92/242/EEC: Council Decision of 31 March 1992 in the field of security of information systems
OJ L 123, 8.5.1992, p. 19–25 (ES, DA, DE, EL, EN, FR, IT, NL, PT)
Special edition in Finnish: Chapter 16 Volume 2 P. 25 - 31
Special edition in Swedish: Chapter 16 Volume 2 P. 25 - 31
Special edition in Czech: Chapter 16 Volume 01 P. 6 - 12
Special edition in Estonian: Chapter 16 Volume 01 P. 6 - 12
Special edition in Hungarian Chapter 16 Volume 01 P. 6 - 12
Special edition in Lithuanian: Chapter 16 Volume 01 P. 6 - 12
Special edition in Latvian: Chapter 16 Volume 01 P. 6 - 12
Special edition in Maltese: Chapter 16 Volume 01 P. 6 - 12
Special edition in Polish: Chapter 16 Volume 01 P. 6 - 12
Special edition in Slovak: Chapter 16 Volume 01 P. 6 - 12
Special edition in Slovene: Chapter 16 Volume 01 P. 6 - 12
Special edition in Bulgarian: Chapter 16 Volume 01 P. 6 - 12
Special edition in Romanian: Chapter 16 Volume 01 P. 6 - 12
Special edition in croatian Chapter 16 Volume 001 P. 6 - 12
COUNCIL DECISION of 31 March 1992 in the field of security of information systems (92/242/EEC)
THE COUNCIL OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Economic Community, and in particular Article 235 thereof,
Having regard to the proposal from the Commission (1),
Having regard to the opinion of the European Parliament (2),
Having regard to the opinion of the Economic and Social Committee (3),
Whereas the Community has as its task, by establishing a common market and progressively approximating the economic policies of the Member States, to promote throughout the Community a harmonious development of economic activities, a continuous and balanced expansion, an increase in stability, an accelerated raising of the standard of living and closer relations between the Member States;
Whereas information stored, processed and transmitted electronically plays an increasingly important role in economic and social activities;
Whereas the advent of efficient global communications and the pervasive use of electronic handling of information emphasizes the need for adequate protection;
Whereas the European Parliament has repeatedly stressed the importance of the security of information systems in its debates and resolutions;
Whereas the Economic and Social Committee has emphasized the need to address issues relating to the security of information systems in Community forms of action, particularly in view of the impact of the completion of the internal market;
Whereas forms of action at national, international and Community levels provide a good basis;
Whereas there is a close link between telecommunications, information technology, standardization, the information market and research, development and technology (RDT) policies, as well as the work already undertaken in these areas by the Community;
Whereas it is appropriate to ensure that efforts are concerted by building on existing national and international work and by promoting cooperation between the principal parties concerned; whereas it is therefore appropriate to proceed within the framework of a coherent action plan;
Whereas the complexity of the security of information systems calls for the development of strategies to enable the free movement of information within the single market while ensuring the security of the use of information systems throughout the Community;
Whereas it is the responsibility of each Member State to take into account the constraints imposed by security and public order;
Whereas the responsibilities of the Member States in this area imply a concerted approach based on close collaboration with senior officials of the Member States;
Whereas provision should be made for a plan of action for an initial period of twenty-four months and the setting-up of a Committee of Senior Officials with a long-term mandate to advise the Commission on forms of action in the area of security of information systems;
Whereas an amount of ECU 12 million is considered necessary to implement the action for an initial period of twenty-four months; whereas for 1992, in the context of the present financial perspective, the amount estimated necessary is ECU 2 million;
Whereas the amounts to be committed in order to finance the programme for the period following the 1992 budget year will form part of the existing Community financial framework,
HAS DECIDED AS FOLLOWS:
An action in the field of the security of information systems is hereby adopted. It comprises:
- development of overall strategies for the security of information systems (action plan) for an initial period of 24 months, and
- setting-up Senior Officials Group with a long-term mandate to advise the Commission on action to be undertaken in the field of the security of information systems, hereinafter referred to as the 'Committee'.
1. The Commission shall consult the Committee systematically on issues relating to the security of the information systems for the various activities carried out by the Community, in particular on the definition of work strategies and programmes.
