SlideShare a Scribd company logo

The security rules for protecting EU classified information

Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001

The document outlines the security rules for protecting classified information in the European Union as defined in Council Decision 2013/488/EU. It describes the various levels of EU classified information and their abbreviations. It also summarizes the key requirements for personnel security, physical security, management of classified information, protection of EU classified information handled in communication and information systems, industrial security, and the process for reporting breaches of security or compromises of EU classified information. Additional security requirements are defined for information classified as EU Confidential or above.

Law
1 of 27
Download to read offline
The security rules for protecting EU classified information Andrey Prozorov, CISM
Main document (requirements) • 2013/488/EU: Council Decision of 23 September 2013 on the security rules for protecting EU classified information • http://data.europa.eu/eli/dec/2 013/488/oj • Whereas (1 page), Decision (7) and Annexes (42) 2
DECISION (Articles) + Annexes 1. Purpose, scope and definitions 2. Definition of EUCI, security classifications and markings 3. Classification management 4. Protection of classified information 5. Security risk management 6. Implementation of this Decision 7. Personnel security 8. Physical security 9. Management of classified information 10. Protection of EUCI handled in communication and information systems 11. Industrial security 12. Sharing EUCI 13. Exchange of classified information with third States and international organisations 14. Breaches of security and compromise of EUCI 15. Responsibility for implementation 16. The organisation of security in the Council 17. Security Committee 18. Replacement of previous decision 19. Entry into force • ANNEX I Personnel security • ANNEX II Physical security • ANNEX III Management of classified information • ANNEX IV Protection of EUCI handled in CIS • ANNEX V Industrial security • ANNEX VI Exchange of classified information with third States and international organisations • Appendix A Definitions • Appendix B Equivalence of security classifications • Appendix C List of national security authorities (NSAs) • Appendix D List of abbreviations EUCI - EU classified information CIS - Communication and information system 3
Purpose and scope Article 1. Purpose, scope and definitions 1. This Decision lays down the basic principles and minimum standards of security for protecting EUCI. 2. These basic principles and minimum standards shall apply to the Council and the GSC and be respected by the Member States in accordance with their respective national laws and regulations, in order that each may be assured that an equivalent level of protection is afforded to EUCI. 4
EUCI term ‘EU classified information’ (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States. 5
Levels of EUCI and abbreviations TRÈS SECRET UE / EU TOP SECRET Information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of the Member States TS-UE/EU-TS SECRET UE / EU SECRET Information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of the Member States S-UE/EU-S CONFIDENTIEL UE / EU CONFIDENTIAL Information and material the unauthorised disclosure of which could harm the essential interests of the European Union or of one or more of the Member States C-UE/EU-C RESTREINT UE / EU RESTRICTED Information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States R-UE/EU-R !!! Label «Non-public» is not mentioned in the document !!! 6 
7
Protection of classified information Article 4. Protection of classified information 1. EUCI shall be protected in accordance with this Decision. 2. The holder of any item of EUCI shall be responsible for protecting it in accordance with this Decision. … 8
Requirements Security Risk Management Physical security Personnel security Management of classified information Protection of EUCI handled in communication and information systems Industrial security Sharing EUCI Exchange of classified information with third States and international organisations Breaches of security and compromise of EUCI 9
Security risk management Article 5. Security risk management 1. Risk to EUCI shall be managed as a process. This process shall be aimed at determining known security risks, defining security measures to reduce such risks to an acceptable level in accordance with the basic principles and minimum standards set out in this Decision and at applying those measures in line with the concept of defence in depth as defined in Appendix A. The effectiveness of such measures shall be continuously evaluated. 2. Security measures for protecting EUCI throughout its lifecycle shall be commensurate in particular with its security classification, the form and the volume of the information or material, the location and construction of facilities housing EUCI and the locally assessed threat of malicious and/or criminal activities, including espionage, sabotage and terrorism. 3. Contingency plans shall take account of the need to protect EUCI during emergency situations in order to prevent unauthorised access, disclosure or loss of integrity or availability. 4. Preventive and recovery measures to minimise the impact of major failures or incidents on the handling and storage of EUCI shall be included in business continuity plans. 10
Personnel security Article 7. Personnel security 1. Personnel security is the application of measures to ensure that access to EUCI is granted only to individuals who have: — a need-to-know, — been security cleared to the relevant level, where appropriate, and — been briefed on their responsibilities. 2. Personnel security clearance procedures shall be designed to determine whether an individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to access EUCI. 11
