ICT Security

The security of communication and information systems that handle, store or transfer classified information is determined by the protective measures that were taken to ensure the availability, integrity and confidentiality of these systems. The measures are applied on the basis of a risk assessment. There are various types of measures such as the installation of encryption products or shielding security systems from unwanted electromagnetic radiation. It goes without saying that the persons who digitally process classified information must also be holder of a security clearance.

ICT protection and encryption products

Organizations with secured communication and information systems must use protection products that have been approved by the competent National Security Authority or international organizations. More information can be found in the relevant regulations and in the safety instructions of classified contracts.

The National Distribution Authority (NDA) manages the material for cryptographic protection of classified information in Belgium.

For the protection of national classified information and provided prior consent, the NSA also allows the use of ICT security products that were approved by the Council of the European Union or NATO.

 

TEMPEST measures (protection against technical surveillance, eavesdropping and espionage)

Classified information of the level ‘confidential’ must also be protected against the abuse of unwanted electromagnetic radiation. This is done via security measures that protect against electronic systems including eavesdropping and technical surveillance. Here also, the Council of the European Union and NATO work with products from certified companies. With prior permission, the NSA can allow the use of these products.

 

Homologation of information and communication systems

When a company or administration uses communication and information systems that handle classified information, they are subjected to prior approval by the NSA. The certification procedure determines, through a risk assessment, if communication and information systems offer adequate protection in accordance with the applicable standards. All interconnections of communication and information systems need also be approved.

If you want to apply for certification of a communication and information system you have to transfer the conformity certificate to NSA  through your local accreditation government (LSAA). On the basis of this certificate and upon an audit, the NSA will decide on whether it approves your information and communication systems.

A certification must be requested for:

  • New communication and information systems
  • Relocation of communication and information systems or interconnections
  • Introduction of approved fixed abilities (e.g. introduction of Web servers)
  • Introduction of new capacities (e.g. introduction of self-developed software)

 

The homologation of CIS and any eventual interconnections takes place in two stages:

 

1. Test phase

During this phase, tests are carried out for a limited period. In the testing phase only unclassified information may be exchanged.

2. Certification

During the second phase it will be assessed whether certification is granted. A certification is in principle valid for maximum 3 years.

In exceptional and urgent cases, where delay would cause serious damage, an accelerated procedure can be applied. Certification may then temporarily be allowed after approval. However, the relevant communications and information systems should be certified as soon as possible in accordance with the regular procedure described above.