NORTH ATLANTIC TREATY ORGANISATION - NATO Reports/20130901... · NORTH ATLANTIC TREATY ORGANISATION...

NATO UNCLASSIFIED CSO/SEC(2013)01

September 2013

NATO UNCLASSIFIED

NORTH ATLANTIC TREATY ORGANISATION

COLLABORATION SUPPORT OFFICE (CSO) BP 25, 92201 Neuilly-sur-Seine Cedex - France

CSO INTERNAL SECURITY INSTRUCTIONS

CSO/SEC(2013)01 September 2013


September 2013

NATO UNCLASSIFIED 1

Table of content GENERAL SECURITY POLICY OF CSO ................................................................... 4

RESPONSIBLE OFFICE ................................................................................... 4 PURPOSE ............................................................................................. 4 SCOPE .................................................................................................. 4 REFERENCE ........................................................................................ 4

INTRODUCTION ............................................................................................... 4 RESPONSIBILITIES .......................................................................................... 6 APPLICABILITY ................................................................................................ 6

ANNEX 1 ORGANISATION ........................................................................................ 7 CSO Security Officer ............................................................................. 7

CSO Chief Security ............................................................................... 8

CSO INFOSEC Officer ........................................................................ 10

Division Chiefs and Executives............................................................ 10 CSO Personnel .................................................................................... 11 Security personnel ............................................................................... 11

ANNEX 2 PERSONNEL SECURITY ........................................................................ 12 General ................................................................................................ 12

Security Clearance .............................................................................. 12 Special NATO ID Card (NATO Agencies in France) ............................ 13

Contact with the press ......................................................................... 14 Unguarded Talk ................................................................................... 14

Security Violations/Infractions.............................................................. 14

Telephone, Telex and Telefax ............................................................. 15

Photocopiers........................................................................................ 15 Loss or Theft........................................................................................ 15

Anti-Terrorism/Social Contacts ............................................................ 15 Travel requiring prior authorization ...................................................... 16

Appendix 1 to ANNEX 2 NATO PERSONNEL SECURITY CLEARANCE CERTIFICATE ..................................................................................... 17

Appendix 2 to ANNEX 2 ATTESTATION OF SECURITY CLEARANCE ........ 18

Appendix 3 to ANNEX 2 CERTIFICATE OF ACKNOWLEDGEMENT OF RESPONSIBILITIES ............................................................................ 19

Appendix 4 to ANNEX 2 ATTESTATION OF PERSONNEL SECURITY CLEARANCE (for non-NATO national) ............................................... 20

ANNEX 3 PHYSICAL SECURITY ............................................................................. 21

Physical Security Measures ................................................................ 21 Passes/Visitors .................................................................................... 21

Carriage of Pistols or Revolvers .......................................................... 22 Photographic and Recording Equipment ............................................. 22 Keys .................................................................................................... 23 Staff Members Privately Owned Vehicles ............................................ 23 Visitors Vehicles .................................................................................. 23

Use of cellular phones ......................................................................... 23 Visits to NATO headquarters, NATO Commands and Agencies ......... 24

Appendix 1 to ANNEX 3 ACCESS OF CONTRACTING COMPANIES ........... 25

Appendix 2 to ANNEX 3 Guards’ security patrols ............................................ 26 General rules ....................................................................................... 26 Specific rules ....................................................................................... 26

Classified materials ............................................................................. 26 Safes and special rooms ..................................................................... 26


September 2013

NATO UNCLASSIFIED 2

Interior of buildings .............................................................................. 27

Exterior of the buildings - courtyard ..................................................... 27 Appendix 3 to ANNEX 3 Letter of acceptance and confidentiality ................... 28

ANNEX 4 SECURITY OF INFORMATION................................................................ 29 INTRODUCTION ............................................................................................. 29

Scope .................................................................................................. 29 Personal Responsibility ....................................................................... 29

ROLE OF CLASSIFIED REGISTRY ................................................................ 29 CLASSIFICATION OF NATO INFORMATION ................................................ 29

General ................................................................................................ 29 Responsibility for classification ............................................................ 31

Markings .............................................................................................. 31

Other special markings ........................................................................ 33

Downgrading and declassification ....................................................... 33 PREPARATION AND REPRODUCTION OF DOCUMENTS .......................... 34

Preparation .......................................................................................... 34 Photographic material .......................................................................... 35 Tape recordings ................................................................................... 35

Magnetic media of all types ................................................................. 35 All other material .................................................................................. 35

Reproduction and Translation.............................................................. 35 DISTRIBUTION/RELEASE OF NATO INFORMATION ....................... 36

NATO CLASSIFIED information .......................................................... 36

NATO UNCLASSIFIED information ..................................................... 36

PROTECTION OF CLASSIFIED INFORMATION ........................................... 37 General ................................................................................................ 37

Custody of documents ......................................................................... 37 Keys and locks .................................................................................... 38 Recording equipment .......................................................................... 39

Checking of documents in event of transfer or departure of a staff member ............................................................................................... 39

Destruction .......................................................................................... 40 Emergency Destruction ....................................................................... 41 Telephone Communications ................................................................ 41

INVENTORY OF CLASSIFIED DOCUMENTS ................................................ 41 REGISTRATION OF CLASSIFIED DOCUMENTS .......................................... 42

Receipt & transfer of classified documents .......................................... 43 CARRIAGE/FORWARDING OF NATO CLASSIFIED DOCUMENTS ............. 43

Packaging ............................................................................................ 43 Document control ................................................................................ 44 Carriage inside the country .................................................................. 44 International Carriage .......................................................................... 45 Forwarding of Classified documents .................................................... 45

Personal carriage of classified documents .......................................... 45 Electronic Transmission ...................................................................... 46

ANNEX 5 CLASSIFIED CONFERENCES AND MEETINGS .................................... 47

General ................................................................................................ 47 Control of access ................................................................................. 47 Physical Security ................................................................................. 48

ANNEX 6 INFORMATION AND INTELLIGENCE SHARING WITH NON-NATO ENTITIES .................................................................................................................. 50


September 2013

NATO UNCLASSIFIED 3

General ................................................................................................ 50

Recording requirements ...................................................................... 50 Appendix 1 to Annex 6 Decision taken by CSO Deputy Director Information &

Intelligence sharing with a Non-NATO Nation ..................................... 52 Appendix 2 to Annex 6 Annual Security Report on Information and Intelligence

Sharing with Non-NATO Entities ......................................................... 53 ANNEX 7 BREACHES OF SECURITY AND COMPROMISE OF NATO CLASSIFIED INFORMATION ......................................................................................................... 54

Scope .................................................................................................. 54 Definitions ............................................................................................ 54 Action on breaches of Security ............................................................ 55

Enquiry Report ..................................................................................... 55

Disciplinary or Judicial Action .............................................................. 56

ANNEX 8 INDUSTRIAL SECURITY ......................................................................... 57 ANNEX 9 DEFINITIONS ........................................................................................... 58


September 2013

NATO UNCLASSIFIED 4

GENERAL SECURITY POLICY OF CSO RESPONSIBLE OFFICE

PURPOSE 1. These Instructions defines the chain of responsibility for security in the S&T

Organization Collaboration Support Office (CSO) and sets forth in relevant instructions the actions to be taken in order to safeguard security in accordance with the current NATO regulations. All personnel must be aware of its contents, upon taking up their duties. The Security Officer and/or Chief, Security/Classified Registry shall ensure that they have reread this instruction at least once a year.

SCOPE

2. This instruction applies to CSO. All CSO elements at Neuilly-sur-Seine,

France for which CSO exercises overall responsibility, constitute CSO. It also applies to all personnel not serving in the CSO but having to work in the CSO premises.

REFERENCE

3. The Security Procedures approved by the NATO Council in document C-M

(2002)49 in conjunction with C-M(2002)50, their supporting directives and updates constitute the basis of CSO’s internal security instructions and no detailed instruction may conflict with that document.

4. The security operating procedures for the CSO computer information system

are approved and published under a separate reference elaborated and maintained by the INFOSEC officer of the office.

5. The policy, directives and guidance concerning the NATO information

management are contained in the following documents: C-M(2007)0118 for the NATO information management policy (NIMP), C-M(2008)0113(INV) for the primary directive on IM (PDIM), C-M(2002)60 for the management of NATO non classified information and AC/35-D/1040-REV2 supporting document on Information and Intelligence Sharing with Non-NATO Entities (NNE).

6. The Security Alert Measures and the Personal Protection against Crime and

Terrorists Activities dated June2013 constitute the basis for the specific security measures to be taken by the CSO.

INTRODUCTION 7. The requirements and procedures in this document are designed to protect

NATO classified information, NATO personnel and its surroundings. 8. The term “NATO classified information” used throughout this document

embraces all classified (NATO RESTRICTED and above) information (military,


September 2013

NATO UNCLASSIFIED 5

political and economic, scientific and technical) circulated within NATO; whether this information originates in the Office, other NATO commands and bodies, or is received from member nations, or from other international organizations.

9. NATO classified information may be circulated on the basis of the “need-to-

know” principle balanced with the “responsibility to share” principle to individuals who have been briefed on the relevant security procedures, and without reference to the originator. It should be emphasized that the information itself remains the property of the originator and shall be subject to originator control. Subject to the consent of the originator and in accordance with C-M (2002)49 in conjunction with C-M(2002)60 procedures, NATO classified information up to NATO SECRET shall only be released to non-NATO nations and organizations that have either signed a Security Agreement with NATO or that have provided a Security Assurance to NATO. The Security Officer of the Office holds the list of those Nations, which have signed such agreements.

10. NATO information which does not require a security classification (NATO

RESTRICTED and above) is known as NATO non-classified information and falls into two categories:

NATO UNCLASSIFIED: NATO UNCLASSIFIED information is sensitive and is subject to management and protection procedures detailed in the NATO Information Management Policy (NIMP). It is to be used for official purposes only. This information is not publicly accessible on the Internet, or other public networks.

Information releasable to the public: Such information is non-sensitive and does not carry any markings. It is not subject to any dissemination restrictions and is releasable to the public. This information may be publicly accessible on the Internet, or other public networks.

It includes:

information for the media – publications and any information intended

for dissemination outside the Alliance 11. Regardless of classifications and markings, all NATO information is also

subject to the provisions of the NATO Public Disclosure Policy. The policy provides for the disclosure of historically significant NATO information to the general public.

12. The requirements and procedures have been set out in convenient sections

so that all CSO members, who are required to handle NATO classified information, may be fully aware of their individual responsibility in fulfilling their particular security function. All cases/situations not covered by this instruction should be referred to the CSO Security Team for resolution.


September 2013

NATO UNCLASSIFIED 6

RESPONSIBILITIES 13. The CSO Director, as the Security Risk Owner (SRO), is responsible to the

North Atlantic Council for maintaining security within CSO. 14. The Deputy Director in his capacity as Security Officer is responsible to the

CSO Director for the implementation of the prescribed security procedures. 15. Division Chiefs and Executives are responsible to the CSO Director through

the Security Officer, for implementation of the Security Procedures within their areas of responsibility. They are responsible for ensuring that their staff complies with the security regulations established by NATO and CSO security officer. They will notify the Security Officer of any violations or incidents.

16. The CSO Chief Security shall assist the Security Officer in carrying out his

security responsibilities and be responsible for the classified registry functions and/or communications.

17. The Security officer shall appoint a Classified Registry Assistant. In the

absence of the Chief Security this individual shall be responsible for the classified registry functions.

18. The CSO Security Officer shall act as Principal Security Officer for CSO,

Neuilly-sur-Seine. APPLICABILITY

19. The requirements contained in this instruction are applicable to CSO and CSO

Staff members. This intent is equally valid at all CSO activities and meetings. In situations where the exact letter of these guidelines cannot be followed due to local rules or customs, the CSO Staff members are charged with compliance with intent of this instruction based on common sense and best judgment for the particular situation. Any deviation from these procedures must be brought to the attention of the Security Officer or the Chief Security. Mr. René LAROSE Director

NATO UNCLASSIFIED ANNEX 1 to


NATO UNCLASSIFIED 7

ANNEX 1 ORGANISATION

CSO Security Officer

20. In accordance with the instructions and by delegation of the CSO Director, the

CSO Security Officer shall implement all the provisions of the NATO Security Rules and Procedures. The Security Officer shall monitor and coordinate their proper application in all areas. In particular, this person shall be responsible:

(a) For the elaboration, dissemination and implementation of the CSO

internal security instructions, both inside the Office and outside the Office in external relations.

(b) For establishing and maintaining liaison with:

(1) The Security Officers of the various nations, permanent delegations

to NATO and of other NATO bodies

(2) The Security Officers of NATO entities located in France (3) Other international bodies when deemed in the best interest of this

Office

(4) The French National Security Authority (NSA) and other security related services within the framework of his/her responsibilities

(c) For instructing Office staff and other personnel as appropriate on

security matters when they take up their duties at the CSO.