Physical Security Article 8. Physical security 1. Physical security is the application of physical and technical protective measures to prevent unauthorised access to EUCI. 2. Physical security measures shall be designed to deny surreptitious or forced entry by an intruder, to deter, impede and detect unauthorised actions and to allow for segregation of personnel in their access to EUCI on a need-to-know basis. Such measures shall be determined based on a risk management process. … ANNEX II Physical Security 2. Physical security measures shall be designed to prevent unauthorised access to EUCI by: (a) ensuring that EUCI is handled and stored in an appropriate manner; (b) allowing for segregation of personnel in terms of access to EUCI on the basis of their need-to-know and, where appropriate, their security clearance; (c) deterring, impeding and detecting unauthorised actions; and (d) denying or delaying surreptitious or forced entry by intruders. 12
Physical security measures ANNEX II Physical Security 4. The competent security authority, applying the concept of defence in depth, shall determine the appropriate combination of physical security measures to be implemented. These can include one or more of the following: (a) a perimeter barrier: a physical barrier which defends the boundary of an area requiring protection; (b) intrusion detection systems (IDS): an IDS may be used to enhance the level of security offered by a perimeter barrier, or in rooms and buildings in place of, or to assist, security staff; (c) access control: access control may be exercised over a site, a building or buildings on a site or to areas or rooms within a building. Control may be exercised by electronic or electro-mechanical means, by security personnel and/or a receptionist, or by any other physical means; (d) security personnel: trained, supervised and, where necessary, appropriately security-cleared security personnel may be employed, inter alia, in order to deter individuals planning covert intrusion; (e) closed circuit television (CCTV): CCTV may be used by security personnel in order to verify incidents and IDS alarms on large sites or at perimeters; (f) security lighting: security lighting may be used to deter a potential intruder, as well as to provide the illumination necessary for effective surveillance directly by security personnel or indirectly through a CCTV system; and (g) any other appropriate physical measures designed to deter or detect unauthorised access or prevent loss of or damage to EUCI. 13
Physically protected areas ANNEX II Physical Security 14 14. For Administrative Areas: (a) a visibly defined perimeter shall be established which allows individuals and, where possible, vehicles to be checked; (b) unescorted access shall be granted only to individuals who are duly authorised by the competent authority; and (c) all other individuals shall be escorted at all times or be subject to equivalent controls. 15. For Secured Areas: (a) a visibly defined and protected perimeter shall be established through which all entry and exit are controlled by means of a pass or personal recognition system; (b) unescorted access shall be granted only to individuals who are security-cleared and specifically authorised to enter the area on the basis of their need-to-know; and (c) all other individuals shall be escorted at all times or be subject to equivalent controls.
Management of classified information Article 9. Management of classified information 1. The management of classified information is the application of administrative measures for controlling EUCI throughout its life- cycle to supplement the measures provided for in Articles 7, 8 and 10 and thereby help deter and detect deliberate or accidental compromise or loss of such information. Such measures relate in particular to the creation, registration, copying, translation, downgrading, declassification, carriage and destruction of EUCI.EN 15.10.2013 Official Journal of the European Union L 274/3 15
Classification Management • Classifications and markings • Markings • Abbreviated classification markings • Creation of EUCI • Downgrading and declassification of EUCI 16
Creation of EUCI ANNEX III. Management of classified information Creation of EUCI 13. When creating an EU classified document: (a) each page shall be marked clearly with the classification level; (b) each page shall be numbered; (c) the document shall bear a reference number and a subject, which is not itself classified information, unless it is marked as such; (d) the document shall be dated; and (e) documents classified SECRET UE/EU SECRET or above shall bear a copy number on every page, if they are to be distributed in several copies. 17
IA and CIS Article 10. Protection of EUCI handled in communication and information systems 1. Information Assurance (IA) in the field of communication and information systems is the confidence that such systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. Effective IA shall ensure appropriate levels of confidentiality, integrity, availability, non-repudiation and authenticity. IA shall be based on a risk management process. 2. ‘Communication and Information System’ (CIS) means any system enabling the handling of information in electronic form. A CIS shall comprise the entire assets required for it to operate, including the infrastructure, organisation, personnel and information resources. This Decision shall apply to CIS handling EUCI. 3. CIS shall handle EUCI in accordance with the concept of IA. 18
