Domain

Verification points (1)

Regulatory guidance

Evidence guidance

Organisational and physical security

A.6 Organisation of Information Security

A.7 Human resource Security

A.11 Physical and Environmental security

On A.6 and A.11:

The repository must be physically located on the territory of the EU. Data must not be stored in or transferred to a third country. (Art. 15(8) Directive 2014/40/EU)

The repository must be guarded by security procedures and systems ensuring that access to the repository is only granted to competent authorities of Member States, the Commission and external auditors.

On A.7:

The provider of the repository, as well as any of its subcontractor(s), must be independent and exercise their functions impartially. The requirements on legal independence, financial independence, and absence of conflict of interest, apply. (Art. 35 of Implementing Regulation (EU) 2018/574)

Organisation’s organigram in place, job descriptions signed by key personnel, attended courses of relevance for the respective roles.

List of appointments (CISO, DPO, etc.), and description of responsibilities and tasks for security roles.

Evidence of personnel attendance at training (e.g. accepted invitation, date and agenda of training, signed participation list during the awareness workshop, etc.).

Policies/procedures for Human Resource security regularly reviewed and updated (procedures execution records).

Basic implementation of physical security measures and control of the surroundings, such as door and cabinet locks, burglar alarm, fire alarms, fire extinguishers, CCTVs, etc.

List of personnel with authorised access and authorisation credentials.

Documented policy for physical security measures and control of the surroundings, including description of the relevant facilities and systems.

Detailed inventory with hardware resources used for administration purposes.

Operations Security

A.12 Operations Security

On A.12.3:

All repository components and services must have sufficient back-up mechanisms in place. (Art. 25(1)(i) of Implementing Regulation (EU) 2018/574)

On A.12.4:

The repository must contain a complete audit trail of all operations concerning the stored data and users performing related operations, including the nature of these operations and the history of user access. (Art. 25(1)(m) of Implementing Regulation (EU) 2018/574)

Guidelines on evidence in relation to events and logging:

Maintenance security procedure properly documented and approved by senior management.

Clearly defined minimum security maintenance process.

List of all contracts with third parties (2).

Explicit security requirements in the contracts with third parties supplying IT products, IT services, outsourced business processes, helpdesks, etc.

Documented security policy for contracts with third parties

Documented comments or change logs of the policy.

Vendor risk assessment/management policy and/or procedure in place and maintained.

Documented amendment or termination of relationships with third parties.

Reports from related awareness and training exercises.

Systems, tools and procedures for incident detection and analysis.

Documented incident detection and analysis policy, addressing purpose, scope, roles and responsibilities and coordination among all related entities, including clients.

Existence of reports related to the detection and escalation of past security incidents.

Up-to-date documentation of the incident detection policy and related procedures and systems.

Inventory of major past incidents detected and escalated, including all related information (cause, impact, order of actions taken).

Evidence of past cyber exercises conducted, including the dates when they were conducted.

Access control (users and applications)

A.9 Access Control

A.14 System Acquisition, Development and Maintenance

On A.9:

Access to data facilities, and the data stored therein, must be limited to Member States, the European Commission, and approved external auditors. (Art. 15(8) of Directive 2014/40/EU; Art. 25(1)(j) of Implementing Regulation (EU) 2018/574)

Access control policy including description of roles, groups, access rights, procedures for granting and revoking the right to access the information systems.

Rule definition for deleting no longer used accounts after a short period of time.

Access control related matrices (e.g. control matrix for segregation of duties, remote access control, etc.).

Access rights section included in access control policy/procedures.

The access control policy includes a register of mapping of access rights to the relevant resources and/or processes.

Tailored and documented administration accounts with specific access rights given to the relevant personnel.

Documented management of administrator accounts process.

Logs of administrator account activity available.

Administration information systems isolated and segregated from the rest of the infrastructure for enhanced resilience.

Formally documented software requirements for ensuring compatibility.

Communications security

A.10 Cryptographics

A.13 Communications security

On A.13:

Data exchange between primary repositories and the secondary repository and router must take place in accordance with the technical specifications set out by the provider of the secondary repository. (Art. 28(1) of Implementing Regulation (EU) 2018/574)

All electronic communication must be carried out using secure means. Applicable security protocols and connectivity rules must be based on non-proprietary open standards. (Art. 36(1) of Implementing Regulation (EU) 2018/574)

Appropriate cryptographic processes exist.

Safeguards to protect the secrecy of (private) key(s) are in place.

System configuration policy and/or procedure in place and maintained.

System configuration tables.

Timetable and plan of system configuration review cycles.

Documented past exercises/tests of critical information systems in place.

Timetable and plan of security configuration reviews.

Documentation about the implementation of the segregation of the network and system and of the data.

Monitoring reports of critical network and information systems.

Documented policy for monitoring procedures, including minimum monitoring requirements.

Proof of existing tools for monitoring systems.

Business continuity

A.16 Information security incident Management

A.17 Information Security Aspects of Business Continuity Management

A.18 Compliance

On A.17:

All repository components and services must meet a monthly uptime of at least 99,5 %. (Art. 25(1)(i) of Implementing Regulation (EU) 2018/574)

Data portability must be secured in accordance with the applicable common data dictionary. (Art. 36(2) of Implementing Regulation (EU) 2018/574)

Provider must have in place an applicable exit plan. (Art. 19 of Delegated Regulation (EU) 2018/573)

On A.18.1:

Data processing activities must comply with Regulation (EU) 2016/679 (the General Data Protection Regulation), and be in line with the Data Processing Agreement (DPA) established between the provider of the primary repository and the provider of the secondary repository.

Formally documented service continuity strategy, including recovery time objectives for key services and processes.

Contingency plans for critical systems, including clear steps and procedures for common threats, triggers for activation, steps and recovery time objectives.

Records of individual training activities as well as post-exercise reports.

Measures in place for dealing with disasters (e.g. earthquake, flooding, fire), such as failover sites in other regions, backups of critical data that need to be carried out in a remote location (geographically distinct from the data centre collecting and processing the data), at a sufficient distance to escape any damage from a disaster at the main site etc.

Formally documented policy/procedures for deploying disaster recovery capabilities, including list of natural and/or major disasters that could affect the services, and a list of disaster recovery capabilities (either those available internally or provided by third parties).

Records of individual training activities for personnel involved in the disaster recovery operations.

Assets and Data integrity

A.8 Asset Management

On A.8.1:

Consider assets related with databases and repositories (i.e. database management system, database objects, database server).

On A.8.2:

High sensitivity. Data contains trade sensitive information. Data is used for investigations conducted by national and EU authorities.

Documented policy/procedures for asset management, including roles, responsibilities, assets and configurations that are subject to the policy.

List of centrally managed critical assets and critical system configurations managed and maintained.

Software/hardware asset management formally documented and maintained.

Up to date asset management policy/procedures, review comments and/or change logs.