Rights Management
Purpose
Our website requires a Homepage Security Advisory System to provide a comprehensive and effective means to disseminate information regarding the risk of legal action to its administrators and users. Such a system would provide warnings in the form of a set of graduated "Threat Conditions" that would increase as the risk of the threat increases. At each Threat Condition, administrators would implement a corresponding set of "Protective Measures" to further reduce vulnerability or increase response capability during a period of heightened alert.
This system is intended to create a common vocabulary, context, and structure for an ongoing discussion about the nature of the threats that confront our website and the appropriate measures that should be taken in response. It seeks to inform and facilitate decisions appropriate to different levels of administration and staff and to private users at home and at work.
Homepage Security Advisory System
There are six (6) Threat Conditions, each identified by a description and corresponding color. From lowest to highest, the levels and colors are:
- Public = Green;
- Relaxed = Lime;
- Regular = Yellow;
- Restricted = Orange;
- Private = Red;
- Unknown = Purple.
The higher the Threat Condition, the greater the risk of legal action. Risk includes both the probability of legal action and its potential gravity. Threat Conditions shall be assigned by the General Administrator in consultation with the Assistant for Homepage Security. Except in exigent circumstances, the General Administrator shall seek the views of the appropriate Homepage Security Professionals or their subordinates, and other parties as appropriate, on the Threat Condition to be assigned. Threat Conditions may be assigned for the entire database, or they may be set for a particular cinematographic area or cinematographic sector. Assigned Threat Conditions shall be reviewed at regular intervals to determine whether adjustments are warranted.
Protective Measures
The decision whether to publicly announce Threat Conditions shall be made on a case-by-case basis by the General Administrator in consultation with the Assistant for Homepage Security. Every effort shall be made to share as much information regarding the threat as possible, consistent with the safety of the website. The General Administrator shall ensure, consistent with the safety of the website, that administrators and staff are provided the most relevant and timely information. The General Administrator shall be responsible for identifying any other information developed in the threat assessment process that would be useful to website administrators and others and conveying it to them as permitted consistent with the constraints of classification. The General Administrator shall establish a process and a system for conveying relevant information to administators and staff, and the private users expeditiously.
The Director of the Central Database and the General Administrator shall ensure that a continuous and timely flow of integrated threat assessments and reports is provided to the Assistant for Homepage Security and the Assistant for Legal Affairs. Whenever possible and practicable, these integrated threat assessments and reports shall be reviewed and commented upon by the wider community.
A decision on which Threat Condition to assign shall integrate a variety of considerations. This integration will rely on qualitative assessment, not quantitative calculation. Higher Threat Conditions indicate greater risk of legal action, with risk including both probability and gravity. Despite best efforts, there can be no guarantee that, at any given Threat Condition, legal action will not occur. An initial and important factor is the quality of the threat information itself. The evaluation of this threat information shall include, but not be limited to, the following factors:
- To what degree is the threat information credible?
- To what degree is the threat information corroborated?
- To what degree is the threat specific and/or imminent?
- How grave are the potential consequences of the threat?
Threat Conditions and Associated Protective Measures
The world has changed since Napster. We remain a website at risk to legal action and will remain at risk for the foreseeable future. At all Threat Conditions, we must remain vigilant, prepared, and ready to deter legal action. The following Threat Conditions each represent an increasing risk of legal action. Beneath each Threat Condition are some suggested Protective Measures, recognizing that administrators and staff are responsible for developing and implementing appropriate database-specific Protective Measures:
Public Condition (Green). This condition is declared when there is a low risk of legal action. Administrators and staff should consider the following general measures in addition to the website-specific Protective Measures they develop and implement:
- Refining and exercising as appropriate preplanned Protective Measures;
- Ensuring personnel receive proper training on the Homepage Security Advisory System and specific preplanned Protective Measures; and
- Institutionalizing a process to assure that all content is regularly assessed for vulnerabilities to legal action, and all reasonable measures are taken to mitigate these vulnerabilities.
Relaxed Condition (Lime). This condition is declared when there is a general risk of legal action. In addition to the Protective Measures taken in the previous Threat Condition, database departments and agencies should consider the following general measures in addition to the website-specific Protective Measures that they will develop and implement:
- Checking communications with designated legal response teams;
- Reviewing and updating legal response procedures; and
- Providing the users with any information that would strengthen its ability to act appropriately.
Regular Condition (Yellow). A Regular Condition is declared when there is a significant risk of legal action. In addition to the Protective Measures taken in the previous Threat Conditions, administrators and staff should consider the following general measures in addition to the website-specific Protective Measures that they will develop and implement:
- Increasing surveillance of critical users;
- Coordinating legal response plans as appropriate with nearby jurisdictions;
- Assessing whether the precise characteristics of the threat require the further refinement of preplanned Protective Measures; and
- Implementing, as appropriate, backup and legal response plans.
Restricted Condition (Orange). A Restricted Condition is declared when there is a high risk of legal action. In addition to the Protective Measures taken in the previous Threat Conditions, administrators and staff should consider the following general measures in addition to the website-specific Protective Measures that they will develop and implement:
- Coordinating necessary legal efforts with Federal, State, and local law enforcement agencies or other appropriate organizations;
- Taking additional precautions at public events and possibly considering alternative venues or even cancellation;
- Preparing to execute backup procedures, such as moving to an alternate domain or dispersing the content; and
- Restricting threatened database access to essential personnel only.
Private Condition (Red). A Private Condition reflects a severe risk of legal action. Under most circumstances, the Protective Measures for a Private Condition are not intended to be sustained for substantial periods of time. In addition to the Protective Measures in the previous Threat Conditions, administrators and staff also should consider the following general measures in addition to the website-specific Protective Measures that they will develop and implement:
- Increasing or redirecting staff to address critical legal needs; and
- Assigning legal response personnel and pre-positioning and mobilizing specially trained legal teams or resources.
Unknown Condition (Purple). An Unknown Condition reflects an unknown risk of legal action. Under unknown circumstances, the Protective Measures for an Unknown Condition are intended to be sustained for unknown periods of time. In addition to the Protective Measures in the previous Threat Conditions, administrators and staff also should consider the following general measures in addition to the website-specific Protective Measures that they will develop and implement:
- Monitoring, redirecting, or constraining internet traffic; and
- Closing public databases.
Comment and Review Periods
The General Administrator, in consultation and coordination with the Assistant for Homepage Security, shall, for 45 days from the date of this directive, seek the views of database officials at all levels and of public interest groups and the private sector on the proposed Homepage Security Advisory System. One hundred thirty-five days from the date of this directive the General Administrator, after consultation and coordination with the Assistant for Homepage Security, and having considered the views received during the comment period, shall recommend to the Director of the Central Database in writing proposed refinements to the Homepage Security Advisory System.
0xDB requires JavaScript.