IA properties and concepts ANNEX IV. Protection of EUCI handled in communication and information systems 2. The following IA properties and concepts are essential for the security and correct functioning of operations on CIS: • Authenticity: the guarantee that information is genuine and from bona fide sources; • Availability: the property of being accessible and usable upon request by an authorised entity; • Confidentiality: the property that information is not disclosed to unauthorised individuals, entities or processes; • Integrity: the property of safeguarding the accuracy and completeness of information and assets; • Non-repudiation: the ability to prove an action or event has taken place, so that this event or action cannot subsequently be denied. 19
Information assurance principles • Security risk management • Security throughout the CIS life-cycle • Best practice • Defence in depth • Principle of minimality and least privilege • Information Assurance awareness • Evaluation and approval of IT-security products • Transmission within Secured and Administrative Areas • Secure interconnection of CIS • Computer storage media • Emergency circumstances 20
Technical and non-technical security measures ANNEX IV. Protection of EUCI handled in communication and information systems Defence in depth 16. To mitigate risk to CIS, a range of technical and non-technical security measures, organised as multiple layers of defence, shall be implemented. These layers shall include: (a) Deterrence: security measures aimed at dissuading any adversary planning to attack the CIS; (b) Prevention: security measures aimed at impeding or blocking an attack on the CIS; (c) Detection: security measures aimed at discovering the occurrence of an attack on the CIS; (d) Resilience: security measures aimed at limiting impact of an attack to a minimum set of information or CIS assets and preventing further damage; and (e) Recovery: security measures aimed at regaining a secure situation for the CIS. The degree of stringency of such security measures shall be determined following a risk assessment. 21
Information Assurance awareness ANNEX IV. Protection of EUCI handled in communication and information systems Information Assurance awareness 21. Awareness of the risks and available security measures is the first line of defence for the security of CIS. In particular all personnel involved in the life- cycle of CIS, including users, shall understand: (a) that security failures may significantly harm the CIS; (b) the potential harm to others which may arise from interconnectivity and interdependency; and (c) their individual responsibility and accountability for the security of CIS according to their roles within the systems and processes. 22. To ensure that security responsibilities are understood, IA education and awareness training shall be mandatory for all personnel involved, including senior management and CIS users. 22
Cryptography ANNEX IV. Protection of EUCI handled in communication and information systems 6. Where the protection of EUCI is provided by cryptographic products, such products shall be approved as follows: (a) the confidentiality of information classified SECRET UE/EU SECRET and above shall be protected by cryptographic products approved by the Council as Crypto Approval Authority (CAA), upon recommendation by the Security Committee; (b) the confidentiality of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED shall be protected by cryptographic products approved by the Secretary-General of the Council (‘the Secretary- General‘) as CAA, upon recommendation by the Security Committee. Notwithstanding point (b), within Member States’ national systems, the confidentiality of EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED may be protected by cryptographic products approved by a Member State’s CAA. 23
Industrial security Article 11. Industrial security 1. Industrial security is the application of measures to ensure the protection of EUCI by contractors or subcontractors in pre- contract negotiations and throughout the life-cycle of classified contracts. Such contracts shall not involve access to information classified TRИS SECRET UE/EU TOP SECRET. … 24
Breaches and compromise Article 14. Breaches of security and compromise of EUCI 1. A breach of security occurs as the result of an act or omission by an individual which is contrary to the security rules laid down in this Decision. 2. Compromise of EUCI occurs when, as a result of a breach of security, it has wholly or in part been disclosed to unauthorised persons 3. Any breach or suspected breach of security shall be reported immediately to the competent security authority. 25
Additional requirements for EU CONFIDENTIAL and above 26 Personnel Security • Additional clearance requirements • Authorised by the GSC Appointing Authority Physical security • Handled in a Secured Areas • Shall be used only approved equipment or devices Management of classified information • Shall be registered for security purposes prior to distribution and on receipt Protection of EUCI handled in communication and information systems • Protection against compromise of such information through unintentional electromagnetic emanations (‘TEMPEST security measures’).
• !!! Высокие требования ИБ уже от уровня Classified. Мы не можем обрабатывать Confidential (нужен допуск людей и что-то типа «аккредитации» для компании) • По сути Конфидентиал типа нашего ДСП, если бы регуляторам хватило воли… • Риск Менеджмент • Отдельные требования для «Industrial security» • Уведомление об утечках • Критерии для security clearance, что проверяют для уровня Confidential и выше • Общие требования к защите Секретно и выше вполне доступны • Модель мер схожа с NIST Deterrence, Prevention, Detection, Resilience, Recovery • Awareness • СКЗИ проходят обобрение уже с уровня Restricted • Проверка персонала разынх уровней Security investigation criteria 27 Thanks!

