Council Decision of 23 September 2013 on the security rules for protecting EU classified information (2013/488/EU)

This version of this Decision was derived from EUR-Lex on IP completion day (31 December 2020 11:00 p.m.). It has not been amended by the UK since then.
Appendix A

DEFINITIONS

For the purposes of this Decision, the following definitions shall apply:

  • ‘Accreditation’ means the process leading to a formal statement by the Security Accreditation Authority (SAA) that a system is approved to operate with a defined level of classification, in a particular security mode in its operational environment and at an acceptable level of risk, based on the premise that an approved set of technical, physical, organisational and procedural security measures has been implemented;

  • ‘Asset’ means anything that is of value to an organisation, its business operations and their continuity, including information resources that support the organisation’s mission;

  • ‘Authorisation for access to EUCI’ means a decision by the GSC Appointing Authority taken on the basis of an assurance given by a competent authority of a Member State that a GSC official, other servant or seconded national expert may, provided his ‘need-to-know’ has been determined and he has been appropriately briefed on his responsibilities, be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date;

  • ‘CIS life-cycle’ means the entire duration of existence of a CIS, which includes initiation, conception, planning, requirements analysis, design, development, testing, implementation, operation, maintenance and decommissioning;

  • ‘Classified contract’ means a contract entered into by the GSC with a contractor for the supply of goods, execution of works or provision of services, the performance of which requires or involves access to or the creation of EUCI;

  • ‘Classified subcontract’ means a contract entered into by a contractor of the GSC with another contractor (i.e. the subcontractor) for the supply of goods, execution of works or provision of services, the performance of which requires or involves access to or the creation of EUCI;

  • ‘Communication and information system’ (CIS) — see Article 10(2);

  • ‘Contractor’ means an individual or legal entity possessing the legal capacity to undertake contracts;

  • ‘Cryptographic (Crypto) material’ means cryptographic algorithms, cryptographic hardware and software modules, and products including implementation details and associated documentation and keying material;

  • ‘Cryptographic product’ means a product whose primary and main functionality is the provision of security services (confidentiality, integrity, availability, authenticity, non-repudiation) through one or more cryptographic mechanisms;

  • ‘CSDP operation’ means a military or civilian crisis management operation under Title V, Chapter 2, of the TEU;

  • ‘Declassification’ means the removal of any security classification;

  • ‘Defence in depth’ means the application of a range of security measures organised as multiple layers of defence;

  • ‘Designated Security Authority’ (DSA) means an authority responsible to the National Security Authority (NSA) of a Member State which is responsible for communicating to industrial or other entities national policy on all matters of industrial security and for providing direction and assistance in its implementation. The function of DSA may be carried out by the NSA or by any other competent authority;

  • ‘Document’ means any recorded information regardless of its physical form or characteristics;

  • ‘Downgrading’ means a reduction in the level of security classification;

  • ‘EU classified information’ (EUCI) — see Article 2(1);

  • ‘Facility Security Clearance’ (FSC) means an administrative determination by an NSA or DSA that, from the security viewpoint, a facility can afford an adequate level of protection to EUCI of a specified security classification level;

  • ‘Handling’ of EUCI means all possible actions to which EUCI may be subject throughout its life-cycle. It comprises its creation, processing, carriage, downgrading, declassification and destruction. In relation to CIS it also comprises its collection, display, transmission and storage;

  • ‘Holder’ means a duly authorised individual with an established need-to-know who is in possession of an item of EUCI and is accordingly responsible for protecting it;

  • ‘Industrial or other entity’ means an entity involved in supplying goods, executing works or providing services; this may be an industrial, commercial, service, scientific, research, educational or development entity or a self-employed individual;

  • ‘Industrial security’ — see Article 11(1);

  • ‘Information Assurance’ — see Article 10(1);

  • ‘Interconnection’ — see Annex IV, paragraph 32;

  • ‘Management of classified information’ — see Article 9(1);

  • ‘Material’ means any document, data carrier or item of machinery or equipment, either manufactured or in the process of manufacture;

  • ‘Originator’ means the Union institution, body or agency, Member State, third state or international organisation under whose authority classified information has been created and/or introduced into the Union’s structures;

  • ‘Personnel security’ — see Article 7(1);

  • ‘Personnel Security Clearance’ (PSC) means a statement by a competent authority of a Member State which is made following completion of a security investigation conducted by the competent authorities of a Member State and which certifies that an individual may be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date;

