67. Regulation of the Federal Government amending the Regulation on Information Security (Information Security Regulation, InfoSiV)
On the basis of § 6 of the Information Security Act (InfoSiG), Federal Law Gazette I No. 23/2002, as last amended by the Federal Act Federal Law Gazette I No. 10/2006, the following is ordered:
The Regulation of the Federal Government on Information Security (Information Security Regulation, InfoSiV), Federal Law Gazette II No. 548/2003, is amended as follows:
1. The heading "Content" is replaced by the heading "Table of contents", which reads as follows:
"§ 1 Scope
§ 2 Classified information
§ 3 Classification levels
§ 4 Information security officers
§ 5 Access to classified information
§ 6 Instruction
§ 7 Transmission of classified information
§ 8 Marking of classified information
§ 9 Electronic processing and transmission of classified information
§ 10 Official duties
§ 11 Administrative handling
§ 12 Registration of classified information
§ 13 Custody of classified information
§ 14 Copies and translations
§ 15 Destruction of classified information
§ 16 Control"
2. In § 2 para. 1, the phrase "information, facts, objects and messages" is replaced by the phrase "information and materials bearing a classification marking, as well as messages".
3. § 2 para. 2 nos. 3 and 4 read:
"3. electronically processed data and their data carriers (e.g. e-mail);
4. sound and image carriers;"
4. § 3 para. 2 reads:
"(2) The classification, declassification and downgrading of information is carried out by its originator. Declassification must be recorded in writing. Recipients of classified information are to be informed of the declassification."
5. In § 5 para. 1, the word "Annex 1" in the parenthetical expression is prefixed with the word "Sample:".
6. In § 5 para. 3 no. 2, the full stop is replaced by the word "and", and the following no. 3 is added:
"3. they have undertaken to maintain the secrecy of classified information after the end of their employment."
7. §§ 6 to 9, together with their headings, read:
"Instruction
§ 6. (1) The instruction pursuant to § 5 para. 4 must in any case cover the InfoSiG, the applicable obligations under international law and European Union law, this Regulation and any implementing provisions of the department issued in writing, as well as the confidentiality obligations and the sanctions for violating them.
(2) The instruction serves to raise awareness of threats to the security of classified information and to ensure that the prescribed security standards are observed and that all security breaches, including mere suspicions of such breaches, are reported. It must take place before access to classified information is granted and must be repeated regularly. Proof of the instruction must be recorded in writing (sample: Annex 2).
Transmission of classified information
§ 7. (1) Before classified information is transmitted, it must be ensured, by examination in each individual case or by general rules laid down for that purpose, that the recipient meets the conditions of the InfoSiG and of this Regulation.
(2) Within the framework of mutual assistance, classified information may be transmitted only if the requesting body expressly so requests and indicates that it is able to guarantee the required standard of protection and the personnel requirements laid down by the Act and by this Regulation. The information security officer must be informed of the intended transmission.
(3) Documents of the classification level "restricted" are to be transmitted in sealed envelopes, and documents of the classification level "confidential" or higher in double sealed opaque envelopes; the classification level is to be stated together with the recipient's address on the inner envelope only, and a receipt is to be enclosed (sample: Annex 3). The markings on the outer envelope must not allow any conclusion as to the contents.
(4) The transmission of classified information of the level "top secret" requires the written consent of the originator.
(5) The transmission of classified information to third countries or international organisations, or to a contractor established in a third country, is permitted only with the prior written consent of the originator, unless obligations under international law or Union law provide for transmission without such consent.
(6) Classified information is to be transmitted in the following ways:
1. Oral transmission: for meetings with content of the classification level "confidential" or higher, the chair of the meeting must ensure that the participants have been security-cleared or reliability-checked, as applicable, and have been instructed. Minutes are to be classified. During the oral presentation of information classified "secret" or "top secret", measures against eavesdropping must be taken.
2. Personal delivery: classified information of the classification level "confidential" or higher that is handed over personally must be delivered against receipt. Transmission within a building must be carried out by persons authorised for the respective classification level and in a sealed envelope bearing only the recipient's name; the recipient must acknowledge receipt. Within a building or an enclosed group of buildings, information up to the level "top secret" may be carried in a sealed opaque envelope.
