2002-2012 Urad Vlade Republike Slovenije za varovanje tajnih podatkov Government Office For The Protection Of Classified Information (NSA) Proceedings of the Office of the Government of the Republic of Slovenia for the Protection of Classified Information to mark its 10th anniversary (2002–2012) Zbornik Urada Vlade Republike Slovenije za varovanje tajnih podatkov ob 10. obletnici delovanja, 2002—2012 Naročnik: Urad Vlade Republike Slovenije za varovanje tajnih podatkov, Gregorčičeva 27, 1000 Ljubljana Avtorji besedil in slik (po abecednem vrstnem redu): Tatjana Balorda, Igor Eršte, mag. Mateja Kapš, Uroš Kogoj, Gregor Majcen, v. d. direktorja urada, Boris Mohar, dr. Boštjan Petelinc, Marko Rosandič, Maja Rožaj, mag. Erik Schlegel in Miran Skobe. Odgovorna oseba: Gregor Majcen v. d. direktorja Uredil: dr. Boštjan Petelinc, Urad Vlade Republike Slovenije za varovanje tajnih podatkov Oblikovala: Peter Hazler, Urad Republike Slovenije za makroekonomske analize in razvoj, in dr. Boštjan Petelinc, Urad Vlade Republike Slovenije za varovanje tajnih podatkov Leto izida: 2012 Urad Vlade RS za varovanje tajnih podatkov, Gregorčičeva 27, 1000 Ljubljana telefon: (01) 478 13 90 telefaks: (01) 478 13 99 e-pošta: gp.uvtp(at)gov.si Published by: the Office of the Government of the Republic of Slovenia for the Protection of Classified Information, Gregorčičeva 27, SI-1000 Ljubljana Authors of articles and photographs (in alphabetical order): Tatjana Balorda, Igor Eršte, Mateja Kapš, Uroš Kogoj, Gregor Majcen, Boris Mohar, Boštjan Petelinc, Marko Rosandič, Maja Rožaj, Erik Schlegel, and Miran Skobe. Responsible person: Director of the Office Gregor Majcen, Acting Edited by: Boštjan Petelinc, Office of the Government of the Republic of Slovenia for the Protection of Classified Information Design: Peter Hazler, Institute of Macroeconomics Analysis and Development; and Boštjan Petelinc, Office of the Government of the Republic of Slovenia for the Protection of Classified Information First edition: 2012 Office of the Government of the Republic of Slovenia for the Protection of Classified Information, Gregorčičeva 27, SI-1000 Ljubljana Phone: (01) 478 13 90 Fax: (01) 478 13 99 Email: gp.uvtp@gov.si Izdal, založil in tiskal Urad Vlade Republike Slovenije za varovanje tajnih podatkov, Gregorčičeva 27, 1000 Ljubljana, uporaba in objava podatkov dovoljena le z navedbo vira. Issued, published and printed by the Office of the Government of the Republic of Slovenia for the Protection of Classified Information. The use and publication of the information contained herein is only permissible with reference to the source. Vsebina zbornika je dostopna tudi na spletni strani http://www.uvtp.gov.si/ The proceedings are published online at http://www. uvtp.gov.si/ ForThe TheProtection Protectionof OfClassified ClassifiedInformation Information(NSA) (NSA) 10 years of Government Office for 1 Kazalo Table of Contents 1 O Uradu Vlade Republike Slovenije za varovanje tajnih podatkov................................ 15 1 About the Office................................................ 15 1.1 Tasks and objectives........................................ 16 1.1 Naloge in cilji..................................................... 16 1.2 UVTP emblem.................................................... 19 1.2 Znak UVTP......................................................... 19 1.3 UVTP employees............................................... 21 1.3 Zaposleni na UVTP............................................ 21 2 2 Zakonodaja na področju varovanja tajnih podatkov............................................................ 22 Legislation relating to protection of classified information....................................... 22 3 3 Varovanje tajnih podatkov v Republiki Sloveniji............................................................. 24 Protection of Classified Information in the Republic of Slovenia.........................................24 3.1 3.1.1 3.1.2 Osebna varnost................................................. 24 Osnovna varnost................................................. 24 Postopek pridobivanja dovoljenja za dostop do nacionalnih tajnih podatkov................................. 24 3.1.2.1 Medresorska delovna skupina za osebno varnost................................................................ 25 3.1.3 Dovoljenje za dostop do tajnih podatkov EU...... 26 3.1.4 Dovoljenje za dostop do tajnih podatkov zveze Nato.................................................................... 26 3.2 3.2.1 3.2.2 3.2.3 Dokumentacijska varnost................................ 29 Medresorska delovna skupina za dokumentacijsko varnost.................................... 30 Registrski sistem za tajne podatke EU in zveze Nato.................................................................... 31 Komisija Vlade Republike Slovenije za presojanje upravičenosti prevladujočega javnega interesa v zvezi z razkritjem podatkov, ki so označeni kot tajni........................................ 32 3.3 Fizična varnost.................................................. 34 3.4 3.4.1 3.4.2 3.4.3 3.4.4 3.4.4.1 Informacijska varnost....................................... 36 Komisija Vlade RS za informacijsko varnost.......37 Natova delavnica Infosec.................................... 38 Tempest.............................................................. 38 Kriptologija.......................................................... 39 Medresorska strokovna delovna skupina za komunikacijsko varnost....................................... 41 EU NDA – nacionalni organ Evropske unije za razdeljevanje kriptografskega materiala (CM).... 42 3.4.5 3.5 3.5.1 Industrijska varnost.......................................... 44 Medresorska projektna skupina za industrijsko in fizično varnost................................................. 46 3.6 Usposabljanje....................................................48 4 Mednarodno sodelovanje.................................50 4.1 Varovanje tajnih podatkov tujih držav ali mednarodnih organizacij................................. 50 4.2 Povzetek iz Zakona o tajnih podatkih............. 50 4.3 4.3.1 Dvostransko sodelovanje................................ 54 Sporazumi COMSEC.......................................... 58 4.4 Večstransko sodelovanje................................. 59 4.5 EVROPSKA UNIJA............................................ 60 4.5.1.1 Galileo................................................................. 62 4.5.1.2 EGNOS (European Geostacionary Navigation Overlay Service)................................................. 63 4.5.1.3 GMES (Global Monitoring for Environment and Security).............................................................. 63 4.5.1.4 Sedmi okvirni program evropskih raziskav (FP7)................................................................... 64 2 3.1 3.1.1 3.1.2 Personnel security............................................ 24 Basic security...................................................... 24 Security clearance process to access national classified information.......................................... 24 3.1.2.1 Inter-ministerial working group for personnel security................................................................ 26 3.1.3 EU Security Clearance........................................26 3.1.4 NATO Security Clearance................................... 27 3.2 3.2.1 3.2.2 3.2.3 Documentation security................................... 29 Inter-ministerial working group for documentation security....................................... 31 Registry system for EU and NATO classified information.......................................................... 32 Government Commission for Assessing the Legitimacy of the Prevailing Public Interest in the Disclosure of Secret Classified Information.......................................................... 32 3.3 Physical security............................................... 34 3.4 3.4.1 3.4.2 3.4.3 3.4.4 3.4.4.1 Information security.......................................... 36 Government Commission for IT Security............ 37 NATO InfoSec workshop..................................... 38 TEMPEST........................................................... 38 Cryptography....................................................... 40 Inter-Ministerial Expert Working Group for Communication Security..................................... 42 EU NDA – National Crypto Distribution Authority.............................................................. 42 3.4.5 3.5 3.5.1 Industrial security............................................. 44 Inter-Ministerial Project Group for Industrial and Physical Security................................................. 46 3.6 Training.............................................................. 48 4 International cooperation................................. 50 4.1 Protection of Classified Information of Foreign Countries or International Organisations.................................................... 50 4.2 Summary of the Classified Information Act... 50 4.3 4.3.1 Bilateral Co-operation...................................... 54 COMSEC Agreements........................................ 58 4.4 Multilateral cooperation................................... 59 4.5 EUROPEAN UNION........................................... 60 4.5.1.1 GALILEO.............................................................62 4.5.1.2 EGNOS (European Geostationary Navigation Overlay Service)................................................. 63 4.5.1.3 Global Monitoring for Environment and Security............................................................... 64 4.5.1.4 The EU’s seventh framework programme for research.............................................................. 64 4.6 NATO.................................................................. 65 10 let Urada RS za varovanje tajnih podatkov 4.6 4.6.1 4.6.2 4.6.3 4.6.4 4.7 4.7.1 NATO.................................................................. 65 Varnostni odbor NATA......................................... 66 Natova mednarodna konferenca (Nato Security Committee/AdHoc Working Group).................... 67 Sporazum ATOMAL............................................ 68 MISWG 2010...................................................... 68 4.6.1 4.6.2 Regionalno sodelovanje...................................72 South East European National Security Authorities........................................................... 72 4.7 4.7.1 4.6.3 4.6.4 NATO Security Committee.................................. 66 NATO international conference (NATO Security Committee/Ad Hoc Working Group)................... 67 ATOMAL Agreement........................................... 68 Multinational Industrial Security Working Group, 2010........................................................ 68 Regional cooperation....................................... 72 South-East European National Security Authorities........................................................... 72 10 years of Government Office for The Protection of Classified Information (NSA) 3 4 10 let Urada RS za varovanje tajnih podatkov Predgovor GREGOR MAJCEN, vršilec dolžnosti direktorja urada od 9. marca 2012 Foreword GREGOR MAJCEN, Acting Director of the Office since 9 March 2012 Dear reader, This publication is issued by the Office of the Government of the Republic of Slovenia for the Protection of Classified Information (hereinafter: UVTP or the Office). Its history and development, areas of work, and some of its achievements are outlined herein. Spoštovani, predstavljamo vam publikacijo Urada Vlade Republike Slovenije za varovanje tajnih podatkov (v nadaljevanju UVTP), s katero želimo na kratko prikazati ustanovitev in razvoj, osvetliti področja dela ter našteti nekaj dosežkov našega urada. Urad Vlade Republike Slovenije za varovanje tajnih podatkov (UVTP) je bil ustanovljen zaradi usklajevanja zakonodaje s pravnim redom EU in zveze Nato ter s tem uvedbe enotnih standardov varovanja tajnih podatkov. Prvotni Zakon o tajnih podatkih (ZTP), veljaven je postal 23. 11. 2001, je za izvajanje nalog s področja varovanja tajnih podatkov, predpisanih z ZTP in predpisi, sprejetimi na njegovi podlagi, predvideval ustanovitev urada, zato je bil sprejet Sklep o ustanovitvi, nalogah in organizaciji Urada Vlade Republike Slovenije za varovanje tajnih podatkov, ki je začel veljati 26. 