2. The action plan, as indicated in the Annex, shall include preparatory work under the following themes:
I. development of a strategic framework for the security of information systems;
II. identification of user and service provider requirements for the security of information systems;
III. solutions for immediate and interim needs of users, suppliers and service providers;
IV. development of specifications, standardization, evaluation and certification in respect of the security of information systems;
V. technological and operational developments in the security of information systems;
VI. provision of security of information systems.
1. The Community funds estimated as necessary for the execution of the action amount to ECU 12 million for the initial period, including ECU 2 million for 1992 within the 1988-1992 financial perspective.
For the subsequent period of application of the programme, the amount will have to be included in the Community financial framework in force.
2. The budgetary authority shall determine the appropriations available for each financial year, taking into account the principles of sound management referred to in Article 2 of the Financial Regulation applicable to the general budget of the European Communities.
An evaluation of the progress achieved during the initial period shall be carried out for the Commission by a group of indepedent experts. This group's report, together with any comments by the Commission, shall be submitted to the European Parliament and the Council.
1. The Commission shall be responsible for implementing the action. It shall be assisted by an advisory committee composed of representatives of the Member States and chaired by the representative of the Commission.
2. The action plan shall be implemented in accordance with the objectives set out in Article 2 and updated where necessary. It shall set out the detailed objectives and types of actions to be undertaken, and the financial arrangements to be made for them. The Commission shall make calls for proposals on the basis of the action plan.
3. The action plan shall be implemented in close collaboration with the sector actors. It shall take into account, promote and complement the European and international standardization activities under way in this field.
1. The procedure laid down in Article 7 shall apply to:
- measures relating to Community policy in the field of the security of information systems;
2. The procedure laid down in Article 8 shall apply to:
- the preparation and updating of the action plan referred to in Article 5;
- the contents of the calls for proposals, the assessment of proposals and the estimated amount of the Community's contribution to measures where this amount exceeds ECU 200 000;
- the cooperation in any activity under this Decision of non-Community organizations;
- arrangements for the dissemination, protection and exploitation of the results of the measures;
- the measures to be undertaken to evaluate the action.
3. Where the amount of the Community contribution to the measures is less than, or equal to, ECU 200 000, the Commission shall consult the Committee on the measures to be taken and inform the Committee of the outcome of its assessment.
The representative of the Commission shall submit to the Committee a draft of the measures to be taken. The Committee shall deliver its opinion on the draft, within a time limit which the Chairman may lay down according to the urgency of the matter, if necessary by taking a vote.
The opinion shall be recorded in the minutes; in addition, each Member State shall have the right to ask to have its position recorded in the minutes.
The Commission shall take the utmost account of the opinion delivered by the Committee. It shall inform the Committee of the manner in which its opinion has been taken into account.
The representative of the Commission shall submit to the Committee a draft of the measures to be taken. The Committee shall deliver its opinion on the draft within a time limit which the Chairman may lay down according to the urgency of the matter. The opinion shall be delivered by the majority laid down in Article 148 (2) of the Treaty in the case of decisions which the Council is required to adopt on a proposal from the Commission. The votes of the representatives of the Member States within the Committee shall be weighted in the manner set out in that Article. The Chairman shall not vote.
The Commission shall adopt the measures envisaged if they are in accordance with the opinion of the Committee.
If the measures envisaged are not in accordance with the opinion of the Committee, of if no opinion is delivered, the Commission shall, without delay, submit to the Council a proposal relating to the measures to be taken. The Council shall act by a qualified majority.
If, on the expiry of a period of three months from the date of referral to it the Council has not acted, the proposed measures shall be adopted by the Commission, save where the Council has decided against the said measures by a simple majority. Done at Brussels, 31 March 1992. For the Council
(1) OJ No C 277, 5. 11. 1990, p. 18. (2) OJ No C 94, 13. 3. 1992. (3) OJ No C 159, 17. 6. 1991, p. 38.