3. Delivery by delivery services (postal or private courier services), military and diplomatic couriers and diplomatic bag: a) classified information of the level "restricted" may be transmitted by post or private courier service, by military and diplomatic couriers, by diplomatic bag or in the hand luggage of a suitably instructed person. The Information Security Commission decides on the implementation of protective measures.
b) classified information of the level "confidential" may - be delivered by post or private courier services within the EU Member States and in states with which a bilateral agreement pursuant to § 14 InfoSiG or another international agreement containing provisions on the transmission of such information in this manner exists, provided that the services apply appropriate protective measures; the Information Security Commission decides on compliance;
- be transported in the diplomatic bag or by military and diplomatic couriers, as well as in hand luggage, provided that the person (or courier) to whom the classified information is entrusted is security-cleared at least up to "confidential" and authorised for this (sample: Annex 4).
c) classified information of the level "secret" may - be transmitted domestically by post or private courier services, provided that they apply appropriate protective measures; the Information Security Commission decides on compliance;
- be carried by military and diplomatic couriers and in hand luggage, provided that the person (or courier) to whom the classified information is entrusted is security-cleared at least up to "secret" and authorised (sample: Annex 4);
- in exceptional cases be transmitted in the diplomatic bag, if no other means of delivery is available.
d) classified information of the level "top secret" must be carried by military and diplomatic couriers and as hand luggage, provided that the person (or courier) to whom the classified information is entrusted is security-cleared up to "top secret" and authorised (sample: Annex 4).
Marking of classified information
§ 8. (1) Classified information is to be marked unambiguously and clearly with the markings defined in § 3 or in provisions of international law or Union law.
(2) In the case of information in paper form, the date, the file number, the originator and the classification marking at the top and bottom of each page, together with page numbering on each page, are to be affixed. Where required, the following may also be affixed:
1. an indication of authorship;
2. further information, such as distribution restrictions (on each page);
3. a date for downgrading the classification.
(3) In the case of information in electronic form, the file name must include the relevant classification level.
(4) All annexes and attachments of a document of the classification level "confidential" or higher are to be listed on its first page.
Electronic processing and transmission of classified information
§ 9. (1) The processing of classified information in information and communication systems requires special precautionary measures, which depend on
1. the classification level, 2. the degree of emission security of the devices, 3. the nature and extent of networking, 4. the storage capability and 5. the local circumstances.
(2) Information of the classification level "confidential" or higher may be processed only on information and communication systems for which an accreditation by the Information Security Commission exists. The specific requirements (requirements as well as scope and level of detail) are to be laid down in coordination with the Information Security Commission. For information and communication systems which process information of the classification level "restricted", the requirements of the Information Security Commission must be observed, depending on the nature and scope of the system (degree of risk, complexity and networking). In any case, measures for the identification and logging of access must be provided. For information and communication systems which serve the fulfilment of tasks of the armed forces pursuant to Art. 79 para. 1 B-VG, these tasks are performed by the Federal Minister of National Defence and Sports for his area of responsibility.
(3) Information of the classification level "confidential" or higher that is processed on electronic devices must be protected so that no unauthorised knowledge of the information can be obtained via electromagnetic emanations (TEMPEST security precautions).
(4) For the electronic transmission of classified information, special protective measures are to be observed, in particular encryption appropriate to the respective classification level, as well as the requirements of the Information Security Commission. Notwithstanding this requirement, special procedures or special technical configurations may be applied in emergency situations in agreement with the Information Security Commission. The transmission of classified information of the classification level "confidential" or higher is to be logged in accordance with the requirements of the Information Security Commission, using a qualified signature or automatic transmission with technically equivalent security requirements.
(5) The interconnection of information and communication systems in which classified information is processed with other systems requires appropriate protective measures."
8. In § 10 the following para. 3 is added:
"(3) The loss of classified information must be reported immediately to the head of the organisational unit and to the information security officer. These must take all necessary measures to recover the information, to prevent further damage and to clarify the incident. These measures are to be recorded in an appropriate manner. The loss is also to be communicated to the body from which the information originates."
9. In the heading of § 11, the word "Kanzleimäßige" is replaced by the word "Administrative".
10. In § 11, the word "Annex 1" in the parenthetical expression in para. 1 is prefixed with the word "Sample:", and in para. 2 the word "registry systems" is replaced by the word "management systems".