(d) For inquiring into breaches of the NATO Security Rules.

(e) For reporting major breaches, infractions, and compromises to the NATO Office of Security (NOS).

(f) For preparing an annual program on security awareness training within

CSO.

(g) For providing advice on security matters, as and when required.

(h) For performing other duties, as directed by higher competent CSO/NATO Authorities.

(i) For carrying out inspections during work

(j) For handling security aspects for contracts involving classified

information



NATO UNCLASSIFIED 8

(k) For providing the facilities management section with appropriate advice on security aspects when new buildings are to be erected; alterations made to existing ones and when material is to be purchased.

(l) For ensuring that appropriate physical security measures are in place

to protect CSO assets (people, buildings and/or information of all types.)

(m) For periodically checking that the alarm systems are operating

correctly.

(n) For preparing/reviewing annually, specific instructions, detailing the measures to be taken in periods of emergency and alert.

(o) For performing fire alarm exercises or evacuation exercises twice a

year.

(p) For scheduling, once a year or after changes have occurred, an awareness briefing for staff members on office security.

(q) For staffing and controlling the release of classified information to Non-

NATO Entities. (r) For supervising the work of the INFOSEC Officer.

CSO Chief Security

21. In accordance with the instructions of the Security Officer, the Chief Security

shall implement the Security Rules and Procedures and monitor their proper application. This person shall be responsible:

(a) For carrying out the duties explained in 20(c) through 20(p) in

conjunction with and in the absence of the Security Officer.

(b) For obtaining and keeping up-to-date Personal Security Clearance

Certificates (PSC) for persons employed by CSO.

(c) For briefing/debriefing and instructing personnel on security policy and instructions when they take up their duties or depart at/from the Office.

(1) Staff members shall sign a statement acknowledging that they

have been briefed on the NATO Security Regulations and are fully aware of their responsibilities vis-à-vis NATO and CSO with respect to security. This statement will then be maintained in the individual's security file.

(2) Staff members leaving CSO permanently shall sign a statement

whereby they recognize that they have been reminded of the obligations they accepted on appointment. The e-mail account



NATO UNCLASSIFIED 9

of departing staff members shall be cancelled immediately prior to departure. (REF: CSO Computer Information System Security Operating Procedures (CIS SecOPs))

(3) Periodic (preferably annual) re-briefings shall be addressed,

including written acknowledgements!

(e) For inquiring into breaches of the NATO Security Rules. (f) For drawing up, checking every year and physically verifying the annual

inventory of NATO SECRET documents held in other sections.

(g) For establishing a record of classified documents at the NATO SECRET and NATO CONFIDENTIAL levels.

(h) For protecting all classified documents (including all forms, electronic

media and archived files) and material in the possession of the staff.

(i) For maintaining a record of personnel authorized to have access to NATO documents and material classified NATO CONFIDENTIAL and above.

(j) For registering and circulating NATO classified documents. (k) For staffing and controlling the release of classified information to Non-

NATO Entities..

(l) For correctly applying the procedure for the destruction of classified documents and material.

(m) For maintaining records of the combinations of safes, padlocks and

door combinations and of the persons authorized to know these combinations.

(m) For supervising and inspecting the recording, handling, reproduction,

translation and destruction of NATO classified documents and/or material for which CSO is responsible.

(n) For assisting the OPR (Office of Primary Responsibility) in the

preparation of classified conferences or meetings.

(o) For inspecting all security containers in which documents to be safeguarded are kept and ensuring that all security requirements are met when these containers are purchased and delivered.



NATO UNCLASSIFIED 10

(p) For distributing and inspecting combination locks and padlocks.

(q) For periodically checking that the intrusion detection systems are operating correctly.

(r) For preparing (reviewing annually), in specific instructions, the

measures to be taken in periods of terrorist threat.

(s) For supervising and inspecting the parking areas inside the CSO facility.

(t) For carrying out security inquiries in event of the loss or disappearance

of accountable documents. (Accountable documents are those which have to be registered and controlled.)

(u) For carrying out periodic inspections and spot checks of NATO

CONFIDENTIAL and NATO SECRET documents and the procedures of accounting for documents in classified holding areas and in individual offices.

(v) For supervising the work carried out by the security guards.

CSO INFOSEC Officer

22. The Information Management and Systems branch head shall be responsible, as INFOSEC Officer, for the application of the security measures to protect information processed, stored or transmitted in communication, information and other electronic systems against loss of confidentiality, integrity or availability. He will ensure the creation of a secure environment for the operation of the CSO electronic systems.

23. The INFOSEC Officer shall also be responsible for the elaboration of the

Security Operating Procedures for the CSO Computer Information System in accordance with the NATO INFOSEC management, and INFOSEC technical and implementation directives.

Division Chiefs and Executives

24. Division Chiefs and Executives shall be responsible for the following:

(a) For ensuring that their staff complies with the security regulations and policies established by NATO and the CSO.

(b) For strictly controlling all visitors to the Office in their own areas of

responsibility, in particular when they need to be escorted.

(c) For protecting all classified documents (including all forms of electronic media) and material in the possession of the staff of their elements.




(d) For maintaining appropriate contact with the CSO Security Officer or the Chief, Security. Ensure Non-NATO Entities attendees complete appropriate enrollment forms.

(e) For reporting any breach of security detected to the Security Officer

and/or the Chief, Security.

(f) For organizing within their areas of activity and responsibility a permanent supervisory and control system with regard to the safeguarding of NATO information.

CSO Personnel

25. All CSO personnel, in accordance with security instructions, will ensure that at

the end of each day’s office hours:

(a) All possible means of entry are made secure (i.e. doors (if secure area), windows)

(b) All security containers are properly closed/secured and all classified

documents or material locked up.

(c) Desk is cleared of all sensitive information (i.e. NATO RESTRICTED, Classified documents, diskettes, CD-ROMs....)

(d) All computers are shutdown. (Instructions for shutting down the

computers are addressed in the CIS SecOPs).

(e) Keys that give access to security containers or offices have been secured (i.e. turning keys into the CSO Guard post). Keys to any security containers or offices should at no time be freely accessible. At no time should padlocks be left unsecured.

Security personnel

26. All security personnel will be in addition responsible for:

(a) Implementing and enforcing the security instructions related to the physical security of the Office.

(b) Reporting to the security officer and the Chief Security any breach in

the application of those instructions.

(c) Reporting to the security officer and the Chief Security any security incident.




ANNEX 2 PERSONNEL SECURITY

General

27. Access to NATO classified information must only be granted to persons

whose duties require it and who, after an enquiry, have been given clearance to have access to such information. The expression “classified information” is understood to mean:

(a) any piece of information on a classified matter, be it an oral

communication or the electrical or electronic transmission of a classified message, or be it “material” (defined in the next paragraph) determined to require protection against unauthorized disclosure, which has been so designated by security classification.

(b) the word “material” includes “document” as defined below and also any

item or machinery or equipment whether completed or in the process of manufacture.

(c) the word “document” denotes any letter, note, minute, report,

memorandum, signal/message, sketch, photograph, film, map, chart, plan, notebook, stencil, carbon, other form of recorded information (e.g. magnetic recording, punched card, tape, diskette, CD-ROM, hard disk), or any other means to preserve a copy/copies of electronic information.

Security Clearance

28. No person shall be entitled to have access to NATO classified information

solely by virtue of rank, appointment or security clearance.

The “NEED-TO-KNOW” is established in all cases by the Director or Deputy Director/Security Officer.

29. Every staff member prior to taking up duties at CSO shall hold a NATO

Personal Security Clearance (PSC) issued by the National Security Authority or other competent authority of the country of which he/she is a citizen (see Appendix 1 to this Annex). The level of this clearance, which shall depend on the functions of the post that the staff member is to hold, shall be laid down in the relevant job description, but shall not be lower than NATO SECRET.

30. Every staff member, upon taking up duties at CSO or when leaving the CSO,

must sign a letter of acknowledgement of responsibilities, a template of which is at appendix 3 to this annex.

31. The period of validity of the security clearance shall be determined by the

issuing National Security Authority. One year prior to expiration, the procedure for requesting renewal of the certificate shall be set in motion by the CSO Chief, Security.




32. Any member of the staff planning to marry or intending to live under a marital relationship must inform the Security Officer at least three months before the intended date of marriage. In this case, the National Security Authority shall be requested to revalidate the security Clearance certificate and the future spouse shall be required to fill in the forms required to conduct the renewal procedure.

33. Any staff member, who is required to deal with “outsiders” (non-Science and

Technology Organization (STO) members) on information pertaining to CSO on classified matters, shall ensure that such persons hold a security clearance of a level permitting access to the information involved, and inform the CSO Security Officer and/or Chief, Security accordingly. In case of doubt, access to classified information is to be refused.

34. No information classified NATO CONFIDENTIAL or above may be passed on

to persons who are not security cleared. NATO RESTRICTED information may be passed on to persons on a “NEED-TO-KNOW” basis and who have attended an awareness briefing. The “NEED-TO-KNOW” may be assessed simply by the appointment of the person by a National official for NATO members. For Non-NATO Entities there must be a existing security agreement between the said entity and NATO.

35. In event of withdrawal, downgrading or delays in renewal of the security

clearance issued to a CSO staff member, the Chief, Security shall inform the Security Officer (Deputy Director) who shall then inform the CSO Director. The CSO Director shall then take the appropriate action. (Reference: NATO Civilian Personnel Regulations).

36. The release of classified information to non-NATO Entities is subject to

confirmation that the person(s) having access to this information is in possession of a Personal Security Clearance (PSC) certificate to the level of the classified information being released.

(a) This may be done after the requesting entity(s) has/have submitted a

request through proper channels for the release of classified information, and the potential releaser has established a “need-to-know” on the part of the requestor.

(b) A Security Agreement must also have been established between

NATO and the nation/entity before release of any such information.

(c) All information and intelligence sharing with non-NATO entities have to follow guidance established in AC/35-D/1040-REV2. However, if a scenario is not governed by this supporting document, Enclosure “E” of C-M(2002)49 in conjunction with AC/35-D/2002-REV4 shall be consulted.

Special NATO ID Card (NATO Agencies in France)




37. The CSO Human Resources and Support branch will distribute a Special NATO ID Card to CSO staff members who are holders of a valid NATO SECRET or above Personal Security Clearance (PSC) certificate and who have received the mandatory security training. It may be used as an access document, and shall constitute valid proof of identity within the Office.

38. The CSO Human Resources and Support branch will distribute a CSO special

security pass to every staff member that will be only used to access the office and as a proof of physical presence in the facilities for safety purposes.

39. The CSO Special NATO ID Card may also be used as an access/exchange

document into NATO Entities in France and in other NATO entities outside France, including NATO HQ.

40. For safety purposes, one of these means of identification (Special NATO ID,

or CSO security pass or any other ID document) shall be given to the guard on duty each time one enters the premises and picked up from the guard each time one leaves the premises.

41. The CSO Special NATO ID Card and the CSO security pass may only be

used by the person to whom they are issued and must be returned to the CSO Security Office when the employee leaves the organization.

42. Any loss or theft of the ID Card or security pass has to be reported

immediately in writing to the Chief, Security giving details of the circumstances in which the loss or theft occurred. A copy of the declaration of loss/theft made at a Gendarmerie or Police Station (if applicable) must accompany the written notification.

Contact with the press

43. Only official representatives of CSO who have been appointed for this

purpose by the CSO Director may be authorized to make statements to the Press. All requests for contact with the Press must be coordinated with the Deputy Director. All correspondence or telephone calls from journalists or Press Agencies must be passed to the Security Officer.

Unguarded Talk

44. Classified matters must not be discussed in non-secure areas, whether

outside CSO (e.g. public transportation, vehicles, restaurants, cafes etc.) or in non-secure areas inside the Office’s facilities (e.g. hallways, courtyard). “Free Talk” is a major contributor to security violations, and proven to be a valuable source of hostile intelligence collection.

Security Violations/Infractions

45. Any contravention of the provisions of these regulations is termed a security

violation/infraction. This term includes contravention’s respecting security of personnel, security of documents (e.g. loss of classified documents), and




physical security (e.g. failure to lock a security container, leaving classified out in full view). It is the duty of any individual who becomes aware of a security violation/infraction to report the matter to the Security Officer or Chief, Security. All violation/infractions are to be reported to the Director and/or the Deputy Director.

Telephone, Telex and Telefax

46. The above-mentioned communication systems are not secure/not tempest

approved. Therefore the passing of classified information (NATO RESTRICTED and above) through these networks is forbidden.

Photocopiers

47. Each photocopier is labeled to the level authorized for reproduction.

Loss or Theft The procedures outlined below apply equally to all family members of CSO staff members

48. Any loss or theft of classified documents, CSO/NATO ID Cards, French

Identity cards, passports, theft of car or diplomatic license plates, laptops or any CSO equipment is to be reported immediately to the Security Officer or to the Chief, Security. Further instructions will then be given.