1. 2002. UVTP je z ustanovitvijo prevzel tudi vlogo Nacionalnega varnostnega organa (v nadaljevanju NSA – National Security Authority) po standardih Nata in EU in je zato tudi naslednik Komisije Vlade RS za varovanje zaupnih dokumentov Zveze Nato in Komisije Vlade RS za varovanje dokumentov Zahodnoevropske unije. Letos torej praznujemo deseto obletnico ustanovitve. UVTP je nastal zaradi zahtev mednarodne skupnosti in je v mednarodno okolje še vedno močno vpet prek konferenc, sestankov, delovnih skupin, s sklepanjem sporazumov in podobno. To od nas zahteva veliko angažiranosti, samoiniciativnosti in izobraževanja, saj mednarodno okolje pričakuje kompetentnega in zaupanja vrednega sogovornika. Hkrati seveda izkušnje in znanje prenašamo naprej, saj UVTP kot koordinativni organ na področju varovanja The UVTP was established in order to harmonise the relevant national legislation with the acquis communautaire in order to comply with the legal obligations and commitments of NATO membership, thereby introducing common standards for the protection of classified information. The original Classified Information Act, which entered into force on 23 November 2001, envisaged the establishment of an office to perform tasks pertaining to the protection of classified information stipulated by the relevant provisions and rules adopted under this Act. Therefore, the Decision on the establishment, tasks and organisation of the Office of the Government of Slovenia for the Protection of Classified Information, which took effect on 26 January 2002, was adopted. The newly established UVTP also assumed the duties and tasks of the National Security Authority (hereinafter: NSA), in accordance with NATO and EU standards, thereby succeeding the Commission of the Government of the Republic of Slovenia for the Protection of NATO Classified Information and the Commission of the Government of the Republic of Slovenia for the Protection of the Western European Union Classified Information. This year, we therefore celebrate the 10th anniversary of its establishment. The UVTP was set up as a response to the requirements of the international community. It takes part in conferences, meetings, working groups, the conclusion of agreements, and the like, and is strongly integrated into the international environment. This requires great commitment, proactivity and further training on our part, as our international partners expect us to be a competent and credible counterpart. Moreover, we disseminate our experience and skills; as the UVTP is a coordination body in the protection of classified information, it monitors the current situation, and provides for the development and enforcement of standards, the implementation of international commitments and treaties, prepares draft regulations, provides opinions, keeps records and carries out several other tasks. 10 years of Government Office for The Protection of Classified Information (NSA) 5 tajnih podatkov spremlja stanje, skrbi za razvoj in uveljavljanje standardov, skrbi za izvajanje sprejetih mednarodnih obveznosti in mednarodnih pogodb, pripravlja predloge predpisov, daje mnenja, vodi evidence in opravlja še vrsto drugih nalog. Svet se naglo spreminja, živimo v času informacijske tehnologije, hitrih sprememb in nenehnega pretoka množice informacij, kar seveda prinaša izzive tudi na našem delovnem področju. Zveza Nato in EU iščeta odgovore v krepitvi varnostnih struktur in jasni določenosti pogojev in načinov obravnave tajnih podatkov, čemur se kot članica obeh pridružuje tudi Slovenija. Zavedamo se, da je popolna varnost žal samo teoretičen pojem, za katerega dosego si prizadevamo, enako velja tudi za področje varovanja tajnih podatkov. Pri razpravah o varnosti se vedno srečamo s pojmom varnostna kultura. Poudaril bi, da varnostna kultura ni nekaj, kar bi se dalo na hitro naučiti, niti ni samo nabor ukrepov ali postopkov, ki bi se lahko upoštevali, ampak je skupek vrednot, odgovornosti, zavedanja nevarnosti ter načinov vedenja in hkrati nekaj, kar moramo ponotranjiti ter skladno s tem živeti poklicno in zasebno. Upam si trditi, da v slovenskem prostoru varnostna kultura narašča, vendar moramo kljub temu še veliko narediti. Delo UVTP je samo delček v mozaiku varnostne kulture, za katero si moramo vsi prizadevati. Obdobje, ki je pred nami, bo polno preizkušenj in trdega dela: spremembe normativne ureditve, sodelovanje z ustreznimi organi EU in zveze Nato ter tujimi NSA, sklepanje dvo- in večstranskih sporazumov ter druge naloge, katerih namen je v prvi vrsti zagotavljanje učinkovitega varovanja tajnih podatkov in odpiranje poslovnih možnosti za naše gospodarstvo. The world is changing rapidly. We live in an era of information technologies, sudden changes and a permanent and massive flow of information, which, of course, also poses challenges to our areas of work. NATO and the EU are seeking answers to these challenges by strengthening security structures and clearly defining the conditions for and methods of handling of classified information, a policy which is also adhered to by Slovenia as a member of these two associations. Although we are striving to achieve complete security, we are aware that it is, unfortunately, only a theoretical concept; the same is also true of the protection of classified information. When discussing security, we always come across the concept of security culture. I would like to emphasise that security culture is neither something that can be learned quickly nor a set of measures and procedures to be complied with, but rather a combination of values, responsibilities, risk awareness and methods of conduct, as well as something that we must internalise and comply with in our professional and private lives. I dare say that the security culture in Slovenia is improving; however there is still a lot to be done to this end. The work performed by the UVTP is only a piece in the jigsaw that is security culture, for which we all must strive. The period ahead will be full of challenges and hard work. This, among other things, includes modifications to the normative framework, cooperation with the relevant EU and NATO authorities and foreign NSAs, the conclusion of bilateral and multilateral agreements, and other tasks which are focused on providing the effective protection of classified information and business opportunities for the Slovenian economy. Danes UVTP uživa visoko stopnjo zaupanja. Za to gre zahvala mojim predhodnikom – Ludviku Čarniju, Vojku Kosu, mag. Milanu Tarmanu, vsem njihovim in mojim sodelavcem ter vsem posameznikom, organom in organizacijam, ki so prispevali, da je UVTP prepoznaven in cenjen doma in v tujini ter pri varnostnih strukturah Nata in EU. Vsem sem hvaležen za opravljeno delo. Today, the UVTP enjoys a high level of confidence. Thanks for this should go to my predecessors Ludvik Čarni, Vojko Kos and Milan Tarman, as well as to all our colleagues, other individuals, bodies and organisations. They have all contributed to ensuring that the UVTP is recognisable and respected at home and abroad, and within the EU and NATO security structures. I am very grateful to them all for their hard work. Gregor Majcen v. d. direktorja Gregor Majcen Acting Director 6 10 let Urada RS za varovanje tajnih podatkov Uvodna beseda dosedanjih direktorjev UVTP Foreword by former UVTP directors LUDVIK ČARNI – from 7 February 2002 to 31 May 2005 LUDVIK ČARNI – od 7. februarja 2002 do 31. maja 2005 Urad Vlade Republike Slovenije za varovanje tajnih podatkov je bil ustanovljen leta 2002 kot organ, ki naj bi imel pristojnosti spremljanja stanja na področju določanja in varovanja tajnih podatkov ter skrb za razvoj in uveljavljanje enotnih fizičnih, organizacijskih in tehničnih standardov varovanja tajnih podatkov v državnih organih, organih lokalnih skupnosti, pri nosilcih javnih pooblastil ter gospodarskih družbah in organizacijah, ki pridobijo tajne podatke ali razpolagajo z njimi. Urad je prevzel delovne naloge od Komisije Vlade RS za varovanje tajnih podatkov zveze Nato in Zahodnoevropske unije. V obdobju ustanovitve urada so v Sloveniji potekale intenzivne priprave za vstop Slovenije v Evropsko unijo in Nato. Ob tem je imel urad še veliko nalog glede priprave postopkov in izdelave podzakonskih aktov, ki jih je bilo treba na ravni domače zakonodaje uskladiti s pravnim redom Evropske unije in Natovimi predpisi. Delo je v ustanovitvenih letih od 2002 do 2005 opravljalo od 5 do 9 oseb, ki so bile takrat v uradu zaposlene kot detaširane iz posameznih ministrstev. Zaposleni so imeli zaradi svojih prejšnjih funkcij dovolj izkušenj iz varovanja tajnih podatkov na različnih strokovnih področjih. Na tej podlagi so bili detaširani iz ministrstva za notranje zadeve, slovenske obveščevalne agencije in ministrstva za obrambo. Na začetku se je urad zaradi novosti, predpisanih v podzakonskih aktih, soočil tudi z nerazumevanjem dela strokovne javnosti, zato je bila vložena ustavna pritožba na nekatera določila podzakonskih aktov, kar je povzročilo blokado delovanja urada, dokler o zadevi ni ponovno odločalo Ustavno sodišče Republike Slovenije. Naloge urada so postale vse številčnejše in obsežnejše, zato je bila sprejeta odločitev o kadrovski popolnitvi urada. Prav tako se je urad v svojem nastajanju spopadal še z drugimi težavami, kakor na primer ustrezna sistemizacija delovnih mest, zagotovitev ustreznih prostorov in podobno. Urad je v začetnem obdobju svojega delovanja pripravil vse podzakonske akte, potrebne zaradi na The UVTP was established in 2002 as a body to be entrusted with the responsibility of monitoring the situation in the area of the identification and protection of classified information, and to provide for the development and implementation of common physical, organisational and technical standards of safeguarding classified information in Government agencies, local community agencies, holders of public authorisations, and companies and organisations that acquire or possess such information. The Office assumed its operational tasks from the Commissions of the Government of the Republic of Slovenia for the Protection of NATO and Western European Union Classified information. While the Office was in the process of being established, Slovenia was intensively preparing for its accession to the European Union and NATO. Moreover, the Office had several other tasks to address regarding the preparation of procedures and the design of statutory instruments, which, at the level of domestic legislation, had to be harmonised with the acquis communautaire and NATO rules. During is early years, i.e. from 2002 to 2005, the Office's work was performed by five to nine members of staff, who were seconded from other line ministries. Their previous functions enabled them to obtain the experience required to protect classified information in various fields of expertise. Therefore, they were seconded to the Office from the Ministry of the Interior, the Slovenian Intelligence Agency and the Ministry of Defence. Owing to new provisions incorporated in the statutory instruments, the Office was faced with a certain scepticism in its early days, which was articulated by a part of the expert public. As a result, a constitutional complaint was lodged against certain provisions of the statutory instruments blocking the Office's operations, until the case was remanded to the Slovenian Constitutional Court for re-adjudication. The ever increasing number and complexity of tasks to address led to the adoption of a decision to augment the Office's staff. During its early years, the Office was also faced with other issues, including the problem of classifying posts appropriately, the provision of appropriate facilities, and similar issues. 10 years of Government Office for The Protection of Classified Information (NSA) 7 novo sprejetega Zakona o tajnih podatkih, zato smo veliko časa posvetili proučevanju pravnega reda EU in Natovih predpisov. Tu je vsekakor treba omeniti veliko pomoč osebja varnostnih organov EU, zlasti NOS (takratni direktor NOS W. Raichak, Robert Keil in Rolf Ultes so samo nekateri od njih), ki je v pristopnem obdobju k Natu in takoj po vstopu veliko pomagalo takratnemu osebju našega urada. Kljub vsem začetnim težavam, ki se pojavljajo ob ustanovitvi novega organa in nalogah urada na nacionalni ravni, ter pred vstopom in na začetku članstva v EU in Nato, menim, da je »začetna ekipa« opravila naložene naloge strokovno in s tem pripravila dobre temelje za delovanje urada, ki tudi danes opravlja vse naloge. 