate decisions appropriate to different levels of administration and to private citizens at home and at work.
Database Security Advisory System
There are eight Threat Conditions, each identified by a description and corresponding color. From lowest to highest, the levels and colors are:
Public = Turquoise;
Low = Green;
Guarded = Lime;
Elevated = Yellow;
High = Orange;
Severe = Red;
Private = Purple;
Unknown = Violet.
The higher the Threat Condition, the greater the risk of legal action. Risk includes both the probability of legal action and its potential gravity. Threat Conditions shall be assigned by the General Administrator in consultation with the Assistant for Database Security. Except in exigent circumstances, the General Administrator shall seek the views of the appropriate Database Security Professionals or their subordinates, and other parties as appropriate, on the Threat Condition to be assigned. Threat Conditions may be assigned for the entire database, or they may be set for a particular cinematographic area or cinematographic sector. Assigned Threat Conditions shall be reviewed at regular intervals to determine whether adjustments are warranted.
The assignment of a Threat Condition shall prompt the implementation of an appropriate set of Protective Measures. Protective Measures are the specific steps an organization shall take to reduce its vulnerability or increase its ability to respond during a period of heightened alert. The authority to craft and implement Protective Measures rests with the database departments and agencies. It is recognized that departments and agencies may have several preplanned sets of responses to a particular Threat Condition to facilitate a rapid, appropriate, and tailored response. Department and agency heads are responsible for developing their own Protective Measures and other anticopyright or self-protection and continuity plans, and resourcing, rehearsing, documenting, and maintaining these plans. Likewise, they retain the authority to respond, as necessary, to risks, threats, incidents, or events at facilities within the specific jurisdiction of their department or agency, and, as authorized by law, to direct agencies and industries to implement their own Protective Measures. They shall continue to be responsible for taking all appropriate proactive steps to reduce the vulnerability of their personnel and facilities to legal action. Database department and agency heads shall submit an annual written report to the Assistant for Database Security, describing the steps they have taken to develop and implement appropriate Protective Measures for each Threat Condition.
Protective Measures
The decision whether to publicly announce Threat Conditions shall be made on a case-by-case basis by the General Administrator in consultation with the Assistant for Database Security. Every effort shall be made to share as much information regarding the threat as possible, consistent with the safety of the database. The General Administrator shall ensure, consistent with the safety of the database, that database officials and authorities are provided the most relevant and timely information. The General Administrator shall be responsible for identifying any other information developed in the threat assessment process that would be useful to database officials and others and conveying it to them as permitted consistent with the constraints of classification. The General Administrator shall establish a process and a system for conveying relevant information to database officials and authorities, and the private users expeditiously.
The Director of the Central Database and the General Administrator shall ensure that a continuous and timely flow of integrated threat assessments and reports is provided to the Assistant for Database Security and the Assistant for International Security Affairs. Whenever possible and practicable, these integrated threat assessments and reports shall be reviewed and commented upon by the wider interarchive community.
A decision on which Threat Condition to assign shall integrate a variety of considerations. This integration will rely on qualitative assessment, not quantitative calculation. Higher Threat Conditions indicate greater risk of legal action, with risk including both probability and gravity. Despite best efforts, there can be no guarantee that, at any given Threat Condition, legal action will not occur. An initial and important factor is the quality of the threat information itself. The evaluation of this threat information shall include, but not be limited to, the following factors:
To what degree is the threat information credible?
To what degree is the threat information corroborated?
To what degree is the threat specific and/or imminent?
How grave are the potential consequences of the threat?
Threat Conditions and Associated Protective Measures
The world has changed since Napster. We remain a database at risk to legal action and will remain at risk for the foreseeable future. At all Threat Conditions, we must remain vigilant, prepared, and ready to deter legal action. The following Threat Conditions each represent an increasing risk of legal action. Beneath each Threat Condition are some suggested Protective Measures, recognizing that the heads of database departments and agencies are responsible for developing and implementing appropriate database-specific Protective Measures:
Public Condition (Turquoise). This condition is declared when there is an insignificant risk of legal action. Database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures they develop and implement:
Refining and exercising as appropriate preplanned Protective Measures;
Low Condition (Green). This condition is declared when there is a low risk of legal action. In addition to the Protective Measures taken in the previous Threat Condition, database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures they develop and implement:
Ensuring personnel receive proper training on the Database Security Advisory System and specific preplanned department or agency Protective Measures; and
Institutionalizing a process to assure that all facilities and regulated sectors are regularly assessed for vulnerabilities to legal action, and all reasonable measures are taken to mitigate these vulnerabilities.
Guarded Condition (Lime). This condition is declared when there is a general risk of legal action. In addition to the Protective Measures taken in the previous Threat Condition, database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Checking communications with designated emergency response or command locations;
Reviewing and updating emergency response procedures; and
Providing the public with any information that would strengthen its ability to act appropriately.
