    Decision of the High Representative of the Union for Foreign Affairs and Secu... (32023D0726(01))

    Security throughout the CIS-life cycle

    8. Ensuring security shall be a requirement throughout the entire CIS life-cycle from initiation to withdrawal from service.
    9. The role and interaction of each actor involved in a CIS with regard to its security shall be identified for each phase of the life-cycle.
    10. Any CIS, including its technical and non-technical security measures, shall be subject to security testing during the accreditation process to ensure that the appropriate level of assurance of the implemented security measures is obtained and to verify that they are correctly implemented, integrated and configured.
    11. Security assessments, inspections and reviews shall be performed periodically during the operation and maintenance of a CIS and when exceptional circumstances arise.
    12. Security documentation for a CIS shall evolve over its life-cycle as an integral part of the process of change and configuration management.

    Best practice

    13. The EEAS shall cooperate with GSC, Commission and Member States to develop best practice for protecting EUCI handled on CIS. Best practice guidelines shall set out technical, physical, organisational and procedural security measures for CIS with proven effectiveness in countering given threats and vulnerabilities.
    14. The protection of EUCI handled on CIS shall draw on lessons learned by entities involved in IA within and outside the EU.
    15. The dissemination and subsequent implementation of best practice shall help achieve an equivalent level of assurance for the various CIS operated by the EEAS which handle EUCI.

    Defence in depth

    16. To mitigate risk to CIS, a range of technical and non-technical security measures, organised as multiple layers of defence, shall be implemented. These layers shall include:
    (a) Deterrence: security measures aimed at dissuading any adversary planning to attack the CIS;
    (b) Prevention: security measures aimed at impeding or blocking an attack on the CIS;
    (c) Detection: security measures aimed at discovering the occurrence of an attack on the CIS;
    (d) Resilience: security measures aimed at limiting impact of an attack to a minimum set of information or CIS assets and preventing further damage; and
    (e) Recovery: security measures aimed at regaining a secure situation for the CIS.
    The degree of stringency and applicability of such security measures shall be determined following a risk assessment.
    17. The EEAS competent authorities shall ensure that they can respond to incidents which may transcend organisational and national boundaries to coordinate responses and share information about these incidents and the related risk (computer emergency response capabilities).

    Principle of minimality and least privilege

    18. Only the functionalities, devices and services to meet operational requirements shall be implemented in order to avoid unnecessary risk.
    19. CIS users and automated processes shall be given only the access, privileges or authorisations they require to perform their tasks in order to limit any damage resulting from accidents, errors, or unauthorised use of CIS resources.
    20. Registration procedures performed by a CIS, where required, shall be verified as part of the accreditation process.

    Information Assurance awareness

    21. Awareness of the risks and available security measures is the first line of defence for the security of CIS. In particular all personnel involved in the life-cycle of CIS, including users, shall understand:
    (a) that security failures may significantly harm the CIS and the whole organisation;
    (b) the potential harm to others which may arise from interconnectivity and interdependency; and