Classified information means a fact or material from the field of work of an authority that relates to public security, defence, foreign affairs or the intelligence and security activities of the state that must be protected from unauthorised persons and which has been designated and marked as classified.
Classified information may be marked with the following levels of classification:
- TOP SECRET.
Personnel security with regard to the protection of classified information means that every person who has access to classified information in order to perform his or her tasks or functions at his or her workplace must complete the personnel security authorisation procedure. This entails that in the security authorisation procedure, the loyalty, trustworthiness and reliability of the person concerned is verified for the purpose of issuing him or her a personnel security clearance to access classified information, or allowing him or her to maintain such security clearance. In the course of a security authorisation procedure, any aspects of the person's character or circumstances that might result in potential security problems are considered.
Documentation security defines a uniform system for the designation and marking of classified information, its transmission, copying, recording, destruction and archiving, and the procedure in the event of the abuse of classified information. The relevant legal basis to be considered in this regard consists of regulations governing classified information and regulations governing the handling of documentary and archival material in general.
Documentation security and the organisational measures thereof for handling classified information is intertwined with physical and technical security measures for the protection of classified information, and together they form a comprehensive system for protecting classified information that aims to prevent any unauthorised access and ensure the traceability of information throughout its life-cycle.
EU documentation security
The Council of the EU, the European Commission and all Member States must ensure that the entire public administration, contract partners and EU institutions and agencies respect the minimum security standards for the protection of classified information, such that any EU classified information can be transmitted with the assurance that each of the above parties will handle it in the same way. Such minimum security standards must include procedures for the protection of EU classified information (EUCI).
The security classification levels as laid down in the Classified Information Act are harmonised with the security classification levels established by the EU Council and the Commission Decisions.
Listed below are Slovenian and European classification levels:
|Security classification levels in Slovenia||EU security classification levels|
|INTERNO||RESTREINT UE/EU RESTRICTED|
|ZAUPNO||CONFIDENTIEL UE/EU CONFIDENTIAL|
|TAJNO||SECRET UE/EU SECRET|
|STROGO TAJNO||TRES SECRET UE/EU TOP SECRET|
With the adoption of the regulations governing classified information, Slovenian legislation is now fully aligned with European legislation also in terms of the additional marking of classified information, as provided in the EU Council Decision. Slovenian legislation governing documentation security has also been harmonised with European regulations regarding the issues of classifying classified information according to security classification levels, the use of security classification levels and changes to and the cancellation of security classification levels.
The preparation and transmission of EU classified information
Each page of a document containing classified information shall be marked, above and below in the middle of the page, with a security classification level. Each page must bear the current page number and the total number of pages of the document (e.g. 5/12). Documents containing information classified as TOP SECRET and SECRET must have the document code written on each page. Copies of the document must be marked and the copy number must appear on the first page of the document. Documents containing information classified as CONFIDENTIAL or above must have all annexes and supplements listed on the first page of the document. Documents containing information classified as TOP SECRET may only be exchanged through the EUCI registry system. EUCI registries must record all documents containing information classified as CONFIDENTIAL and above upon their entry or exit from an institution. The information to be recorded must enable the identification of documents and be entered in the workbook or stored on a specially secured computer storage medium.
Carriage of EU classified information
Documents containing information classified as TOP SECRET may only be carried within the country by members of a courier service, and only in exceptional cases by public employees, provided that the conditions laid down in the EU Council Decision are met. Documents containing information classified as CONFIDENTIAL or SECRET may be carried within a Member State by an authorised courier service and authorised individuals who have been security cleared and who have an appropriate personnel security clearance.
The carriage of documents containing information classified as EU CONFIDENTIAL and above between Member States shall only be permitted by diplomatic mail or a military courier service. Documents containing information classified as RESTRICTED may be carried in such a way that they cannot fall into unauthorised hands.
Documents containing information classified as CONFIDENTIAL shall be transmitted in durable, opaque double envelopes. The internal envelope shall be marked with an appropriate EU classification level and, to the extent possible, with full information on the official working title and address of the addressee.
An acknowledgement of receipt shall be placed in the internal envelope, which can only be acknowledged by an EUCI registry control officer or his or her alternate, unless the envelope is addressed to an individual person. In such case, the EU registry shall record the receipt of the envelope, whereas the internal envelope may only be opened, and receipt of the documents contained therein acknowledged by the person to whom it is addressed.
An acknowledgement of receipt is not classified information but must contain the code of the case(s), the date of the document and the copy number, but never the content of the document.