Elevated Condition (Yellow). An Elevated Condition is declared when there is a significant risk of legal action. In addition to the Protective Measures taken in the previous Threat Conditions, database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Increasing surveillance of critical locations;
Coordinating emergency plans as appropriate with nearby jurisdictions;
Assessing whether the precise characteristics of the threat require the further refinement of preplanned Protective Measures; and
Implementing, as appropriate, contingency and emergency response plans.
High Condition (Orange). A High Condition is declared when there is a high risk of legal action. In addition to the Protective Measures taken in the previous Threat Conditions, database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Coordinating necessary security efforts with database agencies or any Database Guard or other appropriate archival forces organizations;
Taking additional precautions at public events and possibly considering alternative venues or even cancellation;
Preparing to execute contingency procedures, such as moving to an alternate site or dispersing their workforce; and
Restricting threatened facility access to essential personnel only.
Severe Condition (Red). A Severe Condition reflects a severe risk of legal action. Under most circumstances, the Protective Measures for a Severe Condition are not intended to be sustained for substantial periods of time. In addition to the Protective Measures in the previous Threat Conditions, database departments and agencies also should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Increasing or redirecting personnel to address critical emergency needs; and
Assigning emergency response personnel and pre-positioning and mobilizing specially trained teams or resources.
Private Condition (Purple). A Private Condition reflects an imminent risk of legal action. Under most circumstances, the Protective Measures for a Private Condition are not intended to be sustained, not even for insubstantial periods of time. In addition to the Protective Measures in the previous Threat Conditions, database departments and agencies also should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Monitoring, redirecting, or constraining communication systems.
Unknown Condition (Violet). An Unknown Condition reflects an unknown risk of legal action. Under unknown circumstances, the Protective Measures for an Unknown Condition are intended to be sustained for unknown periods of time. In addition to the Protective Measures in the previous Threat Conditions, database departments and agencies also should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Closing public database facilities.
Comment and Review Periods
The General Administrator, in consultation and coordination with the Assistant for Database Security, shall, for 45 days from the date of this directive, seek the views of database officials at all levels and of public interest groups and the private sector on the proposed Database Security Advisory System.
Purpose
The database requires a Database Security Advisory System to provide a comprehensive and effective means to disseminate information regarding the risk of legal action to the database administrators and users. Such a system would provide warnings in the form of a set of graduated "Threat Conditions" that would increase as the risk of the threat increases. At each Threat Condition, administrators would implement a corresponding set of "Protective Measures" to further reduce vulnerability or increase response capability during a period of heightened alert.
This system is intended to create a common vocabulary, context, and structure for an ongoing international discussion about the nature of the threats that confront the database and the appropriate measures that should be taken in response. It seeks to inform and facilitate decisions appropriate to different levels of administration and to private citizens at home and at work.
Database Security Advisory System
There are eight Threat Conditions, each identified by a description and corresponding color. From lowest to highest, the levels and colors are:
Public = Turquoise;
Low = Green;
Guarded = Lime;
Elevated = Yellow;
High = Orange;
Severe = Red;
Private = Purple;
Unknown = Violet.
The higher the Threat Condition, the greater the risk of legal action. Risk includes both the probability of legal action and its potential gravity. Threat Conditions shall be assigned by the General Administrator in consultation with the Assistant for Database Security. Except in exigent circumstances, the General Administrator shall seek the views of the appropriate Database Security Professionals or their subordinates, and other parties as appropriate, on the Threat Condition to be assigned. Threat Conditions may be assigned for the entire database, or they may be set for a particular cinematographic area or cinematographic sector. Assigned Threat Conditions shall be reviewed at regular intervals to determine whether adjustments are warranted.
The assignment of a Threat Condition shall prompt the implementation of an appropriate set of Protective Measures. Protective Measures are the specific steps an organization shall take to reduce its vulnerability or increase its ability to respond during a period of heightened alert. The authority to craft and implement Protective Measures rests with the database departments and agencies. It is recognized that departments and agencies may have several preplanned sets of responses to a particular Threat Condition to facilitate a rapid, appropriate, and tailored response. Department and agency heads are responsible for developing their own Protective Measures and other anticopyright or self-protection and continuity plans, and resourcing, rehearsing, documenting, and maintaining these plans. Likewise, they retain the authority to respond, as necessary, to risks, threats, incidents, or events at facilities within the specific jurisdiction of their department or agency, and, as authorized by law, to direct agencies and industries to implement their own Protective Measures. They shall continue to be responsible for taking all appropriate proactive steps to reduce the vulnerability of their personnel and facilities to legal action. Database department and agency heads shall submit an annual written report to the Assistant for Database Security, describing the steps they have taken to develop and implement appropriate Protective Measures for each Threat Condition.