8 During the initial period of its operation, the Office prepared all the statutory instruments required pursuant to the adoption of the new Classified Information Act. We therefore devoted a great deal of our time to examining the acquis communautaire and NATO rules. In this regard, mention should be made of the extensive assistance provided by the personnel of the EU security authorities, particularly the NSAs (NSA Director W. Raichak, Robert Keil and Rolf Ultes, amongst others), who were of great help to the staff working for the Office, both during and immediately after the period of accession to NATO. Despite all the initial difficulties that usually emerge when a new agency is being established, and despite all the tasks assumed by the Office at the national level, prior to accession and at the outset of EU and NATO membership, I believe that the »first team« accomplished the tasks to which they were entrusted in a professional manner, thereby putting a solid foundation in place for the current operation of the Office and the performance of its numerous tasks. 10 let Urada RS za varovanje tajnih podatkov VOJKO KOS – od 1. junija 2005 do 22. novembra 2007 VOJKO KOS – from 1 June 2005 till 22 November 2007 In May 2005, I was given the opportunity to assume the management of the UVTP. Maja 2005 mi je bila dana priložnost, da prevzamem vodenje nacionalnega varnostnega organa Republike Slovenije, to je Urada Vlade Republike Slovenije za varovanje tajnih podatkov. Ob prevzemu vodenja UVTP sem pristojnim predstavil svojo vizijo o tem, kako je treba urediti področje obravnavanja tajnih podatkov, da bodo tajni podatki Republike Slovenije ustrezno zavarovani. Pri tem sem poudaril stroške, in sicer v tem smislu, da pri obravnavi tajnih podatkov ne bi bilo nepotrebnih stroškov, da obravnavanje tajnih podatkov ne bi povzročalo nepotrebnih administrativnih težav pri vsakdanjem delu in da bo delo s tajnimi podatki v Republiki Sloveniji primerljivo z obravnavo tajnih podatkov v mednarodnem okolju, zlasti v EU in Natu. Za uresničevanje dogovorjenih ciljev mi ni nihče postavljal omejitev na zakonodajnem področju, to pomeni pri pripravi sprememb Zakona o tajnih podatkih in na njem temelječih podzakonskih aktih. Pri tem sem moral zagotoviti le to, da bo obravnavanje tajnih podatkov v Republiki Sloveniji skladno z obravnavanjem tajnih podatkov v mednarodnem okolju. Kadrovske in finančne omejitve (naloge je bilo treba opraviti v okviru odobrenih kadrovskih in finančnih virov) pa so zame dejansko predstavljale izziv. Z delom od jutra do večera vse dni v tednu, tudi ob sobotah in nedeljah in med dopustom, je uspela tako imenovana »misija nemogoče«. UVTP sem iz najetih in dragih ter varnostno neustreznih prostorov preselil v skromne, a hkrati ustrezne prostore v lasti Republike Slovenije, ki omogočajo in zagotavljajo ustrezno izvajanje nalog nacionalnega varnostnega organa. UVTP so okrepili javni uslužbenci, ki sem jih dobro poznal kot skromne, visoko strokovne in nepopustljive osebe, ki nikoli ne vprašajo, kakšne osebne koristi bodo imele zaradi opravljenega dela, Upon taking over the post of UVTP Director, I presented to the competent authorities my vision as to how the handling of classified documents would be regulated in order to ensure that national classified information would be suitably protected. In so doing, I highlighted measures to avoid unnecessary costs in the handling of classified information. Moreover, I stated that the handling of classified information should not cause excessive administrative burdens in day-to-day work and that work related to classified information in the Republic of Slovenia should be comparable to the handling of such information in the international environment, particularly in the EU and NATO. There were no objections to achieving the goals agreed upon by suggesting legislative restrictions – that is to say, any restrictions related to the preparation of amendments to the Classified Information Act and its related statutory instruments. The only promise I had to make was that the handling of classified information in Slovenia would be in compliance with the relevant international standards. For me, however, the real challenge was the restrictions in place regarding human resources and financial means, since our tasks had to be performed within the framework of the human and financial resources approved. Working every day from morning until evening, including Saturdays, Sundays and during our holidays, we managed to accomplish »mission impossible«. I moved the UVTP from rented, costly and – in terms of security – inadequate premises to modest yet suitable Government-owned premises, which facilitated and ensured the effective performance of NSA tasks. The UVTP's staff was reinforced by public servants whom I knew to be modest, highly professional and tenacious people – people who would never ask about how they would benefit personally from the work done, people who would never argue that the work they were doing alone required additional staff, and people who would never stop working until their tasks had been accomplished. Alone and without signing expensive contracts with external experts, UVTP employees succeeded in preparing draft amendments to the Classified Information Act, through which we completely revised the Act then in force. We prepared an Act that regulates the handling of classified information in an intelligible, effective, rational and transparent manner, 10 years of Government Office for The Protection of Classified Information (NSA) 9 ki nikoli ne poudarjajo, da sami opravljajo delo, za katero bi potrebovali več ljudi, in ki ne prenehajo delati, dokler naloga ni opravljena. Sami, brez dragih avtorskih pogodb z zunanjimi strokovnimi izvajalci, smo zaposleni v UVTP uspeli pripraviti predlog sprememb Zakona o tajnih podatkih, s katerimi smo takratni veljavni zakon vsebinsko popolnoma preuredili. Pripravili smo zakon, ki področje obravnavanja tajnih podatkov ureja jasno, učinkovito, racionalno, pregledno, brez nepotrebnih pravnih ali administrativnih zapletanj. Ureditev obravnavanja tajnih podatkov, ki smo jo predlagali, je bila vsebinsko popolnoma usklajena z zahtevami in standardi, ki sta jih pri obravnavanju tajnih podatkov sprejela EU in Nato. Predlagani zakon smo uspeli uskladiti z državnimi organi Republike Slovenije, s strokovno javnostjo ter pravnima službama vlade in državnega zbora. Pri tem moram posebej poudariti, da so predlagane rešitve po usklajevanju in sprejetju zakona v državnem zboru ostale vsebinsko nespremenjene. Podobno nam je uspelo tudi pri pripravi in sprejetju vseh podzakonskih aktov. without any unnecessary legal or administrative ambiguities. The regulatory framework we proposed was, in terms of content, fully harmonised with the requirements and standards adopted by the EU and NATO in relation to the handling of classified information. We succeeded in coordinating the draft Act with the Slovenian public authorities, the expert public and with the Government's and National Assembly's legal services. In this connection, I would particularly like to emphasise that the content of the solutions proposed remained unchanged following the coordination and adoption procedure in the National Assembly. We managed to accomplish practically the same for the preparation and adoption of all the statutory instruments. The fact that we did an excellent job was confirmed by the transposition of certain legislative solutions of the Classified Information Act into domestic legislation covering other areas. This, for example, applies to certain solutions regarding the performance of tasks in the areas of private security, the physical protection of courts, and nuclear facilities and substances in Slovenia. Da smo delo odlično opravili, dokazujejo posamezne zakonske rešitve, ki so bile povzete po rešitvah v Zakonu o tajnih podatkih tudi na drugih področjih domače zakonodaje, na primer posamezne rešitve glede izvajanja nalog zasebnega varovanja, nalog na področju fizičnega varovanja sodišč v Sloveniji in nalog na področju fizičnega varovanja jedrskih objektov ter jedrskih materialov v Sloveniji. The UVTP's international activities were quite modest at the beginning of my term of office. International commitments and the associated tasks were at first mainly fulfilled and performed in cooperation with public servants from other state authorities. This situation began to change when appropriate arrangements were made at the national level. Dejavnost UVTP na mednarodni ravni je bila na začetku mojega mandata zelo skromna. Pri mednarodnih obveznostih so sprva v večjem obsegu sodelovali in naloge opravljali javni uslužbenci iz drugih državnih organov. Stanje smo začeli spreminjati potem, ko smo uredili razmere na nacionalni ravni. Despite the aforementioned circumstances, also laid solid foundations for our activities at international level, and gradually started to take initiative in concluding international treaties on mutual handling of confidential information with and NATO member states. Kljub navedenemu smo tudi na mednarodni ravni postavili zanesljive temelje in postopoma začeli prevzemati pobudo pri sklepanju mednarodnih sporazumov za vzajemno obravnavanje tajnih podatkov z državami članicami Nato in EU. The quality of work my colleagues and I performed is also evidenced by the fact that, following my departure from the UVTP, the Classified Information Act and the statutory instruments covering the handling of confidential information have remained, in terms of content, unchanged. And neither has the trust held in my colleagues at the UVTP wavered since my departure. They continue to perform their tasks at the Office with great success. Kakovost dela, ki sem ga opravil s sodelavci, dokazuje tudi dejstvo, da se Zakon o tajnih podatkih in podzakonski akti o obravnavanju tajnih podatkov po mojem odhodu iz UVTP vsebinsko niso spreminjali. Prav tako se po mojem odhodu ni spremenilo zaupanje v sodelavce v UVTP in vsi še vedno uspešno opravljajo svoje naloge v tem uradu. Osebno sem ponosen tudi na to, da sem primopredajo nalog direktorja UVTP opravil z mag. Milan Tarmanom temeljito, strokovno in korektno. S sodelavci smo zadeve predali z obširnimi zapisniki za vse vsebinske sklope. Dejansko je primopredaja 10 we the the the EU I am also very proud of the thorough, professional and proper way in which the handover of the UVTP Director's duties to Milan Tarman was carried out. Together with my colleagues, I handed over the relevant matters supported by corresponding and comprehensive records. The area-by-area handover actually took several months to complete. We carried this out by observing a common goal – to ensure the further appropriate handling of the 10 let Urada RS za varovanje tajnih podatkov po področjih potekala več mesecev. Opravili smo jo s skupnim ciljem – zagotoviti nadaljnje ustrezno ravnanje s tajnimi podatki Republike Slovenije in tajnimi podatki drugih držav in organizacij, ki so bili z mednarodnimi sporazumi dani Republiki Sloveniji v obravnavo in varovanje. Ob praznovanju 10-letnice UVTP vsem želim vse najboljše, zlasti da bi sodelavci in direktor v UVTP še naprej uspešno opravljali svoje delo na področju obravnavanja tajnih podatkov v Sloveniji, tajnih podatkov drugih držav ter tajnih podatkov EU in Nata. confidential information of the Republic of Slovenia and the confidential information of other countries and organisations, i.e. information provided to the Republic of Slovenia for processing and protection under international treaties. On the 10th anniversary of the UVTP, I would like to wish everyone all the best and, in particular, that the UVTP's employees and its Director continue to successfully perform their duties in handling national classified information, as well as that of other countries, the EU and NATO. 10 years of Government Office for The Protection of Classified Information (NSA) 11 mag. MILAN TARMAN – od 23. novembra 