Recommended

NIST Zero Trust Explained
NIST Zero Trust ExplainedNIST Zero Trust Explained
NIST Zero Trust Explained
rtp2009
 
Physical security
Physical securityPhysical security
Physical security
Dhani Ahmad
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
Donald Tabone
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES
Priyanka Aash
 
Iso 27001 foundation sample slides
Iso 27001 foundation sample slidesIso 27001 foundation sample slides
Iso 27001 foundation sample slides
Stratos Lazaridis
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 

Recommended

NIST Zero Trust Explained
NIST Zero Trust ExplainedNIST Zero Trust Explained
NIST Zero Trust Explained
rtp2009
 
Physical security
Physical securityPhysical security
Physical security
Dhani Ahmad
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
Donald Tabone
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES
Priyanka Aash
 
Iso 27001 foundation sample slides
Iso 27001 foundation sample slidesIso 27001 foundation sample slides
Iso 27001 foundation sample slides
Stratos Lazaridis
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical Controls
MLG College of Learning, Inc
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
Kimberly Simon MBA
 
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
Denise Bailey
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
Elliott Franklin
 
Osint {open source intelligence }
Osint {open source intelligence }Osint {open source intelligence }
Osint {open source intelligence }
AkshayJha40
 
Hacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and ThreatsHacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and Threats
Eric Vanderburg
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
Tanmay Shinde
 
Lesson 3- Remote Access
Lesson 3- Remote AccessLesson 3- Remote Access
Lesson 3- Remote Access
MLG College of Learning, Inc
 
8. operations security
8. operations security8. operations security
8. operations security
7wounders
 
IT compliance
IT complianceIT compliance
IT compliance
Phan Vuong
 
CA_Module_1.pptx
CA_Module_1.pptxCA_Module_1.pptx
CA_Module_1.pptx
YazanSalileh
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
IT Governance Ltd
 
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementationPrivacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
PECB
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
Maganathin Veeraragaloo
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
Priyanka Aash
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
PECB
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
Julia Urbina-Pineda
 
NQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 MappingNQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 Mapping
NQA
 
4. Define communication security, information security, network secu.pdf
4. Define communication security, information security, network secu.pdf4. Define communication security, information security, network secu.pdf
4. Define communication security, information security, network secu.pdf
arvindarora20042013
 
Celex 32015 d0444 en txt
Celex 32015 d0444 en txtCelex 32015 d0444 en txt
Celex 32015 d0444 en txt
Henry652090
 

More Related Content

What's hot

8. operations security
8. operations security8. operations security
8. operations security
7wounders
 
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementationPrivacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
PECB
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
PECB
 

What's hot (20)

Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical Controls
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Osint {open source intelligence }
Osint {open source intelligence }Osint {open source intelligence }
Osint {open source intelligence }
 
Hacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and ThreatsHacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and Threats
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
 
Lesson 3- Remote Access
Lesson 3- Remote AccessLesson 3- Remote Access
Lesson 3- Remote Access
 
8. operations security
8. operations security8. operations security
8. operations security
 
IT compliance
IT complianceIT compliance
IT compliance
 
CA_Module_1.pptx
CA_Module_1.pptxCA_Module_1.pptx
CA_Module_1.pptx
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementationPrivacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
 
NQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 MappingNQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 Mapping
 

Similar to The security rules for protecting EU classified information

4. Define communication security, information security, network secu.pdf
4. Define communication security, information security, network secu.pdf4. Define communication security, information security, network secu.pdf
4. Define communication security, information security, network secu.pdf
arvindarora20042013
 
Enterprise_Bank_Security_Manual_2.doc
Enterprise_Bank_Security_Manual_2.docEnterprise_Bank_Security_Manual_2.doc
Enterprise_Bank_Security_Manual_2.doc
richardkimlopez
 
(U fouo) committee on national security systems supply chain risk management ...
(U fouo) committee on national security systems supply chain risk management ...(U fouo) committee on national security systems supply chain risk management ...
(U fouo) committee on national security systems supply chain risk management ...
PublicLeaker
 
(U fouo) committee on national security systems supply chain risk management ...
(U fouo) committee on national security systems supply chain risk management ...(U fouo) committee on national security systems supply chain risk management ...
(U fouo) committee on national security systems supply chain risk management ...
PublicLeaks
 
ADAM ADLER FLORIDA
ADAM ADLER FLORIDA ADAM ADLER FLORIDA
ADAM ADLER FLORIDA
AdamAdler10
 
Physical security.docx
Physical security.docxPhysical security.docx
Physical security.docx
MVNVKUMAR
 

Similar to The security rules for protecting EU classified information (20)

4. Define communication security, information security, network secu.pdf
4. Define communication security, information security, network secu.pdf4. Define communication security, information security, network secu.pdf
4. Define communication security, information security, network secu.pdf
 
Celex 32015 d0444 en txt
Celex 32015 d0444 en txtCelex 32015 d0444 en txt
Celex 32015 d0444 en txt
 
Enterprise_Bank_Security_Manual_2.doc
Enterprise_Bank_Security_Manual_2.docEnterprise_Bank_Security_Manual_2.doc
Enterprise_Bank_Security_Manual_2.doc
 
Introduction to Security
Introduction to SecurityIntroduction to Security
Introduction to Security
 
(U fouo) committee on national security systems supply chain risk management ...
(U fouo) committee on national security systems supply chain risk management ...(U fouo) committee on national security systems supply chain risk management ...
(U fouo) committee on national security systems supply chain risk management ...
 
