1.   This Decision establishes the security organisation and measures (security plan) for the protection of the Central SIS II and the data processed therein against threats to their availability, integrity and confidentiality within the meaning of Article 16(1) of Regulation (EC) No 1987/2006 and of Article 16(1) of Decision 2007/533/JHA on the establishment, operation and use of the second generation Schengen Information System (SIS II) during a transitional period, until the Management Authority takes up its responsibilities.

2.   This Decision establishes the security organisation and measures (security plan) for the protection of the Communication Infrastructure against threats to their availability, integrity and confidentiality within the meaning of Article 16 of Regulation (EC) No 1987/2006 and of Article 16 of Decision 2007/533/JHA on the establishment, operation and use of the second generation Schengen Information System (SIS II).

1.   The Commission shall implement and monitor the effectiveness of the security measures for Central SIS II referred to in this Decision.

2.   The Commission shall implement and monitor the effectiveness of the security measures for the Communication Infrastructure referred to in this Decision.

3.   The Commission shall designate a System Security Officer from among its officials. The System Security Officer shall be appointed by the Director General of the Directorate-General for Justice, Freedom and Security of the Commission. The tasks of the System Security Officer shall include in particular:

1.   Without prejudice to Article 8, the Commission shall designate a Local Security Officer for Central SIS II from among its officials. Conflicts of interest between the duty of Local Security Officer and any other official duty shall be prevented. The Local Security Officer for Central SIS II shall be appointed by the Director General of the Directorate-General for Justice, Freedom and Security of the Commission.

2.   The Local Security Officer for Central SIS II shall ensure that the security measures referred to in this Decision are implemented and the security procedures are followed in the principal CS-SIS. As regards the backup CS-SIS, the Local Security Officer for Central SIS II shall further ensure that security measures referred to in this Decision, except those referred to in Article 9, are implemented and the security procedures relating thereto are followed.

3.   The Local Security Officer for Central SIS II may assign any of his or her tasks to subordinate personnel. Conflicts of interest between the duty to execute these tasks and any other official duty shall be prevented. A single contact phone number and address shall allow reaching the Local Security Officer or his or her on-duty subordinate at any time.

4.   The Local Security Officer for Central SIS II shall perform the tasks resulting from security measures to be taken at the premises where the principal CS-SIS and the backup CS-SIS are located, within the limits of paragraph 1, including in particular:

1.   Without prejudice to Article 8, the Commission shall designate a Local Security Officer for the Communication Infrastructure from among its officials. Conflicts of interest between the duty of Local Security Officer and any other official duty shall be prevented. The Local Security Officer for the Communication Infrastructure shall be appointed by the Director General of the Directorate-General for Justice, Freedom and Security of the Commission.

2.   The Local Security Officer for the Communication Infrastructure shall monitor the functioning of the Communication Infrastructure and ensure that the security measures are implemented and the security procedures are followed.

3.   The Local Security Officer for the Communication Infrastructure may assign any of his or her tasks to subordinate personnel. Conflicts of interest between the duty to execute these tasks and any other official duty shall be prevented. A single contact phone number and address shall allow reaching the Local Security Officer or his or her on-duty subordinate at any time.

4.   The Local Security Officer for the Communication Infrastructure shall perform the tasks resulting from security measures to be taken at the Communication Infrastructure, including in particular:

1.   Any event that has or may have an impact on the security of SIS II and may cause damage or loss to SIS II shall be considered as a security incident, especially where access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.   Security incidents shall be managed to ensure a quick, effective and proper response in compliance with the Security Policy. Procedures shall be established to recover from an incident.

3.   Information regarding a security incident that has or may have an impact on the operation of SIS II in a Member State or on the availability, integrity and confidentiality of the data entered or sent by a Member State, shall be provided to the Member State concerned. Security incidents shall be notified to the Data Protection Officer of the Commission.

1.   All staff and contractors involved in developing, managing or operating SIS II shall be required to note and report any observed or suspected security weaknesses in the Communication Infrastructure to the System Security Officer or the Local Security Officer for the Communication Infrastructure.

2.   In case of detection of any incident that has or may have an impact on the security of SIS II, the Local Security Officer for the Communication Infrastructure shall inform as quickly as possible the System Security Officer and, where appropriate, the single national contact point for SIS II security, if such a contact point exists in the Member State in question, in writing or, in case of extreme urgency, via other communication channels. The report shall contain the description of the security incident, the level of risk, the possible consequences and the measures that have been or should be taken to mitigate the risk.