2007 do 8. marca 2012 MILAN TARMAN – from 23 November 2007 to 8 March 2012 Dear reader, It is my honour and pleasure to share with you some thoughts and views related to the past period on the occasion of the 10th anniversary of the operation of the UVTP. Spoštovani, ob letošnji 10-letnici delovanja Urada Vlade Republike Slovenije za varovanje tajnih podatkov mi je v čast in veselje deliti z vami nekaj misli in pogledov na preteklo obdobje. Osebno sem ponosen, da sem bil v sodelovanju z vami del delovanja UVTP, ki je kot nacionalni varnostni organ – NSA – normativno nosilec področja varovanja tajnih podatkov ter spremlja in usklajuje izvajanje zakona in drugih predpisov, sprejetih na njegovi podlagi, ter mednarodnih pogodb, ki jih je sklenila Republika Slovenija. Pristojen je tudi za delovanje in spremljanje ter oblikovanje varnostnih politik, strategij, direktiv ter predpisov v varnostnih odborih in delovnih skupinah Sveta EU, Evropske komisije in Nata. V obdobju delovanja, ko sem imel privilegij in zadovoljstvo voditi to službo z zelo kompetentnimi in prijetnimi sodelavkami in sodelavci, naj izpostavim nekaj skupnih dosežkov in rezultatov. UVTP je proaktivno vodil in deloval v različnih oblikah medresorskega sodelovanja: Komisiji za informacijsko varnost; Komisiji za presojanje upravičenosti prevladujočega javnega interesa v zvezi z razkritjem podatkov, ki so določeni kot tajni; Medresorski delovni skupini za industrijsko varnost; Medresorski delovni skupini za osebno varnost; Medresorski delovni skupini za dokumentacijsko varnost; Medresorski strokovni delovni skupini za komunikacijsko varnost in Medresorski strokovni delovni skupini za izvajanje zaščite pred nezaželenim elektromagnetnim sevanjem (pripravljal imenovanje). Dejavnost smo izvajali skladno z Resolucijo o strategiji nacionalne varnosti Republike Slovenije, s smernicami in akcijskim načrtom za delovanje 12 I am very proud that, together with you, I could be part of the UVTP team who, in its role as NSA, is a statutory holder of powers in the protection of classified information, and monitors and coordinates the implementation of the relevant Act, the regulations adopted on its basis, and international treaties concluded by the Republic of Slovenia. The UVTP is also responsible for taking part in the activities of the security committees and working groups of the EU Council, the European Commission and NATO, and to monitor and co-design security policies, strategies, directives and rules within their framework. Allow me to highlight some of the joint achievements and results of my term of office, when I had the privilege of heading this agency and its highly competent and pleasant staff. The UVTP was in charge of and proactively participated in various forms of inter-ministerial cooperation within the framework of the following bodies: Commission for IT Security; Commission for Assessing the Legitimacy of the Prevailing Public Interest in the Disclosure of Secret Classified Information; Inter-Ministerial Working Group for Industrial Security; Inter-Ministerial Working Group for Personnel Security; Inter-Ministerial Working Group for Documentation Security; Inter-Ministerial Expert Working Group for Communication Security; and Inter-Ministerial Expert Working Group for Unintentional Compromising Emanations. The relevant activities were carried out in compliance with the Resolution on the National Security Strategy of the Republic of Slovenia, the guidelines and action plan related to Slovenia's policies in the Western Balkans, and other strategic documents and rules. We carried out all the internal legal procedures required in order to adopt, sign and ratify several bilateral agreements on the exchange and mutual protection of classified information. In addition, the agreements yet to be concluded with several countries are in various phases of the adoption process. As an appropriate legal basis, bilateral agreements facilitate cooperation between state authorities and economic entities, and strengthen mutual trust. 10 let Urada RS za varovanje tajnih podatkov Republike Slovenije na Zahodnem Balkanu ter drugimi strateškimi dokumenti in predpisi. Izpeljali smo vse potrebne notranjepravne postopke za sprejetje in podpis ter ratifikacijo več dvostranskih sporazumov o izmenjavi in vzajemnem varovanju tajnih podatkov, v različnih fazah sprejemanja so še sporazumi s številnimi državami. Dvostranski sporazumi kot ustrezna pravna podlaga omogočajo sodelovanje državnih organov in gospodarskih subjektov ter krepijo medsebojno zaupanje. Največ dejavnosti v okviru delovanja EU je bilo namenjenih sprejetju novih pravil o varovanju tajnih podatkov EU v okviru Sveta EU in posvetovanjem o sprejetju tovrstnih pravil Evropske komisije in evropske službe za zunanjepolitično delovanje (EEAS). V okviru varnostnega odbora Sveta EU je bil usklajen in izveden postopek ratifikacije za sporazum med državami članicami Evropske unije o varovanju tajnih podatkov, ki se izmenjujejo v interesu Evropske unije. Ta bo olajšal medsebojno sodelovanje na vseh področjih EU, ki vključujejo obravnavo tajnih podatkov EU. UVTP je sodeloval in še danes dejavno sodeluje tudi pri spremembi varnostne politike, direktivi na področju industrijske varnosti ter na področju informacijske in kibernetske varnosti v zvezi Nato. UVTP je uspešno organiziral in vsebinsko pripravil več mednarodnih dogodkov in konferenc, ki so pripomogli k večji prepoznavnosti naše države in nacionalnega gospodarstva: v letu 2009 je organiziral dve konferenci v okviru zveze Nato, in sicer v januarju konferenco INFOSEC, junija konferenco NSC AHWG, leta 2010 pa mednarodno konferenco o industrijski varnosti (Multinational Industrial Security Working Group - v nadaljevanju MISWG. V letu 2011 so stekle priprave za organizacijo mednarodnega dogodka, načrtovanega v maju 2012 v okviru držav članic jugovzhodne Evrope, s sodelovanjem regionalnega centra za sodelovanje EU, Nata in slovenskega zunanjega ministrstva. Pri uresničevanju letnih programov UVTP v obdobju mojega vodenja naj kot ključne izpostavim naslednje dosežke: – – – uspešno medresorsko sodelovanje z okrepitvijo delovanja medresorskih delovnih skupin s predstavniki pristojnih ministrstev in služb, koordinacija in izvedba Natovih inšpekcij v letih 2009 in 2011, iz česar izhaja pozitivna ocena Republike Slovenije na področju obravnave in varovanja tajnih podatkov, uspešno in mednarodno prepoznavno delovanje UVTP kot »National Security Authority – NSA« Republike Slovenije v odborih ter delovnih telesih Evropske unije, Evropske komisije in zveze Nato, Most of our activities within the framework of the EU were dedicated to the adoption of new rules on the protection of EU classified information within the EU Council, and to consultations on the adoption of such rules within the European Commission and the European External Action Service. In addition, the procedure for the ratification of the agreement between the EU's Member States on the protection of classified information exchanged in the interests of the European Union was coordinated and carried out by the EU Council Security Committee. This will facilitate mutual cooperation in all areas pertinent to the handling of EU classified information. The UVTP has participated, and still does, in the security policy modification procedure, and drafting directives on industrial security and NATO information and cyber security. The UVTP successfully organised and prepared relevant topics for several conferences and other international events, all of which have contributed to increasing the visibility of our country and its economy. In 2009 it organised two conferences within the framework of NATO: the InfoSec conference held in January and the NSC AHWG conference held in June, while in 2010 it organised the Multinational Industrial Security Working Group (hereinafter: MISWG) conference on industrial security. The year of 2011 saw the beginning of the organisational preparations for an international event to take place in 2012 between the countries of SouthEast Europe, in cooperation with the EU Regional Cooperation Centre, NATO and the Slovenian Ministry of Foreign Affairs. With regard to the implementation of UVTP annual programmes during my term of office, I would like to highlight the following key achievements: – – – – – successful inter-ministerial cooperation as a result of the augmentation of the relevant working groups with representatives from the competent ministries and agencies; the coordination and implementation of NATO inspections in 2009 and 2011, resulting in a favourable evaluation of the Republic of Slovenia in the handling and protection of classified information; the successful and internationally recognisable participation of the UVTP, in its role as the Slovenian NSA, in the activities of the EU, the European Commission and NATO committees and working groups; promoting and facilitating the activities of Slovenian economic operators; and the preservation and reinforcement of the Office's status. 10 years of Government Office for The Protection of Classified Information (NSA) 13 – – spodbujanje, omogočanje in promocija dejavnosti slovenskih gospodarskih subjektov, ohranitev in krepitev statusa službe. Prav tako gre zahvala tudi mojim predhodnikom in nasledniku na mestu direktorja – vsi so prispevali in prispevajo svoj del k uspešnemu delovanju UVTP. Posebno zahvalo izrekam tudi vsem posameznikom, organom in organizacijam, s katerimi smo sodelovali in sodelujemo doma ter v tujini in po delu z njimi ostajajo nepozabni kolektivni in osebni spomini. Vse navedeno je bilo mogoče samo v sodelovanju z izjemno motiviranimi sodelavkami in sodelavci z visoko pripadnostjo timskemu duhu. I would also like to thank my predecessors and my successor – they have all contributed and continue to contribute towards the efficient operation of the UVTP. Special thanks should also go to all the people, agencies and organisations with whom we have cooperated, both at home and abroad. Working with them left behind unforgettable collective and personal memories. Everything I have mentioned could only be achieved through cooperation with highly motivated colleagues with a strong sense of team spirit. So, with great gratitude, thanks again to everyone I have mentioned. It would be my great pleasure to have the opportunity to meet you again. Vsem omenjenim še enkrat izražam veliko zahvalo – v veliko osebno zadovoljstvo mi bodo ponovni stiki in srečanja z vami. 14 10 let Urada RS za varovanje tajnih podatkov 1 O Uradu Vlade Republike Slovenije za varovanje tajnih podatkov Na področju varovanja tajnih podatkov sta od začetka leta 1995 delovali dve komisiji, in sicer Komisija Vlade Republike Slovenije za varovanje zaupnih podatkov zveze Nato in Komisija Vlade Republike Slovenije za varovanje dokumentov Zahodnoevropske unije. V obeh komisijah, ki sta imeli sedež na slovenskem zunanjem ministrstvu, so sodelovali poleg ministrstva za zunanje zadeve še predstavniki ministrstva za obrambo, notranje zadeve in pravosodja. Slovenija je z Natom podpisala varnostni sporazum julija 1994 in ga ratificirala oktobra 1997. Na njegovi podlagi je slovenska vlada julija 1997 ustanovila nacionalni varnostni organ (NSA) – Komisijo za varovanje zaupnih dokumentov Nato, to področje pa je z Evropsko unijo urejala v sklopu predpristopnih pogajanj za članstvo v njej. Področje varovanja tajnih podatkov Zahodnoevropske unije je urejal Varnostni sporazum med Vlado Republike Slovenije in Zahodnoevropsko unijo, podpisan v Bruslju 24. julija 1998. Na podlagi delovanja teh komisij in pristopnih pogajanj je Republika Slovenija leta 2001 s sklepom številka 023-32/2001-1 z dne 17. januarja 2002 ustanovila Urad Vlade Republike Slovenije za varovanje tajnih podatkov. 