11.1.2017   

EN

Official Journal of the European Union

L 6/40

(1)

The Commission's communication and information systems are an integral part of the functioning of the Commission and IT security incidents can have a serious impact on the Commission's operations as well as on third parties, including individuals, businesses and Member States.

(2)

There are many threats that can harm the confidentiality, integrity or availability of the Commission's communication and information systems and of the information processed therein. These threats include accidents, errors, deliberate attacks and natural events, and need to be recognised as operational risks.

(3)

Communication and information systems need to be provided with a level of protection commensurate with the likelihood, impact and nature of the risks to which they are exposed.

(4)

IT security in the Commission should ensure that the Commission's CISs protect the information they process and they function as they need to, when they need to, under the control of legitimate users.

(5)

The IT security policy of the Commission should be implemented in a manner which is consistent with the policies on security in the Commission.

(6)

The Security Directorate of the Directorate-General for Human Resources and Security has the general responsibility for security in the Commission under the authority and responsibility of the Member of the Commission responsible for security.

(7)

The Commission's approach should take into account EU policy initiatives and legislation on network and information security, industry standards and good practices, to comply with all relevant legislation and to allow interoperability and compatibility.

(8)

Appropriate measures should be developed and implemented by the Commission departments responsible for communication and information systems and IT security measures for protecting communication and information systems should be coordinated across the Commission to ensure efficiency and effectiveness.

(9)

Rules and procedures for access to information in the context of IT security, including IT security incident handling, should be proportionate to the threat to the Commission or its staff and compliant with the principles laid down in Regulation (EC) No 45/2001 of the European Parliament and of the Council (1), on the protection of individuals with regard to the processing of personal data by the Union institutions and bodies and on the free movement of such data and taking account of the principle of professional secrecy, as provided in Article 339 of the TFEU.

(10)

The policies and rules for communication and information systems processing EU classified information (EUCI), sensitive non-classified information, and unclassified information are to be fully in line with Commission Decisions (EU, Euratom) 2015/443 (2) and (EU, Euratom) 2015/444 (3).

(11)

There is a need for the Commission to review and update the provisions on the security of communication and information systems used by the Commission.

(12)

The Commission Decision C(2006) 3602 should therefore be repealed,

(1)

‘Accountable’ means to be answerable for actions, decisions and performance.

(2)

‘CERT-EU’ is the Computer Emergency Response Team for the EU institutions and agencies. Its mission is to support the European Institutions to protect themselves against intentional and malicious attacks that would hamper the integrity of their IT assets and harm the interests of the EU. The scope of CERT-EU's activities covers prevention, detection, response and recovery.

(3)

‘Commission department’ means any Commission Directorate-General or service, or any Cabinet of a Member of the Commission.

(4)

‘Commission Security Authority’ refers to the role laid down in Decision (EU, Euratom) 2015/444.

(5)

‘Communication and information system’ or ‘CIS’ means any system enabling the handling of information in electronic form, including all assets required for its operation, as well as infrastructure, organisation, personnel and information resources. This definition includes business applications, shared IT services, outsourced systems, and end-user devices.

(6)

‘Corporate Management Board’ (CMB) provides the highest level of corporate management oversight for operational and administrative issues in the Commission.

(7)

‘Data owner’ means the individual responsible for ensuring the protection and use of a specific data set handled by a CIS.

(8)

‘Data set’ means a set of information which serves a specific business process or activity of the Commission.

(9)

‘Emergency procedure’ means a predefined set of methods and responsibilities for responding to urgent situations in order to prevent a major impact on the Commission.

(10)

‘Information security policy’ means a set of information security objectives, which are or have to be established, implemented and checked. It comprises, but is not limited to, Decisions (EU, Euratom) 2015/444 and (EU, Euratom) 2015/443.

(11)

‘Information Security Steering Board’ (ISSB) means the governance body that supports the Corporate Management Board in its IT-security-related tasks.

(12)

‘Internal IT service provider’ means a Commission department providing shared IT services.

(13)

‘IT security’ or ‘security of CIS’ means the preservation of confidentiality, integrity and availability of CISs and the data sets that they process.