Anti-Terrorism/Social Contacts

49. Any Staff Member who, in social contacts with persons from outside the

Office, believes to having been exposed or contacted by a member of any organization or country whose intelligence services targets the Alliance and its member nations by violent, subversive or other unlawful means, is required to inform the CSO Security Officer without delay.

50. Any Staff Member who observes activity, which could be inferred to be of a

suspicious or hostile nature against CSO Personnel, activities, or assets, should report that information to the CSO Security Officer. If such activities occur at a location outside of the Paris region, the suspicious behavior should also be reported to the STO local coordinator in charge of that distinct location.

51. Staff members should be particularly alert of people who appear to be

lingering around and studying the patterns and time schedule of CSO people or activities.

52. Situations that could lead to inappropriate contacts might be invitations to

cocktail parties or dinners, invitations to take part in cultural or recreational activities, attempts by individual nationals to establish and/or renew relationship or the exchange of correspondence through such means as a “Pen Pal” club. The proliferation of information technology has multiplied the




possibilities of external contacts; hence extreme caution must be exercised, especially while communicating through social networks like “facebook, twitter, etc…”.

Travel requiring prior authorization

53. The NATO Office of Security (NOS) no longer publishes a list of countries that

pose a special security risk. However, common sense should prevail and the following precautions taken:

(a) Confirm with your National Security Authority that there are no national

objections for your planned travels. The Chief Security can assist you on verifying/identifying a good source of point of contact.

(b) Notify the CSO Security Officer in writing of your travel plans, as a

safety precaution, in case of an incident/unusual occurrence during your travels.

(c) Report any incident/unusual occurrence to the CSO Security Officer

upon your return. 54. As a general rule, avoid travel to countries where there is an imminent threat.

If in doubt, contact an official who is knowledgeable in personal security matters either within CSO or externally (such as your responsible National Security Authority).




Appendix 1 to ANNEX 2 NATO PERSONNEL SECURITY CLEARANCE CERTIFICATE

1. Certification is hereby given that:

Full Name:

…………………………………………………………………………………………………..

Date and Place of Birth:

…………………………………………………………………………………………………..

has been granted a personnel security clearance by the Government of:

…………………………………………………………………………………………………..

In accordance with current NATO regulations, including the Security Annex to C-M(64)39 in the case of ATOMAL information, and is, therefore, declared suitable to be entrusted with information classified up to and including:1

…………………………………………………………………………………………………..

…………………………………………………………………………………………………..

…………………………………………………………………………………………………..

2. The validity of this certificate will expire not later than2

…………………………………………………………………………………………………..

…………………………………………………………………………………………………..

Signed:

Title: Official Government stamp Date of Issue:

Contact details of the issuing authority (Phone, e-mail, fax):

To be sent via official registered mail to: CSO Security Officer

BP 25 92201 Neuilly / Seine cedex

France

Note: the marking on this page is not part of the template

1 Insert, as appropriate, one or more of the following:

(a) COSMIC TOP SECRET (d) COSMIC TOP SECRET ATOMAL (b) NATO SECRET (e) NATO SECRET ATOMAL (c) NATO CONFIDENTIAL (f) NATO CONFIDENTIAL ATOMAL 2 The date of expiry shall conform with the provisions of paragraph 18 of the Directive on Personnel

Security.




Appendix 2 to ANNEX 2 ATTESTATION OF SECURITY CLEARANCE

Issued by……………………………………………………………………………………….

(Member Nation or NATO civil or military body)

Date and Place of issue………………………………………………………………………

Valid until……………………………………………………………………………………….

This is to certify that:

Full Name………………………………………………………………………………………

Date of Birth…………………………………………………………………………………...

Place of Birth…………………………………………………………………………………..

Nationality………………………………………………………………………………………

Where employed………………………………………………………………………………

Purpose and Duration of Visit………………………………………………………………..

……………………………………………………………………………………………………………………………………………………………………………………………………

Holder of Passport / Identity Card No………………………………………………………

Issued at………………………………..Dated……………………………………………….

Military Rank and Number (where applicable)……………………………………………..

has been granted access to NATO information classified up to and including

………………………………………………..in accordance with current NATO security regulations, including the Security annex to C-M(64)39 in the case of ATOMAL information, and has been briefed accordingly by

…………………………………………………………………………………………………..

Signed:

Title: Official Government stamp (optional)

Date:

To be sent via official registered mail or protected e-mail to3:

CSO Security Officer BP25

92201 Neuilly / Seine cedex France

or [email protected] (NS network)

or, exceptionally, to be hand carried to the location of the activity. Note: the marking on this page is not part of the template

3 NOTE: This certificate must be handled in accordance with the provisions of NATO Security Policy

and its supporting directives.

mailto:[email protected]




Appendix 3 to ANNEX 2 CERTIFICATE OF ACKNOWLEDGEMENT OF RESPONSIBILITIES

TO BE SIGNED BY MEMBERS OF CSO OF THE NORTH ATLANTIC TREATY ORGANIZATION

I understand:

(1) that I am responsible for preserving the security of all classified information which may be imparted to me as a result of my employment with the North Atlantic Treaty Organization and undertake to comply with such regulations concerning security as may from time to time be laid down;

(2) that I must not divulge any information gained by me as a result of my employment to any unauthorized person, orally or in writing, without the previous sanction of the CSO Director;

(3) that I must not, without the authority of the Director, publish any information which I have acquired or to which I have had access owing to my official position as a member of the Organization, whether orally or in any document, article, book, play, film or otherwise;

(4) that on leaving the organization, I should surrender any sketch, plan, model, article, note or document made or acquired by me in the course of my official duties, save such as I have been duly authorized to retain by the Director.

I certify:

That I am aware of my responsibility for safeguarding NATO classified information, and will abide by the CSO Security Regulations.

I understand:

that the provisions of this certificate apply not only during the period of my employment, but also after my employment with the organization has ceased and that I am liable to prosecution if either by intent or negligence I allow classified information to pass into unauthorized hands.

NAME : DATE




Appendix 4 to ANNEX 2 ATTESTATION OF PERSONNEL SECURITY CLEARANCE

(for non-NATO national) 1. Attestation is hereby given that:

Full Name (Last Name, First Name):

…………………………………………………………………………………………

Date and Place of Birth:

…………………………………………………………………………………………

Where employed:

…………………………………………………………………………………………

Purpose and Duration:

…………………………………………………………………………………………

…………………………………………………………………………………………

Holder of Passport/Identity Card No :……………………………………………..

Issued at :……………………………………………………………………………

Dated …………………………………………………………………………………

Has been granted a Personnel Security clearance for NATO classified information in accordance with security requirements no less stringent than those of NATO, has been briefed on the security regulations for the protection of NATO information and the legal and disciplinary consequences of infraction/breaches of those regulations, and is, therefore, declared suitable to be entrusted with information classified up to and including:

NATO SECRET4 NATO CONFIDENTIAL5

2. The validity of the attestation will expire no later than:

…………………………………………………………………………………………

3. Issued by:

Name and address of the issuing authority:

……………………………………………………………………………………………………………………………………………………………………………………

Contact details of the issuing authority (Phone, e-mail, fax):

…………………………………………………………………………………………

Full Name (Last Name, First Name):

Title:

Signature: Official stamp

Note: the marking on this page is not part of the template To be sent by registered mail to: CSO Security Officer – BP 25 – 92201 Neuilly/Seine cedex - France

4 Delete as appropriate

5 Delete as appropriate




ANNEX 3 PHYSICAL SECURITY

Physical Security Measures

55. The aim of physical security measures is to prevent an unauthorized person

from gaining access to NATO Classified information and to avoid any “bad act” and/or terrorism act.

56. The Office will be officially opened during working days (Monday thru Friday)

from 07h30 to 20h30. During these opening hours the access is free for CSO staff. Outside the opening hours the access for both the pedestrians and the vehicles has to be requested to the Chief Security or the Security Officer.

57. At all times the gate and the barrier shall remained closed and positive

identification shall be made by the guard to let either the person or the car access to the site.

(a) When security alert state is “ALPHA”: during working days, between

08h00 and 09h00, the main gate may be opened and barrier lowered. After positive identification of the driver and the passengers the guard on duty will raise the barrier. He will proceed the same way in the evening between 17h00 and 18h00.

(b) When security alert state is “BRAVO” and above: the gates and the

barrier shall remain closed at all times and are opened to allow access to those positively identified persons and/or vehicles.

Passes/Visitors

58. CSO Staff are admitted onto CSO premises based on personal recognition.

Upon entering they will leave their NATO pass or ID card with the guard and upon exiting the premises will pick it up.

59. Visitor definition: somebody who is not member of the CSO staff but has

something to deal with at the CSO (official visit, activity team members, workers, consultants, contractors, retirees, 1st level relatives).

60. All visitors to CSO who are NATO members from other NATO entities will

exchange their NATO Pass or ID card for an CSO badge which states: “VISITOR, NO ESCORT REQUIRED”

61. Family members (with the exception of children under age of 18) will be given

a badge “VISITOR, ESCORT REQUIRED” and must leave a form of identity card with the guard. The visited staff member will permanently escort them. Children shall be under the supervision of their parents at all times and are not allowed inside the buildings without the staff member.




62. All other visitors, including contractors after they have been cleared and retirees from other NATO bodies, will leave a form of identity card with the guard and be issued a badge, which states:

“VISITOR, ESCORT REQUIRED”

The CSO staff member being visited will be responsible for escorting the visitor on the premises. At no time shall the visitor be left unattended.

63. CSO Staff members will inform the guards and/or the Security Office when

there is to be a/or visitor/visitors, with the name(s), date and time of arrival, ID card or passport number, type and plaque number of vehicle.6

64. AGARD/RTA/CSO Retirees visiting the Office will leave a form of identity card

with the guard and be issued a badge which states:

“ARAR, CSO (Retiree’s name)”

This badge allows the retirees access but restricted only to non-sensitive areas within CSO premises. This badge does not allow the AGARD/RTA/CSO retirees to escort other visitors.

65. If a non scheduled visitor requests to visit a staff member, the guard will:

(a) Let the visitor access the waiting room,

(b) Collect information on the purpose of visit and name of the visited staff member,

(c) Coordinate with the requested member,

(d) Either authorize the access under escort of the visited staff member or

request the visitor to plan another appointment with the staff member.

Carriage of Pistols or Revolvers 66. Visitors armed with pistols or revolvers will inform the guards. Guards shall

inform the Security Officer. Decision of removal or carriage will be on a case-by-case basis.

Photographic and Recording Equipment

67. Visitors are not allowed to bring cameras or recording equipment into offices

without the official approval of the Security Officer or the Chief, Security. The use of personal computers to process classified NATO data is also forbidden unless specifically approved by the Security Officer. For further details, reference CIS SecOps.

6 This does not pertain to visitors attending a meeting to be held at the Office. See Annex 3

“Classified Conferences and Meetings” for instructions.




Keys

68. The guards are responsible for the control of the keys to offices. Keys will be

checked in and out from the guards on a daily basis.

Staff Members Privately Owned Vehicles 69. Due to a limited number of parking spaces, members are only allowed one

vehicle on the premises per family, the second and third vehicle will be parked outside, unless room is available and the Security Officer or the Chief, Security has given authorization. Only the Director or Deputy Director has authority to waive this rule for specific reasons; such as security.

70. Upon entering the Office, staff members will park their vehicles facing forward,

and leave their vehicle keys visible inside the vehicle (during working hours). Making sure to turn off all codes and informing the guards if there is a code to start the vehicle.

71. Staff members wanting to station their vehicle after business hours must have

approval from the Chief Security and park in the far back region of the courtyard (facing forward) (leave the vehicle unlocked and keys at the guard post).

72. Staff members will not leave their vehicles while on leave or for personal reasons unless approved by the security officer.

73. Due to density of traffic in rue Ancelle at specific times of the day (morning

and evening), drivers must pay particular attention when entering or exiting the Office. Priority will always be given to entering vehicles. Upon exiting, risks of accident are increased, the guard will ensure, before raising the barrier that no pedestrian on the sidewalk is approaching to the gate. The entry of vehicles into rue Ancelle will rest on drivers’ responsibility.

Visitors Vehicles

74. The staff member being visited must first acquire approval from the Security

Officer or the Chief, Security for visitors wanting to park their vehicle within the premises of the Office. Upon acquiring approval, information on the make, model, color and license plate number must be provided.

Use of cellular phones

75. The use of cellular phones is prohibited in conference and meeting rooms.

They shall be put in the OFF mode. If classified talks are supposed to take place then the cellular phones should be collected, locked in a safe place and given back at the end of the meeting.




76. The use of cellular phones is tolerated in offices as long as they are not used, even in stand-by mode, while dealing with classified information. They shall then be put in the OFF mode.

