Article 7Security of data transmitted through SFC2014

1.

The Commission shall establish an information technology security policy (hereinafter referred to as ‘SFC IT security policy’) for SFC2014 applicable to personnel using SFC2014 in accordance with relevant Union rules, in particular Commission Decision C(2006)36028 and its implementing rules. The Commission shall designate one or more persons responsible for defining, maintaining and ensuring the correct application of the security policy for SFC2014.

2.

Member States and European institutions other than the Commission, who have received access rights to SFC2014, shall comply with the IT security terms and conditions published in the SFC2014 portal and the measures that are implemented in SFC2014 by the Commission to secure the transmission of data, in particular in relation to the use of the technical interface referred to in Article 6(1) of this Regulation.

3.

Member States and the Commission shall implement and ensure effectiveness of security measures adopted to protect the data they have stored and transmitted through SFC2014.

4.

Member States shall adopt national, regional or local information technology security policies covering access to SFC2014 and automatic input of data into it, ensuring a minimum set of security requirements. These national, regional or local IT security policies may refer to other security documents. Each Member State shall ensure that these IT security policies apply to all authorities using SFC2014.

5.

These national, regional or local IT security policies shall include:

(a)

the IT security aspects of the work performed by the person or persons responsible for managing the access rights referred to in Article 4(3) of this Regulation when working directly in SFC2014; and

(b)

the IT security measures for those national, regional or local computer systems connected to SFC2014 through a technical interface referred to in Article 6(1) of this Regulation.

For the purposes of point (b) of the first subparagraph, the following aspects of IT security shall be covered, as appropriate:

  1. (a)

    physical security;

  2. (b)

    data media and access control;

  3. (c)

    storage control;

  4. (d)

    access and password control;

  5. (e)

    monitoring;

  6. (f)

    interconnection to SFC2014;

  7. (g)

    communication infrastructure;

  8. (h)

    human resources; and

  9. (i)

    incident management.

6.

The national, regional or local IT security policies shall be based on a risk assessment and the measures described shall be proportionate to the risks identified.

7.

The documents setting out the national, regional or local IT security policies shall be made available to the Commission upon request.

8.

Member States shall designate, at a national or regional level, one or more persons responsible for maintaining and ensuring the application of the national, regional or local IT security policies. That person or those persons shall act as contact point with the person or persons designated by the Commission and referred to in paragraph 1.

9.

Both the SFC IT security policy and the relevant national, regional or local IT security policies shall be updated in the event of technological changes, the identification of new threats or other relevant developments. In any event, they shall be reviewed on an annual basis to ensure that they continue to provide an appropriate response.