(U fouo) committee on national security systems supply chain risk management ...
(U fouo) committee on national security systems supply chain risk management ...(U fouo) committee on national security systems supply chain risk management ...
(U fouo) committee on national security systems supply chain risk management ...
 
Chapter 3 Orientation with Security Equipment's and Functionality and Fire F...
Chapter 3 Orientation with Security Equipment's and Functionality and Fire F...Chapter 3 Orientation with Security Equipment's and Functionality and Fire F...
Chapter 3 Orientation with Security Equipment's and Functionality and Fire F...
 
Working paper icao
Working paper icaoWorking paper icao
Working paper icao
 
Crisp kaleidoscope presentation 13112015
Crisp kaleidoscope presentation 13112015Crisp kaleidoscope presentation 13112015
Crisp kaleidoscope presentation 13112015
 
ADAM ADLER FLORIDA
ADAM ADLER FLORIDA ADAM ADLER FLORIDA
ADAM ADLER FLORIDA
 
Accellion - The European Information Security Summit, London
Accellion - The European Information Security Summit, LondonAccellion - The European Information Security Summit, London
Accellion - The European Information Security Summit, London
 
BLE 1213 MUST (PSY - Session 1).pptx-Student HO.
BLE 1213 MUST (PSY - Session 1).pptx-Student HO.BLE 1213 MUST (PSY - Session 1).pptx-Student HO.
BLE 1213 MUST (PSY - Session 1).pptx-Student HO.
 
BLE 1213 MUST (PSY - Session 1).pptx-Student HO.
BLE 1213 MUST (PSY - Session 1).pptx-Student HO.BLE 1213 MUST (PSY - Session 1).pptx-Student HO.
BLE 1213 MUST (PSY - Session 1).pptx-Student HO.
 
BLE 1213 MUST.pptx- basics principles of Physical Security
BLE 1213 MUST.pptx- basics principles of Physical SecurityBLE 1213 MUST.pptx- basics principles of Physical Security
BLE 1213 MUST.pptx- basics principles of Physical Security
 
Physical security.docx
Physical security.docxPhysical security.docx
Physical security.docx
 
QLD EILS Seminar: Emerging Issues in Workplace Privacy
QLD EILS Seminar: Emerging Issues in Workplace PrivacyQLD EILS Seminar: Emerging Issues in Workplace Privacy
QLD EILS Seminar: Emerging Issues in Workplace Privacy
 
Membangunkan Dokumentasi KKP untuk Makmal
Membangunkan Dokumentasi KKP untuk MakmalMembangunkan Dokumentasi KKP untuk Makmal
Membangunkan Dokumentasi KKP untuk Makmal
 
Dive into anything.pdf
Dive into anything.pdfDive into anything.pdf
Dive into anything.pdf
 
Security audit
Security auditSecurity audit
Security audit
 
Chapter008
Chapter008Chapter008
Chapter008
 

More from Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001

More from Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001 (20)

pr ISMS Documented Information (lite).pdf
pr ISMS Documented Information (lite).pdfpr ISMS Documented Information (lite).pdf
pr ISMS Documented Information (lite).pdf
 
ISO Survey 2022: ISO 27001 certificates (ISMS)
ISO Survey 2022: ISO 27001 certificates (ISMS)ISO Survey 2022: ISO 27001 certificates (ISMS)
ISO Survey 2022: ISO 27001 certificates (ISMS)
 
12 Best Privacy Frameworks
12 Best Privacy Frameworks12 Best Privacy Frameworks
12 Best Privacy Frameworks
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
 
My 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
My 15 Years of Experience in Using Mind Maps for Business and Personal PurposesMy 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
My 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
 
ISO 27001 How to accelerate the implementation.pdf
ISO 27001 How to accelerate the implementation.pdfISO 27001 How to accelerate the implementation.pdf
ISO 27001 How to accelerate the implementation.pdf
 
How to use ChatGPT for an ISMS implementation.pdf
How to use ChatGPT for an ISMS implementation.pdfHow to use ChatGPT for an ISMS implementation.pdf
How to use ChatGPT for an ISMS implementation.pdf
 
pr Privacy Principles 230405 small.pdf
pr Privacy Principles 230405 small.pdfpr Privacy Principles 230405 small.pdf
pr Privacy Principles 230405 small.pdf
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdf
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
 
ISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdfISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdf
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdfAll about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
 
Supply management 1.1.pdf
Supply management 1.1.pdfSupply management 1.1.pdf
Supply management 1.1.pdf
 
Employee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdfEmployee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdf
 
GDPR RACI.pdf
GDPR RACI.pdfGDPR RACI.pdf
GDPR RACI.pdf
 
GDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdfGDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdf
 