When dispatching documents containing information classified as CONFIDENTIAL, couriers shall receive an acknowledgement of receipt with information that must correspond to the dispatch information.
Information classified as CONFIDENTIAL and SECRET may only be carried through accredited communication centres and networks and/or terminals and systems.
Copies, translations and extracts of EUCI
Copies or translations of documents containing information classified as TOP SECRET may only be authorised by the originator (author) of the document Documents containing information classified as SECRET and below may be copied, translated or extracted by the addressee, in accordance with national regulations governing the handling of classified information.
All EU registries shall carry out inventories of all documents containing information classified as TOP SECRET. Random internal document checks shall also be carried out. The archiving of EUCI on microfilm or magnetic or optical media is also permitted provided that the data carriers are protected in the same way as the original document. Each data carrier may only store information of one classification level.
Destruction of EUCI
Documents containing information classified as TOP SECRET may only be destroyed at the Central EUCI Registry. These documents may only be destroyed on the record, in accordance with the "three persons" rule. Destruction certificates and documents on transmission shall be kept by the Central EUCI Registry for a period of at least ten years from the date of destruction.
Documents containing information classified as SECRET shall be destroyed by the responsible EUCI registries. Destruction certificates and documents on transmission shall be kept by the responsible EUCI registries for a period of at least three years from the date of destruction. Documents containing information classified as CONFIDENTIAL shall be destroyed by the responsible EUCI registries. Destruction certificates and documents on transmission shall be kept by the responsible EUCI registries in accordance with national rules. Documents containing information classified as RESTRICTED shall be destroyed by the responsible EU registries or by the user, if so provided by national rules governing classified information.
The purpose of the EUCI registry system for information classified as TOP SECRET is to ensure that such information is properly recorded, archived, handled, distributed and destroyed. The Central EUCI Registry in a Member State shall act as the principal receiving and expediting body. If necessary, Member States may set up sub-registries for the EU TOP SECRET classification level. These sub-registries shall be responsible for the management of documents containing information classified as TOP SECRET if the Central Registry is not able to cover all the Member State’s needs. Sub-registries may not transmit information classified as TOP SECRET directly to other EUCI sub-registries without the approval of the Central EUCI Registry. Every twelve months, all EUCI sub-registries and the Central EUCI Registry shall carry out an inventory of all documents containing information classified as TOP SECRET for which they are responsible. EUCI sub-registries shall send the inventory's findings to the Central EUCI Registry, which shall report on the situation relating to information classified as TOP SECRET to the National Security Authority (NSA).
Security measures during meetings held outside the premises of the Council of the EU
At meetings, delegations are responsible for bringing in, removing and protecting documents containing classified information. Delegations may request assistance from the host Member State for the delivery and removal of such documents to and from the place of the meeting.
The protection of EUCI in information technology and communication systems
Technical measures for the protection of classified information also include the control and traceability of information. For information classified as SECRET and above, a record of access, which may be automatic or manual, shall be kept. When transmitting printouts generated by an EUCI processing system from a secured area to a remote terminal (working station) area, the procedures approved by the Security Accreditation Authorities (SAA) shall be determined for remote transmission control. All interchangeable computer storage media for information classified as CONFIDENTIAL and above must be appropriately marked. EUCI must be stored on computer storage media together with appropriately marked classification and protection levels. The security classification levels of computer storage media used for the entry of EUCI may be downgraded, except for computer storage media for information classified as TOP SECRET. Computer storage media for information classified as TOP SECRET may not be reused. Where the security classification level of a computer storage medium may not be revoked or it may not be reused, the computer storage medium shall be destroyed in accordance with an approved national procedure.
NATO documentation security
NATO security policy is coordinated, monitored and implemented by the NATO Office of Security (NOS). The Director of the NOS is the chief advisor to the Secretary-General for Security Affairs and the Chairman of the NATO Security Committee (NSC).
The Parties have obligations as laid down in the Act Ratifying the Agreement between the Parties to the North Atlantic Treaty for the Security of Information, which provides that:
- they shall protect and safeguard:
- classified information, marked as such, which is originated by NATO or which is submitted to NATO by a member state;
- classified information, marked as such, of the member states submitted to another member state in support of a NATO programme, project, or contract; or
- a NATO treaty,
- they shall maintain the security classification of information as defined by NATO regulations governing classified information, and make every effort to safeguard such accordingly;
- they shall not use classified information as defined by NATO regulations governing classified information for purposes other than those laid down in the North Atlantic Treaty and the decisions and resolutions pertaining to this Treaty;
- they shall not disclose information classified as NATO classified information by NATO regulations governing classified information to non-NATO parties without the consent of the originator.