1 About the Office As of early 1995, the protection of classified information was covered by two commissions: the Commission of the Government of the Republic of Slovenia for the Protection of NATO Classified Information and the Commission of the Republic of Slovenia for the Protection of the Western European Union Classified Information. Alongside the Ministry of Foreign Affairs, where the two commissions were based, representatives of the Ministry of Defence, the Ministry of the Interior and the Ministry of Justice also took part in their work. Slovenia signed a security agreement with NATO in July 1994, which it then ratified in October 1997. On its basis, the Slovenian Government established the National Security Authority (NSA) – the Commission for the Protection of NATO Classified Information – in July 1997. In relation to the European Union, this area was regulated in the context of the preaccession negotiations for EU membership. The protection of Western European Union classified information was regulated by the Security Agreement between the Government of the Republic of Slovenia and the Western European Union, which was signed in Brussels on 24 July 1998. Based on the activities of these commissions and on the accession negotiations, the Republic of Slovenia established, pursuant to Decision no. 023-32/2001-1 of 17 January 2002, the Office of the Government of the Republic of Slovenia for the Protection of Classified Information. 10 years of Government Office for The Protection of Classified Information (NSA) 15 1.1 Naloge in cilji 1.1 Tasks and objectives Dela in naloge UVTP so opredeljeni v Sklepu o ustanovitvi, nalogah in organizaciji UVTP (Uradni list RS, št. 6/02), Zakonu o tajnih podatkih (Uradni list RS, št. 50/06 – uradno prečiščeno besedilo, 9/10 in 60/11, v nadaljnjem besedilu: ZTP) in Aktu o notranji organizaciji in sistemizaciji delovnih mest v UVTP. The UVTP's duties and tasks are laid down in the Decision on the Establishment, Tasks and Organisational Structure of the Government Office for the Protection of Classified Information (Uradni list RS [Official Gazette of the Republic of Slovenia], no. 6/02), the Classified Information Act (Uradni list RS, no. 50/06 – official consolidated text, 9/10 and 60/11) and the Act on the Internal Organisation and Post Classification of the Government Office for the Protection of Classified Information. UVTP skladno z njimi opravlja naslednje poglavitne naloge: Spremlja stanje na področju določanja in varovanja tajnih podatkov ter skrbi za razvoj in izvajanje fizičnih, organizacijskih in tehničnih standardov varovanja tajnih podatkov v državnih organih, organih lokalnih skupnosti, pri nosilcih javnih pooblastil ter v gospodarskih družbah in organizacijah, ki pridobijo tajne podatke ali razpolagajo z njimi. Skrbi za izvajanje sprejetih mednarodnih obveznosti in mednarodnih pogodb o varovanju tajnih podatkov ter na tem področju sodeluje z ustreznimi organi tujih držav in mednarodnih organizacij. Skrbi za zagotavljanje varnosti tajnih podatkov v nacionalnih organih in v tujini ter v zvezi s tem opravlja zlasti naslednje naloge: izdaja dovoljenja za dostop do tajnih podatkov, varnostna potrdila pravnim osebam, varnostna potrdila za sisteme in naprave za prenos, hrambo in obdelavo tajnih podatkov, potrjuje izpolnjevanje predpisanih pogojev za obravnavanje tajnih podatkov s strani posameznega organa tujim državam in organizacijam, predlaga varnostno preverjanje za izdajo dovoljenja za dostop do tajnih podatkov, katerih predlagatelji niso zajeti v 22. členu ZTP in potrebujejo dovoljenje za dostop do tajnih podatkov tuje države ali mednarodne organizacije, izdaja navodila za ravnanje s tajnimi podatki tuje države ali mednarodne organizacije, nadzoruje izvajanje fizičnih, organizacijskih in tehničnih ukrepov za varovanje tajnih podatkov tuje države ali mednarodne organizacije in skladno z ugotovitvami nadzora izdaja obvezna navodila za odpravo ugotovljenih pomanjkljivosti, ki jih morajo organi izvesti takoj, ter izmenjuje podatke z nacionalnimi varnostnimi organi in mednarodnimi organizacijami. Pripravlja predloge predpisov, ki so potrebni za izvajanje ZTP, daje mnenje o skladnosti splošnih aktov o določanju, varovanju in dostopu do tajnih podatkov z ZTP, usklajuje delovanje državnih organov, pristojnih za varnostno preverjanje, in predlaga ukrepe za izboljšanje varovanja tajnih podatkov. Vodi evidenco dovoljenj za dostop do tajnih podatkov (22. člen ZTP), dovoljenj fizičnim osebam za dostop do tujih tajnih podatkov (43. b člen ZTP), izdanih 16 In accordance with these acts, the UVTP performs the following main tasks: 1. to monitor the situation in the classification and protection of classified data, and ensure the development and implementation of the physical, organisational and technical standards of classified information protection in government agencies, local community agencies, holders of public authorisations and those companies and organisations that either obtain or possess classified information; 2. to ensure the implementation of binding international obligations and international treaties on the protection of classified information, and to cooperate with the corresponding foreign agencies and international organisations in this area; 3. to ensure the security of classified information in national agencies and those abroad, and to perform the following tasks: – – – – – – – issue personnel security clearance; issue facility security clearance; issue security permissions for the systems and devices used to transmit, store and process classified information; certify that an agency fulfils the conditions for handling classified information set out by foreign countries and organisations; propose security clearance process for requestors who are not included in Article 22 of the Classified Information Act and who require permission to access the classified information of a foreign country or international organisation; issue instructions for handling the classified information of a foreign country or international organisation; supervise the implementation of physical, organisational and technical measures for the protection of the classified information of a foreign country or international organisation and, in accordance with the findings of the supervision procedure, issue directives for corrective measures to be implemented by the agencies immediately in order to eliminate the shortcomings identified 10 let Urada RS za varovanje tajnih podatkov Slika 1: Zastava Evropske unije, Republike Slovenije in zveze Nato Figure 1: Flags of the European Union, the Republic of Slovenia, and NATO Slika 2: Prostori Urada Vlade Republike Slovenije za varovanje tajnih podatkov Figure 2: Premises of the Office of the Government of the Republic of Slovenia for the Protection of Classified Information 10 years of Government Office for The Protection of Classified Information (NSA) 17 varnostnih dovoljenj organizacijam (35. člen ZTP), izdanih varnostnih dovoljenj organizacijam za dostop do tujih tajnih podatkov (43. b člen ZTP) in začasnih dostopov do tajnih podatkov (30. člen ZTP). 4. 5. Organizira in izvaja usposabljanja s področja varovanja tajnih podatkov in opravlja druge naloge, določene s predpisi, sprejetimi na podlagi ZTP. 6. 7. 8. 18 and exchange information with national security agencies and international organisations. to draw up the draft regulations required for the implementation of the Classified Information Act. to give opinions as to the compliance of general acts on the determination, protection of and access to classified information with the Classified Information Act. to coordinate the activities of government agencies responsible for security clearance and to propose measures to improve the protection of classified information. to keep records of personnel security clearances (Article 22 of the Classified Information Act), personnel security clearances to access foreign classified information (Article 43b of the Classified Information Act), facility security clearances (Article 43b of the Classified Information Act), and temporary security clearances (Article 30 of the Classified Information Act). to organise and carry out training in the area of the protection of classified information, and to perform other tasks set forth by regulations adopted on the basis of the Classified Information Act. 10 let Urada RS za varovanje tajnih podatkov 1.2 Znak UVTP 1.2 UVTP emblem Uredba o obliki in uporabi znaka UVTP (Uradni list RS, št. 1/08) določa obliko in uporabo znaka, ki simbolizira varnostno ključavnico. The Decree on the Design and Use of the UVTP Emblem (Uradni list RS, no. 1/08) prescribes the design and use of the emblem, which is symbolised by a safety lock. Znak sestavlja šest koncentričnih krogov. V notranjem krogu je stiliziran napis UVTP, sestavljen iz začetnic besed imena UVTP. V zgornji polovici zunanjega kroga je napis Republika Slovenija, v spodnji polovici pa napis Urad Vlade RS za varovanje tajnih podatkov. V zunanjem krogu so grb Republike Slovenije ter znaka Evropske unije in Nata. The emblem comprises six concentric circles. The inner circle contains a stylised logo made up from the initials of the Office's name. The upper half of the external circle bears the inscription »Republic of Slovenia« and the lower half the inscription »Office of the Government of the Republic of Slovenia for the Slika 3: Znak Urada Vlade Republike Slovenije za varovanje tajnih podatkov Figure 3: Emblem of the Office of the Government of the Republic of Slovenia for the Protection of Classified Information Slika 4: Pozlačeni znak in znak v lesenem okvirju Figure 4: Gilded emblem and emblem encased in a wooden frame 10 years of Government Office for The Protection of Classified Information (NSA) 19 Vsi trije znaki so razporejeni tako, da sestavljajo enakostranični trikotnik, pri čemer je grb Republike Slovenije med besedama Republika Slovenija, znak Evropske unije je na levi, znak Nata pa na desni strani. Vmesna kroga vsebujeta črtne in številčne oznake varnostne ključavnice. Na zadnji strani znaka so obris zemljevida Republike Slovenije ter napisa Republika Slovenija z grbom med besedama in spodaj Urad Vlade RS za varovanje tajnih podatkov. Znak se lahko uporablja na dokumentih in uradnih dokazilih, ki jih za službene namene uporabljajo uslužbenci urada, in sicer na potrdilih, vabilih, čestitkah, vizitkah in podobno. Izdela se lahko v različnih grafičnih oblikah, tudi poenostavljenih in stiliziranih, v različnih velikostih, dvo- ali tridimenzionalno. Uporablja se kot namizna zastavica, nalepka, kovinska značka, obesek, kovanec in podobno ter vnese na različne materiale (papir, tkanina, usnje, plastika, kovina, steklo). Protection of Classified Information«. In the external circle there are the coats-of-arms of the Republic of Slovenia, and the European Union and NATO emblems. All three signs are arranged so as to make up an equilateral triangle, whereby Slovenia's coat-of-arms is placed between the words »Republika Slovenija«, while the EU emblem is on the left-hand side and the NATO emblem is on the right. The intervening circles contain the bar and numerical codes of a safety lock. The reverse of the emblem shows the contours of the Republic of Slovenia, while the lower half bears the inscription »Office of the Government of the Republic of Slovenia for the Protection of Classified Information«. The emblem may be used on documents and official evidence used by the Office's employees for official purposes on certificates, letters of invitation and congratulation, visiting cards, etc. It can be manufactured in various graphic forms, including simplified and stylised forms, in different sizes and in a two- or three-dimensional designs. It can be used as a miniature table flag, a label, a metal badge, a tag, and a coin and similar, and inserted in various materials (paper, fabric, leather, plastics, metal or glass). 