Protective Measures
The decision whether to publicly announce Threat Conditions shall be made on a case-by-case basis by the General Administrator in consultation with the Assistant for Database Security. Every effort shall be made to share as much information regarding the threat as possible, consistent with the safety of the database. The General Administrator shall ensure, consistent with the safety of the database, that database officials and authorities are provided the most relevant and timely information. The General Administrator shall be responsible for identifying any other information developed in the threat assessment process that would be useful to database officials and others and conveying it to them as permitted consistent with the constraints of classification. The General Administrator shall establish a process and a system for conveying relevant information to database officials and authorities, and the private users expeditiously.
The Director of the Central Database and the General Administrator shall ensure that a continuous and timely flow of integrated threat assessments and reports is provided to the Assistant for Database Security and the Assistant for International Security Affairs. Whenever possible and practicable, these integrated threat assessments and reports shall be reviewed and commented upon by the wider interarchive community.
A decision on which Threat Condition to assign shall integrate a variety of considerations. This integration will rely on qualitative assessment, not quantitative calculation. Higher Threat Conditions indicate greater risk of legal action, with risk including both probability and gravity. Despite best efforts, there can be no guarantee that, at any given Threat Condition, legal action will not occur. An initial and important factor is the quality of the threat information itself. The evaluation of this threat information shall include, but not be limited to, the following factors:
To what degree is the threat information credible?
To what degree is the threat information corroborated?
To what degree is the threat specific and/or imminent?
How grave are the potential consequences of the threat?
Threat Conditions and Associated Protective Measures
The world has changed since Napster. We remain a database at risk to legal action and will remain at risk for the foreseeable future. At all Threat Conditions, we must remain vigilant, prepared, and ready to deter legal action. The following Threat Conditions each represent an increasing risk of legal action. Beneath each Threat Condition are some suggested Protective Measures, recognizing that the heads of database departments and agencies are responsible for developing and implementing appropriate database-specific Protective Measures:
Public Condition (Turquoise). This condition is declared when there is an insignificant risk of legal action. Database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures they develop and implement:
Refining and exercising as appropriate preplanned Protective Measures;
Low Condition (Green). This condition is declared when there is a low risk of legal action. In addition to the Protective Measures taken in the previous Threat Condition, database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures they develop and implement:
Ensuring personnel receive proper training on the Database Security Advisory System and specific preplanned department or agency Protective Measures; and
Institutionalizing a process to assure that all facilities and regulated sectors are regularly assessed for vulnerabilities to legal action, and all reasonable measures are taken to mitigate these vulnerabilities.
Guarded Condition (Lime). This condition is declared when there is a general risk of legal action. In addition to the Protective Measures taken in the previous Threat Condition, database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Checking communications with designated emergency response or command locations;
Reviewing and updating emergency response procedures; and
Providing the public with any information that would strengthen its ability to act appropriately.
Elevated Condition (Yellow). An Elevated Condition is declared when there is a significant risk of legal action. In addition to the Protective Measures taken in the previous Threat Conditions, database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Increasing surveillance of critical locations;
Coordinating emergency plans as appropriate with nearby jurisdictions;
Assessing whether the precise characteristics of the threat require the further refinement of preplanned Protective Measures; and
Implementing, as appropriate, contingency and emergency response plans.
High Condition (Orange). A High Condition is declared when there is a high risk of legal action. In addition to the Protective Measures taken in the previous Threat Conditions, database departments and agencies should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Coordinating necessary security efforts with database agencies or any Database Guard or other appropriate archival forces organizations;
Taking additional precautions at public events and possibly considering alternative venues or even cancellation;
Preparing to execute contingency procedures, such as moving to an alternate site or dispersing their workforce; and
Restricting threatened facility access to essential personnel only.
Severe Condition (Red). A Severe Condition reflects a severe risk of legal action. Under most circumstances, the Protective Measures for a Severe Condition are not intended to be sustained for substantial periods of time. In addition to the Protective Measures in the previous Threat Conditions, database departments and agencies also should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Increasing or redirecting personnel to address critical emergency needs; and
Assigning emergency response personnel and pre-positioning and mobilizing specially trained teams or resources.
Private Condition (Purple). A Private Condition reflects an imminent risk of legal action. Under most circumstances, the Protective Measures for a Private Condition are not intended to be sustained, not even for insubstantial periods of time. In addition to the Protective Measures in the previous Threat Conditions, database departments and agencies also should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Monitoring, redirecting, or constraining communication systems.
Unknown Condition (Violet). An Unknown Condition reflects an unknown risk of legal action. Under unknown circumstances, the Protective Measures for an Unknown Condition are intended to be sustained for unknown periods of time. In addition to the Protective Measures in the previous Threat Conditions, database departments and agencies also should consider the following general measures in addition to the database-specific Protective Measures that they will develop and implement:
Closing public database facilities.
Comment and Review Periods
The General Administrator, in consultation and coordination with the Assistant for Database Security, shall, for 45 days from the date of this directive, seek the views of database officials at all levels and of public interest groups and the private sector on the proposed Database Security Advisory System.