Commission Decision (EU, Euratom) 2015/444Show full title

CHAPTER 3U.K. PHYSICAL SECURITY AIMED AT PROTECTING CLASSIFIED INFORMATION

Article 16U.K.Basic principles

1.Physical security measures shall be designed to deny surreptitious or forced entry by an intruder, to deter, impede and detect unauthorised actions and to allow for segregation of personnel in their access to EUCI on a need-to-know basis. Such measures shall be determined based on a risk management process, in accordance with this Decision and its implementing rules.

2.In particular, physical security measures shall be designed to prevent unauthorised access to EUCI by:

(a)ensuring that EUCI is handled and stored in an appropriate manner;

(b)allowing for segregation of personnel in terms of access to EUCI on the basis of their need-to-know and, where appropriate, their security authorisation;

(c)deterring, impeding and detecting unauthorised actions; and

(d)denying or delaying surreptitious or forced entry by intruders.

3.Physical security measures shall be put in place for all premises, buildings, offices, rooms and other areas in which EUCI is handled or stored, including areas housing communication and information systems as referred to in Chapter 5.

4.Areas in which EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is stored shall be established as Secured Areas in accordance with this Chapter and accredited by the Commission Security Accreditation Authority.

5.Only equipment or devices approved by the Commission Security Authority shall be used for protecting EUCI at the level CONFIDENTIEL UE/EU CONFIDENTIAL or above.

Article 17U.K.Physical security requirements and measures

1.Physical security measures shall be selected on the basis of a threat assessment made by the Commission Security Authority, where appropriate in consultation with other Commission departments, other Union institutions, agencies or bodies and/or competent authorities in the Member States. The Commission shall apply a risk management process for protecting EUCI on its premises to ensure that a commensurate level of physical protection is afforded against the assessed risk. The risk management process shall take account of all relevant factors, in particular:

(a)the classification level of EUCI;

(b)the form and volume of EUCI, bearing in mind that large quantities or a compilation of EUCI may require more stringent protective measures to be applied;

(c)the surrounding environment and structure of the buildings or areas housing EUCI; and

(d)the assessed threat from intelligence services which target the Union, its institutions, bodies or agencies, or the Member States and from sabotage, terrorist, subversive or other criminal activities.

2.The Commission Security Authority, applying the concept of defence in depth, shall determine the appropriate combination of physical security measures to be implemented. To that effect, the Commission Security Authority shall develop minimum standards, norms and criteria, set out in implementing rules.

3.The Commission Security Authority is authorised to conduct entry and exit searches to act as a deterrent to the unauthorised introduction of material or the unauthorised removal of EUCI from premises or buildings.

4.When EUCI is at risk of being overlooked, even accidentally, the Commission departments concerned shall take the appropriate measures, as defined by the Commission Security Authority, to counter this risk.

5.For new facilities, physical security requirements and their functional specifications shall be defined in consent with the Commission Security Authority as part of the planning and design of the facilities. For existing facilities, physical security requirements shall be implemented in accordance with the minimum standards, norms and criteria set out in implementing rules.

Article 18U.K.Equipment for the physical protection of EUCI

1.Two types of physically protected areas shall be established for the physical protection of EUCI:

(a)Administrative Areas; and

(b)Secured Areas (including technically Secured Areas).

2.The Commission Security Accreditation Authority shall establish that an area meets the requirements to be designated as an Administrative Area, a Secured Area or a technically Secured Area.

3.For Administrative Areas:

(a)a visibly defined perimeter shall be established which allows individuals and, where possible, vehicles to be checked;

(b)unescorted access shall be granted only to individuals who are duly authorised by the Commission Security Authority or any other competent authority; and

(c)all other individuals shall be escorted at all times or be subject to equivalent controls.

4.For Secured Areas:

(a)a visibly defined and protected perimeter shall be established through which all entry and exit is controlled by means of a pass or personal recognition system;

(b)unescorted access shall be granted only to individuals who are security-cleared and specifically authorised to enter the area on the basis of their need-to-know;

(c)all other individuals shall be escorted at all times or be subject to equivalent controls.

5.Where entry into a Secured Area constitutes, for all practical purposes, direct access to the classified information contained in it, the following additional requirements shall apply:

(a)the level of highest security classification of the information normally held in the area shall be clearly indicated;

(b)all visitors shall require specific authorisation to enter the area, shall be escorted at all times and shall be appropriately security cleared unless steps are taken to ensure that no access to EUCI is possible.

