1.CIS shall handle EUCI in accordance with the concept of IA.
2.For CIS handling EUCI, compliance with the Commission's information systems security policy, as referred to in Commission Decision C(2006)3602(1), implies that:
(a)the Plan-Do-Check-Act approach shall be applied for the implementation of the information systems security policy during the full life-cycle of the information system;
(b)the security needs must be identified through a business impact assessment;
(c)the information system and the data therein must undergo a formal asset classification;
(d)all mandatory security measures as determined by the policy on security of information systems must be implemented;
(e)a risk management process must be applied, consisting of the following steps: threat and vulnerability identification, risk assessment, risk treatment, risk acceptance and risk communication;
(f)a security plan, including the Security Policy and the Security Operating Procedures, is defined, implemented, checked and reviewed.
3.All staff involved in the design, development, testing, operation, management or usage of CIS handling EUCI shall notify to the SAA all potential security weaknesses, incidents, breaches of security or compromise which may have an impact on the protection of the CIS and/or the EUCI therein.
4.Where the protection of EUCI is provided by cryptographic products, such products shall be approved as follows:
(a)preference shall be given to products which have been approved by the Council or by the Secretary-General of the Council in its function as crypto approval authority of the Council, upon recommendation of the Commission Security Expert Group;
(b)where warranted on specific operational grounds, the Commission Crypto Approval Authority (CAA) may, upon recommendation of the Commission Security Expert Group, waive the requirements referred to under a) and grant an interim approval for a specific period.
5.During transmission, processing and storage of EUCI by electronic means, approved cryptographic products shall be used. Notwithstanding this requirement, specific procedures may be applied under emergency circumstances or in specific technical configurations after approval by the CAA.
6.Security measures shall be implemented to protect CIS handling information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above against compromise of such information through unintentional electromagnetic emanations (‘TEMPEST security measures’). Such security measures shall be commensurate with the risk of exploitation and the level of classification of the information.
7.The Commission Security Authority shall assume the following functions:
IA Authority (IAA),
Security Accreditation Authority (SAA),
TEMPEST Authority (TA),
Crypto Approval Authority (CAA),
Crypto Distribution Authority (CDA).
8.The Commission Security Authority shall appoint for each system the IA Operational Authority.
9.The responsibilities of the functions described in paragraphs 7 and 8 will be defined in the implementing rules.
C(2006) 3602 of 16 August 2006 concerning the security of information systems used by the European Commission.