(14)

‘IT security guidelines’ consist of recommended but voluntary measures that help support IT security standards or serve as a reference when no applicable standard is in place.

(15)

‘IT security incident’ means an event that could adversely affect the confidentiality, integrity or availability of a CIS.

(16)

‘IT security measure’ means a technical or organisational measure aimed at mitigating IT security risks,

(17)

‘IT security need’ means a precise and unambiguous definition of the levels of confidentiality, integrity and availability associated with a piece of information or an IT system with a view to determining the level of protection required.

(18)

‘IT security objective’ means a statement of intent to counter specified threats and/or satisfy specified organisational security requirements or assumptions.

(19)

‘IT security plan’ means the documentation of the IT security measures required to meet the IT security needs of a CIS.

(20)

‘IT security policy’ means a set of IT security objectives, which are or have to be established, implemented and checked. It comprises this decision and its implementing rules.

(21)

‘IT security requirement’ means a formalised IT security need through a predefined process.

(22)

‘IT security risk’ means an effect that an IT security threat might induce on a CIS by exploiting a vulnerability. As such, an IT security risk is characterised by two factors: (1) uncertainty, i.e. the likelihood of an IT security threat to cause an unwanted event; and (2) impact, i.e. the consequences that such an unwanted event may have on a CIS.

(23)

‘IT security standards’ means specific mandatory IT security measures that help enforce and support the IT security policy.

(24)

‘IT security strategy’ means a set of projects and activities which are designed to achieve the objectives of the Commission and which have to be established, implemented and checked.

(25)

‘IT security threat’ means a factor that can potentially lead to an unwanted event which may result in harm to a CIS. Such threats may be accidental or deliberate and are characterised by threatening elements, potential targets and attack methods.

(26)

‘Local Informatics Security Officer’ or ‘LISO’ means the officer who is responsible for IT security liaison for a Commission department.

(27)

‘Personal data’, ‘processing of personal data’, ‘controller’ and ‘personal data filing system’ shall have the same meaning as in Regulation (EC) No 45/2001, and in particular Article 2 thereof.

(28)

‘Processing of information’ means all functions of a CIS with respect to data sets, including creation, modification, display, storage, transmission, deletion and archiving of information. Processing of information can be provided by a CIS as a set of functionalities to users and as IT services to other CIS.

(29)

‘Professional secrecy’ means the protection of business data information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components as laid down in Article 339 of the TFEU.

(30)

‘Responsible’ means having the obligation to act and take decisions to achieve required outcomes.

(31)

‘Security in the Commission’ means the security of persons, assets and information in the Commission, and in particular the physical integrity of persons and assets, the integrity, confidentiality and availability of information and communication and information systems, as well as the unobstructed functioning of Commission operations.

(32)

‘Shared IT service’ means the service a CIS provides to other CISs in the processing of information.

(33)

‘System owner’ is the individual responsible for the overall procurement, development, integration, modification, operation, maintenance, and retirement of a CIS.

(34)

‘User’ means any individual who uses functionality provided by a CIS, whether inside or outside the Commission.

(a)

authenticity: the guarantee that information is genuine and from bona fide sources;

(b)

availability: the property of being accessible and usable upon request by an authorised entity;

(c)

confidentiality: the property that information is not disclosed to unauthorised individuals, entities or processes.

(d)

integrity: the property of safeguarding the accuracy and completeness of assets and information;

(e)

non-repudiation: the ability to prove an action or event has taken place, so that this event or action cannot subsequently be denied;

(f)

protection of personal data: the provision of appropriate safeguards in regard to personal data in full compliance with Regulation (EC) No 45/2001;

(g)

professional secrecy: the protection of information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components as laid down in Article 339 of the TFEU.

