Security

Pages 15-16
Report on the VIS 15
infrastructure will have a capacity almost seven times higher than before and will be ready to support the entry
into operation of the EES and ETIAS.
In 2018, a second encryption layer [40] pilot on the VIS communication infrastructure was initiated. The first
part of the pilot was successfully conducted by implementing the solution for three Member States on the
pre-production network. The second encryption layer of the VIS and the EES need to co-exist since they use the
same communication infrastructure, while at the same time they need to adhere to the requirements of the
legal provisions (i.e. logical separation of data). More clarity on the design of the EES second encryption layer is
required before rolling out the VIS second encryption layer to all Member States to avoid the risk of additional
cost and unavailability if both second encryption layer solutions are not designed in parallel. The project has
thus been put on hold until more clarity on the EES side is available.
4. Security
eu-LISA ensures the operational effectiveness of the security controls at VIS central level, and the continuous
improvement of the security strategy, in line with the requirements of the VIS Regulation and relevant
Commission Decisions in terms of data protection and information security. Security is a core element of all
activities undertaken at eu-LISA, due to the stringent legal framework. Furthermore, the Agency is growing into
a centre of excellence in the provision of IT services, emphasising assurance of system and data security in all its
activities.
In the context of the Agencys security monitoring and incident management processes no critical s ecurity
incidents occurred during the reporting period. The Agencys security unit continued to maintain and develop
security measures concerning both physical and system security. As a core element of its Information Security
Management Framework, the Agency operates and continuously develops its Information Security
Management System (ISMS), in compliance with the relevant ISMS standards and ISO27001. Continuous
monitoring and management of the residual risks took place to provide assurance that the appropriate security
controls for the large-scale IT systems have been properly implemented and managed.
In accordance with the relevant security principles, standards and good practices mentioned, the VIS security
and continuity risk management strategy covers all layers of the security spectrum: physical security, personnel
security, network security, operating systems security, application security, business continuity and data
security. Security requirements are embedded in all development projects, changes and maintenance activities.
The eu-L)SAs Security Unit is part of the VIS Operational Change Advisory Board, and takes part in any VIS
development project from the initial phase to develop requirements.
During the reporting period, the VIS central system went through numerous
major upgrades embedding new technologies and components (e.g.
capacity increase, new test environments, background databases,
virtualisation). To reflect the security state of VIS-BMS after the latest
evolutions, the revision of the Security Risk Assessment, the Security Plan
and the Business Continuity Plan of the central VIS were deemed
necessary. A thorough security assessment was initiated in Q3 2019 aimed at
reviewing, with the support of the MWO contractor, the VIS-BMS Security
Documentation.
After several months of preparation, eu-LISA and eight Member States [41]
together with ENISA and the Commission ran the first VIS business
continuity exercise in October 2017. The end-to-end business continuity exercise aimed to test the security,
[40] While the SIS communication infrastructure has a second encryption layer to ensure that a third party cannot have access to clear-text data, the VIS
communication infrastructure has no second encryption layer.
[41] Estonia, Finland, Germany, Greece, Netherlands, Portugal, Slovenia and Sweden.