77. Cellular phones with cameras shall not be used to take pictures in the Office be it inside or outside the building.

Visits to NATO headquarters, NATO Commands and Agencies

78. Such visits are understood to mean visits to facilities under another security

jurisdiction and which involves access to information classified NATO CONFIDENTIAL and above. Security jurisdiction in terms of this instruction means the area of security responsibility of a National Authority or of NATO. All NATO entities come within the security jurisdiction of NATO.

79. A CSO employee, who is to undertake official international travel in the

framework of CSO activities to a NATO Entity involving access to, or communication of NATO classified information, or access to facilities which may only be entered by persons who are holders of valid NATO security clearances, must make a request to the CSO Chief Security to provide a attestation of his/her security clearance (see Appendix 2 to Annex 2). When possible and required, the Chief Security shall send this attestation to the Security Authority of the body or command to be visited. In exceptional cases, the employee concerned may hand carry the attestation letter (see Appendix 2 to Annex 2) and present it to the relevant authority.

80. Any copy of an attestation of security clearance issued to a staff member, for

the purpose of proof of identity, must be returned to the Chief, Security after the staff member has returned from his official travel.

81. The Security Office must be informed no later than 5 working days before the

date of departure of any international travel involving access to NATO classified information, in order that the authority to be visited may take the appropriate action.

82. The following data are required for completion of the attestation letter:

(a) Passport number

(b) The specific purpose of the official travel provided in sufficient details in order to justify to the approving security authority the official need to conduct this visit.

(c) The place and the exact address of the meeting; name of Point-of-

Contact, telephone number, e-mail address (optional); the dates and the duration of the trip.

(d) The name, fax and telephone number of the Security Authority

requesting the information.




Appendix 1 to ANNEX 3 ACCESS OF CONTRACTING COMPANIES

CLEANING COMPANY

83. During Working Days: between 08h00 and 11h00 two members of the

cleaning company have access to the CSO in order to execute cleaning tasks in the buildings.

84. These personnel will be issued a visitor pass after provision of their ID

document. They should have been subject to French records check (“Contrôle élémentaire”).

85. These personnel will be at all times during their presence within the premises

under the overall supervision of the General Services of the Office. Each staff member has the responsibility to ensure that during the cleaning of their office no classified information could be accessible to these personnel.

86. Cleaning will not start before the guard on duty has checked all rooms for

inadvertently left classified materials. 87. In case the cleaning company has to plan and perform heavy duties (such as

carpet cleaning), it shall advise the Office of the designated personnel well in advance in order to coordinate the access (letter to the general services office). General services will ensure that copies of ID cards are provided to the Chief, Security.

88. The cleaning company must comply with CSO security rules and signed a

letter of acceptation and confidentiality as provided in appendix 3 to this annex.

MAINTENANCE COMPANIES

89. In case construction works and/or maintenance of the CSO buildings are

scheduled, the contracted company shall provide the Office with a complete list of the workers along with copies of ID cards at least two weeks before the beginning of the works.

90. Members of the team will be positively identified upon arrival and shall leave a

form of identity card and their mobile phones with the guard. A staff member of the Facilities Management branch shall escort them.

91. Staff members from the maintenance company that will be entering CSO

premises or dealing with CSO staff must comply with CSO security rules and sign a letter of acceptance and confidentiality with those rules as provided in appendix 3 to this annex.




Appendix 2 to ANNEX 3 Guards’ security patrols

General rules 92. At all times, during their patrols, the guards shall carry with them the mobile

telephone and the PTI (“Protection Travailleur Isolé”) device. 93. During their duty the guards must pay due attention to their main task, which

is to deter and repel any unauthorized access to the Office. 94. Upon leaving the guard post, night and day, outside opening hours, the duty

guard must lock the door and activate the night ring, be it for a security patrol or for a short absence. During opening hours, the duty guard must seek the replacement by the Chief Security, the chief registry or the general services technician.

95. At least, three security patrols shall be realized at random times after business

hours and after the last CSO member has left the Office. They will be reported in the guard post log book.

96. Every opening day, a security check of all floors and the basement of both

buildings shall be performed. 97. The guard post log book will be checked weekly by the Chief Security and at

random times by the Security Officer. Specific rules

Classified materials 98. During his security patrols the guard shall ensure that no classified material

(document or equipment) has been left on a desk. 99. In such a case, he must inform the Chief, Security, or in his absence the

Security Officer of the CSO. The guard will place the document or material in the appropriate safe in the guard post. It will be reported in the log book.

100. The document or material will be issued to the Chief, Security the next

working day.

Safes and special rooms 101. During his inspections the guard shall verify that safes in the various offices,

the archives and the special rooms (crypto room and tempest room) are properly secured and locked. After checking he must report on the appropriate sheet at his disposal on the safe or the special rooms’ door.




102. In case a safe is found unsecure or unlocked, the guard will immediately inform the Chief, Security or the Security Officer of the CSO. He shall mention it in the log book.

Interior of buildings

103. During his inspections, the guard shall ensure that all windows are closed, all

electrical equipments (coffee machines, heating plaques, printers, copiers) are shut down and all the water taps are shut off.

104. The doors of following offices shall be locked outside working hours: A013

(Chief Human Resources and Support), A101 (Director of CSO) and Room 4 Annex B building (Publications Assistant).

105. The door of the boiler room shall remain locked at all times. Only Facilities

Management personnel of the CSO and the guards have access to this room. A visual control of the boiler room shall be performed every day by the duty guard and reported in the log book.

106. A visual inspection of all the offices shall be performed and any anomaly

reported in writing to the Facilities Management of the CSO for maintenance.

Exterior of the buildings - courtyard 107. A visual inspection of the exterior of the buildings, the fences, gates, exterior

lights and cameras shall be performed regularly and randomly (4 times a day) by the guard during his duty and reported in the log book. Any anomaly shall be reported in writing to the Chief, Security and/or to the Facilities Management for maintenance.

108. Outside opening hours both buildings A and B shall remain locked and

secure. Controls of the securing system are in the guard post.




Appendix 3 to ANNEX 3 Letter of acceptance and confidentiality

ENGAGEMENT DE CONFIDENTIALITÉ

(À joindre à votre proposition)

Je soussigné, ……………………………….…., représentant la société………………………………………………………….., m’engage à ce qu’aucune information, protégée ou non, ne soit communiquée sous quelque forme que ce soit à d’autres personnes que celles qui ont besoin d’y avoir accès dans le cadre de leur activité professionnelle en rapport avec le contrat en objet. à ……………………………………le [date], Fonction dans l’entreprise : Signature : cachet commercial de l’entreprise : L’attention des sociétés sollicitées est attirée sur le fait qu’il leur sera demandé de fournir les détails d’état-civil Nom Prénom Date et lieu de naissance Nationalité Adresse Numéro de pièce d’identité (+ copie) De chacun des intervenants sur le site de la CSO, dix (10) jours ouvrables avant la date prévue de l’intervention.




ANNEX 4 SECURITY OF INFORMATION

INTRODUCTION

Scope 109. This Annex sets forth the basic principles and the minimum security standards

to be applied in CSO for the protection of NATO classified information.

Personal Responsibility 110. THE BEST-WRITTEN SECURITY PLANS AND REGULATIONS ARE

WORTHLESS IF EACH AND EVERY STAFF MEMBER DOES NOT PAY DUE ATTENTION TO SECURITY.

(a) It is the duty of every CSO staff member to apply the rules set forth in this Annex with common sense and judgment, and to inform the CSO Security Officer and/or Chief, Security of any breach of security in each division. (b) All staff members should act in accordance with the spirit of this Annex in any situation not expressly covered within. (c) In addition, all staff members are required to inform their supervisor & the Security Officer or the Chief, Security of anything that might indicate an attempt at espionage or subversion. (d) Finally, all staff members are invited to propose any practical steps that could be taken in order to strengthen security in his/her area of responsibility.

ROLE OF CLASSIFIED REGISTRY 111. The role of the classified registry is to carry out the registration, handling,

reproduction, distribution, forwarding, archiving, and destruction of classified documents in accordance with the security rules laid down in document AC/35-D/2002-Rev3 with updates, AC/35-D/1032 “Guidelines on Security of Information”, and in this Annex.

112. The Chief, Security is responsible for the classified registry functions in the

CSO. CLASSIFICATION OF NATO INFORMATION

General 113. Markings should indicate information ownership, protection, access and

handling requirements. The ways and means of protecting, distributing and providing access to information are determined by relevant NATO policies and procedures.




114. Principles (a) Information Sharing: information shall be managed with an emphasis

on the ‘responsibility-to-share’ balanced by the security principle of ‘need-to-know’, and managed to facilitate access, optimize information sharing and re-use, and reduce duplication, all in accordance with security, legal and privacy obligations.

(b) Information Protection: NATO Security Policy5 requires that access to and release of NATO classified information be controlled. NATO classified information should be clearly marked to identify the required level of protection and to indicate releasability where appropriate

(c) Consistency of Marking: Markings on information items should be consistent to enable information sharing, cooperation, and effective and efficient processes. Consistent markings should be used on both NATO classified and NATO unclassified information.

(d) Public NATO Information: NATO Information which from its inception is intended to be communicated to the public as part of NATO’s public diplomacy and outreach activities, e.g. a press release, shall be presented in conformity to the NATO Visual Identity Guidelines and should not carry standard NATO markings. NATO Information being made available to the public as a result of public disclosure should retain the original markings, with annotations indicating its change of categorization6. This applies equally for NATO information released to a specific public entity such as a court, parliamentary commission, or similar.

115. It is impossible to draw up a complete set of instructions on security classifications. In any case, such instructions should not substitute for the judgment and reasoning which, taking the circumstances into account, make it possible to select an appropriate security classification.

116. One of the fundamental rules to be followed is that every document must be

classified according to its own contents and according to the security classification of the document to which it refers or the file in which it is registered.

117. Before selecting the security classification to be given to a document, the

originator must always consider whether the unauthorized disclosure of the information would have the consequences mentioned in the definitions of the various categories.

118. Particular care should be taken not to over-classify or under-classify

information. The level of security that is required for any given information shall determine the level of classification. If the information is sensitive for reasons other than security then it shall be given a specific marking as detailed above.

119. A cover note/sheet must be given the same overall classification category as

that given to the documents attached to it. The originator must indicate – on the cover sheet - if the classification has authorization to be downgraded to a given level when separated from its attachment.




120. References to classified documents need no classification, unless they

themselves contain or reveal classified information. However, to avoid endangering the protection of classified information, such references should be as few in number as possible.

121. Collated information can often acquire a requirement for a higher classification

than its component parts because of the greater intelligence value of a comprehensive picture.

122. The overall classification of a document must be at least as high as that of its

most highly classified component. 123. The recipient must bring cases of apparent over-classification or under-

classification to the attention of the originator. If the originator decides to reclassify the document, all addressees shall be informed accordingly.

Responsibility for classification

124. The originator of a document within CSO shall be responsible for determining

its appropriate security classification up to NATO CONFIDENTIAL. 125. The originators, within CSO, responsible for determining the classification for

NATO SECRET documents shall be the Director, Deputy Director, Panel Executives, SPB, and OCD. If necessary, the originator shall ask for advice from his/her superior, or the Security Officer (Deputy Director). If the document has technical content, the advice of a specialist is required.

Markings

126. NATO information falls into three categories: Classified, Unclassified and

Public. All NATO classified and unclassified information should carry a marking indicating its classification.

127. The NATO marking shall be applied to all copies of NATO SECRET, NATO CONFIDENTIAL and NATO RESTRICTED documents prepared for circulation within the NORTH ATLANTIC TREATY ORGANIZATION. The NATO marking may also be applied to UNCLASSIFIED documents. When applied to a document, the marking NATO means: the document is the property of NATO and that the information contained therein remains the property of the originator. NATO Information may carry additional marking showing the collective ownership of the document (e.g. NATO / EAPC, NATO / PfP, …); they shall only be used to show the joint production of the information and not its releasability.

128. Rules for application of security classification categories:

(a) NATO TOP SECRET (COSMIC) – This security classification shall only be applied to information the unauthorized disclosure of which would result in exceptionally grave damage to the North Atlantic Treaty Organization.




(b) NATO SECRET – This security classification shall only be applied to

information the unauthorized disclosure of which would result in grave damage to NATO.

(c) NATO CONFIDENTIAL – This security classification shall only be

applied to information the unauthorized disclosure of which would be prejudicial to the interests of NATO.

(d) NATO RESTRICTED – This security classification shall be applied to

information the unauthorized disclosure of which would be undesirable to the interests of NATO.

129. COSMIC – this marking shall be applied exclusively to all copies of TOP

SECRET documents to be distributed within NATO and which are to be given special protection.

130. Releasability: In support of information sharing, it may be necessary to

release some NATO information beyond the information domain to which it would typically be available. In this case, the originator should indicate such releasability when the document is ready for collaboration and/or publication. The releasability marking should be clear and complete. Originators should take both current and anticipated information sharing requirements into consideration when applying the relevant elements of the marking.