3.   Any evidence in relation to the security incident shall be secured immediately by the Local Security Officer for the Communication Infrastructure. To the extent possible under applicable data protection provisions, such evidence shall be made available to the System Security Officer upon request of the latter.

4.   Feedback processes shall be defined in the Security Policy to ensure that information about the type, handling and outcome of a security incident is communicated to the System Security Officer and to the Local Security Officer for the Communication Infrastructure, once the incident has been dealt with and is no longer in progress.

5.   Paragraphs (1) to (4) shall apply mutatis mutandis to incidents in Central SIS II. To that extent, any reference to the Local Security Officer for the Communication Infrastructure in paragraphs (1) to (4) shall be read as a reference to the Local Security Officer for Central SIS II.

1.   The Director-General of the Directorate General for Justice, Freedom and Security shall establish, update and regularly review a binding Security Policy in accordance with this Decision. The Security Policy shall provide for the detailed procedures and measures to protect against threats to the availability, integrity and confidentiality of the Communication Infrastructure, including emergency planning, in order to ensure the appropriate level of security as prescribed by this Decision. The Security Policy shall comply with this Decision.

2.   The Security Policy shall be based on a risk assessment. The measures described by the Security Policy shall be proportionate to the risks identified.

3.   The risk assessment and the Security Policy shall be updated, if technological changes, identification of new threats or any other circumstances make it necessary. The Security Policy shall be reviewed in any event on an annual basis to ensure that it is still appropriately responding to the latest risk assessment or any other newly identified technological change, threat or other relevant circumstance.

4.   The Security Policy shall be prepared by the System Security Officer, in coordination with the Local Security Officer for Central SIS II and the Local Security Officer for the Communication Infrastructure.

5.   Paragraphs (1) to (4) shall apply mutatis mutandis to the Security Policy for Central SIS II. To that extent, any reference to the Local Security Officer for the Communication Infrastructure in paragraphs (1) to (4) shall be read as a reference to the Local Security Officer for Central SIS II.

1.   The implementation of tasks and requirements laid down in this Decision and in the Security Policy, including the task of designating a Local Security Officer, may be contracted out or entrusted to private or public bodies.

2.   In this case the Commission shall ensure through legally binding agreement that the requirements laid down in this Decision and in the Security Policy, are fully complied with. In case of delegation or contracting out of the task of designating a Local Security Officer, the Commission shall ensure through legally binding agreement that it will be consulted on the person to be designated as Local Security Officer.

1.   Security perimeters with appropriate barriers and entry controls shall be used to protect areas that contain data processing facilities.

2.   Within the security perimeters, secure areas shall be defined to protect the physical components (assets), including hardware, data media and consoles, plans and other documents on the SIS II as well as offices and other work places of staff involved in operating the SIS II. These secure areas shall be protected by appropriate entry controls to ensure that only authorised personnel are allowed access. Work in secure areas shall be subject to the detailed security rules set out in the Security Policy.

3.   Physical security for offices, rooms and facilities shall be foreseen and installed. Access points such as delivery and loading areas and other points where unauthorised persons may enter the premises shall be controlled and, if possible, isolated from data processing facilities to avoid unauthorised access.

4.   A physical protection of the security perimeters against damage from natural or man-made disaster shall be designed and applied proportionally to the risk.

5.   Equipment shall be protected from physical and environmental threats and from opportunities for unauthorised access.

6.   If such information is available to the Commission, it shall add to the list referred to in Article 2(3)(h) a single point of contact for monitoring the implementation of the provisions of this Article at the premises where the backup CS-SIS is located.

1.   Removable media containing data shall be protected against unauthorised access, misuse or corruption and its readability shall be ensured during the whole lifetime of the data.

2.   Media shall be disposed securely and safely when no longer required, in accordance with the detailed procedures to be set out in the Security Policy.

3.   Inventories shall ensure that information on the storage location, the applicable retention period and access authorisations are available.

4.   All important assets of the Communication Infrastructure shall be identified, so that they can be protected in accordance with their importance. An up-to-date register of relevant IT equipment shall be kept.

5.   An up-to-date documentation of the Communication Infrastructure shall be available. Such documentation must be protected against unauthorised access.

6.   Paragraphs (1) to (5) shall apply mutatis mutandis to Central SIS II. To that extent, any reference to the Communication Infrastructure shall be read as a reference to Central SIS II.