Recently uploaded

Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
PoojaGadiya1
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
MollyBrown86
 
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
ShashankKumar441258
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书
E LSS
 
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
SS A
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
Aurora Consulting
 

Recently uploaded (20)

Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
 
Chp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptChp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .ppt
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptx
 
pnp FIRST-RESPONDER-IN-CRIME-SCENEs.pptx
pnp FIRST-RESPONDER-IN-CRIME-SCENEs.pptxpnp FIRST-RESPONDER-IN-CRIME-SCENEs.pptx
pnp FIRST-RESPONDER-IN-CRIME-SCENEs.pptx
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
 
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
 
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxMOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
 
THE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourTHE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labour
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书
 
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
 
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top BoutiqueAndrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptx
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptx
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
 

The security rules for protecting EU classified information

  • 1. The security rules for protecting EU classified information Andrey Prozorov, CISM
  • 2. Main document (requirements) • 2013/488/EU: Council Decision of 23 September 2013 on the security rules for protecting EU classified information • http://data.europa.eu/eli/dec/2 013/488/oj • Whereas (1 page), Decision (7) and Annexes (42) 2
  • 3. DECISION (Articles) + Annexes 1. Purpose, scope and definitions 2. Definition of EUCI, security classifications and markings 3. Classification management 4. Protection of classified information 5. Security risk management 6. Implementation of this Decision 7. Personnel security 8. Physical security 9. Management of classified information 10. Protection of EUCI handled in communication and information systems 11. Industrial security 12. Sharing EUCI 13. Exchange of classified information with third States and international organisations 14. Breaches of security and compromise of EUCI 15. Responsibility for implementation 16. The organisation of security in the Council 17. Security Committee 18. Replacement of previous decision 19. Entry into force • ANNEX I Personnel security • ANNEX II Physical security • ANNEX III Management of classified information • ANNEX IV Protection of EUCI handled in CIS • ANNEX V Industrial security • ANNEX VI Exchange of classified information with third States and international organisations • Appendix A Definitions • Appendix B Equivalence of security classifications • Appendix C List of national security authorities (NSAs) • Appendix D List of abbreviations EUCI - EU classified information CIS - Communication and information system 3
  • 4. Purpose and scope Article 1. Purpose, scope and definitions 1. This Decision lays down the basic principles and minimum standards of security for protecting EUCI. 2. These basic principles and minimum standards shall apply to the Council and the GSC and be respected by the Member States in accordance with their respective national laws and regulations, in order that each may be assured that an equivalent level of protection is afforded to EUCI. 4
  • 5. EUCI term ‘EU classified information’ (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States. 5
  • 6. Levels of EUCI and abbreviations TRÈS SECRET UE / EU TOP SECRET Information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of the Member States TS-UE/EU-TS SECRET UE / EU SECRET Information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of the Member States S-UE/EU-S CONFIDENTIEL UE / EU CONFIDENTIAL Information and material the unauthorised disclosure of which could harm the essential interests of the European Union or of one or more of the Member States C-UE/EU-C RESTREINT UE / EU RESTRICTED Information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States R-UE/EU-R !!! Label «Non-public» is not mentioned in the document !!! 6 
  • 7. 7
  • 8. Protection of classified information Article 4. Protection of classified information 1. EUCI shall be protected in accordance with this Decision. 2. The holder of any item of EUCI shall be responsible for protecting it in accordance with this Decision. … 8
  • 9. Requirements Security Risk Management Physical security Personnel security Management of classified information Protection of EUCI handled in communication and information systems Industrial security Sharing EUCI Exchange of classified information with third States and international organisations Breaches of security and compromise of EUCI 9
  • 10. Security risk management Article 5. Security risk management 1. Risk to EUCI shall be managed as a process. This process shall be aimed at determining known security risks, defining security measures to reduce such risks to an acceptable level in accordance with the basic principles and minimum standards set out in this Decision and at applying those measures in line with the concept of defence in depth as defined in Appendix A. The effectiveness of such measures shall be continuously evaluated. 2. Security measures for protecting EUCI throughout its lifecycle shall be commensurate in particular with its security classification, the form and the volume of the information or material, the location and construction of facilities housing EUCI and the locally assessed threat of malicious and/or criminal activities, including espionage, sabotage and terrorism. 3. Contingency plans shall take account of the need to protect EUCI during emergency situations in order to prevent unauthorised access, disclosure or loss of integrity or availability. 4. Preventive and recovery measures to minimise the impact of major failures or incidents on the handling and storage of EUCI shall be included in business continuity plans. 10
