Council Decision of 31 March 2011 on the security rules for protecting EU classified information (2011/292/EU)

This version of this Decision was derived from EUR-Lex on IP completion day (31 December 2020 11:00 p.m.). It has not been amended by the UK since then.

Appendix A DEFINITIONS

For the purposes of this Decision, the following definitions shall apply:

  • ‘Accreditation’ means the process leading to a formal statement by the Security Accreditation Authority (SAA) that a system is approved to operate with a defined level of classification, in a particular security mode in its operational environment and at an acceptable level of risk, based on the premise that an approved set of technical, physical, organisational and procedural security measures has been implemented;

  • ‘Asset’ means anything that is of value to an organisation, its business operations and their continuity, including information resources that support the organisation’s mission;

  • ‘CIS life-cycle’ means the entire duration of existence of a CIS, which includes initiation, conception, planning, requirements analysis, design, development, testing, implementation, operation, maintenance and decommissioning;

  • ‘Classified contract’ means a contract entered into by the GSC with a contractor for the supply of goods, execution of works or provision of services, the performance of which requires or involves access to or the creation of EUCI;

  • ‘Classified subcontract’ means a contract entered into by a contractor of the GSC with another contractor (i.e. the subcontractor) for the supply of goods, execution of works or provision of services, the performance of which requires or involves access to or the creation of EUCI;

  • ‘Communication and information system’ (CIS) — see Article 10(2);

  • ‘Contractor’ means an individual or legal entity possessing the legal capacity to undertake contracts;

  • ‘Cryptographic (Crypto) material’ means cryptographic algorithms, cryptographic hardware and software modules, and products including implementation details and associated documentation and keying material;

  • ‘CSDP operation’ means a military or civilian crisis management operation under Title V, Chapter 2, of the TEU;

  • ‘Declassification’ means the removal of any security classification;

  • ‘Defence in depth’ means the application of a range of security measures organised as multiple layers of defence;

  • ‘Designated Security Authority’ (DSA) means an authority responsible to the National Security Authority (NSA) of a Member State which is responsible for communicating to industrial or other entities national policy on all matters of industrial security and for providing direction and assistance in its implementation. The function of DSA may be carried out by the NSA or by any other competent authority;

  • ‘Document’ means any recorded information regardless of its physical form or characteristics;

  • ‘Downgrading’ means a reduction in the level of security classification;

  • ‘EU classified information’ (EUCI) — see Article 2(1);

  • ‘Facility Security Clearance’ (FSC) means an administrative determination by an NSA or DSA that, from the security viewpoint, a facility can afford an adequate level of protection to EUCI of a specified security classification level and its personnel who require access to EUCI have been appropriately security cleared and briefed on the relevant security requirements necessary to access and protect EUCI;

  • ‘Handling’ of EUCI means all possible actions to which EUCI may be subject throughout its life-cycle. It comprises its creation, processing, carriage, downgrading, declassification and destruction. In relation to CIS it also comprises its collection, display, transmission and storage;

  • ‘Holder’ means a duly authorised individual with an established need-to-know who is in possession of an item of EUCI and is accordingly responsible for protecting it;

  • ‘Industrial or other entity’ means an entity involved in supplying goods, executing works or providing services; this may be an industrial, commercial, service, scientific, research, educational or development entity or a self-employed individual;

  • ‘Industrial security’ — see Article 11(1);

  • ‘Information Assurance’ — see Article 10(1);

  • ‘Interconnection’ — see Annex IV, paragraph 31;

  • ‘Management of classified information’ — see Article 9(1);

  • ‘Material’ means any document or item of machinery or equipment, either manufactured or in the process of manufacture;

  • ‘Originator’ means the EU institution, agency or body, Member State, third state or international organisation under whose authority classified information has been created and/or introduced into the EU’s structures;

  • ‘Personnel security’ — see Article 7(1);

  • ‘Personnel Security Clearance’ (PSC) means either or both of the following:

    • ‘EU Personnel Security Clearance’ (EU PSC) for access to EUCI means an authorisation by the GSC Appointing Authority which is taken in accordance with this Decision following completion of a security investigation conducted by the competent authorities of a Member State and which certifies that an individual may, provided his ‘need-to-know’ has been determined, be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date; the individual thus described is said to be ‘security cleared’,

    • ‘National Personnel Security Clearance’ (national PSC) for access to EUCI means a statement by a competent authority of a Member State which is made following completion of a security investigation conducted by the competent authorities of a Member State and which certifies that an individual may, provided his ‘need-to-know’ has been determined, be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date; the individual thus described is said to be ‘security cleared’;

  • ‘Personnel Security Clearance Certificate’ (PSCC) means a certificate issued by a competent authority establishing that an individual is security cleared and holds a valid national or EU PSC, and which shows the level of EUCI to which that individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or above), the date of validity of the relevant PSC and the date of expiry of the certificate itself;

  • ‘Physical security’ — see Article 8(1);

  • ‘Programme/Project Security Instruction’ (PSI) means a list of security procedures which are applied to a specific programme/project in order to standardise security procedures. It may be revised throughout the programme/project;

  • ‘Registration’ — see Annex III, paragraph 18;

  • ‘Residual risk’ means the risk which remains after security measures have been implemented, given that not all threats are countered and not all vulnerabilities can be eliminated;

  • ‘Risk’ means the potential that a given threat will exploit internal and external vulnerabilities of an organisation or of any of the systems it uses and thereby cause harm to the organisation and to its tangible or intangible assets. It is measured as a combination of the likelihood of threats occurring and their impact.

    • ‘Risk acceptance’ is the decision to agree to the further existence of a residual risk after risk treatment.

    • ‘Risk assessment’ consists of identifying threats and vulnerabilities and conducting the related risk analysis, i.e. the analysis of probability and impact.

    • ‘Risk communication’ consists of developing awareness of risks among CIS user communities, informing approval authorities of such risks and reporting them to operating authorities.

    • ‘Risk treatment’ consists of mitigating, removing, reducing (through an appropriate combination of technical, physical, organisational or procedural measures), transferring or monitoring the risk.

  • ‘Security Aspects Letter’ (SAL) means a set of special contractual conditions issued by the contracting authority which forms an integral part of any classified contract involving access to or the creation of EUCI, that identifies the security requirements or those elements of the contract requiring security protection;

  • ‘Security Classification Guide’ (SCG) means a document which describes the elements of a programme or contract which are classified, specifying the applicable security classification levels. The SCG may be expanded throughout the life of the programme or contract and the elements of information may be re-classified or downgraded; where an SCG exists it shall be part of the SAL;

  • ‘Security investigation’ means the investigative procedures conducted by the competent authority of a Member State in accordance with its national laws and regulations in order to obtain an assurance that nothing adverse is known which would prevent an individual from being granted a national or EU PSC for access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above);

  • ‘Security mode of operation’ means the definition of the conditions under which a CIS operates based on the classification of information handled and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation exist for handling or transmitting classified information: dedicated mode, system-high mode, compartmented mode and multilevel mode:

    • ‘Dedicated mode’ means a mode of operation in which all individuals with access to the CIS are cleared to the highest classification level of information handled within the CIS, and with a common need-to-know for all of the information handled within the CIS,

    • ‘System-high mode’ means a mode of operation in which all individuals with access to the CIS are cleared to the highest classification level of information handled within the CIS, but not all individuals with access to the CIS have a common need-to-know for the information handled within the CIS; approval to access information may be granted by an individual,

    • ‘Compartmented mode’ means a mode of operation in which all individuals with access to the CIS are cleared to the highest classification level of information handled within the CIS, but not all individuals with access to the CIS have a formal authorisation to access all of the information handled within the CIS; formal authorisation implies a formal central management of access control as distinct from an individual’s discretion to grant access,

    • ‘Multilevel mode’ means a mode of operation in which not all individuals with access to the CIS are cleared to the highest classification level of information handled within the CIS, and not all individuals with access to the CIS have a common need-to-know for the information handled within the CIS;

  • ‘Security risk management process’ means the entire process of identifying, controlling and minimising uncertain events that may affect the security of an organisation or of any of the systems it uses. It covers the entirety of risk-related activities, including assessment, treatment, acceptance and communication;

  • ‘TEMPEST’ means the investigation, study and control of compromising electromagnetic emanations and the measures to suppress them;

  • ‘Threat’ means a potential cause of an unwanted incident which may result in harm to an organisation or any of the systems it uses; such threats may be accidental or deliberate (malicious) and are characterised by threatening elements, potential targets and attack methods;

  • ‘Vulnerability’ means a weakness of any nature that can be exploited by one or more threats. A vulnerability may be an omission or it may relate to a weakness in controls in terms of their strength, completeness or consistency and may be of a technical, procedural, physical, organisational or operational nature.
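The four security modes of operation defined above (dedicated, system-high, compartmented and multilevel) reduce to a test over each user's clearance and need-to-know against the information a CIS handles. The classifier below is an added illustration, not part of the Decision; it assumes the four EUCI classification levels listed in Article 2(2) of the Decision and uses constructed sample users and systems.

```python
"""Classify a CIS into one of the four Appendix A security modes of operation.
Added illustration, not part of the Decision; level names follow Article 2(2)."""
from dataclasses import dataclass, field

# EUCI classification levels, ordered low to high (Article 2(2) of the Decision).
LEVELS = ["RESTREINT UE/EU RESTRICTED", "CONFIDENTIEL UE/EU CONFIDENTIAL",
          "SECRET UE/EU SECRET", "TRES SECRET UE/EU TOP SECRET"]

@dataclass
class User:
    name: str
    clearance: str           # highest level covered by the user's PSC
    need_to_know: frozenset  # information sets the user has an established need-to-know for

@dataclass
class CIS:
    highest_level: str           # highest classification level handled within the CIS
    info_sets: frozenset         # all information sets (topics/compartments) handled
    central_authorisation: bool  # formal central access management (True) or an
                                 # individual's discretion to grant access (False)
    users: list = field(default_factory=list)

def under_cleared(cis):
    """Names of users whose PSC is below the highest level handled in the CIS."""
    return [u.name for u in cis.users
            if LEVELS.index(u.clearance) < LEVELS.index(cis.highest_level)]

def security_mode(cis):
    """Apply the Appendix A mode definitions to the user population of a CIS."""
    if not cis.users:
        raise ValueError("mode of operation is undefined for a CIS with no users")
    if under_cleared(cis):
        # Appendix A states multilevel as "not all cleared" plus "no common need-to-know";
        # this example treats a clearance shortfall alone as multilevel (its own reading).
        return "multilevel"
    if all(u.need_to_know >= cis.info_sets for u in cis.users):
        return "dedicated"
    # All cleared, need-to-know differs: the mode turns on who grants access.
    return "compartmented" if cis.central_authorisation else "system-high"

def example_systems():
    """Constructed sample systems (not from the Decision), one per mode."""
    ops, log = frozenset({"OPS"}), frozenset({"LOG"})
    analyst = User("analyst", "SECRET UE/EU SECRET", ops | log)
    planner = User("planner", "SECRET UE/EU SECRET", ops)
    clerk = User("clerk", "CONFIDENTIEL UE/EU CONFIDENTIAL", log)
    level = "SECRET UE/EU SECRET"
    return {"dedicated": CIS(level, ops | log, False, [analyst]),
            "system-high": CIS(level, ops | log, False, [analyst, planner]),
            "compartmented": CIS(level, ops | log, True, [analyst, planner]),
            "multilevel": CIS(level, ops | log, True, [analyst, clerk])}
```

`under_cleared` is the check an accreditation reviewer would run first, since a single under-cleared user is enough to require multilevel controls regardless of need-to-know.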