131. Dissemination Limitation: Contrary to releasability markings, dissemination limitation markings are used to indicate that dissemination and access of the information is limited to only some of the entities that would be implicit in the initial domain marking.

132. The markings listed below may also be applied by the originator to NATO

UNCLASSIFIED information to control dissemination of that information to specific groups and individuals. They may only be modified by or with the consent of, the originator. They include:

(a) PERSONAL/IN-CONFIDENCE – information to be seen only by (the

originator and) the individual to whom it is addressed.

(b) COMERCIALLY-SENSITIVE – information concerning NATO commercial processes, contracts or financial affairs.

(c) MANAGEMENT – information concerning advice on policy and

planning affecting the interests of NATO.

(d) MEDICAL/IN-CONFIDENCE - information concerning medical reports and related material on personnel and units.

(e) STAFF/IN-CONFIDENCE - information containing references to named

or identifiable staff or personal confidences entrusted by staff to management.




Other special markings

133. National security classifications and their NATO equivalent are shown at of

Annex 1 to AC/35-D/1002(revised). 134. The following are examples of correctly presented markings:

(a) Basic Marking: NATO UNCLASSIFIED

(b) Marking combined with Administrative/Category Marking: NATO UNCLASSIFIED – STAFF

(c) Marking with Releasability Marking denoting specific countries: NATO RESTRICTED

Releasable to Japan, Switzerland, Ukraine

(d) Marking with Releasability Marking denoting a community of countries: NATO/EAPC CONFIDENTIAL

Releasable to ISAF

(e) Marking with Dissemination Limitation NATO/KFOR CONFIDENTIAL

NATO, Ireland, Sweden, Ukraine Only

Downgrading and declassification 135. NATO classified documents may only be downgraded or declassified by the

originator. The originator may make this decision by:

(a) Reviewing at least annually to ascertain whether the original security classification is still applicable, and/or whether they are to be downgraded or declassified. The security system must not be overloaded with documents whose contents no longer require their original level of classification.

(b) Ensuring that all original addressees of those documents are notified

promptly of their downgrading or declassification. Original and subsequent addressees, who have given further dissemination to the documents, shall be responsible for ensuring that the holders of those copies are informed promptly that the documents have been downgraded or declassified.

(c) Making a statement on the document which states the date when the

document may be destroyed, downgraded or declassified 136. In all cases, action to re-mark documents shall be taken immediately by the

holders of those documents for which a downgrading or declassification notice has been received.




137. Wherever possible, the originator shall, when issuing a document, indicate the level to which it may be downgraded in given circumstances, as for example, on a certain date, and/or on the happening of a specific event.

PREPARATION AND REPRODUCTION OF DOCUMENTS

Preparation 138. Documents marked NATO are subject to the control and protection set forth in

the NATO security procedures. It is the responsibility of each person to become familiar with these policies and guidance.

139. Documents classified NATO RESTRICTED and above shall be typed,

translated and reproduced only by persons with the appropriate level of security clearance, at least to the level of classification of the document to be handled. The only authorized locations for classified work NATO CONFIDENTIAL and above are at the TEMPEST-approved workstations.

140. The security classification and the marking NATO must be conspicuously stamped, typed, printed or hand-written at the top and bottom of each hand-written or printed page of the document. Paragraphs must be marked with appropriate classification. The classification and the marking shall, whenever possible, be indicated in larger letters than those used in the text of the document. In no case shall they be smaller.

141. Paragraphs above also apply to working papers. 142. All NATO classified documents shall bear a reference number and date on the

first page. Each NATO SECRET document shall bear the reference number on each page and a copy number of the first page.

(a) A new Annex or Appendix added to a COSMIC TOP SECRET or NATO

SECRET document or designed to replace a portion of an existing COSMIC TOP SECRET or NATO SECRET document shall state on the first page:

(1) The reference number of the original document with its date of issue and (2) The purpose of the new text, as for example an addition or substitution

(b) The original date of a NATO SECRET document should be retained

even though amendments are made to it, unless it is the subject of fundamental revision and re-issue.

(c) The first page of a NATO classified document or its index or table of

contents shall include a complete list of Annexes and Appendices.




(d) Each hand-written or printed page of a document shall be numbered. The total number of pages of NATO SECRET documents shall be stated on the first page. To facilitate the checking of the completeness of a NATO SECRET document when it consists of more than one component (e.g. Enclosures, Annexes, Appendices, etc.) a list of effective pages must be included in the document.

(e) When a document is downgraded or declassified by its originator, the

original NATO classification on the first page shall be lined through. The new classification or NATO UNCLASSIFIED, as the case may be, will be shown immediately above or under it, together with the authority for such action, as well as the date and initials of the person effecting the amendment.

Photographic material 143. Photographs, films (including negatives and positives) and their spools and

containers, shall be marked in such a manner as to ensure that any recipient or viewer will know that classified information of a specified level is involved.

Tape recordings

144. The spools containing tapes (i.e. cassette tapes), including videotapes on

which classified information has been recorded must be clearly marked with the highest classification of information recorded thereon. (See also CIS SecOPs)

Magnetic media of all types

145. The classification of magnetic media such as a diskette, tape back-ups, hard

drives and/or other computer-generated media on which classified information has been recorded, must be clearly marked with the highest classification of information contained thereon and shall be accounted for. (See also CIS SecOPs).

All other material

146. The assigned security classification and, where appropriate, downgrading and

declassification instructions, shall be conspicuously stamped, printed, hand-written, painted or affixed by means of a tag, sticker, decal or similar device on classified material other than described above.

Reproduction and Translation

147. Reproduction of classified documents by the addressee shall be controlled in

a manner to deter unauthorized access. Approval for reproduction of documents NATO CONFIDENTIAL and above must first be acquired through the Chief Security.




148. Reproductions (see Annex 2, paragraph 14) and translations of classified documents may be produced by the addressee under strict observation of the “NEED-TO-KNOW” principle. Security measures laid down for the original document shall be applied to such reproductions and/or translations. If classified NATO SECRET, documents must be marked with identifying copy numbers. Before the reproduction and/or translation of NATO SECRET documents, the CSO Chief Security must be informed and the copy numbers and number of copies made must be recorded. Requests for translation of NATO SECRET documents must also pass through the CSO Chief Security office.

DISTRIBUTION/RELEASE OF NATO INFORMATION

149. Distribution/release of NATO classified or NATO unclassified documents shall

be on a “NEED-TO-KNOW” balanced with the “responsibility to share” principles.

NATO CLASSIFIED information

150. The initial distribution of documents classified NATO RESTRICTED and above should be specified by the originator. The addressee may authorize such wider distribution, as he/she may consider necessary in accordance with the principle of the NEED-TO-KNOW.

151. Documents classified NATO CONFIDENTIAL and above shall be limited to

persons currently authorized to have access to such information. 152. Classified information:

(a) may not be passed outside the North Atlantic Treaty Organization, except under the condition laid down below and that it is subject to the security protection outlined in these procedures:

(b) may be circulated, in accordance with the NEED-TO-KNOW principle

and without reference to the originator, within NATO. It should be emphasized that the information itself remains the property of the originator.

(c) may not be given to any non-NATO nations entity except by the

originator or as set out in AC/35-D/2002-Rev3 and updates and the supporting directives, especially AC/35-D/1040 and updates. The CSO Security Officer is the delegated authority appointed to manage the security risks within the CSO with respect to this matter.

NATO UNCLASSIFIED information

153. In accordance with the NATO Information Management Policy (NIMP),

information marked NATO UNCLASSIFIED may be released to non-NATO nations and organizations only when such release would not be against the interests of NATO.




154. Responsibility for the release of information marked NATO UNCLASSIFIED

has been delegated by the North Atlantic Council and Military Committee to the Director of the CSO.

155. NATO information marked NATO UNCLASSIFIED is to be used only for official NATO purposes.

156. When it is determined that NATO UNCLASSIFIED information is releasable to the public, all markings shall be removed.

157. When NATO UNCLASSIFIED information is released to Non NATO entities other than the public, the NATO markings shall be retained as an indication that this information is subject to security arrangements in place for the exchange of information with the entity concerned.

PROTECTION OF CLASSIFIED INFORMATION

General 158. The places in which NATO classified material is stored range from strong

rooms to lockable containers. The protective measures vary accordingly.

(a) The purpose of physical security measures is to prevent unauthorized persons from having access to NATO classified information.

(b) Places in which NATO classified material is kept must be protected

against unlawful entry through the windows, doors, roofs, and/or other openings. The protection shall be enhanced by the presence of guards, patrols, intrusion detection systems and/or alarms.

(c) By studying and evaluating the components of the protection system

such as the security of the building, premises and containers, it is possible to determine how long a trained intruder would take to gain surreptitious access to protected information. This time element shall dictate the frequency of inspection by the guard or patrol or the requirement for an on-site permanent guard post. A continuous “Risk Assessment” process will assist to determine current vulnerabilities, and will propose several options for the most economical allocation of resources to meet existing vulnerabilities.

(d) Places in which NATO information classified CONFIDENTIAL or above

is stored must be inspected after normal working hours to ensure that safes, cabinets, and/or other authorized storage containers are locked, and classified documents and waste securely housed.

Custody of documents




159. COSMIC TOP SECRET materials or documents shall be stored in a nationally approved security container placed in an area equipped with an Intrusion Detection System and under permanent supervision of the guard force.

160. NATO SECRET and NATO CONFIDENTIAL documents shall be stored in a nationally approved security container.

161. Security facilities and equipment shall be subject to periodic inspection. 162. NATO RESTRICTED documents shall be placed in premises not open to

members of the public and which, unless other security precautions are taken, are to be locked/secured after working hours in cupboards, cabinets or desks.

163. NATO SECRET and NATO CONFIDENTIAL documents must not be left

unattended in an office during normal working hours. When offices are vacated, even temporarily, NATO SECRET and CONFIDENTIAL documents shall be safeguarded in accordance with the provisions listed above.

164. NON-CLASSIFIED documents that are not locked up must:

(a) either be clearly marked NATO UNCLASSIFIED (b) or be placed in a container or on a shelf not containing any NATO classified documents. This container or shelf shall then be marked: “This cabinet/shelf or storage area … does not contain any NATO classified documents.” When this is indicated, the occupant of the office is responsible for any breaches of security discovered during inspections (c) or be placed in a room marked: “This room does not contain any NATO classified information”. In this case, the responsibility for ensuring that no classified documents are in the room falls on its occupant, even if the latter is temporarily absent.

165. Any classified document not properly secured in accordance with the

paragraphs above, and found by the security guard during the inspection, shall be locked up and a report made the next day to the Security Officer and/or Chief Security. The latter will then inform the staff member responsible of such incident. (See also ANNEX 6 for further details.)

Keys and locks

166. Staff members are not allowed to retain keys to security containers outside

normal duty hours. Combination settings to security containers shall be committed to memory by persons with a “need-to-know”. Spare keys and a written record of each setting for use in emergency, should be held in a sealed envelope by the Chief Security. Keys and special records of combination settings to security containers shall be given security protection no less stringent than the material to which they give access. In exceptional cases when authorized by the Security Officer, keys may remain in the personal custody of the user if the container is secured both with a key and a combination lock.




167. Knowledge of combination settings of security containers shall be restricted to

the smallest possible number of persons. Settings shall be changed:

(a) Every twelve months (for containers holding NATO CONFIDENTIAL and above); (b) Whenever a permanent change of personnel occurs; (c) Whenever a compromise has occurred or is suspected

168. The Chief security will perform the action outlined above. Only the Chief

Security or in his/her absence, the Principal Assistant (Human Resources and Facilities Management) can give individuals, on a “need-to-know” basis, the combinations to security containers.

Recording equipment

169. During storage, all dicta-phone disks and magnetic tapes shall be handled in

the same way as documents of the same classification. (See also CIS SecOPs)

170. The use of voice-recording apparatus other than that belonging to CSO and

used for official recording is prohibited. Such devices may not be brought into the CSO facility without the prior authorization of the Director and/or Security Officer.

171. Disks and tapes used for classified recordings must be marked with the

security classification of their contents, and stored in the same way as documents of equivalent classification. (See also SecOps)

(a) These disks and tapes must be stored as mentioned, and then retained at their proper level of classification. (b) Classified disks and tapes (NATO SECRET and above), even when erased, must not be used for NATO UNCLASSIFIED recordings. Such disks and tapes shall be destroyed according to the SecOps.

Checking of documents in event of transfer or departure of a staff member

172. Before a CSO employee is transferred or leaves, the Chief Security shall carry

out an inventory of all NATO SECRET documents held by the staff member, if applicable. This check shall take place not more than two weeks before a transfer, and not more than one month before a departure. After the inventory has been performed, the Chief Security shall draw up a certificate for the Security files. When the case arises, documents found to be missing shall be listed in an annex to the certificate. If documents are missing, the staff member concerned shall be requested to provide a written explanation. (See ANNEX 4 for further details)




Destruction

173. To prevent unnecessary accumulation, superseded documents and

documents no longer needed shall be destroyed as soon as practicable. It is not necessary to await destruction instructions from the originator.. Holders of NATO CONFIDENTIAL and above documents shall maintain a continuing review of them to determine whether they can be destroyed and inform the Chief Security prior to destruction for appropriate instructions.