20 10 let Urada RS za varovanje tajnih podatkov 1.3 Zaposleni na UVTP 1.3 UVTP employees UVTP danes zaposluje ljudi s področja vojaških in obrambnih ved, poslovodnih in upravljalnih ved, naravoslovja, varstvoslovja, matematike in informatike, agronomije, poslovnih in upravnih ved, prava, družbenih ved in humanistike. Currently, the UVTP employs people who obtained their qualifications in the following areas: military and defence sciences, management, natural sciences, mathematics and informatics, agronomy, law, social sciences and the humanities. Izobrazbena struktura Education strukture Visoka strokovna / College Univerzitetna / Univerity Strokovni magisterij / Specialisation Magisterij znanosti / M.Sc. Doktor znanosti / Ph.D. Slika 5: Sedanja izobrazbena struktura zaposlenih na UVTP Figure 5: Current UVTP employee educational structure 10 years of Government Office for The Protection of Classified Information (NSA) 21 2 Zakonodaja na področju varovanja tajnih podatkov 2 Legislation relating to protection of classified information Državni zbor Republike Slovenije je na seji 25. oktobra 2001 sprejel Zakon o tajnih podatkih (ZTP), ki je v 43. členu predvidel ustanovitev Urada Vlade Republike Slovenije za varovanje tajnih podatkov – tega je morala vlada ustanoviti za spremljanje izvajanja tega zakona in drugih predpisov, sprejetih na njegovi podlagi. In its session of 25 October 2001, the National Assembly of the Republic of Slovenia adopted the Classified Information Act (ZTP), which provides in Article 43 for the establishment of the UVTP; this was set up by the Government of the Republic of Slovenia for the purposes of monitoring the implementation of the aforementioned Act and of other regulations adopted pursuant to it. Omenjeni zakon je v poglavju o prehodnih in končnih določbah predvidel tudi ustanovitev urada v šestih mesecih po uveljavitvi zakona. Vlada Republike Slovenije je s sklepom, objavljenim v Uradnem listu Republike Slovenije 25. januarja 2002, ustanovila Urad Vlade Republike Slovenije za varovanje tajnih podatkov ter skladno z zakonom določila strokovne naloge urada in njegovo organizacijo. Zakonodaja, ki ureja delovanje in naloge Urada Vlade RS za varovanje tajnih podatkov: Zakon o tajnih podatkih (Uradni list RS, št. 50/06 – uradno prečiščeno besedilo, 9/10 in 60/11), Uredba o varovanju tajnih podatkov (Uradni list RS, št. 74/05, 7/11 (24/11 popr.)), Uredba o obliki in uporabi znaka Urada Vlade RS za varovanje tajnih podatkov (Uradni list RS, št. 1/08), Uredba o notranjem nadzoru nad izvajanjem zakona o tajnih podatkih in predpisov, izdanih na njegovi podlagi (Uradni list RS, št. 106/02), Uredba o izvajanju inšpekcijskega nadzora na področju varovanja tajnih podatkov in vsebini posebnega dela strokovnega izpita za inšpektorja (Uradni list RS, št. 94/06), Uredba o varnostnem preverjanju in izdaji dovoljenj za dostop do tajnih podatkov (Uradni list RS, št. 71/06 in 138/06), Uredba o načinu in postopku ugotavljanja pogojev za izdajo varnostnega dovoljenja organizaciji (Uradni list RS, št. 70/07), Sklep o določitvi pogojev za varnostnotehnično opremo, ki se sme vgrajevati v varnostna območja (Uradni list RS, št. 94/06), 22 The chapter on the transitional and final provisions of the mentioned act provided for the establishment of the aforementioned office within six months following its entry into force. On 25 January 2002, the Government of the Republic of Slovenia, by virtue of its decision published in the Uradni list Republike Slovenije, established the UVTP and, pursuant to the law, laid down its professional tasks and system of organisation. The legislation regulating the operation and the tasks of the UVTP is as follows: The Classified Information Act (Uradni list RS, no. 50/06 – official consolidated text, 9/10 and 60/11) Decree on the Protection of Classified Information (Uradni list RS, no. 74/05, 7/11 (24/11 corrigendum)) Decree Determining the Form and Use of the Government Office for the Protection of Classified Information Emblem (Uradni list RS, no. 1/08) Decree on Internal Supervision of the Implementation of the Classified Information Act and Relevant Implementing Regulations (Uradni list RS, no. 106/02) Decree on the Conduct of Inspections in the Field of Classified Information Protection and the Subject Matter of a Special Part of Professional Examination for Inspectors (Uradni list RS, no. 94/06) Decree on vetting and issuing of personnel security clearances (Uradni list RS, nos 71/06 and 138/06) Decree on the Method and Procedure for Assessing the Conditions for Issuing Facility Security Clearance (Uradni list RS, no. 70/07) Decision Determining Conditions for Technical Security Equipment Permitted to be Installed in Security Areas (Uradni list RS, no. 94/06) 10 let Urada RS za varovanje tajnih podatkov Uredba o varovanju tajnih podatkov v komunikacijskoinformacijskih sistemih (Uradni list RS, št. 48/07 in 86/11). Decree on the Protection of Classified Information in Communication and Information Systems (Uradni list RS, Nos 48/07 and 86/11) Poleg navedenega področje tajnih podatkov urejajo tudi drugi sistemski postopkovni zakoni in mednarodne pogodbe, ki jih je sklenila Republika Slovenija. In addition to the legislation stated above, classified information is regulated by other systemic procedural laws and international agreements concluded by the Republic of Slovenia. 10 years of Government Office for The Protection of Classified Information (NSA) 23 3 Varovanje tajnih podatkov v Republiki Sloveniji 3 Protection of Classified Information in the Republic of Slovenia 3.1 Osebna varnost 3.1.1 Osnovna varnost Osebna varnost pri varovanju tajnih podatkov pomeni, da so vse osebe, ki dostopajo do tajnih podatkov zaradi opravljanja nalog ali funkcije na svojem delovnem mestu, ustrezno varnostno preverjene. To pomeni, da se v postopku varnostnega preverjanja osebe preverijo njena lojalnost, zanesljivost in verodostojnost, in sicer z namenom osebi izdati ali ji podaljšati dovoljenje za dostop do tajnih podatkov. V postopku varnostnega preverjanja se obravnavajo vidiki, ki zadevajo osebnostni značaj, in okoliščine, ki bi lahko povzročile nastanek potencialnih varnostnih problemov. 3.1.2 Postopek pridobivanja dovoljenja za dostop do nacionalnih tajnih podatkov 3.1 Personnel security 3.1.1 Personnel security with regard to the protection of classified information means that every person who requires access to classified information in order to discharge his/her tasks or functions must undergo a personnel security clearance procedure. The personnel security clearance procedure is used to determine the loyalty, dependability and authenticity of the person concerned for the purposes of delivering or extending personnel security clearance. During the personnel security clearance procedure, any circumstances and aspects of the person's character which might result in potential security problems are considered. 3.1.2 Vsaka oseba, ki se mora pri delu seznaniti s tajnimi podatki, mora biti pred dostopom do tajnih podatkov ustrezno varnostno preverjena. Varnostno preverjanje osebe je poizvedba, ki jo pred izdajo dovoljenja za dostop do tajnih podatkov opravi pristojni organ, in katere namen je zbrati podatke o morebitnih varnostnih zadržkih za dostop do tajnih podatkov. Postopek za pridobitev dovoljenja za dostop do tajnih podatkov je skladen z določili Zakona o tajnih podatkih (Uradni list RS, št. 50/06 – uradno prečiščeno besedilo, 9/10 in 60/11) in Uredbe o varnostnem preverjanju in izdaji dovoljenj za dostop do tajnih podatkov (Uradni list RS, št. 71/06 in 138/06). Postopek varnostnega preverjanja se začne na pisni predlog predlagatelja (predstojnik organa ali neposredno od njega pooblaščena oseba) in mora vsebovati osebno ime, rojstni datum osebe, ki jo je treba varnostno preveriti, in stopnjo tajnosti tajnih podatkov, za dostop do katerih je dan predlog za izdajo dovoljenja. Predlagatelj iz 22. f člena Zakona o tajnih podatkih mora preverjano osebo, ki je prej opravila usposabljanje za obravnavo in varovanje tajnih podatkov (osnovno usposabljanje), seznaniti z razlogi za pridobitev dovoljenja za dostop do tajnih podatkov 24 Basic security Security clearance process to access national classified information Any person required to have knowledge of relevant classified information in the performance of his/her work must be security cleared prior to obtaining access to classified information. Personnel security clearance is an inquiry carried out by a competent authority prior to issuing permission to access classified information; its aim is to gather data on any possible security restrictions regarding access to classified information. The procedure for obtaining personnel security clearance complies with the provisions of the Classified Information Act (Uradni list RS, no. 50/06 – official consolidated text, 9/10 and 60/11) and with the Decree on the vetting and issuing of personnel security clearances (Uradni list RS, nos 71/06 and 138/06). The personnel security clearance procedure is initiated on the written proposal of the proposer (either the head of the authority or a person authorised by the head) and must contain the name and date of birth of the person to be vetted and the level of classification allocated for the proposal to issue a security clearance certificate. 10 let Urada RS za varovanje tajnih podatkov ustrezne stopnje tajnosti, obsegom varnostnega preverjanja ter vsebino in postopkom za pridobitev dovoljenja za dostop do tajnih podatkov ustrezne stopnje tajnosti ter jo pozvati, naj da pisno soglasje za začetek varnostnega preverjanja. Ko preverjana oseba da svoje pisno soglasje za začetek varnostnega preverjanja in podpiše izjavo o seznanitvi s predpisi s področja tajnih podatkov, ji predlagatelj izroči ustrezne varnostne vprašalnike za varnostno preverjanje. Preverjana oseba vrne izpolnjene varnostne vprašalnike predlagatelju v zaprti ovojnici. Na sprednjo stran ovojnice preverjana oseba napiše ime in priimek, organ zaposlitve in opombo »vprašalnik za varnostno preverjanje«. Če preverjana oseba ne da soglasja za začetek postopka varnostnega preverjanja, se varnostno preverjanje ne opravi. Pisni predlog, podpisano soglasje in izjavo, dokazilo o osnovnem usposabljanju (to ne sme biti starejše od enega leta) ter ovojnico z izpolnjenimi varnostnimi vprašalniki predlagatelj predloži pristojnemu organu za vodenje postopka varnostnega preverjanja in izdajo dovoljenja za dostop do tajnih podatkov. Če v postopku varnostnega preverjanja varnostni zadržki niso bili ugotovljeni, se preverjani osebi izda dovoljenje za dostop do nacionalnih tajnih podatkov. Varnostno preverjanje opravljajo z zakonom določeni organi, in sicer: • • • Ministrstvo za notranje zadeve (MNZ) opravlja varnostno preverjanje za osebe, zaposlene v MNZ, ter za osebe, zaposlene v drugih organih in organizacijah Republike Slovenije (razen MO, SOVA), če ne gre za opravljanje obrambnih dolžnosti ali vojaške službe. Ministrstvo za obrambo – Obveščevalnovarnostna služba (MO OVS) opravlja varnostno preverjanje za zaposlene v MO in kadar gre za opravljanje obrambnih dolžnosti ali vojaške službe. Slovenska obveščevalno-varnostna agencija (SOVA) opravlja varnostno preverjanje za zaposlene v SOVI. The proposer referred to in Article 22.f of the Classified Information Act is required to inform a person who has completed training in the handling and protecting classified information (basic training) of the reasons for the following: obtaining a personnel security clearance of the relevant classification level; and of the scope of personnel security clearance and of the contents and procedures for obtaining personnel security clearance at the relevant classification level – and call upon this person to consent in writing to the commencement of personnel security clearance. When a person subject to security clearance provides his/her written consent to commence personnel security clearance and declares in writing that he/she has knowledge of the regulations on classified information, the proposer forwards him/ her the relevant personnel security clearance questionnaires. The person subject to security clearance returns the completed personnel security clearance questionnaires to the proposer in a sealed envelope. The front of the envelope must bear the person's name, his/her employment agency/organisation, and the words »personnel security clearance questionnaire«. If the person subject to security clearance does not give consent to the commencement of the personnel security clearance procedure, personnel security clearance shall not be carried out. The written proposal, the signed consent, the evidence of basic training (this may not be older than a year) and the envelope containing the personnel security clearance questionnaires completed are submitted by the proposer to the authority competent for vetting and issuing personnel security clearance. Where no security restrictions are established during the personnel security clearance procedure, the person subject to security clearance will be delivered a personnel security clearance certificate granting him/her access to national classified information. Personnel security clearance is carried out by the authorities defined by law. These are as follows: • 3.1.2.1 Medresorska delovna skupina za osebno varnost Od leta 2009 deluje na področju osebne varnosti tudi medresorska delovna skupina za osebno varnost, ki jo imenuje direktor UVTP. Poleg predstavnikov UVTP jo sestavljajo še predstavniki ministrstva za notranje zadeve, ministrstva za obrambo in Slovenske • Ministry of the Interior (MNZ); it carries out personnel security clearance for the persons employed in this ministry and for persons employed in other bodies and organisations of the Republic of Slovenia (with the exception of the Ministry of Defence and the Slovenian Intelligence and Security Agency (SOVA)), where their work does not involve the performance of defence duties or military service. Ministry of Defence – Intelligence and Security Service (MO OVS); it carries out personnel security clearance for the persons employed 10 years of Government Office for The Protection of Classified Information (NSA) 25 obveščevalno-varnostne agencije. Osnovne naloge medresorske delovne skupine so reševanje odprtih vprašanj in sprejemanje usmeritev na področju osebne varnosti ter priprava predlogov sprememb predpisov s področja obravnavanja in varovanja tajnih podatkov, ki vključujejo področje osebne varnosti. 