1.   Appropriate measures shall be taken to ensure proper storage of data and the prevention of unauthorised access thereto.

2.   All items of equipment containing storage media shall be checked to ensure that sensitive data have been removed or fully overwritten prior to disposal, or shall be securely destroyed.

1.   All passwords shall be kept safely and treated confidentially. In case of suspicion that a password has been disclosed, the password has to be changed immediately or the relevant account has to be disabled. Unique and individual user identities shall be used.

2.   Procedures shall be defined in the Security Policy for logging in and out to prevent any unauthorised access.

1.   The Security Policy shall establish a formal staff registration and de-registration procedure in place for granting and revoking access to SIS II hardware and software for the purposes of the operational management. The allocation and use of adequate access credentials (passwords or other appropriate means) shall be controlled through a formal management process as laid down in the Security Policy.

2.   Access to SIS II hardware and software at the CS-SIS shall:

3.   Only the consoles and software authorised by the Local Security Officer for Central SIS II shall be used at the CS-SIS. The use of system utilities that might be capable of overriding system and application controls shall be restricted and controlled. There shall be procedures in place to control the installation of software.

1.   Appropriate measures shall be defined in the Security Policy to prevent unauthorised reading, copying, modification or deletion of personal data during the transmission to or from the SIS II or during the transport of data media. Provisions shall be laid down in the Security Policy with regard to the admissible types of dispatch or transport as well as in respect of accountability procedures for the transport of items and their arrival at the place of destination. The data medium shall not contain any data other than the data which is to be sent.

2.   Services delivered by third parties involving accessing, processing, communicating or managing data processing facilities or adding products or services to data processing facilities shall have appropriate integrated security controls.

1.   The Communication Infrastructure shall be adequately managed and controlled in order to protect it from threats and to ensure the security of the Communication Infrastructure itself and of Central SIS II, including data exchanged through it.

2.   Security features, service levels and management requirements of all network services shall be identified in the network service agreement with the service provider.

3.   Besides protecting the SIS II access points, any additional service being used by the Communication Infrastructure shall also be protected. Appropriate measures shall be defined in the Security Policy.

1.   Logs recording the information referred to in Article 18(1) of Regulation (EC) No 1987/2006 and Article 18(1) of Decision 2007/533/JHA relating to every access to and all exchanges of personal data within the CS-SIS shall be kept securely stored on, and accessible from, the premises where the principal CS-SIS and the backup CS-SIS are located for the maximum period referred to in Article 18(3) of Regulation (EC) No 1987/2006 and Article 18(3) of Decision 2007/533/JHA.

2.   Procedures for monitoring use or faults in data processing facilities shall be set out in the Security Policy and the results of the monitoring activities reviewed regularly. If necessary, appropriate action shall be taken.

3.   Logging facilities and logs shall be protected against tampering and unauthorised access in order to meet the requirements of collecting and retain evidence for the retention period.

1.   The Security Policy shall define the functions and responsibilities of persons who are authorised to access Central SIS II.

2.   The Security Policy shall define the functions and responsibilities of persons who are authorised to access the Communication Infrastructure.

3.   The security roles and responsibilities of Commission staff, contractors and staff involved in operational management shall be defined, documented and communicated to the persons concerned. The job description and the objectives shall state these roles and responsibilities for Commission staff; contracts or service level agreements shall state them for contractors.

4.   Confidentiality and secrecy agreements shall be concluded with all persons to whom no European Union or Member State public service rules apply. Staff required to work with SIS II data shall have the necessary clearance or certification in accordance with the detailed procedures to be set out in the Security Policy.

1.   All staff and contractors shall receive appropriate training in security awareness, legal requirements, policies and procedures, to the extent required by their duties.

2.   At the termination of the employment or contract, responsibilities related to job change or employment termination shall be defined for staff and contractors in the Security Policy, and procedures shall be set out in the Security Policy to manage the return of assets and the removal of access rights.

1.   This Decision shall become applicable as of the date fixed by the Council in accordance with Article 55(2) of Regulation (EC) No 1987/2006 and Article 71(2) of Decision 2007/533/JHA.

2.   Articles 1(1) and 2(1), Article 2(3)(b), (d), (f) and (i), Article 3, Articles 6(5), 7(5), 9(6), 10(6), 13(2) and (3), Articles 15 and 18 and Article 20(1) shall expire when the Management Authority takes up its responsibilities.