174. Copies of NATO RESTRICTED and CONFIDENTIAL documents that are no

longer required may be destroyed. CONFIDENTIAL documents must be destroyed under the supervision and control of the CSO Chief Security. NATO RESTRICTED documents may be destroyed within each section by using an approved shredder. In both cases, the CSO Chief Unclassified Registry (for NATO RESTRICTED) and the CSO Chief Security/Classified Registry (for NATO CONFIDENTIAL) must be informed of the control number of the documents in question so that these items can be recorded as “destroyed” in the Registry Unclassified/Classified log books.

175. NATO SECRET documents to be destroyed must be recorded in a

Destruction Certificate or letter in accordance with the following procedure:

(a) The office concerned shall inform the Chief Security/Classified Registry of the documents to be destroyed. The Chief Security shall record or have recorded the documents to be destroyed in the Destruction Certificate.

(b) The copy number of the classified documents to be destroyed must be

written in the letter.

(c) The individual concerned will accompany the Chief Security for destruction of the documents. Both of them shall be appropriately cleared and authorized to have access to NS information.

(d) Documents will only be destroyed in the shredder located in the Chief

Security’s office.

(e) After the classified documents have been destroyed, the Chief Security and one independent witness will sign the destruction certificate. The destruction certificate along with the document log sheet shall then be filed and retained at least ten years in the Destruction Certificate folder located in the Classified Registry.

(f) As soon as the Destruction Certificate/letter is received, the Register of

NATO SECRET documents shall be modified reflecting such destruction. Referencing the letter in the block marked “Destroyed date and signature” shall do this.




(g) A destruction letter is not required for NATO RESTRICTED / NATO CONFIDENTIAL documents.

(h) A destruction letter is not required for classified working drafts, papers,

and carbons. Such material is to be turned over to the Chief Security, who will carry out their destruction.

176. Surplus or superseded classified documents, including all classified waste

such as: spoilt copies, working drafts, shorthand notes, carbon paper, etc… shall be destroyed by means approved by the Host Nations laws and procedures.

Emergency Destruction

177. In an emergency and when so decided by the CSO Director, the offices shall

hand all NATO CONFIDENTIAL and above files to the Chief Security for immediate destruction. (See also CSO Emergency and Evacuation Procedures)

Telephone Communications

178. CSO telephone lines are not protected or secure. Consequently,

conversations whether internally between two phone extensions or with the outside, can be overheard by unauthorized persons.

179. It is therefore forbidden to discuss classified information over the telephone. It

is also forbidden to use codes or paraphrases that may be easily deciphered. INVENTORY OF CLASSIFIED DOCUMENTS 180. An inventory of all NATO SECRET documents shall be taken every year and

reflect current holdings.

(a) The Chief Security shall give an inspection letter to each office holding NATO CONFIDENTIAL and above documents, stating if it is an annual inventory or spot check to be done. Upon receiving the letter the following shall be done:

(1) The individual concerned for safeguarding classified shall request

the assistance of a CSO Staff member for the inventory to be done.

(2) The individuals shall verify that all documents listed on the letter are still on hand. Any discrepancies found will be noted on the form. Both individuals will sign and date the document and return it to the Chief Security by the suspense date for verification.

(3) The completed inventory form must be classified NATO RESTRICTED.




(4) The form will then be filed in the “Spot-check” or “Annual Inventory” files located in the Classified Registry.

(5) Spot checks may also be carried out by the Security Officer.

REGISTRATION OF CLASSIFIED DOCUMENTS 181. Classified information/material NATO CONFIDENTIAL and above will be

logged in a ledger kept in the Classified Registry office (Chief Security office). NATO RESTRICTED and below documents will be recorded on a appropriate system held in the unclassified registry office. Prior to accessing the classified document, the individual requesting the document shall sign for the document on the appropriate form. The Chief Security/Classified Registry will fill date checked in and date checked out.

182. The Classified Registry shall keep an electronic log. In this log items will be

separated according to their classification level. This log will contain the following information:

Heading will consist of the following: CNTRL NO: a chronological serial (control number) which shall be written on the bottom right hand corner of the document. DATE RCVD: this is the date the document was received by the Chief Security. CLASSIFICATION: this is the classification of the document. When a document is downgraded, the letter corresponding to the new classification shall replace the previous one and be noted in the logbook. ORIGIN: the originator of the document (i.e. NATO HQ, NC3B, TSCO NATO, RTO, etc.) DOCUMENT the reference number and subject of the document (for NATO REF & SUBJECT: Documents) and the publication number (for CSO Publications) DOC DATE: the date of the document COPY NO: copy number located on the document DESTRUCTION DATE : this column is to be used for the reference Destruction Certificate and date of destruction and where filed. SAFE: location of the mentioned documents with room and safe number (e.g. Registry #10, CAVE #1) DATE OUT: date that an individual checks out a document




DATE RTND: date that an individual has returned the document. INVENTORY DATE: most recent inventory date

Receipt & transfer of classified documents 183. When classified documents are received, the Chief Security/Classified

Registry shall enter them in the control log. The document will then be placed in a special folder marked with the classification of the document and handed to the addressee or to the Deputy Director, who shall determine dissemination of the document. The recipient shall sign the control register for NATO SECRET and NATO CONFIDENTIAL documents and be held responsible for them until returned to the Classified Registry.

184. The Chief Security/Classified Registry having signed for receipt of the

documents shall be held responsible for them. Prior to leaving the Office, he/she will perform an inventory with his/her replacement (if possible) or with the Principal Assistant (Human Resources and Facilities Management) to transfer all documents. This shall be documented in an official letter stating the transfer of such documents to the new occupant.

185. Each document shall have a removable log sheet attached to it. If an individual needs to see a document the Chief Security shall have them sign and date the log sheet. Upon return the log sheet will be annotated and reattached to the document.

186. Hard copy documents received by the CSO Unclassified Registry at the “NR”

level will be distributed through normal channels in a separate envelope, but without a need of a signature from the recipient(s). Accountability and the physical security of “NR” media are detailed in the CIS SecOPs.

CARRIAGE/FORWARDING OF NATO CLASSIFIED DOCUMENTS 187. The personal carriage of documents classified COSMIC TOP SECRET is

forbidden. 188. The procedures described below for the personal carriage of documents

classified NATO CONFIDENTIAL and NATO SECRET should be resorted to only when individuals are required to travel at short notice or when time does not permit such documents to be sent by approved secure means and when copies cannot be made available locally at the traveler’s destination.

Packaging

189. The Chief Security or Principal Assistant Deputy (Human Resources and

Facilities Management) are the authorizing officials and shall do all classified packaging for NATO CONFIDENTIAL and above.




190. Documents classified NATO CONFIDENTIAL and NATO SECRET shall be transmitted by diplomatic pouch through embassies or the CEPS Programme Office Classified Registry or by personal carriage. The documents shall be prepared in accordance with NATO rules and shall carry a courier certificate (see appendix 1 to Annex 1 to AC/35-D2002-REV4).

191. When staff members carry NATO classified documents between offices of the

same building and enclosed group of buildings; they shall be covered in such a way as to prevent observation of their contents.

Document control

192. When NATO CONFIDENTIAL and above documents are forwarded, a receipt

must be placed in the inner cover. The dated and signed receipt must be returned immediately to the CSO Chief Security/Classified Registry.

193. If the receipt is not returned to CSO within three/four weeks, the Classified

Registry shall send a copy of the document search form to the addressee. If the latter has not received the document, the Classified Registry shall inform the Security Officer and an enquiry shall be carried out in accordance with the current NATO regulations. The originator shall be informed of the results of the enquiry.

194. NATO RESTRICTED documents shall be packaged in accordance with the

rules applicable to NATO SECRET and CONFIDENTIAL documents. However, no receipt is required unless the originator wishes to receive one.

(a) These documents may be sent by registered mail and a receipt

obtained for them.

(b) The receipt, which requires no security classification, shall quote only the reference number, date, copy number and language of the document and not its title.

195. For NATO CONFIDENTIAL documents and above, couriers and messengers

shall obtain receipts against package numbers. Receipts for packages, containing NATO CONFIDENTIAL documents are only required if carried outside the confines of the Office premises.

Carriage inside the country

196. The French national regulations permit classified documents to be sent by

post within the territories of France. However, it is preferred inside the Paris area, that the transport of documents classified NATO CONFIDENTIAL and above should be performed by personal carriage . the individual performing such carriage should have been briefed on his security responsibilities, possess a written authorization, and be provided with a NATO courier certificate (see appendix 1 to Annex 1 to AC/35-D2002-REV4).




197. Whenever a messenger service is used for the carriage of documents classified NATO CONFIDENTIAL and above outside the confines of the CSO premises, the packaging and the receipting provisions contained in Paragraphs above shall be complied with.

International Carriage

198. The international carriage of documents classified NATO CONFIDENTIAL and

above shall be realized by diplomatic pouch or military courier service. Exceptionally, the personal carriage of NATO SECRET and NATO CONFIDENTIAL documents internationally may be permitted provided that all the provisions of section PERSONAL CARRIAGE OF CLASSIFIED DOCUMENTS mentioned below are complied with.

Forwarding of Classified documents

199. In France, the transmission of NATO RESTRICTED and up to and including

NATO SECRET documents, inside the country through the French Postal Service (PTT) is authorized by national regulations. Such items will be sent by registered mail in double cover with return receipt requested.

200. Documents classified NATO CONFIDENTIAL and above will go through the

Chief Security for proper dissemination.

Personal carriage of classified documents 201. The carriage of classified documents by persons other than couriers or

messengers shall be subject to the following conditions:

(a) The bearer must be cleared for access to at least the level of classification of the documents carried.

(b) A record must be kept in the Chief Security office when NATO

SECRET or CONFIDENTIAL documents are carried. The receipt for the documents or actual documents, if returned, must be checked against this record.

(c) The documents must be carried in a locked container or sealed

envelope, which must bear a label with an identification and instruction to the finder in event of loss.

(d) The documents must not leave the possession of the bearer unless

they are housed in accordance with the provisions for safe custody of classified documents (see paragraphs 153-159.). (i.e., the documents must not be left unattended in hotels and vehicles or stored in hotel safes or luggage lockers).

(e) The documents must not be read in public places such as in an aircraft,

trains, or other means of public transportation.




202. When international carriage is involved:

(a) an official seal to prevent Customs examination shall cover the container or document package;

(b) the bearer must carry a courier certificate recognized by all NATO

nations and authorizing him/her to carry the package as identified;

(c) the bearer shall not travel through or over non-NATO nations nor use any mean of transportation carrier registered in a non-NATO nation, to which any of the criteria listed below applied :

(1) the government of a nation :

has given evidence by word or deed of an attitude hostile to

NATO and/or NATO nations

is not able to give a generally agreed level of protection to the life and/or personal belongings of its residents and/or visiting foreigners; or

has given evidence that it does not respect at all times the

immunity of a diplomatic seal;

(2) the intelligence servicers of the nation target NATO and/or NATO nations; or

(3) the nation is at war, or subject to serious civil strife.

(d) the bearer must be instructed on the matter, by the Chief Security, and

be aware of his obligations with respect to the safeguarding of the documents entrusted to him/her.

Electronic Transmission

203. Within the S&T Organization Collaboration Support Office, Neuilly-sur-Seine,

France there is at the moment only one mean (NS WAN workstation at the basement) to transmit NATO RESTRICTED and above electronically.

204. All means of electronic transmission of NATO documents must follow the CIS

SecOPs maintained by the INFOSEC Officer.




ANNEX 5 CLASSIFIED CONFERENCES AND MEETINGS

General 205. All conferences or meetings at which NATO classified information is to be

discussed must be held in a security area or area that has been designated as secure.

In the CSO facility, there are three conference facilities considered as security areas, (the blue, red, and V.K. conference rooms).

Control of access

206. Technical, maintenance (contractors) and cleaning staff that are required to

enter the security areas must have an adequate security clearance or be accompanied by the CSO staff member requesting the assistance of the mentioned above.

207. The Chief Security or Principal Assistant Deputy (Human Resources and

Facilities Management) shall ensure that the required security arrangements are complied with before, during and after meetings.

208. The prime responsibility for the application of the security rules (with the

respect to the control of attendees and the protection of classified material) is the organizer/chairperson of the conference/meeting, in co-ordination with the Chief Security.