  • ‘Personnel Security Clearance Certificate’ (PSCC) means a certificate issued by a competent authority establishing that an individual is security cleared and holds a valid security clearance certificate or authorisation from the Appointing Authority for access to EUCI, and which shows the level of EUCI to which that individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or above), the date of validity of the relevant PSC and the date of expiry of the certificate itself;

  • ‘Physical security’ — see Article 8(1);

  • ‘Programme/Project Security Instruction’ (PSI) means a list of security procedures which are applied to a specific programme/project in order to standardise security procedures. It may be revised throughout the programme/project;

  • ‘Registration’ — see Annex III, paragraph 18;

  • ‘Residual risk’ means the risk which remains after security measures have been implemented, given that not all threats are countered and not all vulnerabilities can be eliminated;

  • ‘Risk’ means the potential that a given threat will exploit internal and external vulnerabilities of an organisation or of any of the systems it uses and thereby cause harm to the organisation and to its tangible or intangible assets. It is measured as a combination of the likelihood of threats occurring and their impact.

    • ‘Risk acceptance’ is the decision to agree to the further existence of a residual risk after risk treatment.

    • ‘Risk assessment’ consists of identifying threats and vulnerabilities and conducting the related risk analysis, i.e. the analysis of probability and impact.

    • ‘Risk communication’ consists of developing awareness of risks among CIS user communities, informing approval authorities of such risks and reporting them to operating authorities.

    • ‘Risk treatment’ consists of mitigating, removing, reducing (through an appropriate combination of technical, physical, organisational or procedural measures), transferring or monitoring the risk;

  • ‘Security Aspects Letter’ (SAL) means a set of special contractual conditions issued by the contracting authority which forms an integral part of any classified contract involving access to or the creation of EUCI, that identifies the security requirements or those elements of the contract requiring security protection;

  • ‘Security Classification Guide’ (SCG) means a document which describes the elements of a programme or contract which are classified, specifying the applicable security classification levels. The SCG may be expanded throughout the life of the programme or contract and the elements of information may be re-classified or downgraded; where an SCG exists it shall be part of the SAL;

  • ‘Security investigation’ means the investigative procedures conducted by the competent authority of a Member State in accordance with its national laws and regulations in order to obtain an assurance that nothing adverse is known which would prevent an individual from being granted a PSC or an authorisation for access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above);

  • ‘Security mode of operation’ means the definition of the conditions under which a CIS operates based on the classification of information handled and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation exist for handling or transmitting classified information: dedicated mode, system-high mode, compartmented mode and multilevel mode:

    • ‘Dedicated mode’ means a mode of operation in which all individuals with access to the CIS are cleared to the highest classification level of information handled within the CIS, and with a common need-to-know for all of the information handled within the CIS,

    • ‘System-high mode’ means a mode of operation in which all individuals with access to the CIS are cleared to the highest classification level of information handled within the CIS, but not all individuals with access to the CIS have a common need-to-know for the information handled within the CIS; approval to access information may be granted by an individual,

    • ‘Compartmented mode’ means a mode of operation in which all individuals with access to the CIS are cleared to the highest classification level of information handled within the CIS, but not all individuals with access to the CIS have a formal authorisation to access all of the information handled within the CIS; formal authorisation implies a formal central management of access control as distinct from an individual’s discretion to grant access,

    • ‘Multilevel mode’ means a mode of operation in which not all individuals with access to the CIS are cleared to the highest classification level of information handled within the CIS, and not all individuals with access to the CIS have a common need-to-know for the information handled within the CIS;

  • ‘Security risk management process’ means the entire process of identifying, controlling and minimising uncertain events that may affect the security of an organisation or of any of the systems it uses. It covers the entirety of risk-related activities, including assessment, treatment, acceptance and communication;

  • ‘TEMPEST’ means the investigation, study and control of compromising electromagnetic emanations and the measures to suppress them;

  • ‘Threat’ means a potential cause of an unwanted incident which may result in harm to an organisation or any of the systems it uses; such threats may be accidental or deliberate (malicious) and are characterised by threatening elements, potential targets and attack methods;

  • ‘Vulnerability’ means a weakness of any nature that can be exploited by one or more threats. A vulnerability may be an omission or it may relate to a weakness in controls in terms of their strength, completeness or consistency and may be of a technical, procedural, physical, organisational or operational nature.