6.Secured Areas protected against eavesdropping shall be designated technically Secured Areas. The following additional requirements shall apply:

(a)such areas shall be equipped with an Intrusion Detection System (‘IDS’), be locked when not occupied and be guarded when occupied. Any keys shall be managed in accordance with Article 20;

(b)all persons and material entering such areas shall be controlled;

(c)such areas shall be regularly physically and/or technically inspected by the Commission Security Authority. Such inspections shall also be conducted following any unauthorised entry or suspicion of such entry; and

(d)such areas shall be free of unauthorised communication lines, unauthorised telephones or other unauthorised communication devices and electrical or electronic equipment.

7.Notwithstanding point (d) of paragraph 6, before being used in areas where meetings are held or work is being performed involving information classified SECRET UE/EU SECRET and above, and where the threat to EUCI is assessed as high, any communications devices and electrical or electronic equipment shall first be examined by the Commission Security Authority to ensure that no intelligible information can be inadvertently or illicitly transmitted by such equipment beyond the perimeter of the Secured Area.

8.Secured Areas which are not occupied by duty personnel on a 24-hour basis shall, where appropriate, be inspected at the end of normal working hours and at random intervals outside normal working hours, unless an IDS is in place.

9.Secured Areas and technically Secured Areas may be set up temporarily within an Administrative Area for a classified meeting or any other similar purpose.

10.The LSO of the Commission department concerned shall draw up Security Operating Procedures (SecOPs) for each Secured Area under his responsibility stipulating, in accordance with the provisions of this Decision and its implementing rules:

(a)the level of EUCI which may be handled and stored in the area;

(b)the surveillance and protective measures to be maintained;

(c)the individuals authorised to have unescorted access to the area by virtue of their need-to-know and security authorisation;

(d)where appropriate, the procedures for escorts or for protecting EUCI when authorising any other individuals to access the area;

(e)any other relevant measures and procedures.

11.Strong rooms shall be constructed within Secured Areas. The walls, floors, ceilings, windows and lockable doors shall be approved by the Commission Security Authority and afford protection equivalent to a security container approved for the storage of EUCI of the same classification level.

Article 19U.K.Physical protective measures for handling and storing EUCI

1.EUCI which is classified RESTREINT UE/EU RESTRICTED may be handled:

(a)in a Secured Area,

(b)in an Administrative Area provided the EUCI is protected from access by unauthorised individuals, or

(c)outside a Secured Area or an Administrative Area provided the holder carries the EUCI in accordance with Article 31 and has undertaken to comply with compensatory measures, set out in implementing measures, to ensure that EUCI is protected from access by unauthorised persons.

2.EUCI which is classified RESTREINT UE/EU RESTRICTED shall be stored in suitable locked office furniture in an Administrative Area or a Secured Area. It may temporarily be stored outside an Administrative Area or a Secured Area provided the holder has undertaken to comply with compensatory measures laid down in implementing rules.

3.EUCI which is classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET may be handled:

(a)in a Secured Area;

(b)in an Administrative Area provided the EUCI is protected from access by unauthorised individuals; or

(c)outside a Secured Area or an Administrative Area provided the holder:

4.EUCI which is classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET shall be stored in a Secured Area in a security container or a strong room.

5.EUCI which is classified TRES SECRET UE/EU TOP SECRET shall be handled in a Secured Area, set up and maintained by the Commission Security Authority, and accredited to that level by the Commission Security Accreditation Authority.

6.EUCI which is classified TRES SECRET UE/EU TOP SECRET shall be stored in a Secured Area, accredited to that level by the Commission Security Accreditation Authority, under one of the following conditions:

(a)in a security container in accordance with the provisions of Article 18 with one or more of the following supplementary controls:

(b)in an IDS-equipped strong room in combination with security response personnel.

Article 20U.K.Management of keys and combinations used for protecting EUCI

1.Procedures for managing keys and combination settings for offices, rooms, strong rooms and security containers shall be laid down in implementing rules according to Article 60 below. Such procedures shall be intended to guard against unauthorised access.

2.Combination settings shall be committed to memory by the smallest possible number of individuals needing to know them. Combination settings for security containers and strong rooms storing EUCI shall be changed:

(a)on receipt of a new container;

(b)whenever there is a change in personnel knowing the combination;

(c)whenever a compromise has occurred or is suspected;

(d)when a lock has undergone maintenance or repair; and

(e)at least every 12 months.