Information Security Regulation, Infosiv

Original Language Title: Änderung der Informationssicherheitsverordnung, InfoSiV


67. Regulation of the Federal Government, amending the Regulation on Information Security (Information Security Regulation, InfoSiV)

On the basis of § 6 of the Information Security Act (InfoSiG), BGBl. I No 23/2002, as last amended by the Federal Law BGBl. I No 10/2006, the following is ordered:

The Federal Government's Regulation on Information Security (Information Security Regulation, InfoSiV), BGBl. II No 548/2003, shall be amended as follows:

1. The heading "Content" is replaced by the heading "Table of Contents", which reads:

" § 1. Scope
§ 2. Classified information
§ 3. Classification levels
§ 4. Information Security Officer
§ 5. Access to classified information
§ 6. Briefing
§ 7. Transmission of classified information
§ 8. Marking
§ 9. Electronic processing and transmission of classified information
§ 10. Service obligations
§ 11. Administrative treatment
§ 12. Registration of classified information
§ 13. Safekeeping of classified information
§ 14. Copies and translations
§ 15. Destruction of classified information
§ 16. Control "

2. In § 2 (1), the phrase "Information, facts, objects and news" is replaced by the phrase "Information and materials provided with a classification note, and news".

3. § 2 (2) Z 3 and 4 read:

" 3. electronically processed data and their data carriers (e.g. e-mail);
4. sound and image carriers; "

4. § 3 (2) reads:

" (2) The classification, declassification and the downgrading of information shall be made by its author. The declassification shall be recorded in writing. Recipients of classified information shall be informed of the declassification. "

5. In § 5 (1), the expression "Appendix 1" is preceded by the word "Pattern:".

6. In § 5 (3) Z 2, the full stop is replaced by the word "and", and the following Z 3 is added:

" 3. they have committed themselves to maintaining the secrecy of classified information even after the end of their activity. "

7. §§ 6 to 9, together with their headings, read:

" Briefing

§ 6. (1) The briefing pursuant to § 5 (4) shall in any case include information on the InfoSiG, this Regulation, the applicable international and European legal obligations, any implementing regulations of the department, as well as the confidentiality obligations and the penalties for infringements of these obligations.

(2) The briefing shall raise awareness of threats to the security of classified information and shall ensure that the prescribed security standards are complied with and that all security breaches, including suspected ones, are reported. It must be given before access to classified information is granted and shall be repeated at regular intervals. Proof of the briefing must be recorded in writing (sample: Appendix 2).

Transmission of classified information

§ 7. (1) Prior to the transmission of classified information, it shall be ensured, by examination of the individual case or by compliance with the general rules laid down for this purpose, that the recipient meets the requirements of the InfoSiG and this Regulation.

(2) In the framework of mutual assistance, classified information may only be transmitted if the requesting body expressly requests it and demonstrates that the standard of protection required by the InfoSiG and this Regulation and the required personnel conditions can be guaranteed. The Information Security Officer shall be informed of the intended transmission.

(3) Documents of classification level RESTRICTED are to be transmitted in a closed envelope, and documents of classification level CONFIDENTIAL or higher in a double, opaque, closed envelope; the classification level, together with the address of the recipient, must be indicated only on the inner envelope, and an acknowledgement of receipt shall be enclosed (samples: Appendix 3). The outer envelope must not allow any inference about its contents.

(4) The written consent of the originator is required for the transmission of classified information of the TOP SECRET level.

(5) The transmission of classified information to third countries or international organisations, as well as to a contractor established in a third country, is only permitted with the prior written consent of the originator, unless international law or obligations under international law require disclosure without such consent.

(6) Classified information shall be transmitted in the following ways:

1. Oral transmission: In meetings with content of classification level CONFIDENTIAL or higher, the meeting leader shall ensure that the participants have been appropriately security-checked or are reliable and that the requirements are met. Records shall be classified. In the oral presentation of information classified SECRET or TOP SECRET, measures are to be taken against interception.

2. Personal transmission: Classified information of classification level CONFIDENTIAL or higher that is handed over in person must be handed over against acknowledgement of receipt. Transmission within a building must be carried out by persons authorised to do so, in a closed envelope on which only the name of the recipient appears; receipt shall be confirmed by acknowledgement of receipt. Within a building or a closed group of buildings, information up to the TOP SECRET level may be transported in a closed, opaque envelope.