Summary of action lines
ORIENTATIONS FOR AN ACTION PLAN IN THE FIELD OF THE SECURITY OF INFORMATION SYSTEMS
The action plan shall have as its objective the development of overall strategies aiming to provide users and producers of electronically stored, processed or transmitted information with appropriate protection of information systems against accidental or deliberate threats.
The action plan shall take into account and complement the world-wide standardization activities under way in this field.
It shall include the following lines of action:
- development of a strategic framework for the security of information systems;
- identification of user and service provider requirements for the security of information systems;
- solutions for immediate and interim needs of users, suppliers and service providers;
- development of specifications, standardization, evaluation and certification in respect of the security of information systems;
- technological and operational developments in the security of information systems;
- provision of security of information systems.
The action plan shall be implemented by the Commission, in close association with related actions in Member States and in conjunction with related Community research and development actions.
1. Action line I - Development of a strategic framework for the security of information systems
Security of information systems is recognized as a pervasive quality necessary in modern society. Electronic information services need a secure telecommunications infrastructure, secure hard- and software as well as secure usage and management. An overall strategy, considering all aspects of security of information systems, needs to be established, avoiding a fragmented approach. Any strategy for the security of information processed in an electronic form must reflect the wish of any society to operate effectively yet protect itself in a rapidly changing world.
A strategically orientated framework has to be established to reconcile social, economic and political objectives with technical, operational and legislative options for the Community in an international context. The sensitive balance between different concerns, objectives and constraints are to be found by sector actors working together in the development of a common perception and agreed strategy framework. These are the prerequisites for reconciling interests and needs both in policy-making and in industrial developments.
1.3. Status and trends
The situation is characterized by growing awareness of the need to act. However, in the absence of an initiative to coordinate efforts, it seems very likely that dispersed efforts in various sectors will create a situation which will de facto be contradictory, creating progressively more serious legal, social and economic problems.
1.4. Requirements, options and priorities
Such a shared framework would need to address and situate risk analysis and risk management concerning the vulnerability of information and related services, the alignment of laws and regulations associated with computer/telecommunications abuse and misuse, administrative infrastructures including security policies, and how these may be effectively implemented by various industries/disciplines, and social and privacy concerns (e.g. the application of identification, authentication, non-repudiation and possibly authorization schemes in a democratic environment).
Clear guidance is to be provided for the development of physical and logical architectures for secure distributed information services, standards, guidelines and definitions for assured security products and services, pilots and prototypes to establish the viability of various administrative structures, architectures and standards related to the needs of specific sectors.
Security awareness must be created in order to influence the attitude of the users towards an increased concern about security in information technology (IT).
2. Action line II - Identification of user and service provider requirements for the security of information systems
Security of information systems is the inherent prerequisite for the integrity and trustworthiness of business applications, intellectual property and confidentiality. This leads inevitably to a difficult balance and sometimes choices, between a commitment to free trade and a commitment to securing privacy and intellectual property. These choices and compromises need to be based on a full appreciation of requirements and the impact of possible options for the security of information systems to respond to them.
User requirements imply the security functionalities of information systems interdependent with technological, operational and regulatory aspects. Therefore, a systematic investigation of security requirements for information systems forms an essential part of the development of appropriate and effective measures.
Establishing the nature and characteristics of requirements of users and service providers and their relation to security measures of information systems.
2.3. Status and trends
Hitherto, no concerted effort has been undertaken to identify the rapidly evolving and changing requirements of the major actors for the security of information systems. Member States of the Community have identified the requirements for harmonization of national activities (especially of the 'IT security evaluation criteria'). Uniform evaluation criteria and rules for mutual recognition of evaluation certificates are of major importance.
2.4. Requirements, options and priorities
As a basis for a consistent and transparent treatment of the justified needs of the sector actors, it is considered necessary to develop an agreed classification of user requirements and its relation to the provision of security in information systems.
It is also considered important to identify requirements for legislation, regulations and codes of practice in the light of an assessment of trends in service characteristics and technology, to identify alternative strategies for meeting the objectives by administrative, service, operational and technical provisions, and to assess the effectiveness, user-friendliness and costs of alternative security options and strategies for information systems for users, service providers and operators.
