The establishing regulation of the Agency spells out a number of security measures that mandate the Security to develop the system-specific security plans, as well as the Agency's business continuity and disaster recovery plans, in order to ensure the continuous service of the Agency.
Security measures in practice: Exclusive ownership of the Agency's encryption keys
The safety of eu-LISA's communication network requires that the Agency's encryption keys never be outsourced to any external entity. Therefore, the Security must ensure that the cryptographic equipment remains under the full operational management of the Agency.
The Agency also receives recommendations from an informal network composed of security experts from the Member States and the security experts present in the Advisory Groups. The fora where the security experts meet allow for effective communication of mutually beneficial security measures.
The application of the Commission security principles is the responsibility of the Security Officer, who is appointed by the Agency's Management Board. As part of the accountability mechanism, the Security Officer has the obligation to report to the Advisory Groups of the three systems, to the Management Board and to the Executive Director of the Agency on incidents and activities, and to the Council and the Commission on the functioning and the security of the systems.