The Act determines that the Parties shall establish and implement security standards ensuring a common degree of protection for classified information.
NATO classified information is defined by this Act as follows:
- information shall mean knowledge that can be communicated in any form,
- classified information shall mean information or material determined to require protection against unauthorised disclosure and which has been so designated by a security classification,
- the word "material" shall mean documents and also any item of machinery or equipment or weapons, either manufactured or in the process of manufacture,
- the term "document" shall mean any recorded information regardless of its physical form or characteristics, including, without limitation, written or printed material, data processing cards and tapes, maps, charts, photographs, paintings, drawings, engravings, sketches, working notes and papers, carbon copies and ink ribbons, or reproductions by a means or process, and sound, voice, magnetic or electronic or optical or video recordings in any form, and portable equipment for automated data processing with resident computer storage media, and removable computer storage media.
Below follows an overview of Slovenian and NATO security level classifications:
|Security classification levels in Slovenia||NATO security classification levels|
|STROGO TAJNO||COSMIC TOP SECRET|
Physical security is an important element of the overall system of classified information protection. Its main objective is to deter, prevent and/or detect unauthorised access to classified information. Physical security consists of various procedures and measures of protection: organisational, security-technical and mechanical, and procedures and measures for physical protection. All of the above factors are closely interconnected; therefore, the efficiency of the overall physical security system for classified information depends on the efficiency of its individual components.
In deciding which level of physical security is necessary, various factors are taken into account: the security classification level and the nature of the information to be protected, the quantity thereof, the form and method of storage, the threat assessment and the safety culture level of the employees.
Designation of an administrative area
In accordance with established practices regarding the protection of classified information, legal regulations normally lay down minimum standards that have to be met in order to satisfy the basic conditions regarding security standards. In evaluating the adequacy of physical, technical and other security measures in the protection of classified information, we take the view that the level of protection is an aggregate of various security measures and depends on the quality of individual factors in the overall concept of securing the area where classified information is handled (protected).
Security measures should be adapted to the type, form, quantity and classification level of the information to be handled (protected) in a given area, and other characteristics of the situation in situ (possibly 24-hour physical protection of the facility and similar), which shall be taken into account in the assessment of the security level. By complying with the standards determined by regulations governing classified information, problems in assessing whether a certain level of protection is appropriate or not can be avoided.
In view of the above, the head of an authority or organisation shall designate an administrative area by a ruling.
Designation of a secured area
An authority or organisation shall decide to undertake the procedure for establishing a secured area as a result of the need to protect documents containing classified information. Such decision may also be taken on the basis of the anticipated need to obtain or protect classified information. The establishment of a secured area may also be necessary to enable external users to access the classified information of the authority concerned.
Designation of the level of a secured area
An authority shall designate the level of a secured area on the basis of the security classification levels of the information already held or to be held by the authority, and on the basis of the mode of operation of the secured area. If the secured area is to operate in such a way that the classified information will not be visible at the time of entry into the area, then a Level II Secured Area will be established, and if the classified information is to be accessed by merely entering the secured area, a Level I Secured Area will be established.
Designation of the size of a secured area
In designating the size of a secured area, it is important to know whether the secured area will include premises in which staff will work (large spaces with appropriate additional spaces where classified information will also be processed), or whether the area will only serve for the storage and recording of classified information. What is important in deciding on the size of the area is whether the secured area will also be used by external users, which means that more premises are needed, and which also entails a change in the regime of the secured area itself.
When planning the size of the secured area, the type of media on which the classified information is stored must also be taken into consideration. It is necessary to know whether only classified information in paper form will be handled (protected), or whether classified information stored on electronic media will also be handled (protected) in the security area.
Drafting a secured area plan
Following the collection of basic data, a draft secured area plan should be prepared in order to determine the size of the area and outline the main routes as well as access routes within the secured area. The regulations in force (national, EU, NATO) need to be obtained in advance, as they should be studied carefully, and personnel security clearance procedures for work in the secured area should be instituted.
The initiation of a personnel security authorisation procedure
In the period of preparing for the establishment of a secured area, a personnel security authorisation procedure should be initiated, for both personnel within the secured area and for those who will be in charge of reading and processing classified information.
Secured area personnel must use the following forms (Note: no format is prescribed):
- a record sheet of entries into the secured area,
- a record sheet of the receipt and examination of a document containing classified information,
- a record sheet of copied documents containing classified information,
- a record sheet or minutes on the destruction of documents containing classified information,
- a record sheet of security container repairs,
- a record sheet of combinations of electronic locks for security containers,
- a record sheet of security incidents in the secured area,
- a list of all employees in the secured area,
- a distribution sheet of those employed with the authority who have access to individual security classification levels of classified information.