209. Classified information discussed at meetings is considered properly

safeguarded if all those present:

(a) if a NATO Nation’s citizen, provide, or exceptionally hand carry, a valid Certificate of Security Clearance (see Appendix 2 to Annex 2) of a level corresponding at least to the highest security classification of the documents to be discussed during the meeting;

(b) if Non-NATO Nationals, are designated as representatives of their organization, have been personnel security cleared in accordance with NATO standards, and provide an Attestation of Security Clearance in accordance with the template at Annex 2 – Appendix 4. They still require to be escorted even if they provide this attestation which does not constitute a NATO security clearance.

(c) Have a “need-to-know” of the contents of the documents provided to them.

210. Chairpersons of meetings during which classified information is to be

discussed shall ensure that all participants have an appropriate security clearance and “need-to-know” well in advance prior to the meeting (minimum of two weeks prior). For this purpose, they shall, through the CSO Panel Assistant or CSO Staff member in charge of the meeting:




(a) Provide a list of individuals to attend the meeting to the CSO Chief Security, or in his/her absence to the Principal Assistant Deputy (Human Resources and Facilities Management), for verification that a current NATO Security Clearance is in the database.

(b) Upon verification, the Chief Security or Principal Assistant Deputy

(Human Resources and Facilities Management) will then notify the CSO staff member/Panel Assistant of those individuals whom do not have a clearance on file. It shall then be the responsibility of the CSO staff member/Panel Assistant to request those individuals provide a valid Certificate of Security Clearance (see Appendix 2 to Annex 2), prior to the meeting or exceptionally to hand carry a certificate.

211. For unclassified meetings held at CSO a list of attendees must be provided to

the Security Office. The CSO premises are a RESTRICTED area, and if an individual does not have a clearance on file, he/she may attend the meeting but must be escorted by the Panel Executive Assistant or someone attending the meeting who has a green badge. Only those individuals holding a valid NATO security clearance will be allowed to have unescorted access to the CSO. During the meeting the Chairperson shall be the escort of said individuals. That is why it is pertinent that the Chairperson holds a valid Security Clearance.

212. Authorized Non-NATO personnel may attend meetings on the CSO premises

but must be escorted at all times. 213. At the beginning of the meeting the Chairperson shall draw the attention of the

participants to the security rules mentioned above 214. For classified meetings held at the CSO, the Panel Assistant or individual in

charge of setting up the meeting will obtain a list of persons nominated to attend. This list will then be given to the Chief Security 2 weeks in advance for verification of clearances. The Chief Security or Security Assistant will then take the necessary measures to control access to the conference room where the meeting is to be held.

215. For classified meetings held outside the Office, the above rules shall still be

adhered to. In addition the CSO Security Office shall work with the National/Local Coordinator through the Panel Executive/Panel Assistant on providing the necessary security measures.

Physical Security

216. In the event of a classified meeting (within the CSO or outside), the following

shall be complied with:

(a) A cleared classified computer shall be connected directly to the projector by the CSO CIS support staff.




(b) The use of voice-recording apparatus other than that used for official recording is prohibited. No such equipment may be taken into the conference room.

(c) Neither still nor movie-cameras may be brought into a security area.

(d) During and after meetings, suitable arrangements are to be made for

the storage of all classified material.

(e) After each meeting, the conference room and the security area must be thoroughly searched for any forgotten documents.

(f) Classified waste shall be collected and handed over to the Chief

Security for destruction.

(g) All mobile phones and/or other portable devices must be in the “OFF” position prior to entering any CSO conference facility/room. During conferences at the “NATO SECRET” and “NATO CONFIDENTIAL” levels, all mobile phones and/or other portable devices will be surrendered to the CSO meeting coordination team for safekeeping or during classified meetings in or outside of the Office, to the Registration desk.

(h) Each person, in possession of a laptop computer and/or any other

portable device is responsible for providing the necessary level of protection to the device, to include its electronic contents, to the level of highest classification contained therein. All laptop computers must be cleared for the classification level of the meeting, be from an “official” origin, and may not be privately owned. Before entering the Conference Meeting Room (inside the Office or outside) the laptop will be shown to the Chief Security for verification of the level of classification. (See also CIS SecOps for further instructions). In the event that the laptop is not cleared or of a personal nature it shall be held outside the conference room by the CSO staff.

(i) On regular intervals a “sweep” of the conference rooms and

surrounding areas will be carried out. Such inspections will be carried out in coordination with the appropriate NATO services.




ANNEX 6 INFORMATION AND INTELLIGENCE SHARING WITH NON-NATO ENTITIES

(ref: AC/35-D/1040-REV2)

General 217. The supporting document on Information and Intelligence sharing (I&IS) with

non-NATO entities (NNE) established provisions, mechanisms and procedures to supplement NATO Security Policy for classified information and intelligence sharing in order to support Operations, Training, Exercises, Transformation and Cooperation activities at all NATO levels. I&IS with NNE shall occur only when the NNE has the need-to-know, balanced by the responsibility to share.

218. The CSO Deputy Director has been delegated the authority, by the CSO

Director, to manage the security risks within the CSO and its related activities, and to take all security decisions with regard to I&IS with NNEs.

219. There are 7 categories of NNE. In addition of non-NATO Nations (NNN), I&IS is considered with: Contractors, Governmental Organizations (GO), Host Nations (HN), International Organizations (IO), Non-Governmental Organizations (NGO), and Non-NATO Multinational Forces (NNMF).

220. Each of the above categories is concerned with specific procedures for I&IS.

These procedures are detailed in the above document which is detained by the security officer of the CSO who is also responsible for their implementation.

221. Specific procedures apply to subset of the NNN:

(a) The 7 Non-NATO Nations as defined in the Directive on Personnel Security; specifically Australia, Austria, Finland, Ireland, New Zeland, Sweden and Switzerland.

(b) Non-NATO Troop Contributing Nations (NNTCN) (c) All other NNNs

Recording requirements 222. Decisions made by the Deputy Director with regard to I&IS with NNEs shall be

recorded on the applicable template, dependent on the category of NNE. 223. The template at Appendix 1 to this annex shall be used by the Chief Security,

CSO, to document decisions made for access or release of NATO classified Information and Intelligence to NNNs. The panels support offices and the MSCO will document this form before seeking the decision from the Deputy Director for I&IS.

224. For the other categories, the templates can be found in the reference

document. Should the CSO have the need to share classified information with NNEs other than the NNN, they will be used to document decisions.




225. The completed copies of Appendix 1 shall be maintained by the CSO Chief Security for a minimum of 5 years, and shall be made available during inspections by higher security authorities.

226. Appendix 2 to this Annex contains the template which shall be used by the Chief Security to compile annual Security Report on access to and release of NATO Information and Intelligence to NNEs. This report, signed by the Deputy Director, will be provided to the CSO Director.




Appendix 1 to Annex 6 Decision taken by CSO Deputy Director

Information & Intelligence sharing with a Non-NATO Nation 1. Type of access approved

Physical:

NATO Class II NATO Class I

CIS:

NATO/<X><classification> CIS: NATO <classification> CIS:

Access to Non-Released NATO

classified Information

NATO Classified Information released

2. Access granted to:

Last Name

First Name

Rank

Passport / ID Card No

Nation Issuing PSC

Nationality

Security clearance Level

Security Clearance expiry date

Access start date

Access end date

3. Justification for Access or Release:

4. Details for Released Documents:

Title Reference Number Classification

5. The Principal Security Advisor has confirmed the NNN has a security agreement or

security assurance applicable with the level of NATO information/intelligence accessed or released

6. I have consulted with the Principal Security Advisor and confirm the NNN meets all

requirements specified in the Supporting Document on Information and Intelligence Sharing with Non-NATO Entities. The access(es) specified above are granted in NATO’s interest.

Delegated Authority Details:

Name and Rank

Post/Title

Signature Date




Appendix 2 to Annex 6 Annual Security Report on

Information and Intelligence Sharing with Non-NATO Entities

1. General State of security:

Comment on implementation of the Supporting Document on I&IS with NNEs over the reporting period

Current/future scenarios not covered by the Supporting Document on I&IS with NNEs

Brief details of incidents/investigations involving NNEs

Recommended changes to the Supporting Document on I&IS with NNEs

2. Statistical Data for Access Granted to and release to NNEs during <insert period of time>:

# of NATO documents released

NNE, by Nation or Organization Class II Area Class I Area NATO Classified

CIS NATO Classified

REL X CIS NR NC NS

Delegated Authority Details:

Name & Rank Post/Title

Signature Date




ANNEX 7 BREACHES OF SECURITY AND COMPROMISE OF NATO CLASSIFIED

INFORMATION

Scope

227. The protection of NATO classified information depends on the design of

appropriate security regulations and on the effective implementation of these regulations by education and supervision backed up by disciplinary and, in extreme cases, legal sanctions.

Definitions

228. Breach of Security: an act or omission contrary to existing NATO general or

local security regulations, the results of which may endanger or subject to compromise NATO classified information.

229. Compromise: NATO classified information is compromised when knowledge

of it has, in whole or in part, passed to unauthorized persons, i.e. individuals without appropriate NATO security clearance or authority to have such access, or when it has been subject to risk of such passing. Thus, classified information lost, even temporarily, outside a security area is to be presumed compromised. Also, classified information lost, even temporarily, inside a security area, including documents which cannot be located at periodic inventories, is to be presumed compromised until an investigation proves otherwise.

230. Security Incident/Infractions: The mishandling of classified material,

information or not abiding by CSO Security Policies/Instructions. The following are some examples of security incidents:

(a) Failing to properly escort uncleared visitors or allowing improper access

to CSO controlled facilities.

(b) Failing to leave an Identity card at the guard post upon entering or failing to recuperate identity card upon departing.

(c) Taking classified material out of the building without proper double-

wrap protection.

(d) Crossing international borders with classified material without courier authorization.

(e) Failing to secure containers with classified material.

(f) Storing classified materials in desk drawers or other improper

containers.

(g) Failing to secure classified computer hard drives.




(h) Reading classified documents in any public area

(i) Transmitting classified information on unclassified fax or copy machines.

(j) Losing control of classified material by leaving it in a non-secure area.

(k) Placing classified information on unclassified computers.

(l) Discussing classified information on unsecured telephones.

231. In any event of a security incident or infraction, the Security Office shall be

informed and the incident recorded. (See also Annex 1, paragraph 22) 232. Recorded minor incidents/infractions for repeat offenders shall be placed in

the individual’s Security Personnel File.

Action on breaches of Security 233. All breaches of security must be reported immediately to the Security

Officers. The importance of speed, especially when a leak is suspected cannot be over-emphasized.

234. Each reported breach of security shall be investigated by persons who have

security and investigative experience, if possible, and who are independent of those persons immediately concerned with the breach.

235. In the event of a breach of security, where the possibility of compromise is so

remote that it can reasonably be ruled out, the matter will be dealt with by the CSO Security Officer in coordination with the CSO Director.

236. In the event of a breach of security where the possibility of compromise

cannot be reasonably ruled out, the CSO Security Officer is to be informed and he shall report to the NATO Office of Security (NOS). Initial reports shall be forwarded immediately in cases where it has been determined that:

(a) CTS or NS information is involved; or

(b) there are indications or suspicions of espionage; or

(c) Unauthorized disclosure to the press/media has occurred.

In other cases of compromise a detail report has to be forwarded when the investigation has been completed.

In all cases of reportable compromise the final report, or a progress report, of the investigation shall be with the NOS within 90 days of the initial report

Enquiry Report




237. The enquiry report forwarded to the CSO Director through the CSO Security Officer must be concise and give all available information, including:

(a) a brief description of the circumstances of the breach, the date or period

during which it may have been committed, the date and place it was discovered and the name of the persons who noticed it, and reported the facts;

(b) details on the information/material involved, security classification,

originator, references, date, and/or other pertinent details; abbreviations are to be avoided unless they are readily understandable;

(c) an assessment of the risk of compromise, such as, “certain”, “probable”,

“possible”, or “improbable”; (d) whether or not the originator of the document has been informed of the

breach (if applicable).

Disciplinary or Judicial Action 238. Appropriate disciplinary action, in accordance with the NATO Personnel

Regulations and National Security Regulations may be taken with respect to an offending staff member, if the Director considers that the circumstances and the seriousness of the breach committed justify such action.




ANNEX 8 INDUSTRIAL SECURITY

239. This annex deals with security aspects of industrial operations that are unique

to the negotiation of NATO classified contracts and their performance by industry, including the release of classified information during pre-contract negotiations. This annex refers to NATO security committee provisions on industrial security: AC/35-D/2003-REVISED

240. Industrial security is the application of protective measures and procedures to

prevent, detect and recover from the loss or compromise of classified information handled by industry in contracts. NATO classified information disseminated to industry, generated as a result of a contract with industry, and contracts involving classified information shall be protected in accordance with NATO Security Policy and supporting directives.