3.1.3 Dovoljenje za dostop do tajnih podatkov EU 3.1.2.1 Inter-ministerial personnel security Če oseba na svojem delovnem mestu opravlja funkcijo ali delovne naloge, zaradi katerih bi se morala seznaniti z vsebino tajnih podatkov EU, je treba zaprositi za dovoljenje za dostop do tajnih podatkov EU. Dovoljenje za dostop do tajnih podatkov EU izda UVTP na podlagi pisnega predloga predlagatelja iz 22. f člena Zakona o tajnih podatkih, če ima oseba veljavno dovoljenje za dostop do nacionalnih tajnih podatkov. Pisni predlog mora vsebovati osebno ime, datum in kraj rojstva osebe, za katero se predlaga izdaja dovoljenja za dostop do tajnih podatkov EU, navedbo tuje države ali mednarodne organizacije, do katere tajnih podatkov naj bi imela oseba dostop (EU), stopnjo tajnosti tajnih podatkov EU in navedbo delovnega mesta osebe. Pisnemu predlogu mora predlagatelj priložiti izjavo o seznanitvi s predpisi, ki urejajo obravnavanje in varovanje tajnih podatkov EU (Sklep Sveta 2011/292/ EU, Sklep Komisije 2001/844/ES, Euratom), in zaprosilo za dostop do tajnih podatkov EU. Na zaprosilu mora biti glava organa predlagatelja. Pisni predlog, podpisano predlagatelj pošlje UVTP. izjavo in zaprosilo Dovoljenje za dostop do tajnih podatkov EU izda UVTP z veljavnostjo za čas, ko oseba potrebuje dostop do tajnih podatkov EU, vendar ne dlje, kakor velja dovoljenje za dostop do nacionalnih tajnih podatkov. 3.1.4 Dovoljenje za dostop do tajnih podatkov zveze Nato Če oseba na svojem delovnem mestu opravlja funkcijo ali delovne naloge, zaradi katerih bi se morala seznaniti z vsebino tajnih podatkov zveze Nato, je treba zaprositi za dovoljenje za dostop do tajnih podatkov zveze Nato. Dovoljenje za dostop do tajnih podatkov zveze Nato izda UVTP na podlagi pisnega predloga predlagatelja 26 • in this ministry and for persons involved in the performance of defence duties or military service. Slovenian Intelligence and Security Agency (SOVA); it carries out personnel security clearance for its own employees. working group for The inter-ministerial working group for personnel security, which is appointed by the UVTP director, has been active in the field of personnel security since 2009. Apart from the UVTP's representatives, the group is composed of representatives of the Ministry of the Interior, Ministry of Defence and of the Slovenian intelligence and Security Agency. The basic tasks of the inter-ministerial working group are to find solutions to open issues, adopt guidelines in the field of personnel security, and draft proposals for amendments to regulations on the handling and protection of classified information, including personnel security. 3.1.3 EU Security Clearance When a person performs a function or tasks for which he/she should have knowledge of the content of EU classified information, a request for EU security clearance must be made. EU security clearance shall be issued by the UVTP on the basis of a written proposal by the proposer, as referred to in Article 22.f of the Classified Information Act, if the person concerned has a valid security clearance certificate which permits access to national classified information. The written proposal must contain the name, date, and place of birth of the person for whom the proposal is made for EU security clearance, an indication of the country or international organisation whose classified information is to be accessed by that person (EU), the EU classified information level, and the employment position of the person concerned. The proposer shall annex to the written proposal a statement to the effect that the person has been acquainted with the regulations governing the handling and protection of EU classified information (Council Decision 2011/292/EU, Commission Decision 2001/844/EC, Euratom), and a request for EU security clearance. The letter of request must contain the header of the proposing authority. The written proposal, the signed statement and the request shall be submitted to the UVTP by the proposer. 10 let Urada RS za varovanje tajnih podatkov The UVTP shall issue the EU security clearance with a period of validity that corresponds to the time the person requires access to the EU classified information requested; however, this should not exceed the period of validity applicable to national classified information. iz 22. f člena Zakona o tajnih podatkih, če ima oseba veljavno dovoljenje za dostop do nacionalnih tajnih podatkov. Pisni predlog mora vsebovati osebno ime, datum in kraj rojstva osebe, za katero se predlaga izdaja dovoljenja za dostop do tajnih podatkov zveze Nato, navedbo tuje države ali mednarodne organizacije, do katere tajnih podatkov naj bi imela oseba dostop (zveza Nato), stopnjo tajnosti tajnih podatkov zveze Nato in navedbo delovnega mesta osebe. 3.1.4 When a person performs a function or tasks for which he/she should have knowledge of the content of EU classified information, a request must be made for NATO security clearance. Pisnemu predlogu mora predlagatelj priložiti izjavo o seznanitvi s predpisi, ki urejajo obravnavanje in varovanje tajnih podatkov zveze Nato, ter zaprosilo za dostop do tajnih podatkov zveze Nato. Na zaprosilu mora biti glava organa predlagatelja. Pisni predlog, podpisano predlagatelj pošlje UVTP. izjavo in NATO Security Clearance NATO security clearance shall be issued by the UVTP on the basis of a written proposal by the proposer, as referred to in Article 22.f of the Classified Information Act, if that person already has personnel security clearance to access national classified information. zaprosilo Dovoljenje za dostop do tajnih podatkov zveze Nato izda UVTP z veljavnostjo za čas, ko oseba potrebuje dostop do tajnih podatkov zveze Nato, vendar ne dlje, kakor velja dovoljenje za dostop do nacionalnih tajnih podatkov. The written proposal must contain the name, date, and place of birth of the person for whom the proposal is made for NATO security clearance, an indication of the country or international organisation whose classified information is to be accessed by the person concerned (NATO), the level of NATO classified information, and the employment position of the person concerned. Overjeno kopijo dovoljenja za dostop do tajnih podatkov zveze Nato izda UVTP na podlagi pravilno izpolnjenega zaprosila za izdajo overjene kopije dovoljenja. Overjeno kopijo dovoljenja izda UVTP v angleščini in je namenjena udeležbi na sestankih, projektih in podobno zveze Nato v tujini. The proposer shall annex to the written proposal a statement to the effect that the person has been acquainted with the regulations governing the handling 1600 Število izdanih dovoljenj / Number of permissions delivered 1400 1200 1000 Nato 800 EU 600 400 200 0 2007 2008 2009 2010 2011 Leto veljavnosti / Year of validity Slika 6: Število izdanih dovoljenj za Nato in EU z začetkom veljavnosti v koledarskem letu Figure 6: Number of NATO and EU security clearances delivered per calendar year 10 years of Government Office for The Protection of Classified Information (NSA) 27 and protection of NATO classified information, and a request for NATO security clearance. The letter of request must contain the header of the proposing authority. The written proposal, the signed statement and the request shall be forwarded to UVTP by the proposer. UVTP shall issue the NATO security clearance with a period of validity that corresponds to the time the person requires access to the NATO classified information requested; however, this should not exceed the period of validity applicable to national classified information. A certified copy of the NATO security clearance shall be delivered by the UVTP on the basis of a duly completed letter of request. A certified copy of the permission will be issued by the UVTP in the English language and will be used for the purposes of participating in NATO meetings, projects and the like, held abroad. 28 10 let Urada RS za varovanje tajnih podatkov 3.2 Dokumentacijska varnost 3.2 Documentation security Tajni podatki državi omogočajo, da z oznako tajnosti varuje svoje vitalne interese in tako zadosti svoji nacionalni varnosti. Tajni podatek je dejstvo ali sredstvo z delovnega področja organa, ki se nanaša na javno varnost, obrambo, zunanje zadeve ali obveščevalno in varnostno dejavnost države, sisteme, naprave, projekte in načrte pomembne za javno varnost, obrambo, zunanje zadeve ter obveščevalno in varnostno dejavnost državnih organov Republike Slovenije, znanstvene, raziskovalne, tehnološke, gospodarske in finančne zadeve, pomembne za javno varnost, obrambo, zunanje zadeve ter obveščevalno in varnostno dejavnost državnih organov Republike Slovenije, ki ga je treba zaradi zakonsko določenih razlogov zavarovati pred nepoklicanimi osebami in, ki je v skladu z zakonom določeno in označeno za tajno. Classified information allows countries to safeguard their vital interests and to satisfy their national security needs. Classified information is a fact or means from the sphere of an agency relating to public security, defence, foreign affairs or intelligence, and the security activities of the country, systems, appliances, projects and plans related to public security, defence, foreign affairs and intelligence, and the security activities of government agencies of the Republic of Slovenia, the scientific, research, technological, economic and financial affairs of relevance to public security, defence, foreign affairs and intelligence and security activities of Government agencies of the Republic of Slovenia, which, on statutory grounds, must be protected against unauthorised persons and which has been defined and marked as confidential. Classified information may be designated as RESTRICTED, CONFIDENTIAL, SECRET OR TOP SECRET. Tajni podatek je lahko označen s stopnjo tajnosti INTERNO, ZAUPNO, TAJNO ali STROGO TAJNO. OZNAKA MERILO po ZTP: možne škodljive posledice, če bi bil podatek razkrit nepoklicani osebi STROGO TAJNO razkritje bi ogrozilo vitalne interese Republike Slovenije ali jim povzročilo nepopravljivo škodovalo TAJNO razkritje bi lahko hudo škodovalo varnosti ali interesom Republike Slovenije ZAUPNO razkritje bi lahko škodovalo varnosti ali interesom Republike Slovenije INTERNO razkritje bi lahko škodovalo delovanju ali izvajanju nalog organa Preglednica 1: Pomen oznak stopnje zaupnosti po ZTP Dokumentacijska varnost opredeljuje enoten sistem določanja in označevanja tajnih podatkov, prenosa, razmnoževanja, evidentiranja, uničevanja in arhiviranja ter postopka ob zlorabi tajnega podatka. Pravno podlago, ki se pri tem upošteva, tvorijo predpisi s področja tajnih podatkov, in predpisi, ki obravnavajo ravnanje z dokumentarnim in arhivskim gradivom nasploh. Dokumentacijska varnost se z organizacijskimi ukrepi obravnave tajnih podatkov prepleta s fizičnimi in tehničnimi ukrepi varovanja tajnih podatkov, ki tvorijo celovit sistem varovanja tajnih podatkov, katerega cilj je preprečitev dostopa nepooblaščenim osebam ter