  • 11. Personnel security Article 7. Personnel security 1. Personnel security is the application of measures to ensure that access to EUCI is granted only to individuals who have: — a need-to-know, — been security cleared to the relevant level, where appropriate, and — been briefed on their responsibilities. 2. Personnel security clearance procedures shall be designed to determine whether an individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to access EUCI. 11
  • 12. Physical Security Article 8. Physical security 1. Physical security is the application of physical and technical protective measures to prevent unauthorised access to EUCI. 2. Physical security measures shall be designed to deny surreptitious or forced entry by an intruder, to deter, impede and detect unauthorised actions and to allow for segregation of personnel in their access to EUCI on a need-to-know basis. Such measures shall be determined based on a risk management process. … ANNEX II Physical Security 2. Physical security measures shall be designed to prevent unauthorised access to EUCI by: (a) ensuring that EUCI is handled and stored in an appropriate manner; (b) allowing for segregation of personnel in terms of access to EUCI on the basis of their need-to-know and, where appropriate, their security clearance; (c) deterring, impeding and detecting unauthorised actions; and (d) denying or delaying surreptitious or forced entry by intruders. 12
  • 13. Physical security measures ANNEX II Physical Security 4. The competent security authority, applying the concept of defence in depth, shall determine the appropriate combination of physical security measures to be implemented. These can include one or more of the following: (a) a perimeter barrier: a physical barrier which defends the boundary of an area requiring protection; (b) intrusion detection systems (IDS): an IDS may be used to enhance the level of security offered by a perimeter barrier, or in rooms and buildings in place of, or to assist, security staff; (c) access control: access control may be exercised over a site, a building or buildings on a site or to areas or rooms within a building. Control may be exercised by electronic or electro-mechanical means, by security personnel and/or a receptionist, or by any other physical means; (d) security personnel: trained, supervised and, where necessary, appropriately security-cleared security personnel may be employed, inter alia, in order to deter individuals planning covert intrusion; (e) closed circuit television (CCTV): CCTV may be used by security personnel in order to verify incidents and IDS alarms on large sites or at perimeters; (f) security lighting: security lighting may be used to deter a potential intruder, as well as to provide the illumination necessary for effective surveillance directly by security personnel or indirectly through a CCTV system; and (g) any other appropriate physical measures designed to deter or detect unauthorised access or prevent loss of or damage to EUCI. 13
  • 14. Physically protected areas ANNEX II Physical Security 14 14. For Administrative Areas: (a) a visibly defined perimeter shall be established which allows individuals and, where possible, vehicles to be checked; (b) unescorted access shall be granted only to individuals who are duly authorised by the competent authority; and (c) all other individuals shall be escorted at all times or be subject to equivalent controls. 15. For Secured Areas: (a) a visibly defined and protected perimeter shall be established through which all entry and exit are controlled by means of a pass or personal recognition system; (b) unescorted access shall be granted only to individuals who are security-cleared and specifically authorised to enter the area on the basis of their need-to-know; and (c) all other individuals shall be escorted at all times or be subject to equivalent controls.
  • 15. Management of classified information Article 9. Management of classified information 1. The management of classified information is the application of administrative measures for controlling EUCI throughout its life- cycle to supplement the measures provided for in Articles 7, 8 and 10 and thereby help deter and detect deliberate or accidental compromise or loss of such information. Such measures relate in particular to the creation, registration, copying, translation, downgrading, declassification, carriage and destruction of EUCI.EN 15.10.2013 Official Journal of the European Union L 274/3 15
  • 16. Classification Management • Classifications and markings • Markings • Abbreviated classification markings • Creation of EUCI • Downgrading and declassification of EUCI 16
  • 17. Creation of EUCI ANNEX III. Management of classified information Creation of EUCI 13. When creating an EU classified document: (a) each page shall be marked clearly with the classification level; (b) each page shall be numbered; (c) the document shall bear a reference number and a subject, which is not itself classified information, unless it is marked as such; (d) the document shall be dated; and (e) documents classified SECRET UE/EU SECRET or above shall bear a copy number on every page, if they are to be distributed in several copies. 17
  • 18. IA and CIS Article 10. Protection of EUCI handled in communication and information systems 1. Information Assurance (IA) in the field of communication and information systems is the confidence that such systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. Effective IA shall ensure appropriate levels of confidentiality, integrity, availability, non-repudiation and authenticity. IA shall be based on a risk management process. 2. ‘Communication and Information System’ (CIS) means any system enabling the handling of information in electronic form. A CIS shall comprise the entire assets required for it to operate, including the infrastructure, organisation, personnel and information resources. This Decision shall apply to CIS handling EUCI. 3. CIS shall handle EUCI in accordance with the concept of IA. 18