3. Delivery by delivery services (post or private courier services), military and diplomatic couriers, and diplomatic bag:

a) Classified information of the RESTRICTED level may be transmitted by post or private courier services, by military and diplomatic couriers, by diplomatic bag, or as hand luggage of a person who has been appropriately briefed. The Information Security Commission shall decide whether the protective measures are fulfilled.

b) Classified information of the CONFIDENTIAL level may
- be transmitted by post or private courier services within the EU Member States and in States with which a bilateral agreement under § 14 InfoSiG or another international agreement containing rules on the transmission of such information in this way exists, provided that the services have the appropriate protective measures determined by the Information Security Commission;
- be transmitted by diplomatic bag or by military and diplomatic couriers, as well as in hand luggage, provided that the person(s) transmitting the classified information (the courier) has been security-checked at least to CONFIDENTIAL and is authorised to do so (samples: Appendix 4).

c) Classified information of the SECRET level may
- be transmitted domestically by post or private courier services, provided that they have the appropriate protective measures determined by the Information Security Commission;
- be transported by military and diplomatic couriers and as hand luggage, provided that the person(s) transmitting the classified information (the courier) has been security-checked at least to SECRET and is authorised to do so (samples: Appendix 4);
- in exceptional cases be transmitted by diplomatic bag if no other means of transmission is available.

d) Classified information of the TOP SECRET level may be carried by military and diplomatic couriers and as hand luggage, provided that the person(s) transmitting the classified information (the courier) has been security-checked to TOP SECRET and is authorised to do so (samples: Appendix 4).

Marking

§ 8. (1) Classified information shall be clearly and unambiguously identifiable by means of the markings defined in § 3 or in international or EU legal provisions.

(2) For information in paper form, the date, the business number, the originator, the marking at the top and bottom of each page, and a page numbering must be shown. Where necessary, the following may also be added:

1. a copyright notice;
2. further information, such as distribution restrictions (on each page);
3. a date for the downgrading of the classification.

(3) For information in electronic form, the file name shall carry the relevant classification level.

(4) On the first page of documents of classification level CONFIDENTIAL or higher, all annexes and attachments are to be listed.

Electronic processing and transmission of classified information

§ 9. (1) The processing of classified information in information and communication systems requires special security measures, which depend on:

1. the classification level,
2. the degree of emission security of the devices,
3. the nature and extent of networking,
4. the storage capacity and
5. local conditions.

(2) Information of classification level CONFIDENTIAL or higher may be processed on any information and communication system, provided that it has been accredited by the Information Security Commission. The specific requirements (the requirements themselves as well as the scale and degree of detail of the regulation) must be determined in coordination with the Information Security Commission. Information and communication systems that process information of the RESTRICTED classification level must comply with the requirements of the Information Security Commission, depending on the type and scope of the system (risk level, or complexity and networking). In any case, measures must be taken to identify and record access. In the case of information and communication systems serving the tasks of the Federal Army under Art. 79 (1) B-VG, these tasks shall be performed by the Federal Minister for Defence and Sport for his sphere of action.

(3) Information of classification level CONFIDENTIAL or higher that is processed on electronic equipment shall be protected in such a way that unauthorised knowledge of the information through electromagnetic emissions is prevented (TEMPEST security measures).

(4) In the case of transmission of classified information by electronic means, special protective measures, in particular encryption corresponding to the respective classification level, as well as the requirements of the Information Security Commission, are to be taken into account. Notwithstanding this requirement, special procedures or special technical configurations may be used in emergency situations, in agreement with the Information Security Commission. The transmission of classified information of classification level CONFIDENTIAL or higher is subject to the specifications of the Information Security Commission, using a qualified signature or, in the case of automated transmission, technically equivalent security requirements.

(5) The interconnection of an information and communication system in which classified information is processed with other systems requires appropriate protective measures. "

8. In § 10, the following paragraph 3 is added:

" (3) The loss of classified information shall be reported immediately to the head of the service and to the Information Security Officer. They shall take all necessary measures to identify the information, to avoid further disadvantages and to clarify the incident. These measures shall be recorded in an appropriate manner. The loss shall also be notified to the body from which the information originates. "

9. In the heading of § 11, the word "Law Firm" is replaced by the word "Administrative".

10. In § 11 (1), the expression "Appendix 1" is preceded by the word "Pattern:", and in (2) the word "Kanzleisysteme" is replaced by the words "Administrative systems".

11. §§ 12 to 14, together with their headings, read:

" Registration of classified information

§ 12. (1) The receipt and dispatch of each document classified CONFIDENTIAL or higher shall be registered; in the register, in addition to the information under § 11 (1), the originator, the date of receipt, the date of transmission and the administrative unit must be recorded (pattern: Appendix 1). Each stage of the circulation of the classified information shall be recorded in a suitable manner.

