Commission Decision (EU, Euratom) 2017/46Dangos y teitl llawn

CHAPTER 2 ORGANISATION AND RESPONSIBILITIES

Article 4Corporate Management Board

The Corporate Management Board shall take the overall responsibility for the governance of IT security as a whole within the Commission.

Article 5Information Security Steering Board (ISSB)

1.The ISSB shall be chaired by the Deputy Secretary-General responsible for IT security governance in the Commission. Its members shall represent business, technology and security interests across the Commission departments and include representatives of the Directorate-General for Informatics, the Directorate-General for Human Resources and Security, the Directorate-General for Budget, and, on a 2-year rotating basis, representatives of four other Commission departments involved where IT security is a major concern for their operations. Membership is at senior management level.

2.The ISSB shall support the Corporate Management Board in its IT-security-related tasks. The ISSB shall take the operational responsibility for the governance of IT security as a whole within the Commission.

3.The ISSB shall recommend the Commission's IT security policy for adoption by the Commission.

4.The ISSB shall review and report biannually to the Corporate Management Board on governance matters as well as on IT-security-related issues, including serious IT security incidents.

5.The ISSB shall monitor and review the overall implementation of this decision and report on it to the Corporate Management Board.

6.On the proposal of the Directorate-General for Informatics, the ISSB shall review, approve and monitor the implementation of the rolling IT security strategy. The ISSB shall report on it to the Corporate Management Board.

7.The ISSB shall monitor, evaluate and control the corporate information risk treatment landscape and shall have the power to issue formal requirements for improvements wherever necessary.

The processes related to these responsibilities and activities shall be further detailed in implementing rules.

Article 6The Directorate-General for Human Resources and Security

In relation to IT security, the Directorate-General for Human Resources and Security has the following responsibilities. It shall:

The processes related to these responsibilities and activities shall be further detailed in implementing rules.

Article 7The Directorate-General for Informatics

In relation to the overall IT security of the Commission, the Directorate-General for Informatics has the following responsibilities. It shall:

The related processes and more detailed responsibilities shall be further defined in implementing rules.

Article 8Commission departments

In relation to IT security in their department, each Head of Commission department shall:

The processes related to these responsibilities and activities shall be further detailed in implementing rules.

Article 9System owners

1.The system owner is responsible for the IT security of the CIS, and reports to the Head of the Commission department.

2.In relation to IT security, the system owner shall:

(a)ensure the compliance of the CIS with the IT security policy;

(b)ensure that the CIS is accurately recorded in the relevant inventory;

(c)assess IT security risks and determine the IT security needs for each CIS, in collaboration with the data owners and in consultation with the Directorate-General for Informatics;

(d)prepare a security plan, including, where appropriate, details of the assessed risks and any additional security measures required;

(e)implement appropriate IT security measures, proportionate to the IT security risks identified and follow recommendations endorsed by the ISSB;

(f)identify any dependencies on other CISs or shared IT services and implement security measures as appropriate based on the security levels proposed by those CISs or shared IT services;

(g)manage and monitor IT security risks;

(h)report regularly to the head of the Commission department on the IT security risk profile of their CIS and report to the Directorate-General for Informatics on the related risks, risk management activities and security measures taken;

(i)consult the LISO of the relevant Commission department(s) on aspects of IT Security;

(j)issue instructions for users on the use of the CIS and associated data as well as on the responsibilities of users related to CIS;

(k)request authorisation from the Directorate-General for Human Resources and Security, acting as the Crypto Authority, for any CIS that uses encrypting technology.

(l)consult the Commission Security Authority in advance concerning any system processing EU classified information;

(m)ensure that back-ups of any decryption keys are stored in an escrow account. The recovery of encrypted data shall be carried out only when authorised in accordance with the framework defined by the Directorate-General for Human Resources and Security;

(n)respect any instructions from the relevant Data Controller(s) concerning the protection of personal data and the application of data protection rules on security of the processing;

(o)notify the Directorate-General for Informatics of any exceptions to the Commission's IT security policy including relevant justifications;

(p)report any unresolvable disagreements between the data owner and the system owner to the head of the Commission department, communicate IT security incidents to the relevant stakeholders in a timely manner as appropriate according to their severity as laid down in Article 15;

(q)for outsourced systems, ensure that appropriate IT security provisions are included in the outsourcing contracts and that IT security incidents occurring in the outsourced CIS are reported in accordance with Article 15;

(r)for CIS providing shared IT services, ensure that a defined security level is provided, clearly documented and security measures are implemented for that CIS in order to reach the defined security level.

3.System owners may formally delegate some or all of their IT security tasks but they remain responsible for the IT security of their CIS

The processes related to these responsibilities and activities shall be further detailed in implementing rules.

Article 10Data owners

1.The data owner is responsible for the IT security of a specific data set to the Head of the Commission department and is accountable for the confidentiality, integrity and availability of the data set.

2.In relation to this data set, the data owner shall:

(a)ensure that all data sets under his or her responsibility are appropriately classified in accordance with Decision (EU, Euratom) 2015/443 and (EU, Euratom) 2015/444;

(b)define the information security needs and inform the relevant system owners of these needs;

(c)participate in the CIS risk assessment;

(d)report any unresolvable disagreements between the data owner and the system owner to the head of the Commission department;

(e)communicate IT security incidents as provided for in Article 15.

3.Data owners may formally delegate some or all of their IT security tasks but they maintain their responsibilities as defined in this Article.

The processes related to these responsibilities and activities shall be further detailed in implementing rules.

Article 11Local Informatics Security Officers (LISOs)

In relation to IT security, the LISO shall:

The processes related to these responsibilities and activities shall be further detailed in implementing rules.

Article 12Users

1.In relation to IT security, users shall:

(a)comply with the IT security policy and the instructions issued by the system owner on the use of each CIS;

(b)communicate IT security incidents as provided for in Article 15.

2.Use of the Commission's CIS in breach of the IT security policy or instructions issued by the system owner may give rise to disciplinary proceedings.

The processes related to these responsibilities and activities shall be further detailed in implementing rules