3. Action line III - Solutions for immediate and interim needs of users, suppliers and service providers
At present it is possible to protect adequately computers from unauthorized access from the outside world by 'isolation', i.e. by applying conventional organizational and physical measures. This applies also to electronic communications within a closed user group operating on a dedicated network. The situation is very different if the information is shared between user groups or exchanged via a public, or generally accessible, network. Neither the technology, terminals and services nor the related standards and procedures are generally available to provide comparable security for information systems in these cases.
The objective has to be to provide, at short notice, solutions which can respond to the most urgent needs of users, service providers and manufacturers. This includes the use of common IT-security evaluation criteria. These should be conceived as open towards future requirements and solutions.
3.3. Status and trends
Some user groups have developed techniques and procedures for their specific use responding, in particular, to the need for authentication, integrity and non-repudiation. In general, magnetic cards or smart cards are being used. Some are using more or less sophisticated cryptographic techniques. Often this implied the definition of user-group specific 'authorities'. However, it is difficult to generalize these techniques and methods to meet the needs of an open environment.
ISO is working on OSI Information System Security (ISO DIS 7498-2) and CCITT in the context of X400. It is also possible to insert security segments into the messages. Authentication, integrity and non-repudiation are being addressed as part of the messages (EDIFACT) as well as part of the X400 MHS.
At present, the Electronic Data Interchange (EDI) legal framework is still at the stage of conception. The International Chamber of Commerce has published uniform rules of conduct for the exchange of commercial data via telecommunications networks.
Several countries (e.g. Germany, France, the United Kingdom and the United States) have developed, or are developing, criteria to evaluate the trustworthiness of IT and telecommunication products and systems and the corresponding procedures for conducting evaluations. These criteria have been co-ordinated with the national manufacturers and will lead to an increasing number of reliable products and systems starting with simple products. The establishment of national organizations which will conduct evaluations and offer certificates will support this trend.
Confidentiality provision is considered by most users as less immediately important. In the future, however, this situation is likely to change as advanced communication services and, in particular, mobile services will have become all-pervasive.
3.4. Requirements, options and priorities
It is essential to develop as soon as possible the procedures, standards, products and tools suited to assure security both in information systems as such (computers, peripherals) and in public communications networks. A high priority should be given to authentication, integrity and non-repudiation. Pilot projects should be carried out to establish the validity of the proposed solutions. Solutions to priority needs on EDI are looked at in the TEDIS programme within the more general content of this action plan.
4. Action line IV - Development of specifications, standardization, evaluation and certification in respect of the security of information systems
Requirements for the security of information systems are pervasive and as such common specifications and standards are crucial. The absence of agreed standards and specifications for IT security may present a major barrier to the advance of information-based processes and services throughout the economy and society. Actions are also required to accelerate the development and use of technology and standards in several related communication and computer network areas that are of critical importance to users, industry and administrations.
Efforts are required to provide a means of supporting and performing specific security functions in the general areas of OSI, ONP, ISDN/IBC and network management. Inherently related to standardization and specification are the techniques and approaches required for verification, including certification leading to mutual recognition. Where possible, internationally agreed solutions are to be supported. The development and use of computer systems with security functions should also be encouraged.
4.3. Status and trends
The United States, in particular, has taken major initiatives to address the security of information systems. In Europe the subject is treated in the context of IT and telecommunications standardization in the context of ETSI and CEN/CENELEC in preparation of CCITT and ISO work in the field.
In view of growing concern, the work in the United States is rapidly intensifying and both vendors and service providers are increasing their efforts in this area. In Europe, France, Germany and the United Kingdom have independently started similar activities, but a common effort corresponding to the United States is evolving only slowly.
4.4. Requirements, options and priorities
In the security of information systems there is inherently a very close relationship between regulatory, operational, administrative and technical aspects. Regulations need to be reflected in standards, and provisions for the security of information systems need to comply in a verifiable manner to the standards and regulations. In several aspects, regulations require specifications which go beyond the conventional scope of standardization, i.e. include codes of practice. Requirements for standards and codes of practice are present in all areas of security of information systems, and a distinction has to be made between the protection requirements which correspond to the security objectives and some of the technical requirements which can be entrusted to the competent European standards bodies (CEN/CENELEC/ETSI).
