DECISION AB n° 13/2015 OF THE ADMINISTRATIVE BOARD OF THE AGENCY FOR THE COOPERATION OF ENERGY REGULATORS

of 17 September 2015

establishing security measures and procedures in the form of a Security Policy and an operational Security Manual

THE ADMINISTRATIVE BOARD OF THE AGENCY FOR THE COOPERATION OF ENERGY REGULATORS,

HAVING REGARD to Regulation (EC) No 713/2009 of the European Parliament and of the Council of 13 July 2009 establishing an Agency for the Cooperation of Energy Regulators [1] and, in particular, Articles 1(1) and 13(4) thereof,

WHEREAS:

(1) It is appropriate to establish operational procedures and measures to ensure that all activities which require handling EU classified information (EUCI) are covered by a comprehensive security system for protecting classified information.

(2) In accordance with national laws and regulations and to the extent required for the functioning of the Agency, the Member States should respect this Decision when their competent authorities, personnel or contractors handle EUCI, in order that each may be assured that an equivalent level of protection is afforded to EUCI.

(3) The Agency should determine the appropriate framework for sharing EUCI held by the Agency with other Union institutions, bodies, offices or agencies, as appropriate, in accordance with this Decision and inter-institutional arrangements in force.

(4) EU Special Representatives and the members of their teams should apply the security rules adopted by the Agency for protecting EUCI where so provided in the relevant Agency act.

(5) In order to ensure the application of the security rules for protecting EUCI in a timely manner this Decision should enter into force on the date of its publication,

(6) It is necessary for the Agency to establish an operational structure for crisis management in the form of procedures, alert states and measures to be used under all foreseeable security conditions.
Having appropriate and proportionate security measures in place will ensure that the Agency staff and its premises are adequately equipped to respond to the relevant risk level.

[1] OJ L211, 14.8.2009, p.1

Page 1 of 124

(7) It is necessary to implement these principles through a security policy of the Agency and an operational security manual,

HAS ADOPTED THIS DECISION:

Article 1

The Security Policy and the Operational Security Manual, as annexed to this Decision as per Annex A and Annex B, are hereby adopted.

Article 2

The Director of the Agency is delegated to adopt decisions and administrative notices to implement or make non-essential amendments to the Security Policy and the operational Security Manual.

The Director of the Agency may delegate the tasks mentioned in the first paragraph of this Article to the Agency's Security Officer by a separate delegation decision, in full compliance with the internal rules of procedure.

Article 3

This Decision shall enter into force on the date of its signature. The Decision shall be communicated to the staff, brought to the attention of the Staff Committee and published on the intranet of the Agency.

Done at Ljubljana on 17 September 2015.

For the Administrative Board:
SIGNED
Razvan Eugen Nicolescu
Chairman of the Administrative Board

ANNEX A

SECURITY POLICY OF THE AGENCY FOR THE COOPERATION OF ENERGY REGULATORS

Article 1
Purpose, scope and definitions

1. This Decision lays down the basic principles and minimum standards of security for protecting EU Classified Information (EUCI).

2. These basic principles and minimum standards shall apply to the Agency and be respected by the counterparties belonging to Member States which may engage in exchange or use of information owned by or in the custody of the Agency in accordance with their respective national laws and regulations, in order that each may be assured that an equivalent level of protection is afforded to EUCI.

3.
For the purposes of this Decision, the definitions set out in Appendix A of Annex A shall apply.

Article 2
Definition of EUCI, security classifications and markings

1. EUCI means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States.

2. EUCI shall be classified at one of the following levels:

a) TRES SECRET UE/EU TOP SECRET: information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of the Member States;

b) SECRET UE/EU SECRET: information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of the Member States;

c) CONFIDENTIEL UE/EU CONFIDENTIAL: information and material the unauthorised disclosure of which could harm the essential interests of the European Union or of one or more of the Member States;

d) RESTREINT UE/EU RESTRICTED: information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States.

3. EUCI shall bear a security classification marking in accordance with paragraph 2. It may bear additional markings to designate the field of activity to which it relates, identify the originator, limit distribution, restrict use or indicate releasability.

Article 3
Classification management

1. The competent authorities shall ensure that EUCI is appropriately classified, clearly identified as classified information and retains its classification level for only as long as necessary.

2. EUCI shall not be downgraded or declassified nor shall any of the markings referred to in Article 2(3) be modified or removed without the prior written consent of the originator.