11. §§ 12 to 14, together with their headings, read:
"Registration of classified information
§ 12. (1) The receipt and dispatch of every document classified "confidential" or higher is to be recorded in the register, stating, in addition to the particulars referred to in § 11 para. 1, the originator, the date of receipt, the time of delivery and the organisational unit holding the document (sample: Annex 1). Each circulation of classified information is to be recorded in an appropriate manner.
(2) Registers for the classification levels "confidential" and "secret" are to be marked at least with the classification level "restricted"; registers for the classification level "top secret" are to be marked with the classification level "secret".
(3) Paras. 1 and 2 also apply to electronic registration.
Custody of classified information
§ 13. (1) Information is to be kept in premises secured according to the respective classification level and may be removed from them only for essential official purposes.
(2) For the physical protection of classified information, the following secured areas are to be established:
1. administrative areas: areas with a visibly defined perimeter permitting the control of persons and vehicles, which may be entered unaccompanied only by persons who have received an authorisation. All other persons must be continuously escorted or subject to equivalent control.
2. specially protected areas: areas with a visibly defined and protected perimeter with complete entry control (identity check or control according to identification class 2 pursuant to ÖNORM EN 50133-1:2003 "Alarm systems - Access control systems for use in security applications") and exit control (control according to identification class 0 pursuant to ÖNORM EN 50133-1:2003), which may be entered unaccompanied only by security-cleared, reliability-checked or specially authorised persons. All other persons must be continuously escorted or subject to equivalent control.
3. specially protected areas with protection against eavesdropping: areas that are additionally technically protected and equipped with intrusion alarm systems. Unauthorised communication or electronic devices and communication equipment are prohibited. Persons entering the area are to be checked for prohibited devices as part of the entry control. Regular inspections and technical checks are to be carried out.
(3) The selection of appropriate measures for the physical protection of the premises is made on the basis of an assessment of the threat situation by the competent bodies, distinguishing between administrative areas and specially protected areas. Such measures, or a combination of them, may be:
1. access blocking;
2. burglar alarm system;
3. access control;
4. security personnel;
5. video surveillance;
6. emergency lighting;
7. other appropriate physical measures.
(4) Information pursuant to § 2 para. 2 nos. 1, 2 and 4 of all classification levels is to be kept in locked containers. For the classification level "restricted", office furniture is sufficient; for "confidential", "secret" or "top secret", security containers according to the assignment by the Information Security Commission are to be used.
(5) Appropriate security operating procedures are to be laid down for administrative and specially protected areas.
(6) Procedures for the management of keys and codes are laid down by the competent information security officers. These procedures must provide protection against unauthorised access.
Copies and translations
§ 14. (1) Where copies or translations of documents of the classification level "confidential", "secret" or "top secret" are made, this is to be recorded in an appropriate manner. Each copy is to be marked on every page with a suitable note. Recipients may make copies or translations of information of the classification level "top secret" only with the prior written consent of the originator. Copies may be made only under the direct responsibility of the head of the organisational unit and must bear a copy marking.
(2) Documents of the classification level "confidential", "secret" or "top secret" may be copied, transcribed, translated, scanned, archived or otherwise processed only by persons who meet the conditions of § 5 para. 2."
12. § 15 para. 1 reads:
"§ 15. (1) The stock of classified information is to be kept to a minimum. Information that is no longer required is to be destroyed by appropriate procedures in compliance with international and national requirements. Documents subject to registration are destroyed by the competent registry on the instruction of the head of the unit holding them, and the register entries are updated accordingly. The destruction of information of the classification level "secret" or higher must be carried out in the presence of a witness who holds a security clearance or reliability check for the appropriate classification level, and is to be confirmed in the record by signature (sample: Annex 5). The destruction of data carriers is to be carried out according to the procedures approved by the Information Security Commission."
13. § 16 and its heading are deleted; the text of the former § 17 receives the paragraph designation "§ 16."; furthermore, the phrase "computer systems" is replaced by the phrase "communication and information systems".
14. Annex 1 reads as follows:
Registers must contain at least the following information. They may be kept centrally or decentrally, separately for withdrawals, forwardings and distributions.
File number (external)
Number of pages
Own file number
or enclosure of the acknowledgement of receipt
Smith Faymann Spindelegger Fekter Heinisch-Hosek sands Mikl-Leitner Karl Berlakovich Darabos Bures Mitterlehner Töchterle