Specifications and standards must cover the subjects of security services of information systems (personal and enterprise authentication, non-repudiation protocols, legally acceptable electronic proof, authorization control), their communication services (image communication privacy, mobile communications voice and data privacy, data and image data-base protection, integrated services security), their communication and security management (public/private key system for open network operation, network management protection, service provider protection) and their certification (assurance criteria and levels, security assurance procedures for secure information systems).
5. Action line V - Technological and operational developments in the security of information systems
Systematic investigation and development of the technology to permit economically viable and operationally satisfactory solutions to a range of present and future requirements for the security of information systems is a prerequisite for the development of the services market and the competitiveness of the European economy as a whole.
Any technological developments in the security of information systems will have to include both the aspects of computer security and security of communications as most present-day systems are distributed systems, and access to such systems is through communications services.
Systematic investigation and development of the technology to permit economically viable and operationally satisfactory solutions to a range of present and future requirements for the security of information systems.
5.3. Requirements, options and priorities
Work on security of information systems would need to address development and implementation strategies, technologies, and integration and verification.
The strategic R& D work would have to cover conceptual models for secure systems (secure against compromise, unauthorized modifications and denial of service), functional requirements models, risk models and architectures for security.
The technology-orientated R& D work would have to include user and message authentication (e.g. through voice-analysis and electronic signatures), technical interfaces and protocols for encryption, access control mechanisms and implementation methods for provable secure systems.
Verification and validation of the security of the technical system and its applicability would be investigated through integration and verification projects.
In addition to the consolidation and development of security technology, a number of accompanying measures are required concerned with the creation, maintenance and consistent application of standards, and the validation and certification of IT and telecommunication products with respect to their security properties, including validation and certification of methods to design and implement systems.
The third RDT Community Framework Programme might be used to foster cooperative projects at precompetitive and prenormative levels.
6. Action line VI - Provision of security of information systems
Depending on the exact nature of the security features of information systems, the required functions will need to be incorporated at different parts of the information system including terminals/computers, services, network management to cryptographic devices, smart cards, public and private keys, etc. Some of these can be expected to be embedded in the hardware or software provided by vendors, while others may be part of distributed systems (e.g. network management), in the possession of the individual user (e.g. smart cards) or provided from a specialized organization (e.g. public/private keys).
Most of the security products and services can be expected to be provided by vendors, service providers or operators. For specific functions, e.g. the provision of public/private keys, auditing authorization, there may be the need to identify and mandate appropriate organizations.
The same applies for certification, evaluation and verification of quality of service which are functions which need to be addressed by organizations independent of the interests of vendors, service providers or operators. These organizations could be private, governmental, or licensed by government to perform delegated functions.
In order to facilitate a harmonious development of the provision of security of information systems in the Community for the protection of the public and of business interests, it will be necessary to develop a consistent approach as to its provision of security. Where independent organizations will have to be mandated, their functions and conditions will need to be defined and agreed and, where required, embedded into the regulatory framework. The objective would be to come to a clearly defined and agreed sharing of responsibilities between the different actors on a Community level as a prerequisite for mutual recognition.
6.3. Status and trends
At present, the provision of security of information systems is well organized only for specific areas and limited to addressing their specific needs. The organization on a European level is mostly informal, and mutual recognition of verification and certification is not yet established outside closed groups. With the growing importance of the security of information systems, the need for defining a consistent approach to the provision of security for information systems in Europe and internationally is becoming urgent.
6.4. Requirements, options and priorities
Because of the number of different actors concerned and the close relations to regulatory and legislative questions, it is particularly important to pre-agree on the principles which should govern the provision of the security of information systems.
In developing a consistent approach to this question, one will need to address the aspects of identification and specification of functions requiring, by their very nature, the availability of some independent organizations (or interworking organizations). This could include functions such as the administration of a public/private key system.
In addition, it is required to identify and specify, at an early stage, the functions which in the public interest need to be entrusted to independent organizations (or interworking organizations). This could, for example, include auditing, quality assurance, verification, certification and similar functions.