3.
The Agency shall approve a security policy on creating EUCI which shall include a practical classification guide.

Article 4
Protection of classified information

1. EUCI shall be protected in accordance with this Decision.

2. The holder of any item of EUCI shall be responsible for protecting it in accordance with this Decision.

3. Where Member States introduce classified information bearing a national security classification marking into the structures or networks of the Union, the Agency shall protect that information in accordance with the requirements applicable to EUCI at the equivalent level as set out in the table of equivalence of security classifications contained in Appendix B.

4. An aggregate of EUCI may warrant a level of protection corresponding to a higher classification than that of its individual components.

Article 5
Security risk management

1. Risk to EUCI shall be managed as a process. This process shall be aimed at determining known security risks, defining security measures to reduce such risks to an acceptable level in accordance with the basic principles and minimum standards set out in this Decision and at applying those measures in line with the concept of defence in depth as defined in Appendix A of Annex A. The effectiveness of such measures shall be continuously evaluated.

2. Security measures for protecting EUCI throughout its life-cycle shall be commensurate in particular with its security classification, the form and the volume of the information or material, the location and construction of facilities housing EUCI and the locally assessed threat of malicious and/or criminal activities, including espionage, sabotage and terrorism.

3. Contingency plans shall take account of the need to protect EUCI during emergency situations in order to prevent unauthorised access, disclosure or loss of integrity or availability.

4.
Preventive and recovery measures to minimise the impact of major failures or incidents on the handling and storage of EUCI shall be included in business continuity plans.

Article 6
Implementation of this Decision

1. Where necessary, the Director, on recommendation by the Security Committee, shall approve security policies setting out measures for implementing this Decision.

2. The Agency Security Committee may agree at its level security guidelines to supplement or support this Decision and any security policies approved by the Director.

Article 7
Personnel security

1. Personnel security is the application of measures to ensure that access to EUCI is granted only to individuals who have:

a) a need-to-know,

b) been security cleared to the relevant level, where appropriate, and

c) been briefed on their responsibilities.

2. Personnel security clearance procedures shall be designed to determine whether an individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to access EUCI.

3. All staff members in the Agency whose duties require them to have access to or handle EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be security cleared to the relevant level before being granted access to such EUCI. Such individuals must be authorised by the ASA to access EUCI up to a specified level and up to a specified date.

4. Personnel of counterparties belonging to a Member State referred to in Article 15(3) whose duties may require access to EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be security cleared to the relevant level or otherwise duly authorised by virtue of their functions, in accordance with national laws and regulations, before being granted access to such EUCI.

5. Before being granted access to EUCI and at regular intervals thereafter, all individuals shall be briefed on and acknowledge their responsibilities to protect EUCI in accordance with this Decision.

6.
Provisions for implementing this Article are set out in Annex I.

Article 8
Physical security

1. Physical security is the application of physical and technical protective measures to prevent unauthorised access to EUCI.

2. Physical security measures shall be designed to deny surreptitious or forced entry by an intruder, to deter, impede and detect unauthorised actions and to allow for segregation of personnel in their access to EUCI on a need-to-know basis. Such measures shall be determined based on a risk management process.

3. Physical security measures shall be put in place for all premises, buildings, offices, rooms and other areas in which EUCI is handled or stored, including areas housing communication and information systems as defined in Article 10(2).

4. Areas in which EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is stored shall be established as Secured Areas in accordance with Annex II and approved by the competent security authority.

5. Only approved equipment or devices shall be used for protecting EUCI at the level CONFIDENTIEL UE/EU CONFIDENTIAL or above.

6. Provisions for implementing this Article are set out in Annex II.

Article 9
Management of classified information

1. The management of classified information is the application of administrative measures for controlling EUCI throughout its life-cycle to supplement the measures provided for in Articles 7, 8 and 10 and thereby help deter and detect deliberate or accidental compromise or loss of such information. Such measures relate in particular to the creation, registration, transmission, copying, translation, downgrading, declassification, carriage and destruction of EUCI.

2. Information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be registered for security purposes prior to distribution and on receipt. The Director and the counterparties in the Member States shall establish a registry system for this purpose.
Information classified TRES SECRET UE/EU TOP SECRET shall be registered in designated registries.

3. Services and premises where EUCI is handled or stored shall be subject to regular inspection by the European Commission Directorate General Human Resources and Security – Security Directorate or by the Agency Security Office.