Secured area protection plan
Prior to the beginning of operation of the secured area, the head of the secured area must draw up a protection plan that defines all procedures, measures and tasks of both personnel employed in the secured area and those persons and services that participate in the protection of classified information.
Industrial security ensures that measures are taken to protect classified information exchanged between companies and organisations in cases where contracts and awards of contracts contain classified information. Classified information may only be transmitted to an organisation that has a security clearance that meets the requirements for the safe handling of classified information.
Industrial security shall mean the application of security measures and procedures for preventing, detecting and recovering losses or for eliminating a threat to documents containing classified information held by the contractor or subcontractor during the negotiations prior to the awarding of a classified contract or a classified subcontract and during the implementation thereof.
A classified contract is any contract for the supply of products, the execution of works or the provision of services whose performance requires or involves access to or the creation of classified information. A classified subcontract is any contract entered into by a contractor with another contractor (i.e. a subcontractor) for the supply of goods, the execution of works or the provision of services whose performance requires or involves access to or the creation of classified information.
Regarding such, the Government Office for the Protection of Classified Information recommends to, or calls on, all Slovenian companies to examine how, in the context of their organisations and activities, they could institute the conditions that they must satisfy if they enter calls for tenders that require access to classified information in an international environment.
If they hold an international security clearance, companies can participate in NATO and EU tenders that specify, in the terms of contract, that classified information will have to be accessed in order to implement the contract. Information on these tenders is also available on the website of the Ministry of Economic Development and Technology. One advantage of holders of security clearances is also that they are able to sign commercial contracts whose execution requires access to classified information with organisations from the countries with which the Republic of Slovenia has signed a so-called security agreement.
Communication and information systems
Information security, i.e. the protection of classified information in communication and information systems, shall include the designation and application of security measures for protecting classified information handled (protected) by means of communication, information and other electronic systems against accidental or deliberate loss of confidentiality, integrity or availability, and measures to prevent the loss of the integrity and availability of such systems themselves.
Measures and procedures for the protection of classified information in communication and information systems shall prevent unauthorised persons from accessing classified information, the disclosure of classified information to unauthorised persons, the possibility of refusing authorised users access to classified information, and the abuse, unauthorised alteration or deletion of classified information.
Communication and information systems consist of software, hardware, communication and other equipment operating autonomously or within a network, and which are intended for the collection, processing, distribution, use and other processing of data in electronic form.
Communication and information systems in which classified information is protected must have a security clearance for their operation allowing the handling (protection) of classified information in the system, and approving the implementation of all measures and procedures to ensure the safe operation of the system. Security clearance for the operation of a system shall be obtained on the basis of a security clearance procedure in which compliance with the minimum physical, organisational and technical measures and procedures for protecting classified information in systems is verified. The following documents have to be drawn up in the process of granting a security clearance for the operation of a system:
- the assessment of security risks,
- a system protection plan,
- security instructions for working in the system.
The carriage of classified information through (security cleared) communication and information systems outside administrative and secured areas is only permitted in encrypted form using approved cryptographic products. These systems may only use cryptographic products that have been approved by the Information Security Commission or any other body designated by law, and for which the Government Office for the Protection of Classified Information or any other body designated by law has issued a security clearance certificate. The security clearance certificate shall be accompanied by the approved minimum security requirements for the marking, distribution and use of each cryptographic product.
Cryptographic products shall mean encryption facilities (hardware and software) and systems used for cryptographic data protection in communication and information systems in which classified information is handled. Cryptographic products include all modules (assemblies) that are integrated into the components of systems and are intended for cryptographic information protection.
Cryptographic evaluation, or the approval of a cryptographic product, is a procedure used to determine the adequacy of a proposed cryptographic product for the protection of classified information at a specific level of classification.
All components of systems within which information classified as CONFIDENTIAL or above is handled (protected) must be protected against the compromise of such information through unintentional electromagnetic emanations. Electromagnetic emanations are emanations that spread uncontrollably, thus enabling the leak of classified information (the word TEMPEST is a synonym in all languages). TEMPEST countermeasures in this context shall mean a set of measures and activities that significantly reduce or even fully prevent the leak of classified information. Such basic measures and activities include secured areas where TEMPEST zones are defined by measurements, which form the basis for determining the appropriate equipment to be installed in such secured areas.
In accordance with the regulations governing classified information, basic and advanced training in the field of classified information is organised for persons who need such training.