(1)

assure alignment between the IT security policy and the Commission's information security policy;

(2)

establish a framework for the authorisation of the use of encrypting technologies for the storage and communication of information by CISs;

(3)

inform the Directorate-General for Informatics about specific threats which could have a significant impact on the security of CISs and the data sets that they process;

(4)

perform IT security inspections to assess the compliance of the Commission's CISs with the security policy, and report the results to the ISSB;

(5)

establish a framework for the authorisation of access and the associated appropriate security rules to Commission CISs from external networks and develop the related IT security standards and guidelines in close cooperation with the Directorate-General for Informatics;

(6)

propose principles and rules for the outsourcing of CISs in order to maintain appropriate control of security of the information;

(7)

develop the related IT security standards and guidelines in relation to Article 6, in close cooperation with the Directorate-General for Informatics.

(1)

develop IT security standards and guidelines, except as provided in Article 6, in close cooperation with the Directorate-General for Human Resources and Security, in order to assure consistency between the IT security policy and the Commission's information security policy, and propose them to the ISSB;

(2)

assess the IT security risk management methods, processes and outcomes of all Commission departments and report on this regularly to the ISSB;

(3)

propose a rolling IT security strategy for revision and approval by the ISSB and further adoption by the Corporate Management Board, and propose a programme, including the planning of projects and activities implementing the IT security strategy;

(4)

monitor the execution of the Commission's IT security strategy and report on this regularly to the ISSB;

(5)

monitor the IT security risks and IT security measures implemented in CISs and report on this regularly to the ISSB;

(6)

report regularly on the overall implementation and compliance with this decision to the ISSB;

(7)

after consulting with the Directorate-General for Human Resources and Security, request system owners to take specific IT security measures in order to mitigate IT security risks to Commission's CISs;

(8)

ensure that there is an adequate catalogue of the Directorate-General for Informatics IT security services available for the system owners and data owners to fulfil their responsibilities for IT security and to comply with the IT security policy and standards;

(9)

provide adequate documentation to system and data owners and consult with them, as appropriate, on the IT security measures implemented for their IT services in order to facilitate compliance with the IT security policy and support the system owners in IT risk management;

(10)

organise regular meetings of the LISOs network and supporting LISOs in carrying out their duties;

(11)

define the training needs and coordinate training programmes on IT security in cooperation with the Commission departments, and develop, implement and coordinate awareness-raising campaigns on IT security in close cooperation with the Directorate-General for Human Resources;

(12)

ensure that system owners, data owners and other roles with IT security responsibilities in Commission departments are made aware of the IT security policy;

(13)

inform the Directorate-General for Human Resources and Security on specific IT security threats, incidents and exceptions to the Commission's IT security policy notified by the system owners which could have a significant impact on security in the Commission;

(14)

in respect of its role as an internal IT service provider, deliver to the Commission a catalogue of shared IT services that provide defined levels of security. This shall be done by systematically assessing, managing and monitoring IT security risks to implement the security measures in order to reach the defined security level.

(1)

formally appoint a system owner, who is an official or a temporary agent, for each CIS who will be responsible for IT security of that CIS and formally appoint a data owner for each data set handled in a CIS who should belong to the same administrative entity which is the Data Controller for data sets subject to Regulation (EC) No 45/2001;

(2)

formally designate a Local Informatics Security Officer (LISO) who can perform the responsibilities independently from system owners and data owners. A LISO can be designated for one or more Commission departments

(3)

ensure that appropriate IT security risk assessments and IT security plans have been made and implemented

(4)

ensure that a summary of IT security risks and measures is reported on a regular basis to the Directorate-General for Informatics;

(5)

ensure, with the support of the Directorate-General for Informatics, that appropriate processes, procedures and solutions are in place to ensure efficient detection, reporting and resolution of IT security incidents relating to their CISs;

(6)

launch an emergency procedure in case of IT security emergencies;

(7)

hold ultimate accountability for IT security including the responsibilities of the system owner and data owner;

(8)

own the risks relating to their CISs and data sets;

(9)

resolve any disagreements between data owners and system owners and in case of continued disagreement bring the issue before the ISSB for resolution;

(10)

ensure that IT security plans and IT security measures are implemented and the risks are adequately covered.

