NSS No. 23-G Security of Nuclear Information

Section Paragraph Text
Main 1.1. The overall objective of a State’s nuclear security regime is to protect persons, property, society and the environment from harmful consequences of a nuclear security event [1]. Groups or individuals wishing to plan or commit any malicious act involving nuclear material or other radioactive material or associated facilities may benefit from access to sensitive information. Such information should therefore be identified, classified and secured with the appropriate measures. Sensitive information is information, in whatever form, including software, the unauthorized disclosure, modification, alteration, destruction, or denial of use of which could compromise nuclear security.
Main 1.2. Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities or processes. Information security not only includes ensuring the confidentiality of information, but also includes ensuring the accuracy and completeness of the information (its integrity) and the accessibility or usability of the information on demand (its availability).
Main 1.3. Ensuring the security of sensitive information is a cross-cutting prerequisite for nuclear security, and the systems and measures to achieve effective information security are key elements of a State’s nuclear security regime.
Main 1.4. The Nuclear Security Fundamentals [1] and all three Nuclear Security Recommendations publications [2–4] recognize the importance of securing sensitive information. This Implementing Guide expands on the high level statements in those publications to provide additional detail on what should be done.
Main 1.5. This publication provides guidance on implementing the principle of confidentiality and on the broader aspects of information security. Much national and international guidance exists regarding the establishment and management of information security frameworks for information of various types, in the form of both high level guidance and detailed standards. This publication does not intend to replace such guidance. Instead, its goal is to assist States in bridging the gap between existing government and industry standards on information security in general, the particular concepts and considerations that apply to nuclear security, and the special provisions and conditions that exist when dealing with nuclear material and other radioactive material.
Main 1.6. The objective of this publication is to provide guidance on:
  • Establishing an effective framework for ensuring the confidentiality, integrity and availability of sensitive information (Section 3), including the necessary legislation and regulations;

  • Identifying information that may be considered as sensitive information (Section 4);

  • Considerations for the sharing and disclosure of sensitive information (Section 5);

  • Guidelines and methodologies for ensuring confidentiality, integrity and availability (Section 6).

Main 1.7. This publication addresses the security of sensitive information for civil uses of nuclear material and other radioactive material and associated facilities and activities. It focuses on sensitive information related to material and facilities that are under regulatory control.
Main 1.8. Nuclear security as it relates to nuclear and other radioactive material out of regulatory control may also involve sensitive information that needs to be secured. In such cases, the general guidance provided here should be applied insofar as it is applicable.
Main 1.9. The intended audience for this publication is anyone with a responsibility for the security of sensitive information. This includes:
  • Competent authorities, including regulatory bodies;

  • Management in facilities, companies and organizations involved in the use, storage or transport of nuclear material or other radioactive material;

  • Facility operators and their staff, particularly the security staff;

  • Contractors or other third parties working for the authorities, organizations or facility operators;

  • Any other entities that may have been given legitimate access to sensitive information.

Main 1.10. Following this introduction, Section 2 introduces several key terms and concepts that will be used throughout the publication. Section 3 describes the necessary elements that together build a framework for the security of sensitive information within a State, and Sections 4–6 address these elements in turn. Section 4 presents considerations for determining which information is sensitive information and therefore needs to be secured. Section 5 contains considerations for the sharing and disclosure of sensitive information. Section 6 describes in more detail the necessary actions at the facility level for securing sensitive information. Annex I provides an example of a classification framework. Annex II provides an example of a security categorization scheme for nuclear security related information. A suggested format and content of a training and awareness programme is given in Annex III.
Main 2.1. This section clarifies the meaning of certain important terms as used in this publication. The section also applies the key concepts of information security to the context of nuclear security. Definitions of a wider range of relevant terms are provided in the Glossary, at the end of this publication.
Main 2.2. Information is knowledge, irrespective of its form of existence or expression. It includes ideas, concepts, events, processes, thoughts, facts and patterns. Information can be recorded on material such as paper, film, magnetic or optical media, or held in electronic systems. Information can be represented and communicated by almost any means. In the nuclear domain, there is a vast amount of information in many forms. Information assets are the equipment or components (including media) that are used to store, process, control or transmit information.
Main 2.3. For the purpose of handling and security, information may be grouped into information objects. These may be defined as all elements of information that have value to an organization. Typically, an information object comprises a set of data, information or knowledge that shares a common usage, purpose, associated risk or form of storage or transmission.
Main 2.4. It is important to understand that nuclear security related information may have value (possibly of different natures and magnitudes) to any, or all, of the following:
  • The State;

  • Competent authorities;

  • Facility operators (including third parties, such as vendors);

  • A potential adversary (individuals and organized entities);

  • The media;

  • The public.

Main 2.5. Sensitive information is information, the unauthorized disclosure (or modification, alteration, destruction or denial of use) of which could compromise nuclear security or otherwise assist in the carrying out of a malicious act against a nuclear facility, organization or transport. Such information may refer, for example, to the nuclear security arrangements at a facility, the systems, structures and components at a facility, the location and details of transport of nuclear material or other radioactive material, or details of an organization’s personnel.
Main 2.6. Identifying information that satisfies this definition is among the key steps in establishing an information security programme to ensure confidentiality. More detailed and comprehensive guidance on the topic is provided in Section 4, and illustrative examples are provided in Annex II.
Main 2.7. Securing sensitive information is necessary because easy access to inadequately secured information can help adversaries to plan or commit malicious acts with relatively little effort or risk. If, for example, a facility’s physical protection plan were acquired by adversaries planning an attack on the facility, they would know the obstacles they would face, the size and arming of the guard force, the size of the response force and the approximate time it would take for that force to arrive at the site. They would also know the important targets within the facility, their locations and the measures protecting them. Similarly, if an adversary wishing to steal nuclear material during transport succeeded in acquiring a device giving access to detailed information about the planned transport — because the device had been inadequately secured — the adversary could plan an attack more effectively. Thus, the possession of such information or information assets by adversaries would increase the likelihood of their success.
Main 2.8. Access to sensitive information and sensitive information objects should be no wider than is necessary for the conduct of an organization’s business. By implication, dissemination should be limited to those individuals who are appropriately authorized for access, and only in those circumstances in which they need access. The ‘need to know’ and ‘need to hold’ rules are fundamental to the security of sensitive information. These rules should guide the management and control of information access rights. Access rights should be reviewed periodically and whenever circumstances require it.
Main 2.9. Ensuring confidentiality depends on the application of security measures to selected sensitive information and sensitive information assets (the equipment or components, including media, that process, handle, store or transmit sensitive information) in order to ensure that it does not fall into the hands of unauthorized individuals or organizations, either external or internal. Guidance on measures against the insider threat is contained in Preventive and Protective Measures against Insider Threats [5]. Security measures should be based on risk analysis. The risk analysis should be kept up to date by a process of periodical reviews.
Main 2.10. Information security, as described in this publication, refers to the system, programme or set of rules in place to ensure the confidentiality, integrity and availability of information in any form. At a minimum, it includes:
  • Security of information in physical forms (e.g. paper and electronic media);

  • Security of computer systems, sometimes referred to as computer security, information technology (IT) security or cybersecurity (additional IAEA guidance can be found in Computer Security at Nuclear Facilities [6]);

  • Security of information assets (e.g. information storage and processing equipment, communication systems and networks);

  • Security of information about facility employees and third parties (e.g. contractors and vendors) that could compromise the security of the above;

  • Security of intangible information (e.g. knowledge).

Main 2.11. While confidentiality is often singled out, organizations should ensure that their information security programme addresses all three attributes. Loss of integrity or availability can negatively affect nuclear security just as loss of confidentiality can: for example, if authorized users do not have timely access to information necessary for their duties (loss of availability), or if that information has been altered in such a manner as to mislead them (loss of integrity).
Main 2.12. Information security should be considered and applied in the context of the overall security framework. It is closely interdependent with other security domains such as physical protection and personnel security. For example, physical protection measures can be used to protect sensitive information and sensitive information assets, while confidentiality measures make attack against physical protection systems more difficult or uncertain for adversaries. Gaps or shortfalls in any of the security domains can affect security in the others, so it is essential to use a comprehensive approach considering all domains together.
Main 2.13. Information security should also consider the necessary balance between security and other objectives, including safety, openness and transparency, and operational aspects. Guidance on safety is provided in the IAEA Safety Standards Series.
Main 3.1. Securing sensitive information on a fragmented, facility by facility basis will not be effective. An effective national framework is necessary to ensure comprehensive security measures across all facilities, sites and organizations (governmental and non-governmental) handling sensitive information. The State should build this national framework, which will include establishing:
  • The responsibility of the State;

  • A legal and regulatory framework;

  • National guidance;

  • Security policies;

  • Classification schemes.

Main Policies within each organization also contribute to the overall framework.
Main 3.2. The responsibility for ensuring the existence and effective operation of a State’s comprehensive nuclear security regime rests with the government of that State. Ensuring the security of sensitive information is an integral part of the nuclear security regime that the State should enforce.
Main 3.3. States typically have government organizations or agencies that are responsible for overall national security, hereafter referred to as national security authorities. The national security authorities usually have the responsibility of defining the fundamental national policy on all aspects of security. The security policies and instructions issued by the national security authorities are often general in nature, and not specifically designed for nuclear security. However, many States’ national security authorities do have policies and guidance for securing sensitive information, for example in government or military use.
Main 3.4. The State’s relevant competent authorities should develop and issue policy and requirements specific to the security of sensitive information at nuclear material and other radioactive material associated facilities and activities. These are usually based on, and in accordance with, any national security policy and requirements issued by the national security authorities, but taking into account the special nature of the activities that involve such materials. The competent authorities should also maintain close liaison with the national security authorities in order for the national threat assessment or design basis threat to be devised (for more information, see Development, Use and Maintenance of the Design Basis Threat [7]).
Main 3.5. Each organization should establish its internal policy, plans and procedures for ensuring the confidentiality, integrity and availability of any sensitive information related to nuclear security that it holds or handles, and for protecting related sensitive information assets, in compliance with the national security policy and the relevant national laws and requirements. All employees should be fully aware of the need for information security and follow their organizations’ information security rules and procedures.
Main 3.6. Requirements for the maintenance of nuclear security within a State’s boundaries should apply to all ministries, departments, agencies and other organizations that deal with matters identified by the State to be necessary for national nuclear security. The State may impose these requirements by laws, regulations or other legally binding requirements. The State’s requirements for nuclear security should include information security requirements. There should also be legislation in place that defines the sanctions or punishment that will be applied to any individual or organization who breaches such information security requirements. Such legislation may have sections which define the severity of particular types of breach of confidentiality or other information attributes and corresponding sanctions.
Main 3.7. The competent authorities’ regulatory powers should allow them to place obligations on the holders of sensitive information. The laws enacted for this purpose should mandate sanctions or punishment for unauthorized disclosure. The legislation should also mandate that State ministries, departments, agencies and other organizations provide the competent authorities with all necessary support to enable them to fulfil their task of ensuring the security of sensitive information.
Main 3.8. State policy on the security of information should define which type of information the State wishes to be secured and indicate how that security is to be applied. This is usually set out in a security manual compiled by the State’s national security authorities (or other appropriate authority). A manual of this sort may not make any direct mention of sensitive information for nuclear security. The manual will, however, specify different classes of information indicating its level of sensitivity, and hence the level of security to be applied, and how information objects should be marked to ensure that the level of their sensitivity is obvious.
Main 3.9. Detailed guidance on what constitutes sensitive information should be provided by the relevant competent authorities, in close liaison with the national security authorities and with the participation of users of nuclear material and other radioactive material. Such guidance is typically based on, and should be consistent with, the provisions of any national threat assessment. This type of guidance, sometimes referred to as classification policy, typically divides types of information into a series of related topics, and indicates the relative importance of a particular piece of information and thus its sensitivity and the degree of security to be applied.
Main 3.10. At the organization level, the importance of particular information can be indicated in the organization’s security plan, which should describe how particular sensitive information is to be protected in compliance with national legislation and regulations.
Main 3.11. In addition to issuing information security policies that comply with national requirements, the competent authorities should provide details of how these requirements should be applied to facilities and activities involving nuclear material and other radioactive material.
Main 3.12. The State’s policy on nuclear security should demonstrate a commitment to information security. It should encourage this through the issue and maintenance of a comprehensive and appropriate information security policy to be applied to all facilities and activities involving nuclear material and other radioactive material, as well as any other locations where related sensitive information is held. The aim of the policy is to ensure that sensitive information is secured against compromise.
Main 3.13. Each organization and facility that handles sensitive information should then compile its own dedicated information security policy, based on that of the competent authorities where applicable. This policy should be communicated throughout the organization in a form that is relevant, accessible and understandable to the intended users. Section 6 contains additional guidance on establishing an information security management programme, including policies.
Main 3.14. Implementing information security schemes and associated controls needs resources and time. It is not feasible or desirable to secure equally all information at a site or facility. Some information is non-sensitive and does not need any particular assurance measures. Even for sensitive information, different information objects may need different levels of security. It is therefore important to identify which information is sensitive information, and which level of security it requires. The competent authorities in each State should define which information concerning nuclear material, other radioactive material, associated facilities and activities constitutes sensitive information. Concerning international transport, the State should identify which information needs to be secured and may want to consider consistency among the States involved in international transport.
Main 3.15. The recommended way of assessing the value of a particular information asset is to use a risk informed approach, considering the damage and consequences that are likely to occur in the event of its compromise. It is important to note that any information compromise at one facility could affect other facilities with similar information assets; hence, the damage and consequences should be considered broadly for nuclear security effects at other locations and not just for one specific location. Specific consideration should be given to accumulations of information and potential single points of failure (e.g. information assets dependent on a single network or electricity supply). The results of this assessment could be used to determine the necessary level of security required for every information object, in accordance with the classification system used by the particular State.
Main 3.16. A national system of classification should be established and maintained to group information into classes, such that the unauthorized disclosure of any of the information within a class would have similar consequences, and therefore that all information in a particular class should be subject to similar security requirements. This should be a national system, not specific to a particular industry or devised by a single facility. In many instances, States already maintain such classification systems, but such systems may not address nuclear security specific information. The system is based on a risk informed approach, where the potential consequences of unauthorized disclosure of information determine the class and the related security requirements for such information.
Main 3.17. Careful consideration should be given to the number of classification categories and the benefits to be gained from their use. Very complex schemes may become cumbersome and prove impractical, whereas very simple schemes may not provide sufficiently precise classification. Furthermore, care should be taken when assigning a classification level to information objects. Overclassification (i.e. requiring more stringent security than is really necessary) can lead to unnecessary additional expense, whereas underclassification can put the information at an unacceptable risk of compromise. Overclassification may also conflict with policies on transparency or create a situation in which the classification becomes less meaningful to users of the information.
Main 3.18. A possible classification scheme for sensitive information, with classes that indicate the sensitivity of particular information objects, might contain the following levels:
  • SECRET;

  • CONFIDENTIAL;

  • RESTRICTED.

Main 3.19. Additional information labels may indicate the restrictions on distribution of the information arising from its classification, such as:
  • No Further Distribution;

  • Distribution Controlled by Originator;

  • For Official Use;

  • Restricted Distribution;

  • Available for Public Use.

Main 3.20. Example definitions for the classification levels SECRET to RESTRICTED are given in Annex I.
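The ‘need to know’ and ‘need to hold’ rules of para. 2.8, the periodic review of access rights, and the three-level scheme of paras 3.18–3.19 are usually enforced together at the point where someone asks for an information object. The following is an added example, not code from NSS No. 23-G or the IAEA, of an access decision that combines them: the requester’s clearance must dominate the object’s classification, the requester must hold every need-to-know compartment the object carries, and a grant whose review date has passed is treated as lapsed. The PUBLIC floor, the compartment names, the people and the dates are assumptions constructed for illustration.

```python
"""Added example, not taken from NSS No. 23-G: an access decision for a
sensitive information object that applies three controls the guide
describes together: a clearance level that must dominate the object's
classification (SECRET > CONFIDENTIAL > RESTRICTED, with an assumed PUBLIC
floor for releasable material), a need-to-know check against named
compartments, and expiry of access rights that have passed their periodic
review date. Compartment names, dates and people are constructed."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Optional

# Ordered from least to most sensitive; a higher index dominates a lower one.
# PUBLIC is an assumed floor, not one of the guide's three example levels.
LEVELS = ("PUBLIC", "RESTRICTED", "CONFIDENTIAL", "SECRET")


def dominates(clearance: str, classification: str) -> bool:
    """True when the clearance is at or above the object's classification."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)


@dataclass(frozen=True)
class InfoObject:
    name: str
    classification: str
    compartments: FrozenSet[str]  # need-to-know tags; empty means none required


@dataclass(frozen=True)
class Grant:
    clearance: str
    compartments: FrozenSet[str]  # compartments this person is authorised for
    review_due: date              # right lapses if not re-confirmed by this date


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(grant: Optional[Grant], obj: InfoObject, today: date) -> Decision:
    """Deny by default; each failing check names the control that failed."""
    if grant is None:
        return Decision(False, "no access right on record")
    if today > grant.review_due:
        return Decision(False, "access right lapsed: periodic review overdue")
    if not dominates(grant.clearance, obj.classification):
        return Decision(False, f"clearance {grant.clearance} does not dominate {obj.classification}")
    missing = obj.compartments - grant.compartments
    if missing:
        return Decision(False, "no need to know for: " + ", ".join(sorted(missing)))
    return Decision(True, "clearance, need to know and review date all satisfied")


def run_example(today: date = date(2024, 6, 1)) -> Dict[str, Decision]:
    """Constructed objects and grants; returns one decision per (person, object)."""
    pps_plan = InfoObject("physical protection plan", "SECRET", frozenset({"PPS-DESIGN"}))
    response_plan = InfoObject("contingency response plan", "SECRET", frozenset({"RESPONSE"}))
    transport = InfoObject("transport schedule", "CONFIDENTIAL", frozenset({"TRANSPORT"}))
    staff_list = InfoObject("staff contact list", "RESTRICTED", frozenset())
    grants: Dict[str, Grant] = {
        "security-manager": Grant("SECRET", frozenset({"PPS-DESIGN", "TRANSPORT"}), date(2024, 12, 31)),
        "transport-planner": Grant("CONFIDENTIAL", frozenset({"TRANSPORT"}), date(2024, 12, 31)),
        "former-contractor": Grant("SECRET", frozenset({"PPS-DESIGN"}), date(2023, 12, 31)),
    }
    checks = [
        ("security-manager", pps_plan),       # allowed
        ("security-manager", response_plan),  # denied: clearance alone is not enough
        ("transport-planner", pps_plan),      # denied: CONFIDENTIAL < SECRET
        ("transport-planner", transport),     # allowed
        ("transport-planner", staff_list),    # allowed: no compartment required
        ("former-contractor", pps_plan),      # denied: review date passed
        ("visitor", staff_list),              # denied: no grant at all
    ]
    return {f"{who} -> {obj.name}": decide(grants.get(who), obj, today) for who, obj in checks}


if __name__ == "__main__":
    for key, d in run_example().items():
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {key}: {d.reason}")
```

The order of the checks is deliberate: a lapsed grant is rejected before its clearance is even consulted, so a review backlog fails closed rather than open, and the reasons are specific enough to feed the access-rights review that para. 2.8 calls for.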
Main 4.1. The first step in classifying and securing information is to identify the information that is considered sensitive information.
Main 4.2. Security controls should be considered for information of at least the following types, which could affect nuclear security:
  • Details of physical protection systems and any other security measures in place for nuclear material, other radioactive material, associated facilities and activities, including information on guard and response forces;

  • Information relating to the quantity and form of nuclear material or other radioactive material in use or storage, including nuclear material accounting information;

  • Information relating to the quantity and form of nuclear material or other radioactive material in transport;

  • Details of computer systems, including communication systems, that process, handle, store or transmit information that is directly or indirectly important to safety and security;

  • Contingency and response plans for nuclear security events;

  • Personal information about employees, vendors and contractors;

  • Threat assessments and security alerting information;

  • Details of sensitive technology;

  • Details of vulnerabilities or weaknesses that relate to the above topics;

  • Historical information on any of the above topics.

Main Some of the above information, such as personal information, may also be subject to specific security requirements under other national laws or company policies.

Main 4.3. Annex II contains examples of specific types of information in the categories of para. 4.2, indicating whether they are typically considered to be sensitive information and why.
Main 5.1. There will often be a legitimate need to share sensitive information on an ongoing basis, for example among appropriate State agencies, among organizations handling nuclear material or other radioactive material and the relevant competent authorities, or among different States. Similarly, there will sometimes be a need to disclose sensitive information on an ad hoc basis to other organizations or the public. Both sharing and disclosure should be managed so as to ensure that sensitive information is not inadvertently shared with or disclosed to those who do not have a need to know.
Main 5.2. It is sometimes necessary for certain sensitive information to be shared with authorized State agencies or with companies and organizations that have a need to know the information. Sharing information can create efficiencies that would not exist if the information were developed and handled independently. There are also occasions where not sharing information may damage security or weaken the overall planning, design and implementation of security measures. Furthermore, as nuclear security responsibilities are often not held exclusively by any single agency, company or organization, it is often necessary that information be shared among those who share the security responsibilities. For example, it is often necessary in the interests of national security for the competent authorities to pass sensitive information to the national security authorities and vice versa: changes in threat assessments or information on security events should be communicated in a timely fashion to the relevant parties, in order to enable adjustment of security measures and the exchange of operational experience as a basis for continual improvement. In addition to security considerations, information sharing may be needed to support other objectives, including safety assessment and operational and commercial needs.
Main 5.3. The nature and extent of sharing such information should be based firstly on compliance with national laws or regulations and then on a balance between the benefits obtained from sharing and the needs of security. Rules on the passing of information between such authorities should be governed by the security procedures that pertain in that State. Establishing a common approach within the State can ensure that sensitive information is not disclosed inappropriately.
Main 5.4. It is often also necessary to share certain information with other States or relevant international organizations. In such a case, there should be an agreement in place to guarantee that sensitive information is secured by the recipient in a manner consistent with the requirements of the owner of the information. Security of information may be assured through a bilateral or multilateral treaty or agreement that defines how information will be secured against disclosure. Such agreements would typically describe the required protection measures to be applied to sensitive information for different classification levels in each State. They should also take into account how particular requirements in any one State (such as freedom of information legislation, see para. 5.6) might affect the handling of other States’ sensitive information.
Need for disclosure 5.5. Most States have in place laws addressing the security of information of importance to the national interest. Such laws specify sanctions that will be imposed should a person, a national of that State or otherwise, breach the laws on confidentiality of such information. There are also usually laws that regulate an individual’s access to official government information. There may be mechanisms to resolve disagreements between the government and other parties regarding which information can be withheld to protect national security.
Need for disclosure 5.6. Several States have freedom of information legislation or other laws that allow members of the public to request access to information held by the authorities. Typically, the only information that may be withheld by the authorities is that of types covered by specified exemptions, such as information associated with national defence, or private and personal information. In a number of States, an item bearing a classification marking is not automatically exempted from disclosure.
Need for disclosure 5.7. Other laws and regulations may require that certain types of information, which may include sensitive information, be disclosed. One example is environmental legislation that requires public reporting of specified information. It should be ensured that such laws allow exemption of information that might affect national security or the security of third parties.
Preparing guidance on disclosure 5.8. Specific guidance should be developed to assist organizations and facilities in deciding which sensitive information may be disclosed. When compiling such guidance, the responsible government agency will typically consult other government departments and relevant organizations. By identifying the type of information that it considers to be unsuitable for disclosure, the guidance should aim to prevent unauthorized disclosure of sensitive information (see also Annex II).
Preparing guidance on disclosure 5.9. States should consider the need to provide specific guidance on:
  • The sensitivity of certain types of sensitive information, based on the consequences of disclosure;

  • Which types of information can be disclosed, under which circumstances, to whom and by which particular methods;

  • Conditions on the disclosure of information;

  • Processes to review information for its potential sensitivity prior to public presentation, such as in conference presentations, web postings or technical specifications;

  • Which actions should be taken in any case of unauthorized disclosure of sensitive information, whether intentional or unintentional, or other breach of information security requirements.

Preparing guidance on disclosure 5.10. The guidance will need to be subject to change. Circumstances evolve and information that might be considered sensitive and unsuitable for disclosure at one time might be significantly less sensitive and suitable for disclosure at a later time (or vice versa). Guidance should therefore be reviewed and updated periodically and in the event of significant changes in policy or circumstances.
Preparing guidance on disclosure 5.11. Reducing the level of security applied to particular information, where appropriate, will generally be feasible. However, reclassification of information to a more restricted class may be impossible or ineffective if it has already been more widely disclosed. This should be taken into account in the original classification, and consideration should be given to the appropriate balance between confidentiality and caution, on the one hand, and availability and transparency, on the other. A default time frame for periodic review of classifications should be established, but changes should also be made when needed, for example if circumstances change significantly.
Preparing guidance on disclosure 5.12. All requests to an organization for disclosure of sensitive information should be considered against the same guidance or criteria and, if possible, all such requests should be processed through a single central office for the organization. A technique commonly used to gain inappropriate access to sensitive information is to make multiple requests to different individuals or units within the same organization. If these requests are addressed separately, without coordination, different responses may be given and sensitive information may be disclosed that otherwise would not have been.
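The split-request technique described in para. 5.12 only works if each unit answers in isolation. A central office that receives or at least logs every request can correlate them by requester. The following is an added example, not code from NSS No. 23-G or the IAEA, of that correlation: it flags any requester who has approached a chosen minimum number of distinct units within a time window, so that the requests are assessed together against the same criteria. The request log, the requester identities, the unit names and the 30-day window are assumptions constructed for illustration.

```python
"""Added example, not taken from NSS No. 23-G: a correlation check that a
central disclosure office could run over incoming requests so that the
split-request technique (several small requests to different units) is
assessed as one request. Requesters, units and subjects are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: (ISO timestamp, requester, receiving unit, subject)
REQUESTS: List[Tuple[str, str, str, str]] = [
    ("2023-11-01T08:00", "j.doe@example.org", "hr", "job vacancies"),
    ("2024-03-01T09:12", "j.doe@example.org", "press office", "guard force size"),
    ("2024-03-02T14:05", "j.doe@example.org", "engineering", "perimeter sensor layout"),
    ("2024-03-04T10:30", "j.doe@example.org", "transport desk", "shipment dates"),
    ("2024-03-03T11:00", "a.smith@example.org", "press office", "site visitor programme"),
    ("2024-03-05T16:20", "a.smith@example.org", "press office", "annual report"),
]


def correlate(requests, window_days: int = 30, min_units: int = 2) -> Dict[str, List[str]]:
    """Flag requesters who approached at least min_units distinct units within
    any span of window_days. Returns {requester: sorted units in the first
    such window}; requesters below the threshold are absent."""
    by_requester = defaultdict(list)
    for ts, who, unit, subject in requests:
        by_requester[who].append((datetime.fromisoformat(ts), unit, subject))
    flagged: Dict[str, List[str]] = {}
    for who, items in by_requester.items():
        items.sort()  # chronological; a window starts at each request in turn
        for start, _, _ in items:
            end = start + timedelta(days=window_days)
            units = {unit for t, unit, _ in items if start <= t <= end}
            if len(units) >= min_units:
                flagged[who] = sorted(units)
                break
    return flagged


if __name__ == "__main__":
    for who, units in correlate(REQUESTS).items():
        print(f"{who}: requests to {len(units)} units within 30 days: {', '.join(units)}")
```

In the constructed log the old vacancy enquiry falls outside the window and is ignored, while the three March requests to the press office, engineering and the transport desk are surfaced together; the single requester who only ever wrote to the press office is not flagged. Tuning `window_days` and `min_units` is a policy decision for the office, which is why both are parameters.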
Main 6.1. Section 3 describes the high level framework for securing sensitive information. This section addresses in more detail the components of such a framework required within a facility or organization, placing them in the context of the management system.
Main 6.2. A management system should be in place that establishes policies and objectives and enables the objectives to be achieved in an efficient and effective manner. An integrated management system (see IAEA Safety Standards Series No. GS-R-3, The Management System for Facilities and Activities [8], and associated guidance) is a vital support element to a nuclear security culture. Many activities at facilities are controlled by management systems. These ideally integrate security, safety, health, environmental, quality and economic elements in a single management process or a set of integrated and mutually reinforcing systems. Information security should be integrated into the existing management system of the facility or organization to ensure information confidentiality, integrity and availability.
Main 6.3. Ensuring the confidentiality, integrity and availability of sensitive information depends on effective designation of roles and responsibilities, classification to identify which information is sensitive and needs to be secured, why it needs to be secured and to which level (see Section 4), decisions on how to secure such information, implementation of the necessary security measures, and response (including recovery) if such information is compromised, stolen or lost.
Main 6.4. The management framework explained in the following applies to all levels of management at organizations holding or handling sensitive information.
Management responsibilities 6.5. Management has the overall responsibility for ensuring information security is in place and effective throughout the facility or organization, in order to secure sensitive information. All personnel who handle sensitive information have a responsibility to ensure its security in accordance with related national legislation as well as the organization’s policies and procedures.
Management responsibilities 6.6. Management responsibilities typically include:
  • Assuming overall responsibility for securing sensitive information and sensitive information assets;

  • Ensuring compliance with relevant laws and regulations;

  • Assigning organizational security responsibilities;

  • Providing effective security training and education;

  • Ensuring that an effective information security policy is established;

  • Providing adequate resources to implement an effective information security programme;

  • Ensuring development of the information security programme and associated plans and procedures;

  • Ensuring effective change management related to plans, procedures and policies;

  • Ensuring periodic audits, reviews and revisions of information security policy and procedures.

Classification responsibilities 6.7. Guidance on the classification to be applied to an information object should be provided by the relevant competent authorities in the form of a classification guide or guidance. Such a document groups information on particular topics and indicates the sensitivity of the information. Those who originate sensitive information should use such a guide when deciding on the appropriate classification level.
Classification responsibilities 6.8. Once information has been disseminated, the recipient or holder of a sensitive information object should not change the classification level applied to the information without the permission of the originator. Recipients and holders of copies may, and when appropriate should, challenge the classification level applied. For example, if the competent authority received information from an operator that was incorrectly classified in reference to applicable laws, it should instruct the operator to change the classification.
Classification responsibilities 6.9. In cases where the originating organization has ceased to function, its successor would become responsible. Where a successor cannot be traced, the holder of a sensitive information object may, if appropriate, change its classification level after consultation with the relevant competent authorities.
Classification responsibilities 6.10. If the classification level applied to an information object or type of information objects is changed, the change should be notified as far as possible to everyone who might be affected. This may include current and past holders of the information, as well as those who might use it in future.
Information security plan 6.11. All organizations handling sensitive information should have a security plan. The security plan should have a detailed section dealing specifically with the security of sensitive information. The relevant requirements of the security plan should be communicated to employees and contractors working for the organization. It is essential that employees and contractors understand their responsibilities.
Information security plan 6.12. Responsibility for information security should be included in an organization’s hierarchy of policies and procedures. As a minimum, the following should be addressed:
  • A definition of information security and a statement of its overall objectives, scope and importance.

  • A definition of roles and responsibilities, including the establishment of a focal point to direct and manage information security.

  • Compliance with information security requirements, including legal, regulatory and contractual requirements.

  • The establishment of a risk management plan to reduce risks to an acceptable level, defined by the State, by applying adequate controls based on a risk assessment approach. For a nuclear facility, the risk management plan should be approved by the competent authority or other authority designated by the State.

  • Regular monitoring and review of the arrangements in place to ensure that policy, standards and procedures remain relevant and effective.

  • Requirements for education and training to ensure that staff, contractors and other personnel have an appropriate awareness of policy, procedures and practice to the extent necessary for their duties, and that they fully understand their responsibilities (including their legal obligations).

  • The consequences (i.e. penalties or sanctions) for non-compliance with information security requirements or wilful negligence in securing sensitive information.

  • Reference documentation that supports the policy, for example more detailed procedures for specific systems or security rules to which users should adhere.

Information security plan aspects specific to sensitive information 6.13. With specific reference to securing sensitive information, the plan should also cover:
  • The information life cycle: definition of the processes to create, identify, classify, mark, handle, use, store, transmit, reclassify, reproduce and destroy sensitive information;

  • The security requirements for sensitive information, giving due consideration to the security objectives of confidentiality, integrity and availability of the information;

  • Restriction of access to sensitive information and sensitive information assets to those who need such access to perform their duties, who have the necessary authority and who have been subjected to a trustworthiness check commensurate with the classification level of the information;

  • The transmission of sensitive information in a manner that reduces any risk of compromise, unauthorized interception, modification or disruption to an acceptable level.

Procedures for handling sensitive information 6.14. Effective management of risks from threats to the confidentiality, integrity and availability of information will involve developing effective countermeasures against such threats. This process will necessarily involve a combination of security controls drawn from information security, physical protection and personnel security.
Procedures for handling sensitive information 6.15. Personnel security, including trustworthiness checks, ensures that those who have access to sensitive information are deemed by the State to be suitably trustworthy to do so. For information with a relatively low classification, the organization should decide whether any checks on those requiring access are needed; if so, a limited check of an individual’s background may be sufficient. For access to information of higher classification, a more comprehensive set of background checks will be needed to determine trustworthiness. The personnel security process should also include the execution of a non-disclosure agreement between the person and the competent authority or respective organization.
Procedures for handling sensitive information 6.16. Physical protection often combines a degree of strictly managed access through a secure perimeter with one or more layers of other physical protection measures closer to the information assets, for example vaults and other secure locations. The same principles can be used to provide physical protection for information and information assets.
Procedures for handling sensitive information 6.17. Information security measures include technical, procedural and administrative controls applied throughout the life cycle of information objects, including creation, handling, storage, transmission, replication and destruction. Information security measures include, among other things:
  • Administrative management to govern, maintain and develop information security (including third party services);

  • Personnel security, particularly in the phases of recruiting, and the beginning and end of employment;

  • Physical security of areas where sensitive information or sensitive information assets are used, handled or located;

  • Security of digital and manual information handling: workstation security, virus and malware protection, deletion and destruction of information, and manual processes;

  • Communication network security (telephones, email, the Internet and local area networks): policy, user authentication, equipment identification, segregation, connection and routing controls, and monitoring;

  • Equipment security: access control, logging of use, spare part management, backup of critical equipment, backup power arrangements, documentation and maintenance, cabling and media security;

  • Software security: access control, logging of user and super user activities, backup management, maintenance contracting, configuration and version management, use of registered, legal software, testing for vulnerabilities and testing for system behaviour under error conditions;

  • Security of use of information systems: user rights control, user recognition and verification, connecting to services, systems and equipment, password management, oversight of use, and the two person rule (i.e. two person control) for critical operations;

  • Classification and corresponding procedures for handling information;

  • Protection of privacy.

Procedures for handling sensitive information 6.18. The handling of sensitive information should be governed by procedures in accordance with the information security section of national security policy and guidance, including any interpretation placed on it by the State’s competent authorities. The minimum performance standards for various security levels should be described in the information security plan. An example would be the encryption methodology used for the electronic transmission of information.
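Paragraph 6.18 leaves the encryption methodology for electronic transmission to the information security plan. The following added example (written for this page, not taken from NSS 23-G) shows the integrity and authenticity half of such a minimum standard: the classification marking is authenticated together with the content using HMAC-SHA256, so a body altered in transit (para. 6.33) or a marking changed by a recipient without the originator's permission (para. 6.8) is detected on receipt. It does not provide confidentiality; that still requires the approved encryption method the plan prescribes. The key, marking fields and document text are constructed for illustration.

```python
"""Added example, not part of NSS 23-G: bind a document's classification marking
to its content for transmission so that alteration of either is detected.
Key, marking and document text below are constructed for illustration."""
import hashlib
import hmac
import json
from typing import Tuple

# Levels of the Annex I example (TOP SECRET omitted, as in para. I-1).
LEVELS = ("RESTRICTED", "CONFIDENTIAL", "SECRET")


def _canonical(marking: dict) -> bytes:
    # Deterministic encoding so sender and recipient authenticate identical bytes.
    return json.dumps(marking, sort_keys=True, separators=(",", ":")).encode()


def seal(document: bytes, marking: dict, key: bytes) -> dict:
    """Build a transmission package: marking, body and one HMAC-SHA256 tag over
    marking and body together, so the marking is authenticated, not merely attached."""
    if marking.get("classification") not in LEVELS:
        raise ValueError("unknown classification")
    header = _canonical(marking)
    tag = hmac.new(key, header + b"\n" + document, hashlib.sha256).hexdigest()
    return {"marking": marking, "body": document.hex(), "tag": tag}


def verify(package: dict, key: bytes) -> Tuple[bool, str]:
    """Recompute the tag over the received marking and body and compare in constant
    time. Any change to the body, classification, originator or caveat fails."""
    try:
        header = _canonical(package["marking"])
        body = bytes.fromhex(package["body"])
        tag = package["tag"]
        if not isinstance(tag, str):
            raise TypeError("tag must be a hex string")
    except (KeyError, ValueError, TypeError):
        return False, "malformed package"
    expected = hmac.new(key, header + b"\n" + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "integrity failure: body or marking altered in transit"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: an intact package, a downgraded marking, an altered body."""
    key = b"constructed-shared-key-for-illustration"  # real keys come from the approved scheme
    marking = {"classification": "CONFIDENTIAL", "originator": "Operator A",
               "caveat": "nuclear security information"}
    doc = b"Constructed sample: guard post layout for building 3."
    pkg = seal(doc, marking, key)
    # Recipient lowers the marking without the originator's permission (para. 6.8).
    downgraded = dict(pkg, marking=dict(pkg["marking"], classification="RESTRICTED"))
    # Body modified in transit (para. 6.33).
    altered = dict(pkg, body=doc.replace(b"building 3", b"building 4").hex())
    return {"intact": verify(pkg, key)[0],
            "downgraded": verify(downgraded, key),
            "altered": verify(altered, key)}
```

The recipient treats any failed verification as an incident to report under paras 6.34 to 6.36 rather than silently re-requesting the document.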
Rights management system 6.19. A management system should be in place that establishes the control of how, why and when specific holders and users of sensitive information should be authorized to have access to the sensitive information and sensitive information assets. The rights management system typically includes:
  • Defined structure of responsibility regarding authorization management;

  • Defined processes specifying which function has the right to appoint whom, and who has the right to access sensitive information and sensitive information assets;

  • Defined processes for verifying, controlling and supervising the assignment of access;

  • Defined processes to determine how long an authorization to access sensitive information and sensitive information assets should last;

  • Defined processes for revoking the authorization to access sensitive information and sensitive information assets;

  • Defined processes to maintain full traceability of the management of rights in all steps of the management chain for the authorization to access sensitive information and sensitive information assets.
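
The elements listed above describe an authorization lifecycle. The following added example (written for this page, not part of NSS 23-G) implements them in Python: an approver may only appoint access for topics within their authority, a grant requires need to know and a trustworthiness level commensurate with the classification (para. 6.13), every authorization expires after a fixed period unless renewed, revocation takes effect immediately, and every grant, denial, revocation and access check is appended to a trail. The asset, approver, people and durations are constructed for illustration.

```python
"""Added example, not part of NSS 23-G: a rights management register with the
elements of para. 6.19 and the access conditions of para. 6.13. All names,
levels and durations are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Ordering of the Annex I example levels (TOP SECRET omitted, as in para. I-1).
LEVELS = {"RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass
class Subject:
    name: str
    vetting: str      # highest level the person's trustworthiness check covers
    duties: Set[str]  # topics the person needs for their work (need to know)


@dataclass
class Authorization:
    subject: str
    asset: str
    granted_by: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.revoked_at is None and self.granted_at <= now < self.expires_at


class RightsRegister:
    def __init__(self, approvers: Dict[str, Set[str]], max_duration: timedelta = timedelta(days=365)):
        self.approvers = approvers        # approver -> topics for which they may appoint access
        self.max_duration = max_duration  # validity of an authorization unless renewed
        self.assets: Dict[str, Tuple[str, str]] = {}  # asset -> (classification, topic)
        self.grants: List[Authorization] = []
        self.trail: List[dict] = []       # append-only record of every decision and check

    def _record(self, now: datetime, event: str, **fields) -> None:
        self.trail.append({"time": now.isoformat(), "event": event, **fields})

    def register_asset(self, asset: str, classification: str, topic: str) -> None:
        if classification not in LEVELS:
            raise ValueError(f"unknown classification {classification!r}")
        self.assets[asset] = (classification, topic)

    def grant(self, approver: str, subject: Subject, asset: str, now: datetime,
              duration: Optional[timedelta] = None) -> Authorization:
        """Grant access if every condition holds; otherwise record the denial and refuse."""
        classification, topic = self.assets[asset]
        duration = duration or self.max_duration
        reason = None
        if topic not in self.approvers.get(approver, set()):
            reason = "approver has no authority over this topic"
        elif LEVELS[subject.vetting] < LEVELS[classification]:
            reason = "trustworthiness check not commensurate with classification"
        elif topic not in subject.duties:
            reason = "no need to know"
        elif duration > self.max_duration:
            reason = "requested validity exceeds the permitted maximum"
        if reason:
            self._record(now, "grant_denied", approver=approver, subject=subject.name, asset=asset, reason=reason)
            raise PermissionError(reason)
        auth = Authorization(subject.name, asset, approver, now, now + duration)
        self.grants.append(auth)
        self._record(now, "granted", approver=approver, subject=subject.name, asset=asset,
                     expires=auth.expires_at.isoformat())
        return auth

    def revoke(self, approver: str, subject: str, asset: str, now: datetime, reason: str) -> int:
        """Revoke every active authorization of a subject for an asset; returns how many."""
        hits = [a for a in self.grants if a.subject == subject and a.asset == asset and a.active(now)]
        for a in hits:
            a.revoked_at = now
        self._record(now, "revoked", approver=approver, subject=subject, asset=asset, reason=reason, count=len(hits))
        return len(hits)

    def has_access(self, subject: str, asset: str, now: datetime) -> bool:
        """Access decision at a point in time; the check itself is logged."""
        ok = any(a.subject == subject and a.asset == asset and a.active(now) for a in self.grants)
        self._record(now, "access_check", subject=subject, asset=asset, result=ok)
        return ok


def demo() -> dict:
    """Constructed scenario: one SECRET asset, one approver, three people."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = RightsRegister({"security_manager": {"physical_protection"}}, max_duration=timedelta(days=180))
    reg.register_asset("site_security_plan", "SECRET", "physical_protection")
    alice = Subject("alice", "SECRET", {"physical_protection"})
    bob = Subject("bob", "RESTRICTED", {"physical_protection"})    # vetting too low for SECRET
    carol = Subject("carol", "SECRET", {"material_accountancy"})  # vetted, but no need to know
    denied = {}
    for approver, person in (("security_manager", bob), ("security_manager", carol), ("hr_clerk", alice)):
        try:
            reg.grant(approver, person, "site_security_plan", t0)
        except PermissionError as e:
            denied[f"{approver}:{person.name}"] = str(e)
    auth = reg.grant("security_manager", alice, "site_security_plan", t0)
    out = {"denied": denied, "expires_days": (auth.expires_at - t0).days,
           "during": reg.has_access("alice", "site_security_plan", t0 + timedelta(days=10)),
           "after_expiry": reg.has_access("alice", "site_security_plan", t0 + timedelta(days=180))}
    reg.revoke("security_manager", "alice", "site_security_plan", t0 + timedelta(days=20), "left the project")
    out["after_revocation"] = reg.has_access("alice", "site_security_plan", t0 + timedelta(days=30))
    out["trail"] = [e["event"] for e in reg.trail]
    return out
```

Denials are logged as well as grants: the trail is what an internal audit (para. 6.29) or an external inspection (para. 6.30) reads to confirm that nobody was appointed by someone without authority or kept access past the end of their authorization.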

Periodic reviews 6.20. Security policies, plans and procedures should evolve according to changing circumstances. An effective way of ensuring that they are kept up to date may be to include a time frame for review in the policy document itself. Should there be a fundamental change in circumstances that might lead to a change in policy, for example a change in legislation, then a review may take place earlier. The review structure should apply to policy at all levels with nuclear security responsibilities.
Security culture 6.21. Developing, fostering and maintaining a robust nuclear security culture is an essential element of a nuclear security regime. This is especially true with information security in which people and processes are often the key factor in securing information.
Security culture 6.22. As part of an effective nuclear security culture [9], all organizations, employees and contractors should have a full understanding of their security responsibilities and the importance of these responsibilities. It is essential that employees and contractors receive security education and training commensurate with their individual responsibilities and needs.
Security culture 6.23. Employees and contractors with specific security responsibilities and those with access to sensitive information, as well as management at all levels of an organization, need specific training and briefings regarding their responsibilities. Other categories of employee (e.g. messengers, security personnel and clerks) who handle sensitive information without necessarily being aware of its content should also receive security training specific to their responsibilities.
Security culture 6.24. One-off information security training events will not adequately reinforce training and may, over the long term, allow employees to become complacent. Everyone who handles sensitive information, including all management, employees and contractors, should receive continual on the job training and attend periodic refresher courses. Records of the formal training received and completed by all employees and contractors should be maintained. It is especially important that any changes in security rules and procedures should be made known to all relevant employees and contractors as soon as practicable. A suggested format and content of a training and awareness programme is given in Annex III.
Third parties 6.25. A competent authority or an organization sometimes needs a third party to provide services or goods that involve sensitive information. Such arrangements should be made through legal agreements such as a licence or contract, including non-disclosure agreements. Such agreements with third parties may involve sensitive information being put into the care of the third party. In order to ensure that such information is not put at risk, there should be a national policy or legislation covering arrangements in which sensitive information is involved. Contracting organizations and facilities should then be obliged to follow that policy.
Third parties 6.26. It is the responsibility of the contracting organizations when negotiating such relationships with third parties to ensure that any sensitive information entrusted to third parties is satisfactorily secured. Security measures in place to protect sensitive information should be commensurate with the risks and in accordance with the policy.
Third parties 6.27. In this context, competent authorities and organizations should make certain that third parties:
  • Have information security processes and procedures that meet at least the requirements of the organization’s own security arrangements;

  • Have a focal point to direct and manage security at the contracting company;

  • Have in place a system to ensure that all staff with access to the sensitive information held by the third party have been subject to a trustworthiness check at an appropriate level;

  • Ensure that access to sensitive information and sensitive information assets is limited to only those who have the necessary need to know and the appropriate security clearance;

  • Transmit information in a manner compliant with national legislation and local policy, and in such a way that information is not put at risk of compromise;

  • Ensure that the information is not shared with any unauthorized party or individual;

  • Ensure that all personnel have an appropriate awareness of security policy and practice and fully understand their responsibilities (including their legal obligations);

  • Have procedures to address information security events;

  • Ensure that security arrangements at the third party’s premises are regularly inspected by the competent authorities or contracting organizations in accordance with the provisions of the agreement, to ensure that they are in compliance with the security requirements of the agreement.

Assurance 6.28. Routinely performing assurance activities is essential to sustaining an information security programme. Assurance is needed that the security programmes in place at organizations holding sensitive information, including third parties, comply in all aspects with national policy and regulations. When applicable, information security measures should be reviewed by the competent authorities before formal approval is granted for them to be used. Assurance may be achieved by regular, formal inspections or audits of the organization or facility. Audits are typically internal to the organization, whereas inspections can be performed both internally and externally. Additionally, inspections can be either announced or unannounced (i.e. with or without advance notice).
Assurance 6.29. Internal inspections and audits are those carried out by the organization to determine whether the security programme in place complies with the approved information security plan and to ensure compliance with regulatory requirements. Such inspections allow an organization to check its own compliance at greater frequency than external inspections. Furthermore, inspections or audits conducted by personnel who are familiar with the internal requirements, procedures and systems may identify opportunities for improvement that differ from those an external inspection might discover.
Assurance 6.30. External inspections are those conducted by the competent authorities or other authorized outside organizations. The aim of such inspections is to assess the level of compliance with a State’s information security policy. External inspections provide an independent assessment, as compared with inspections conducted by the organization itself. When using external auditors, issues of confidentiality and trustworthiness should be addressed.
Assurance 6.31. Inspection and audit results should highlight specific areas for action or improvement. Identified preventive and corrective actions should be assigned specific time frames for rectification or implementation. Rectification and implementation actions should be followed up and their effectiveness assessed.
Information security incidents 6.32. Breaches of security can result from the compromise of an information object. Two types of breach in which information is compromised are leaks and losses. Leaks are generally associated with a compromise of confidentiality where there has been an unauthorized disclosure, deliberate or accidental, of information. Losses are generally associated with a compromise of information resulting from theft of, or failure to appropriately secure, information or information assets.
Information security incidents 6.33. Information security incidents may also involve loss of availability or integrity of information, which may be caused inadvertently or by intentional actions. Loss of availability may occur, for example, owing to a fault in an information system (such as a database) or malicious denial of use (intentionally jamming an information network with excessive data traffic). Loss of integrity may be caused, for example, by damage to an information system, corruption of a database, or unauthorized alteration of information during transmission.
Information security incidents 6.34. The reporting to the competent authorities of significant incidents or breaches of nuclear security, including information security breaches, should be mandatory, and this requirement should be embodied in a State’s laws or regulations. The laws or regulations should also specify sanctions or penalties for failure to make such reports.
Information security incidents 6.35. Heads of organizations and facilities should ensure that formal reporting arrangements are in place to ensure that all information security incidents are brought to their immediate attention so that corrective actions can be taken and, where appropriate, the incident reported to the competent authorities. Embarrassment should not be a reason for failing to report any information security incident at any level. Incidents should be reported promptly so that appropriate corrective action may be taken and trends may be identified.
Information security incidents 6.36. All information security incidents should be investigated. Policies and procedures should be defined governing information security incident investigation. An investigation should aim to determine whether a security incident has a minor or major impact on information security and confidentiality. The competent authorities may then initiate any appropriate action. An example of a minor incident may be a failure to lock up or secure a document properly that did not result in the loss or compromise of any information. A major incident, for example, may be the theft of a security plan that results in a strategic threat to an organization.
Information security incidents 6.37. An investigation should:
  • Look fully into the circumstances of the incident to establish the scope, scale and effect.

  • Assess the consequences of the incident and the degree of compromise that may have occurred.

  • Assess the need for further actions or wider enquiries, possibly to include other agencies.

  • Recommend corrective actions or take action to contain or minimize the consequences.

  • Report the outcome of the investigation, including:

    1. The probable cause of the incident;

    2. The assessed degree of compromise;

    3. The likely effect(s) of the compromise;

    4. Possible recommendations on improvements to the security programme in order to avoid a similar incident;

    5. Recommended further actions warranted by the incident;

    6. Lessons that need to be learned by the concerned parties.

Information security incidents 6.38. The competent authorities should maintain records of the number and type of reported information security incidents. Recurring incidents or trends in security failures should be identified and may indicate the need for changes to security policy or improvements in security procedures or programmes. Updates on trends and changes should also be included in awareness training so that an appropriate security culture among employees and contractors is maintained. Organizations and facilities should also maintain their own records.
[1] INTERNATIONAL ATOMIC ENERGY AGENCY, Objective and Essential Elements of a State’s Nuclear Security Regime, IAEA Nuclear Security Series No. 20, IAEA, Vienna (2013).

[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5), IAEA Nuclear Security Series No. 13, IAEA, Vienna (2011).

[3] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations on Radioactive Material and Associated Facilities, IAEA Nuclear Security Series No. 14, IAEA, Vienna (2011).

[4] EUROPEAN POLICE OFFICE, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL CIVIL AVIATION ORGANIZATION, INTERNATIONAL CRIMINAL POLICE ORGANIZATION–INTERPOL, UNITED NATIONS INTERREGIONAL CRIME AND JUSTICE RESEARCH INSTITUTE, UNITED NATIONS OFFICE ON DRUGS AND CRIME, WORLD CUSTOMS ORGANIZATION, Nuclear Security Recommendations on Nuclear and Other Radioactive Material out of Regulatory Control, IAEA Nuclear Security Series No. 15, IAEA, Vienna (2011).

[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Preventive and Protective Measures against Insider Threats, IAEA Nuclear Security Series No. 8, IAEA, Vienna (2008).

[6] INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Security at Nuclear Facilities, IAEA Nuclear Security Series No. 17, IAEA, Vienna (2011).

[7] INTERNATIONAL ATOMIC ENERGY AGENCY, Development, Use and Maintenance of the Design Basis Threat, IAEA Nuclear Security Series No. 10, IAEA, Vienna (2009).

[8] INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Facilities and Activities, IAEA Safety Standards Series No. GS-R-3, IAEA, Vienna (2006).

[9] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Culture, IAEA Nuclear Security Series No. 7, IAEA, Vienna (2008).

Annex I I-1. Annex I provides an example of a classification framework. Individual States may devise and use any appropriate classification system to indicate the level of sensitivity of nuclear security information. The definitions given in the following represent a four-level system similar to that of many Member States. The fourth level TOP SECRET is not discussed, as experience has shown that in the civil nuclear field it is very unlikely that any information assets would attract the classification TOP SECRET. Note also that while information is primarily envisioned as being in the form of documents or knowledge, items of equipment or other physical objects may be classified when classified information may be derived from them by visual observation of internal or external appearance, structure, operation, test, application or use.
Annex I I-2. The compromise of information or material classified SECRET would be likely:
  • To raise international tension;

  • To cause serious damage to relations between governments;

  • To threaten life directly, or seriously to prejudice public order, or individual security or liberty;

  • To cause serious damage to the operational effectiveness or security of national security forces or the continuing effectiveness of highly valuable security or intelligence operations;

  • To cause substantial material damage to national finances or economic and commercial interests;

  • To be of use to an individual or group planning a malicious act which could cause grave damage at a facility with, or during transport of, nuclear material or other radioactive material.

Annex I I-3. The compromise of information or material classified CONFIDENTIAL would be likely:
  • To damage diplomatic relations;

  • To prejudice individual security or liberty;

  • To cause damage to the operational effectiveness or security of national security forces or the effectiveness of valuable security or intelligence operations;

  • To work substantially against national finances or economic and commercial interests;

  • To substantially undermine the financial viability of major organizations;

  • To impede the investigation or to facilitate the commission of serious crimes;

  • To impede seriously the development or operation of major government policies;

  • To shut down or otherwise substantially disrupt significant national operations;

  • To be of use to an individual or group planning a malicious act which could cause serious damage at a facility with, or during transport of, nuclear material or other radioactive material.

Annex I I-4. The compromise of information or material classified RESTRICTED would be likely:
  • To affect diplomatic relations adversely;

  • To cause substantial distress to individuals;

  • To make it more difficult to maintain the operational effectiveness or security of national security forces;

  • To cause financial loss or loss of earnings potential to, or to facilitate improper gain or advantage for, individuals or companies;

  • To prejudice the investigation of crime;

  • To facilitate the commission of crime;

  • To breach proper undertakings to maintain the confidence of information provided by third parties;

  • To impede the effective development or operation of government policies;

  • To breach statutory restrictions on disclosure of information;

  • To disadvantage government in commercial or policy negotiations with others;

  • To undermine the proper management of the public sector and its operations;

  • To be of use to an individual or group planning a malicious act which could cause significant damage at a facility with, or during transport of, nuclear material or other radioactive material.

Annex I I-5. With regard to applying the above classification levels to the control of nuclear sensitive information, consideration should be given to how the unauthorized disclosure of such information could assist a potential adversary in the following:
  • Selecting a target for an act of theft, or sabotage of nuclear material or other radioactive material, equipment or facilities.

  • Planning or committing an act of theft or sabotage of nuclear material or other radioactive material, equipment or facilities:

    1. Design of security systems;

    2. Building plans;

    3. Methods and procedures for the transfer, accountability and handling of nuclear material or other radioactive material;

    4. Security plans, procedures and capabilities.

  • Measuring the success of an act of theft or sabotage of nuclear material or other radioactive material, equipment or facilities:

    1. Actual or hypothetical consequences of the sabotage of specific vital equipment or facilities.

  • Illegally producing a nuclear explosive device, radiological dispersal device or radiation exposure device:

    1. Design information useful in developing a device;

    2. Location of materials required to manufacture a device;

    3. Location of a nuclear weapon.

  • Dispersing nuclear material or other radioactive material in the environment:

    1. Location, form and quantity of materials.

II-1. Annex II provides an example of a security categorization scheme for nuclear security related information. The State should decide the exact level of classification to be applied to each item of such information. Table II–1 provides examples of sensitive information and identifies the sensitivity issues associated with them. Where release of the information is not recommended, the table suggests the reasons and whether security might be warranted.
II-2. The categories of information as presented in Table II–1 are only indicative of what might be considered sensitive information. They are not intended as a comprehensive list or model. Whether a category is relevant for inclusion in any similar national table would be determined by a specific assessment by the State.
II-3. Within each row of the table, the first column describes an example type of information. The second column indicates whether this category is usually applicable to nuclear material and nuclear facilities (N), other radioactive material and associated facilities (R), or both (N, R). The third column gives an indication of whether the information might be considered sensitive or not sensitive. The final column provides some explanation of the sensitivity of the information and the rationale for securing it.
II-4. When designating information as sensitive and assigning a potential classification level, consideration should be given to information that has already appeared in the public domain, and to any previous compromise or possible compromise of the information. It may be impractical to assign and manage a classification level for such information.
II-5. Consideration should also be given to designating non-sensitive information as sensitive if it, combined with other non-sensitive information, can be used to reveal sensitive information.
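As an added illustration (not part of NSS No. 23-G), the following Python sketch applies paragraphs II-3 to II-5 to a bundle of information objects handled together: each object carries the Table II–1 attributes, the bundle takes the highest level of its parts, constructed aggregation rules raise combinations of lower-level items as II-5 describes, and items already in the public domain are flagged for the II-4 review. The level names, categories and rules are constructed placeholders, not the publication's.

```python
"""Added example, not from NSS No. 23-G: evaluate the classification of a
bundle of information objects following paragraphs II-3 to II-5. Level
names, categories and aggregation rules are constructed placeholders."""
from dataclasses import dataclass

LEVELS = ["public", "sensitive", "secret"]  # constructed national scale, low to high


@dataclass(frozen=True)
class InfoObject:
    category: str                # example type of information (Table II-1, column 1)
    applicability: frozenset     # {"N"}, {"R"} or {"N", "R"} (column 2)
    level: str                   # assigned classification (column 3)
    public_domain: bool = False  # II-4: already released or previously compromised


# II-5: combinations of individually lower-level categories that together
# reveal sensitive information (constructed rules for illustration only).
AGGREGATION_RULES = [
    (frozenset({"material location", "material quantity"}), "sensitive"),
    (frozenset({"building plans", "security system design"}), "secret"),
]


def rank(level):
    return LEVELS.index(level)


def classify_bundle(objects):
    """Return (level, notes) for objects stored, sent or handled together."""
    objects = list(objects)
    # Highest classification of any part sets the floor for the whole bundle.
    level = max((o.level for o in objects), key=rank, default="public")
    notes = []
    categories = {o.category for o in objects}
    for combo, combo_level in AGGREGATION_RULES:
        if combo <= categories and rank(combo_level) > rank(level):
            level = combo_level
            notes.append("aggregation raises bundle: " + " + ".join(sorted(combo)))
    for o in objects:
        if o.public_domain and o.level != "public":
            notes.append(f"review (II-4): '{o.category}' is {o.level} but already public")
    return level, notes


def applicable_to(objects, facility_kind):
    """Filter objects relevant to nuclear (N) or other radioactive (R) facilities."""
    return [o for o in objects if facility_kind in o.applicability]
```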
Table II-1. National Security Categorization Scheme for Nuclear Security Related Information
III-1. Annex III provides an example framework and content for establishing a security awareness programme. When deciding the content of an information security awareness programme, an organization’s security manager should consider the specific relevance of the topics and methods highlighted here and adapt the programme accordingly.
III-2. Training can be broadly divided into four types:
  • Awareness training increases awareness of threats and vulnerabilities and recognition of the need to protect data, information and the means of processing them (computer and information security awareness).

  • Topical training includes courses on specific aspects of security for all staff (classified material handling and information security incident procedures).

  • Professional training is typically detailed technical training for staff with particular responsibilities, for example for system administrators, software developers, network administrators, security guards, document classifiers and declassifiers, among others.

  • Specialized security training is focused and expert level training, usually for management level, in the areas of risk management, incident prevention and incident response, among other things.

III-3. The programme could include content to raise awareness on the following topics:
  • Overview of the national security infrastructure.

  • Aspects of information security and why they are important to nuclear security:

    1. Denial of service (e.g. preventing an organization from having access to the information when needed, including actions such as theft) or destruction — a breach of availability.

    2. Unauthorized modification of or interference with information — a breach of integrity.

    3. Unauthorized disclosure — a breach of confidentiality.

  • The national classification system.

  • Security principles, for example ‘need to know’ and ‘need to hold’.

  • Current threats to security arising from deliberate actions by:

    1. Hostile intelligence services in respect of espionage and technology transfer;

    2. Subversive organizations;

    3. Other individuals and groups, such as information brokers and investigative journalists seeking to gain unauthorized access to sensitive information or nuclear sites and facilities;

    4. Insiders.

  • The threat from adversary organizations and from sabotage, taking account of the contemporary world threat from any extremist factions.

  • The risks and consequences of internal loss or leaks of sensitive information, perhaps through inadvertent behaviour or to cause embarrassment, together with deliberate betrayal for political motives or to assist terrorism.

  • Conduct or activities likely to help potential adversaries or increase the risk of compromise, including:

    1. Vulnerable behaviour such as casual attitudes to security and loose talk;

    2. Unwitting behaviour that can attract the attention of hostile agencies and precautions needed in everyday activities, including, for example, social approaches, travel, correspondence and acquaintances.

  • Information on topical security events or new types of approach being used by hostile agencies, which should be disseminated rapidly.

  • Emphasis on the need to report immediately all suspicious circumstances, perceived weaknesses in security procedures or vulnerable behaviour apparent in colleagues — the means of doing this in confidence should be widely briefed.

  • The effect of national laws and regulations and their relevance to individuals, for example, laws governing secrecy, anti-terrorism, security, data protection and freedom of information, and the sanctions and the punishment for transgression.

  • Explain the levels of security clearances; how trustworthiness checks are carried out; why they are necessary in the nuclear and radiological industry; and which levels of access relate to particular clearance and trustworthiness levels — in addition, how this relates to the threats to security mentioned above.


III-4. The programme could include content to train participants on the following topics:
  • The security of information regarding nuclear material and other radioactive material and facilities.

  • Good security practice and procedure, including:

    1. Correct use of classification markings;

    2. Physical protection, personnel security and information security (e.g. documents, communications and computers);

    3. Practical examples of applying the security rules and procedures in the tasks in which employees are, or will be, engaged;

    4. Actions to be taken if a breach of security is suspected or discovered.

III-5. In addition to a fundamental training programme, there are a number of other methods by which security awareness messages can be brought to the attention of employees and contractors:
  • Regular security newsletters published by the national security authorities. These can contain issues of topical interest and advice on a range of security matters.

  • Posters to remind individuals of the threats to security and of the principal security controls necessary to counter them. Their impact tends to be temporary, so posters should not only be prominently displayed but also frequently changed.

  • Stickers to remind employees of their personal responsibility for the maintenance of security when using specific items of equipment.

  • Security reminder notices in the startup (boot) phase of a computer system, which the user has to acknowledge reading before the computer will finish booting or logging in. (Systems can record such acknowledgements so that a user cannot deny having seen the notice.)

  • Security notices, bulletins and circulars drafted by security management to remind staff of certain security rules, to counter possible complacency, among other things.

  • Raising awareness of instances of breaches of security and the lessons to be learned from them.

  • Warning individuals of specific or topical threats to security and providing guidance to counter them.

  • Providing a channel of communication with individuals on security matters generally.

  • Regular periodic tests of individual security knowledge.

  • An organization’s intranet can also be a valuable tool in conveying or promoting the security message so long as the nature and sensitivity of the material remain within the accredited level of classification for the network.

availability.
The property of being accessible and usable upon demand by an authorized entity.

competent authority.
A governmental organization or institution that has been designated by a State to conduct one or more nuclear security functions.

compromise.
The accidental or deliberate violation of confidentiality, loss of integrity or loss of availability of an information object.

confidentiality.
The property that information is not made available or disclosed to unauthorized individuals, entities or processes.

information object.
Knowledge or data that have value to the organization.

information security.
The preservation of the confidentiality, integrity and availability of information.

integrity.
The property of accuracy and completeness of information.

need to hold.
Rule by which individuals are permitted to have in their physical possession only the information assets that are necessary to conduct their work effectively.

need to know.
Rule by which individuals, processes and systems are granted access to only the information, capabilities and assets that are necessary for execution of their authorized functions.

nuclear material.
Any material that is either special fissionable material or source material as defined in Article XX of the IAEA Statute.

other radioactive material.
Any radioactive material that is not nuclear material.

radioactive material.
Any material designated in national law, regulation or by a regulatory body as being subject to regulatory control because of its radioactivity.

sensitive information.
Information, in whatever form, including software, the unauthorized disclosure, modification, alteration, destruction, or denial of use of which could compromise nuclear security.

sensitive information assets.
Any equipment or components that are used to store, process, control or transmit sensitive information. For example, sensitive information assets include control systems, networks, information systems and any other electronic or physical media.