(2) Register books for classification levels CONFIDENTIAL and SECRET shall be classified at least RESTRICTED; register books for classification level TOP SECRET shall be classified SECRET.

(3) Paragraphs 1 and 2 shall also be complied with in the case of electronic registration.

Safekeeping of classified information

§ 13. (1) Information must be stored in the office premises in accordance with the relevant classification level and may be taken out of them only where necessary for official purposes.

(2) For the physical protection of classified information, the following areas are to be established:

1. Administrative areas: areas with a visibly defined external boundary enabling the control of persons and vehicles, which may be entered only by persons who have been granted authorisation. All other persons require a permanent escort or equivalent control.

2. Specially protected areas: areas with a visibly defined and protected boundary, with complete entry control (identity check or control according to identification class 2 of ÖNORM EN 50133-1:2003 "Alarm systems - Access control systems for use in security applications" of 1 November 2003) and exit control (control according to identification class 0 of ÖNORM EN 50133-1:2003), which may be entered without escort only by security-checked, reliable or specially authorised persons. All other persons require a permanent escort or equivalent control.

3. Specially protected areas with interception protection: areas which are additionally technically secured and equipped with intrusion alarm systems. Unauthorised communication links, electronic equipment and communication equipment are prohibited. During entry control, persons entering the area are to be checked for prohibited equipment. Regular inspections and technical checks shall be carried out.

(3) The selection of appropriate measures for the physical security of the premises shall be based on an assessment of the threat situation by the competent authorities, distinguishing between administrative areas and specially protected areas. Such measures, or a combination of them, may be:

1. entry barriers;
2. intrusion alarm systems;
3. access control;
4. security personnel;
5. video surveillance;
6. security lighting;
7. other appropriate physical measures.

(4) Information under § 2 (2) Z 1, 2 and 4 of all classification levels shall be kept in locked containers. For classification level RESTRICTED, office furniture is to be used; for CONFIDENTIAL, SECRET or TOP SECRET, security containers in accordance with the assignment by the Information Security Commission.

(5) Appropriate service instructions shall be issued for administrative areas and specially protected areas.

(6) Procedures for the management of keys and codes shall be established by the responsible Information Security Officer. These procedures must provide protection against unauthorised access.

Copies and translations

§ 14. (1) Where copies or translations of documents of classification level CONFIDENTIAL, SECRET or TOP SECRET are made, this shall be recorded in an appropriate manner. Each copy is to be individualised by a suitable addition, which is to be noted on each page. The production of copies and translations of information of classification level TOP SECRET by recipients is only permitted with the prior written consent of the originator. Copies may be made only under the direct responsibility of the respective head of the organisational unit and must be marked as copies.

(2) Documents of classification level CONFIDENTIAL, SECRET or TOP SECRET may only be copied, typed, translated, scanned, archived or otherwise processed by persons who fulfil the requirements of § 5 (2). "

12. § 15 (1) reads:

" § 15. (1) The inventory of classified information shall be kept as small as possible. Information that is no longer needed must be destroyed using appropriate procedures in accordance with international and national requirements. Registered documents shall be destroyed by the competent registry on the instruction of the head of the holding body, and the registration records shall be updated accordingly. The destruction of information of classification level SECRET or higher shall be carried out in the presence of a witness, who must have a security check or reliability check for the appropriate classification level, and shall be recorded in a protocol by signature (pattern: Appendix 5). The destruction of data carriers shall be carried out in accordance with procedures approved by the Information Security Commission. "

13. § 16, together with its heading, is deleted; in the previous § 17, the section title is replaced by "§ 16."; furthermore, the phrase "EDP systems" is replaced by the phrase "Communication and Information Systems".

14. Appendix 1 reads:

Appendix 1

Register

Registers shall in any case contain the following information. They may be kept centrally or decentrally, for withdrawals, forwardings and distributions.

Register list

Document name
Business number (external)
Issue number
Date
Number of pages
Classification level
Originator

Receipt
.................... .....................
Date Signature

Own business number

Transmission to
.................... .....................
Date Signature
or enclosure of the acknowledgement of receipt

Destruction
.................... .....................
Date Signature

Faymann Spindelegger Fekter Heinisch-Hosek Stöger Mikl-Leitner Karl Berlakovich Darabos Schmied Bures Mitterlehner Töchterle