(a)

ensure the compliance of the CIS with the IT security policy;

(b)

ensure that the CIS is accurately recorded in the relevant inventory;

(c)

assess IT security risks and determine the IT security needs for each CIS, in collaboration with the data owners and in consultation with the Directorate-General for Informatics;

(d)

prepare a security plan, including, where appropriate, details of the assessed risks and any additional security measures required;

(e)

implement appropriate IT security measures, proportionate to the IT security risks identified and follow recommendations endorsed by the ISSB;

(f)

identify any dependencies on other CISs or shared IT services and implement security measures as appropriate based on the security levels proposed by those CISs or shared IT services;

(g)

manage and monitor IT security risks;

(h)

report regularly to the head of the Commission department on the IT security risk profile of their CIS and report to the Directorate-General for Informatics on the related risks, risk management activities and security measures taken;

(i)

consult the LISO of the relevant Commission department(s) on aspects of IT Security;

(j)

issue instructions for users on the use of the CIS and associated data as well as on the responsibilities of users related to CIS;

(k)

request authorisation from the Directorate-General for Human Resources and Security, acting as the Crypto Authority, for any CIS that uses encrypting technology.

(l)

consult the Commission Security Authority in advance concerning any system processing EU classified information;

(m)

ensure that back-ups of any decryption keys are stored in an escrow account. The recovery of encrypted data shall be carried out only when authorised in accordance with the framework defined by the Directorate-General for Human Resources and Security;

(n)

respect any instructions from the relevant Data Controller(s) concerning the protection of personal data and the application of data protection rules on security of the processing;

(o)

notify the Directorate-General for Informatics of any exceptions to the Commission's IT security policy including relevant justifications;

(p)

report any unresolvable disagreements between the data owner and the system owner to the head of the Commission department, communicate IT security incidents to the relevant stakeholders in a timely manner as appropriate according to their severity as laid down in Article 15;

(q)

for outsourced systems, ensure that appropriate IT security provisions are included in the outsourcing contracts and that IT security incidents occurring in the outsourced CIS are reported in accordance with Article 15;

(r)

for CIS providing shared IT services, ensure that a defined security level is provided, clearly documented and security measures are implemented for that CIS in order to reach the defined security level.

(a)

ensure that all data sets under his or her responsibility are appropriately classified in accordance with Decision (EU, Euratom) 2015/443 and (EU, Euratom) 2015/444;

(b)

define the information security needs and inform the relevant system owners of these needs;

(c)

participate in the CIS risk assessment;

(d)

report any unresolvable disagreements between the data owner and the system owner to the head of the Commission department;

(e)

communicate IT security incidents as provided for in Article 15.

(a)

proactively identify and inform system owners, data owners and other roles with IT security responsibilities in Commission department(s) about the IT security policy;

(b)

liaise on IT-security-related issues in Commission department(s) with the Directorate-General for Informatics as part of the LISO network;

(c)

attend the regular LISO meetings;

(d)

maintain an overview of the information security risk management process and of the development and implementation of information system security plans;

(e)

advise data owners, system owners and heads of Commission departments on IT-security-related issues;

(f)

cooperate with the Directorate-General for Informatics in disseminating good IT security practices and propose specific awareness-raising and training programmes;

(g)

report on IT security, identify shortfalls and improvements to the Head of the Commission department(s).

(a)

comply with the IT security policy and the instructions issued by the system owner on the use of each CIS;

(b)

communicate IT security incidents as provided for in Article 15.

(a)

have the right to access summary information for all incident records and full records upon request;

(b)

participate in IT security incidents crisis management groups and IT security emergency procedures;

(c)

be in charge of relations with law enforcement and intelligence services;

(d)

perform forensic analysis regarding cyber-security in accordance with Article 11 of Decision (EU, Euratom) 2015/443;

(e)

decide on the need to launch a formal inquiry;

(f)

inform the Directorate-General for Informatics of any IT security incidents that may present a risk to other CISs.

(a)

immediately notify their Head of Commission Departments, the Directorate-General for Informatics, the Directorate-General for Human Resources, the LISO and, where appropriate, the data owner of any major IT security incidents, in particular those involving a breach of data confidentiality;

(b)

cooperate and follow the instructions of the relevant Commission authorities on incident communication, response and remediation.