Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission
This is the original version as it was originally adopted in the EU.
For the purposes of this Decision the following definitions shall apply:
‘Accountable’ means to be answerable for actions, decisions and performance.
‘CERT-EU’ is the Computer Emergency Response Team for the EU institutions and agencies. Its mission is to support the European Institutions to protect themselves against intentional and malicious attacks that would hamper the integrity of their IT assets and harm the interests of the EU. The scope of CERT-EU's activities covers prevention, detection, response and recovery.
‘Commission department’ means any Commission Directorate-General or service, or any Cabinet of a Member of the Commission.
‘Commission Security Authority’ refers to the role laid down in Decision (EU, Euratom) 2015/444.
‘Communication and information system’ or ‘CIS’ means any system enabling the handling of information in electronic form, including all assets required for its operation, as well as infrastructure, organisation, personnel and information resources. This definition includes business applications, shared IT services, outsourced systems, and end-user devices.
‘Corporate Management Board’ (CMB) provides the highest level of corporate management oversight for operational and administrative issues in the Commission.
‘Data owner’ means the individual responsible for ensuring the protection and use of a specific data set handled by a CIS.
‘Data set’ means a set of information which serves a specific business process or activity of the Commission.
‘Emergency procedure’ means a predefined set of methods and responsibilities for responding to urgent situations in order to prevent a major impact on the Commission.
‘Information security policy’ means a set of information security objectives, which are or have to be established, implemented and checked. It comprises, but is not limited to, Decisions (EU, Euratom) 2015/444 and (EU, Euratom) 2015/443.
‘Information Security Steering Board’ (ISSB) means the governance body that supports the Corporate Management Board in its IT-security-related tasks.
‘Internal IT service provider’ means a Commission department providing shared IT services.
‘IT security’ or ‘security of CIS’ means the preservation of confidentiality, integrity and availability of CISs and the data sets that they process.
‘IT security guidelines’ consist of recommended but voluntary measures that help support IT security standards or serve as a reference when no applicable standard is in place.
‘IT security incident’ means an event that could adversely affect the confidentiality, integrity or availability of a CIS.
‘IT security measure’ means a technical or organisational measure aimed at mitigating IT security risks.
‘IT security need’ means a precise and unambiguous definition of the levels of confidentiality, integrity and availability associated with a piece of information or an IT system with a view to determining the level of protection required.
‘IT security objective’ means a statement of intent to counter specified threats and/or satisfy specified organisational security requirements or assumptions.
‘IT security plan’ means the documentation of the IT security measures required to meet the IT security needs of a CIS.
‘IT security policy’ means a set of IT security objectives, which are or have to be established, implemented and checked. It comprises this decision and its implementing rules.
‘IT security requirement’ means a formalised IT security need through a predefined process.
‘IT security risk’ means an effect that an IT security threat might induce on a CIS by exploiting a vulnerability. As such, an IT security risk is characterised by two factors: (1) uncertainty, i.e. the likelihood of an IT security threat to cause an unwanted event; and (2) impact, i.e. the consequences that such an unwanted event may have on a CIS.
‘IT security standards’ means specific mandatory IT security measures that help enforce and support the IT security policy.
‘IT security strategy’ means a set of projects and activities which are designed to achieve the objectives of the Commission and which have to be established, implemented and checked.
‘IT security threat’ means a factor that can potentially lead to an unwanted event which may result in harm to a CIS. Such threats may be accidental or deliberate and are characterised by threatening elements, potential targets and attack methods.
‘Local Informatics Security Officer’ or ‘LISO’ means the officer who is responsible for IT security liaison for a Commission department.
‘Personal data’, ‘processing of personal data’, ‘controller’ and ‘personal data filing system’ shall have the same meaning as in Regulation (EC) No 45/2001, and in particular Article 2 thereof.
‘Processing of information’ means all functions of a CIS with respect to data sets, including creation, modification, display, storage, transmission, deletion and archiving of information. Processing of information can be provided by a CIS as a set of functionalities to users and as IT services to other CIS.
‘Professional secrecy’ means the protection of business data information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components as laid down in Article 339 of the TFEU.
‘Responsible’ means having the obligation to act and take decisions to achieve required outcomes.
‘Security in the Commission’ means the security of persons, assets and information in the Commission, and in particular the physical integrity of persons and assets, the integrity, confidentiality and availability of information and communication and information systems, as well as the unobstructed functioning of Commission operations.
‘Shared IT service’ means the service a CIS provides to other CISs in the processing of information.
‘System owner’ is the individual responsible for the overall procurement, development, integration, modification, operation, maintenance, and retirement of a CIS.
‘User’ means any individual who uses functionality provided by a CIS, whether inside or outside the Commission.