
CIS SECURITY

 

Communication and Information System Security (CIS Security), or the protection of classified information in communication and information systems (CIS), defines and implements measures that protect classified information handled in the CIS and other electronic systems against accidental or deliberate loss of confidentiality, integrity or availability, and that protect the integrity and availability of the CIS itself.

 

The objective of security measures and procedures for classified information in the CIS is to prevent unauthorised access to classified information, disclosure of classified information, potential denial of an authorised person's access to classified information, misuse, and unauthorised modification or deletion of classified information.

 

The CIS is composed of software, hardware, communication and other equipment, which can be connected to a network or operate standalone, and is intended for collecting, processing, distributing, using and otherwise handling classified information in electronic form.

 

The CIS in which classified information is stored or handled must be accredited for the protection and handling of classified information in the system. The accreditation certifies that all measures and procedures for the secure operation of the system are implemented. It is issued on the basis of a security approval procedure in which the implementation of minimum physical, organisational and technical safeguards for the protection of classified information in the CIS is checked. The following documents must be prepared in the accreditation procedure:

- security risk assessment;
- system security requirement statement;
- security operating procedures.

 

Classified information may be transmitted via the (security approved) CIS outside administrative areas and secured areas only when encrypted with approved cryptographic solutions. Furthermore, the cryptographic solutions used in the CIS must be approved by the Information Security Commission or any other authority designated by law and must have a security certificate issued by the Government Office for the Protection of Classified Information or any other authority designated by law. The approved minimum requirements for marking, distributing and using cryptographic solutions are attached to this certificate.

Cryptographic solutions include cryptographic equipment (hardware and software) and systems used for the cryptographic protection of classified information in the CIS. Also included are all modules (assemblies) incorporated in the separate system parts and intended to protect information through encryption.

Cryptographic evaluation, or the approval of a cryptographic solution, is a procedure used to determine the adequacy of a proposed cryptographic solution for the protection of classified information at a specific level of classification.

 

All system parts in which information classified CONFIDENTIAL or above is handled must be protected against compromising electromagnetic emanations. Devices emit electromagnetic radiation that spreads uncontrollably and can enable the interception of classified information; TEMPEST countermeasures significantly reduce or even prevent such interception. Secured areas in which TEMPEST zones are defined by measurements are the key security measure and a means of determining the appropriate equipment to be installed in such secured areas.