The Regulation of the Agency spells out a number of security measures that mandate the eu-LISA to develop system-specific security plans, as well as business continuity and disaster recovery plans in order to ensure the continuous service of the Agency.
Security measures in practice: Exclusive ownership of Agency's encryption keys
The safety of eu-LISA's communication network requires the Agency's encryption keys never to be outsourced to any external entity. Therefore, the Security Unit must assure that the Agency’s cryptographic equipment remains under its full operational management.
The Agency shares best practices in Security and Business Continuity with an informal network composed of security experts from the Member States and the European Commission. The fora in which the security experts meet allow for an effective communication of mutually beneficial security measures.
The application of the Commission's security principles is the responsibility of the Security Officer, who is appointed by the Agency's Management Board. The Security Officer has, within the accountability mechanism, the obligation to report to the system Advisory Groups, to the Management Board and to the Executive Director of the Agency on incidents and activities, and to the Council and the Commission on the functioning and the security of the systems.
eu-LISA operates a video surveillance system, monitoring its buildings and perimeter. The system is used for the safety and security of its buildings, assets, staff and visitors. The Agency's Video Surveillance Policy and
Privacy Notices designed in accordance with the European Data Protection Supervisor guidelines, describe the video-surveillance system, the principles for its use and the safeguards that the Agency implements to protect personal data, privacy and other fundamental rights and legitimate interests of those persons and assets filmed by the cameras.