  • 19. IA properties and concepts ANNEX IV. Protection of EUCI handled in communication and information systems 2. The following IA properties and concepts are essential for the security and correct functioning of operations on CIS: • Authenticity: the guarantee that information is genuine and from bona fide sources; • Availability: the property of being accessible and usable upon request by an authorised entity; • Confidentiality: the property that information is not disclosed to unauthorised individuals, entities or processes; • Integrity: the property of safeguarding the accuracy and completeness of information and assets; • Non-repudiation: the ability to prove an action or event has taken place, so that this event or action cannot subsequently be denied. 19
  • 20. Information assurance principles • Security risk management • Security throughout the CIS life-cycle • Best practice • Defence in depth • Principle of minimality and least privilege • Information Assurance awareness • Evaluation and approval of IT-security products • Transmission within Secured and Administrative Areas • Secure interconnection of CIS • Computer storage media • Emergency circumstances 20
  • 21. Technical and non-technical security measures ANNEX IV. Protection of EUCI handled in communication and information systems Defence in depth 16. To mitigate risk to CIS, a range of technical and non-technical security measures, organised as multiple layers of defence, shall be implemented. These layers shall include: (a) Deterrence: security measures aimed at dissuading any adversary planning to attack the CIS; (b) Prevention: security measures aimed at impeding or blocking an attack on the CIS; (c) Detection: security measures aimed at discovering the occurrence of an attack on the CIS; (d) Resilience: security measures aimed at limiting impact of an attack to a minimum set of information or CIS assets and preventing further damage; and (e) Recovery: security measures aimed at regaining a secure situation for the CIS. The degree of stringency of such security measures shall be determined following a risk assessment. 21
  • 22. Information Assurance awareness ANNEX IV. Protection of EUCI handled in communication and information systems Information Assurance awareness 21. Awareness of the risks and available security measures is the first line of defence for the security of CIS. In particular all personnel involved in the life- cycle of CIS, including users, shall understand: (a) that security failures may significantly harm the CIS; (b) the potential harm to others which may arise from interconnectivity and interdependency; and (c) their individual responsibility and accountability for the security of CIS according to their roles within the systems and processes. 22. To ensure that security responsibilities are understood, IA education and awareness training shall be mandatory for all personnel involved, including senior management and CIS users. 22
  • 23. Cryptography ANNEX IV. Protection of EUCI handled in communication and information systems 6. Where the protection of EUCI is provided by cryptographic products, such products shall be approved as follows: (a) the confidentiality of information classified SECRET UE/EU SECRET and above shall be protected by cryptographic products approved by the Council as Crypto Approval Authority (CAA), upon recommendation by the Security Committee; (b) the confidentiality of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED shall be protected by cryptographic products approved by the Secretary-General of the Council (‘the Secretary- General‘) as CAA, upon recommendation by the Security Committee. Notwithstanding point (b), within Member States’ national systems, the confidentiality of EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED may be protected by cryptographic products approved by a Member State’s CAA. 23
  • 24. Industrial security Article 11. Industrial security 1. Industrial security is the application of measures to ensure the protection of EUCI by contractors or subcontractors in pre- contract negotiations and throughout the life-cycle of classified contracts. Such contracts shall not involve access to information classified TRИS SECRET UE/EU TOP SECRET. … 24
  • 25. Breaches and compromise Article 14. Breaches of security and compromise of EUCI 1. A breach of security occurs as the result of an act or omission by an individual which is contrary to the security rules laid down in this Decision. 2. Compromise of EUCI occurs when, as a result of a breach of security, it has wholly or in part been disclosed to unauthorised persons 3. Any breach or suspected breach of security shall be reported immediately to the competent security authority. 25
  • 26. Additional requirements for EU CONFIDENTIAL and above 26 Personnel Security • Additional clearance requirements • Authorised by the GSC Appointing Authority Physical security • Handled in a Secured Areas • Shall be used only approved equipment or devices Management of classified information • Shall be registered for security purposes prior to distribution and on receipt Protection of EUCI handled in communication and information systems • Protection against compromise of such information through unintentional electromagnetic emanations (‘TEMPEST security measures’).
  • 27. • !!! Высокие требования ИБ уже от уровня Classified. Мы не можем обрабатывать Confidential (нужен допуск людей и что-то типа «аккредитации» для компании) • По сути Конфидентиал типа нашего ДСП, если бы регуляторам хватило воли… • Риск Менеджмент • Отдельные требования для «Industrial security» • Уведомление об утечках • Критерии для security clearance, что проверяют для уровня Confidential и выше • Общие требования к защите Секретно и выше вполне доступны • Модель мер схожа с NIST Deterrence, Prevention, Detection, Resilience, Recovery • Awareness • СКЗИ проходят обобрение уже с уровня Restricted • Проверка персонала разынх уровней Security investigation criteria 27 Thanks!