4. EUCI shall be conveyed between services and premises outside physically protected areas as follows:

(a) as a general rule, EUCI shall be transmitted by electronic means protected by cryptographic products approved in accordance with Article 10(6);

(b) when the means referred to in point (a) are not used, EUCI shall be carried either:

(i) on electronic media (e.g. USB sticks, CDs, hard drives) protected by cryptographic products approved in accordance with Article 10(6); or

(ii) in all other cases, as prescribed by the competent security authority in accordance with the relevant protective measures laid down in Annex III.

5. Provisions for implementing this Article are set out in Annexes III and IV.

Article 10
Protection of EUCI handled in communication and information systems

1. Information Assurance (IA) in the field of communication and information systems is the confidence that such systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. Effective IA shall ensure appropriate levels of confidentiality, integrity, availability, non-repudiation and authenticity. IA shall be based on a risk management process.

2. 'Communication and Information System' (CIS) means any system enabling the handling of information in electronic form. A CIS shall comprise the entire assets required for it to operate, including the infrastructure, organisation, personnel and information resources. This Decision shall apply to CIS handling EUCI.

3. CIS shall handle EUCI in accordance with the concept of IA.

4. All CIS shall undergo an accreditation process.
Accreditation shall aim at obtaining assurance that all appropriate security measures have been implemented and that a sufficient level of protection of the EUCI and of the CIS has been achieved in accordance with this Decision. The accreditation statement shall determine the maximum classification level of the information that may be handled in a CIS as well as the corresponding terms and conditions.

5. Security measures shall be implemented to protect CIS handling information classified CONFIDENTIEL UE/EU CONFIDENTIAL and above against compromise of such information through unintentional electromagnetic emanations ('TEMPEST security measures'). Such security measures shall be commensurate with the risk of exploitation and the level of classification of the information.

6. Where the protection of EUCI is provided by cryptographic products, such products shall be approved as follows:

(a) the confidentiality of information classified SECRET UE/EU SECRET and above shall be protected by cryptographic products approved by the Director as Crypto Approval Authority (CAA), upon recommendation by the Agency Security Committee;

(b) the confidentiality of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED shall be protected by cryptographic products approved by the Director as CAA, upon recommendation by the Agency Security Committee.

Notwithstanding point (b), within Member States' national systems, the confidentiality of EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED may be protected by cryptographic products approved by a Member State's CAA.

7. During transmission of EUCI by electronic means, approved cryptographic products shall be used. Notwithstanding this requirement, specific procedures may be applied under emergency circumstances or specific technical configurations as specified in Annex IV.

8.
The Director and the competent authorities of the Member States respectively shall establish or identify the following IA functions:

(a) an IA Authority (IAA);

(b) a TEMPEST Authority (TA);

(c) a Crypto Approval Authority (CAA);

(d) a Crypto Distribution Authority (CDA).

9. For each system, the competent authorities of the Agency and of the Member States respectively shall establish:

(a) a Security Accreditation Authority (SAA);

(b) an IA Operational Authority.

10. Provisions for implementing this Article will be defined following the conclusion of agreements with supervisory authorities, international organisations and the administrations of third countries.

Article 11
Industrial security

1. Industrial security is the application of measures to ensure the protection of EUCI by contractors or subcontractors in pre-contract negotiations and throughout the life-cycle of classified contracts. Such contracts shall not involve access to information classified TRES SECRET UE/EU TOP SECRET.

2. The Agency may entrust tasks involving or entailing access to or the handling or storage of EUCI by industrial or other entities registered in a Member State or in a third State which has concluded an agreement or an administrative arrangement in accordance with point (a) or (b) of Article 13(2).

3. The Agency, as contracting authority, shall ensure that the minimum standards on industrial security set out in this Decision, and referred to in the contract, are complied with when awarding classified contracts to industrial or other entities.

4. The National Security Authority (NSA), the Designated Security Authority (DSA) or any other counterparties of each Member State shall ensure, to the extent possible under national laws and regulations, that contractors and subcontractors registered in their territory take all appropriate measures to protect EUCI in pre-contract negotiations and when performing a classified contract.

5.
The NSA, DSA or any other competent security authority of each Member State shall ensure, in accordance with national laws and regulations, that contractors or subcontractors registered in the respective Member State participating in classified contracts or sub-contracts which require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET within their facilities, either in the performance of such contracts or during the pre-contractual stage, hold a Facility Security Clearance (FSC) at the relevant classification level.

6. Contractor or subcontractor personnel who, for the performance of a classified contract, require access to information classified CONFIDENTIEL UE/EU