Currently, the CSO has established a contract involving classified information with the company dealing with the editorial services related to the technical reports. Some of these reports are classified up to the level of NATO SECRET. A Security Aspect Letter as described in the above referenced document has been attached to the contract and an acknowledgement certificate was delivered by the contractor. All the classified reports at NR level and above will be processed within the premises of the CSO on dedicated workstation accessible to the editorial company personnel after a valid NATO Security Clearance at NATO SECRET level has been shown up.




ANNEX 9 DEFINITIONS

Availability The property of information being accessible and usable upon demand by an authorised individual or entity

Accountable Information All information classified CTS and NS, all ATOMAL information, and other NATO classified information to which access controls or dissemination controls have been applied

Background Information Information that has been developed outside of a programme/project.

Breach of security A breach of security is an act or omission contrary to NATO Security Policy and supporting directives that results in the actual or possible compromise of NATO classified information (including, for example, classified information lost while being transported; classified information left in an unsecured area where uncleared persons have unescorted access; an accountable document cannot be found). US suggested to add at the end of this definition: “…cannot be found; classified information has been subjected to unauthorised modification; destroyed in an unauthorised manner; or, for CIS, there is a denial of service”.

Cargo Handling Company

(may include a freight forwarder or a transportation agent) A commercial firm that is chartered to receive, process and ship material

Classified Information Any information (namely, knowledge that can be communicated in any form) determined to require protection against unauthorised disclosure and which has been so designated by a security classification

Classified Material as Freight

Consignments of such size, weight, or configuration that they cannot be hand carried, transmitted by diplomatic pouch service, or military courier service

Commercial Carrier Any private company authorised by law or regulation to provide the required transportation service

Commercial Courier Service

A private company that is organised and incorporated to hand-carry material

Compromise NATO classified information is compromised when knowledge of it has, in whole, or in part, passed to unauthorised individuals, i.e. individuals without an appropriate NATO security clearance and authority to have such access. Classified information lost, even temporarily, outside a secure area is to be presumed compromised. NATO classified information is also compromised if it has been subject to unauthorised modification or destruction and/or denial of service

Communication and Information System

An area which contains one or more computers, their local peripheral and storage




(CIS) area units, control units and dedicated network and communications equipment

Confidentiality The property that information is not made available or disclosed to unauthorised individuals or entities.

Consignee The contractor, facility or other organisation receiving material from the consignor

Consignor The contractor, facility or other organisation responsible for organising and dispatching material.

Consortium An association of several companies that is organised to accomplish a specific purpose

Container A NSA/DSA approved large receptacle of solid construction with lockable opening, capable of being carried on an aircraft, by a road vehicle or trailer, by rail car, or in a ship’s hold or on deck

Contract A legally enforceable agreement to provide goods or services

Contractor An industrial, commercial or other entity that agrees to provide goods or services

Contract Manager The duly appointed representative of a facility who has the authority to negotiate, let, and administers contracts on behalf of the facility

Contracting Officer The duly appointed representative of a government department or Office of a NATO nation, or of a NATO civil or military body, who has the authority to negotiate, let and administer prime contracts on behalf of the nation or NATO body

Courier A person officially assigned to hand-carry material

Deliberate Compromise Deliberate compromise occurs when NATO classified information has intentionally been disclosed to unauthorised individuals, including through espionage or unauthorised disclosure to the media

Designated Security Authority (DSA)

An authority subordinate to the National Security Authority (NSA) of a NATO nation who is responsible for communicating to industry the national policy in all matters of NATO industrial security policy and for providing direction and assistance in its implementation. In some countries, the function of a DSA may be carried out by the NSA.

Designated Security Representative

An individual designated at a contractor facility, by the NSA/DSA, who approves the international dispatch of a classified consignments and is authorised by the NSA/DSA to receive such consignments

Document Any recorded information regardless of its physical form or characteristics

Equipment/Components Equipment/Components – The words “equipment/components” designate any item of machinery, equipment, or weapons, either manufactured or in the process of manufacture.

Facility An installation, plant, factory, laboratory, office, university or other educational Institution, or commercial




undertaking, including any associated warehouses, storage areas, utilities and components which, when related by function and location, form an operating entity.

Foreground Information Information developed in the performance of a programme/project

Host Nation General: the nation in which a NATO civil or military body is located. Industrial security : the nation designated by an official body of NATO to act as the governmental Office to contract for the performance of a NATO prime contract. Nations in which sub-contracts are performed are not referred to as host nations.

Information Knowledge that can be communicated in any form

INFOSEC The application of security measures to protect information processed, stored or transmitted in communication, information and other electronic systems against loss of confidentiality, integrity or availability, whether accidental or intentional, and to prevent loss of integrity or availability of the systems themselves. INFOSEC measures include those of computer, transmission, emission and cryptographic security. Such measures also include detection, documentation and countering of threats to information and to the systems.

Infraction A security infraction is an act or omission contrary to NATO Security Policy and supporting directives that does not result in the actual or possible compromise of NATO classified information. (e.g. classified information left unsecured inside a secure facility where all persons are appropriately cleared, failure to double wrap classified information, etc.)

Infrastructure The NATO term denoting all those installations which are necessary for the deployment and operations of modern armed forces, for example: airfields, signals, communications, military headquarters, fuel tanks and pipelines, radar warning and navigational aid systems, and port installations

International Visits Visits made by individuals subject to one NSA/DSA or belonging a NATO body, to facilities or bodies subject to another NSA/DSA or to NATO, which will require, or may give rise to access to NATO classified information or where, regardless of the level of classification involved, national legislation governing the establishment or body to be visited in support of NATO approved related activities requires that such visits shall be approved by the relevant NSA/DSA. All NATO civil and military bodies fall within the security jurisdiction of NATO




Integrity The property that information (including data, such as cipher text) has not been altered or destroyed in an unauthorised manner

Joint Venture A commercial enterprise undertaken by two or more entities jointly and for a specific purpose, e.g., a limited partnership

Life-cycle Life cycle of information encompasses the stages of planning, collection, creation or generation of information; its organisation, retrieval, use, accessibility and transmission; its storage and protection; and, finally, its disposition through transfer to archives or destruction

Major Programme/Project

A programme or project of major significance, normally involving more than two nations and security measures that extend beyond the normal basic requirements described in NATO Security Policy

Material The word “material” includes documents and equipment/components

Nation of Origin The nation in which a contractor is registered or incorporated to do business and which characterises the nationality of the facility.

NATO “NATO” denotes the North Atlantic Treaty Organisation and the bodies governed either by the Agreement on the status of the North Atlantic Treaty Organisation, National Representatives and International Staff, signed in Ottawa on 20th September, 1951 or by the Protocol on the status of International Military Headquarters set up pursuant to the North Atlantic Treaty, signed in Paris on 28th August, 1952.

NATO asset Anything of value deemed critical to the fulfilment of a NATO mission. This may include installations/services/capabilities. The value of a NATO asset can be assessed in terms of the function performed in the NATO mission or the impact on the Alliance’s reputation and credibility

NATO Classified Contract

Any contract issued by a NATO civil or military body or a NATO member nation in support of a NATO funded or administered programme/project that will require access to or generate NATO classified information

NATO Classified Information

information means knowledge that can be communicated in any form; classified information means information or material determined to require protection against unauthorised disclosure which has been so designated by a security classification; the word “material” includes documents and also any items of machinery or equipment or weapons either manufactured or in the process of manufacture;




the word “document” means any recordedinformation regardless of its physical form or characteristics, including, without limitation, written or printed matter, data processing cards and tapes, maps, charts, photographs, paintings, drawings, engravings, sketches, working notes and papers, carbon copies or ink ribbons, or reproductions by any means or process, and sound, voice, magnetic or electronic or optical or video recordings in any form, and portable ADP equipment with resident computer storage media, and removable computer storage media

Facility Security Clearance (FSC)

An administrative determination by a NSA/DSA that, from a security viewpoint, a facility can afford adequate security protection to NATO classified information of a specified classification or below, and its personnel who require access to NATO classified information have been properly cleared and briefed on NATO security requirements necessary to perform on the NATO classified contracts.

NATO Production and Logistics Organisation (NPLO)

A subsidiary body, created within the framework of NATO for the implementation of tasks arising from that Treaty, to which North Atlantic Council grants clearly defined organisational, administrative and financial independence. It shall be comprised of a board of directors; and an executive body, composed of a General Manager and staff.

NATO Programme A Council approved programme that is administered by a NATO management Office/office under NATO regulations

NATO Project A Council approved project that is administered by a NATO management agency/office under NATO regulations

NATO Project Manager The manager responsible for any NATO project/programme or contract.

NATO Project Management Agency

The executive body of a NPLO

NATO Statements of Criticality

VERY HIGH level Statements: these shall be applied to those NATO assets whose unavailability would result in exceptionally grave impact on the NATO mission. Such assets shall be protected under conditions which ensure that only individuals who are entitled have access to them; that any attempts to compromise, modify, destroy, or deny service shall be detected, and those responsible identified. HIGH level Statements: these shall be applied to those NATO assets whose unavailability would result in serious impact on the NATO mission. Such assets shall be protected under conditions which make it highly unlikely that individuals who are not entitled have access to them; that any attempts to compromise,




modify, destroy, or deny service shall be detected and that those responsible shall be identified MEDIUM level Statements: these shall be applied to those NATO assets whose unavailability would be damaging to the interests of the NATO mission. Such assets shall be protected under conditions that inhibit access by individuals not entitled to it; and that any attempts to compromise, modify, destroy, or deny service are likely to be identified LOW level Statements: these shall be applied to those NATO assets whose unavailability would hinder the effectiveness of the NATO mission. Such assets shall be protected under conditions which inhibit access by individuals not entitled to it

Need-to-know A positive determination that a prospective recipient has a requirement for access to, knowledge of , or possession of information in order to perform official tasks or services

Negotiations The term encompasses all aspects of awarding a contract or sub-contract from the initial “notification of intention to call for bids” to the final decision to let a contract or sub-contract

Originator The nation or international organisation under whose authority information has been produced or introduced into NATO

Parent Nation The nation of an individual’s citizenship or permanent residence

Programme/Project Security Instruction (PSI)

A compilation of security regulations/procedures, based upon NATO Security Policy and supporting directives, which are applied to a specific project/programme. The PSI also constitutes an Annex to the main contract, and may be revised throughout the program lifecycle. For sub-contracts let within the program, the PSI constitutes the basis for the SAL

Programme/Project Security Classification Guide

Part of the program (project) security instructions (PSI) which identifies the elements of the program that are classified, specifying the security classification levels. The security classification guide may be expanded throughout the program life cycle, and the elements of information may be re-classified or downgraded

Prime Contract The initial contract led by a NATO Project Management/Agency/Office for a Programme/project

Prime Contractor An industrial, commercial or other entity of a member nation which has contracted with a NATO Project Management Agency/Office to perform a service, or manufacture a product, in the framework of a NATO project, and which, in turn, may subcontract with potential sub-contractors as approved

Programme/Project Manager

The official designated by a programme/project management office to supervise the technical aspects of




the programme/project, ensuring that the programme/project is completed on schedule, within costs, and with technical specifications

Risk The combination of the value of the NATO classified information or NATO asset, and of the threats to and vulnerabilities of the information or asset; that is the probability or likelihood or an attack succeeding and of the damage being sustained as a result of a compromise/loss of the NATO classified information or NATO asset

Risk management A systematic approach to determining which security safeguards (counter-measures) are required to protect NATO classified information and NATO assets, through the analysis of threats to them and their vulnerabilities and the resulting reduction of any risk to an acceptable level.

Security Classification Check List

Part of a security aspect letter (SAL) which describes the elements of a contract that are classified, specifying the security classification levels. In case of contracts let within a program/project, such elements of information derive from the programme (project) security instructions issued for that programme

Security Aspects Letter (SAL)

A document, issued by the appropriate authority, as part of any NATO classified contract or sub-contract, other than Major Programmes/Projects, identifying the security requirements or those elements thereof requiring security protection

Security Escorts Armed or unarmed national police, military, or other government personnel. Their function would be to facilitate the secure movement of the material, but they would not have direct responsibility in matters of the protection of the material itself

Security Guards Civilian (Government or participating contractor employees) or military personnel who may be armed or unarmed. They may be assigned for security duties only or may combine security guard duties with other duties

Sub-contract A contract entered into by a prime contractor with another contractor (i.e., the sub-contractor) for the furnishing of goods or services

Sub-contractor A contractor to whom a prime contractor lets a sub-contract

Threat The potential for the accidental or deliberate compromise/loss of NATO classified information or NATO assets. A threat may be defined by its source, motivation or result; it may be deliberate or accidental, violent or surreptitious, external or internal.

Vulnerability A weakness or lack of control that would allow or facilitate a threat actuation against NATO classified information or NATO assets

NORTH ATLANTIC TREATY ORGANISATION - NATO Reports/20130901... · NORTH ATLANTIC TREATY ORGANISATION...

Documents

Transcript of NORTH ATLANTIC TREATY ORGANISATION - NATO Reports/20130901... · NORTH ATLANTIC TREATY ORGANISATION...