sledljivost podatkov v njihovi življenjski dobi. Dokumentacijska varnost je opredeljena v Uredbi o varovanju tajnih podatkov (Uradni list RS, št. 74/05, 7/11 in 24/11– popr.). MARKING CRITERION in accordance with the CLASSIFIED INFORMATION ACT: possible adverse effects for the disclosure of classified information to unauthorised persons TOP SECRET Disclosure to unauthorised persons would cause irreparable damage to or put in jeopardy the vital interests of the Republic of Slovenia SECRET Disclosure to unauthorised persons could seriously harm the security or interests of the Republic of Slovenia CONFIDENTIAL Disclosure to unauthorised persons could harm the security or interests of the Republic of Slovenia RESTRICTED Disclosure to unauthorised persons could harm the activities or performance of tasks of an agency Table 1: Classification level markings in accordance with the Classified Information Act Documentation security defines a unique system for the determining and marking of classified information, its transmission, copying, recording, destruction, archiving and the procedure that applies in dealing with the abuse of classified information. The relevant legal basis to be considered in this regard consists of regulations governing classified information and of regulations governing the handling of documentary and archival material in general. In the domain of documentation security, organisational measures on the handling of classified information are intertwined with physical and technical measures of protection; the latter constitute a comprehensive system of classified 10 years of Government Office for The Protection of Classified Information (NSA) 29 Predpisi o tajnih podatkih med drugim opredeljujejo pristojnost določanja tajnih podatkov in v zvezi s tem tudi materialna in formalna merila tajnosti, dolžnost varovanja tajnosti ter tudi postopka ob morebitni zlorabi tajnega podatka. Po ZTP je namreč tajen le tisti podatek, ki kumulativno izpolnjuje materialno in formalno merilo tajnosti. Materialno merilo tajnosti podatka se opira na sámo vsebino podatka in določa, da se lahko podatek določi za tajnega le takrat, če je tako pomemben, da bi z njegovim razkritjem nepoklicani osebi lahko nastale ali bi očitno nastale škodljive posledice za varnost države ali za njene politične in gospodarske koristi ter se obenem nanaša izključno na že zgoraj navedena področja: javna varnost, obramba, zunanje zadeve, obveščevalna in varnostna dejavnost državnih organov Republike Slovenije oziroma se nanaša na sisteme, naprave, projekte in načrte ali znanstvene, raziskovalne, tehnološke, gospodarske in finančne zadeve, ki so pomembni za omenjene cilje. Materialno merilo torej vključuje dva vidika – prvi je v tem, da bi z razkritjem podatka lahko nastala ali bi očitno nastala določena škoda, drugi pa v povezavi škode s taksativno naštetimi interesnimi področji države. Oba materialna elementa se zrcalita v formalnem merilu tajnega podatka. Podatek je upravičeno označen kot tajen le, če so izpolnjeni naslednji trije formalni elementi. Prvi tak element je, da lahko podatek za tajnega določi le za to pooblaščena oseba. Načeloma je to po ZTP predstojnik organa ali oseba na najvišjih delovnih mestih in položajih, s čimer je zagotovljeno, da odločitve o tajnosti sprejemajo osebe, ki imajo dovolj informacij in znanja, da lahko ocenijo pomen morebitnih škodljivih posledic ob razkritju tajnega podatka. ZTP predpisuje tudi način in postopek določanja tajnosti, katerega bistvo je v izdelavi pisne ocene možnih škodljivih posledic, ki bi lahko nastale z razkritjem podatka. Pisna ocena predstavlja drugi element formalnega merila tajnosti in dejansko določa objekt varstva, torej interes, ki bi bil z razkritjem nepooblaščeni osebi ogrožen. Pisna ocena se hrani kot priloga dokumenta pri organu, ki je podatku določil stopnjo tajnosti. Prav ta pisna ocena možnih škodljivih posledic omogoča tudi naknadno preverjanje in ugotavljanje razlogov in okoliščin za odločitev, da se podatek določi za tajnega. Tretji element formalnega merila pa temelji na pravilni oznaki, saj je tajen samo tisti podatek, ki je ustrezno označen kot tajen. 3.2.1 Medresorska delovna skupina za dokumentacijsko varnost UVTP spremlja in usklajuje zadeve na področju dokumentacijske varnosti v najširšem smislu. V ta namen je ustanovljena tudi medresorska delovna 30 information protection aimed at preventing access to unauthorised persons and ensuring the traceability of information during its lifetime. Documentation security is defined in the Decree on the Protection of Classified Information (Uradni list RS, no. 74/05, 7/11 (24/11 corrigendum)). Regulations on classified information lay down inter alia who is competent for the classification of information, as well as relevant material and the formal criteria of secrecy, the duty to protect the confidentiality of information, and the procedure that applies in the event of a potential abuse of classified information. Under the Classified Information Act, only those pieces of information which cumulatively satisfy the material and formal criteria of secrecy shall be deemed classified. The material criterion of the secrecy of a piece of information relies on its very content and provides that a piece of information may be designated as classified only when it is of such importance that its disclosure to unauthorised persons could or might clearly prejudice the security of the country or its political or economic interests, and is exclusively related to the areas referred to above: public security, defence, foreign affairs, intelligence and security activities of Government agencies of the Republic of Slovenia, or which relates to systems, appliances, projects and plans or scientific, research, technological, economic and financial affairs of importance for the mentioned objectives. The material criterion therefore includes two aspects – the first being that the disclosure of a piece of information could or might obviously result in some adverse effects, and the second in relating such adverse effects to all the specified areas of interest of the country. These two material elements are reflected in a formal criterion for a classified piece of information. A piece of information is correctly marked as classified when the following three formal elements have been fulfilled: first, a piece of information can be designated as classified only by a person authorised to do so. Under the Classified Information Act, such persons are, in principle, the heads of agencies, or officials occupying the highest positions and ranks, this being a guarantee for decisions on secrecy to be taken by persons who possess sufficient information and knowledge to assess the importance of possible adverse effects resulting from the disclosure of classified information. In addition, the Classified Information Act lays down the manner and procedures for the classification of information, the essence of which is the elaboration of a written assessment of any possible adverse effects that might result from the disclosure of information. Such a written assessment constitutes the second formal criterion of secrecy and actually defines the subject of protection, i.e. 10 let Urada RS za varovanje tajnih podatkov skupina za dokumentacijsko varnost, ki skrbi za usklajevanje mnenj, enotno interpretacijo predpisov in iskanje odgovorov na odprta vprašanja, ki se dnevno porajajo ob konkretnem delu s tajnimi podatki. To delovno skupino tvorijo poleg UVTP tudi predstavniki ministrstev, pristojnih za obrambo, notranje zadeve, zunanje zadeve, javno upravo, finance in zdravje ter agencije za obveščevalno dejavnost. Na delovnih sestankih preučujejo zahtevnejša vprašanja s področja varovanja tajnih podatkov in z izmenjavo izkušenj dobrih praks iščejo odgovore na praktična vprašanja. the interest that would be jeopardised through the disclosure of information to an unauthorised person. The written assessment shall be attached as an annex to the document, and kept with the authority that determined the level of classification. Such an assessment allows for the subsequent verification and determination of the grounds and circumstances resulting in the decision leading to the information being designated classified. The third element of the formal criteria is based on the accuracy of the marking, since only properly marked information can be deemed classified. Vse več pozornosti se posveča tajnim podatkom v elektronski obliki, saj gre razvoj informacijskokomunikacijske opreme in sistemov nezadržno naprej. 3.2.1 Inter-ministerial working group for documentation security Z delovnimi sestanki z drugimi organi smo iskali optimalne rešitve glede obravnavanja tajnih podatkov tudi v sodnih postopkih oziroma v sodni veji oblasti. The UVTP monitors and coordinates documentation security matters in their broadest sense. To this end, an inter-ministerial working group for documentation security has been established. Its tasks include the coordination of views, the provision of a unique interpretation of the relevant regulations, and a search for answers to open issues resulting from day-to-day work on classified information. Apart from the UVTP, this working group is composed of representatives from the intelligence agency and the ministries responsible for defence, internal affairs, public administration, finance and health. As a rule, complex issues relating to the protection of classified Slika 7: Povezanost dokumentacijske in informacijske varnosti Figure 7: Interconnectivity of documentation and information security 3.2.2 information are discussed during working meetings, where answers to practical problems are also sought through the exchange of examples of good practice. Nekaj tém, ki jih je obravnavala omenjena komisija: elektronsko poslovanje s tajnimi podatki, ocena možnih škodljivih posledic, če bi bil tajni podatek razkrit nepooblaščeni osebi, arhiviranje tajnih podatkov, celostna grafična podoba tajnih podatkov, smiselnost uvedbe morebitne dodatne kategorije varovanih podatkov … Registrski sistem za tajne podatke EU in zveze Nato Za obravnavo tajnih podatkov zveze Nato in EU je sprejeto Navodilo za delo s tajnimi podatki zveze Nato in Evropske unije. Postopki so usklajeni s predpisi zveze Nato in EU na področju varovanja tajnih Hand in hand with the relentless development of information-communication equipment, more attention is increasingly paid to classified information in electronic form. 10 years of Government Office for The Protection of Classified Information (NSA) 31 podatkov ter z nacionalno zakonodajo, ki v nekaterih segmentih predpisuje celo zahtevnejše standarde varovanja od minimalnih. Bistvo registrskega sistema je sledljivost tajnemu podatku od prejema do uničenja ali arhiviranja. Registrski sistem za obravnavo tajnih podatkov EU in Nata je ustrezno vzpostavljen in deluje skladno s predpisi. Registrski sistem za obravnavo EU tajnih podatkov obsega centralni register vzpostavljen na zunanjem ministrstvu ter deset podregistrov vzpostavljenih na različnih ministrstvih. Registrski sistem za obravnavo tajnih zveze Nato obsega centralni register vzpostavljen na obrambnem ministrstvu ter trinajst podregistrov in tri kontrolne točke vzpostavljenih na različnih lokacijah. 3.2.3 Komisija Vlade Republike Slovenije za presojanje upravičenosti prevladujočega javnega interesa v zvezi z razkritjem podatkov, ki so označeni kot tajni Komisija Vlade RS za presojanje upravičenosti prevladujočega javnega interesa v zvezi z razkritjem podatkov, ki so označeni kot tajni, obravnava zahteve po razkritju tajnega podatka in pri tem predvsem na podlagi ocene možnih škodljivih posledic presoja težo in tehta interes za razkritje tajnega podatka ali ohranitev njegove tajnosti. Komisijo vodi UVTP, v njej pa sodelujejo tudi predstavniki ministrstva za obrambo, ministrstva za notranje zadeve, ministrstva za zunanje zadeve ter Slovenske obveščevalnovarnostne agencije. Razumljivo je, da je načelo javnosti v demokratični družbi pomembna pravica, vendar pa si tudi najbolj demokratična država ne more privoščiti popolne javnosti delovanja, saj postane ranljiva za nedemokratične pritiske, neuspešna in neučinkovita ter kot taka sama pomeni največjo grožnjo demokraciji. Za varovanje tajnosti mora vzpostaviti instrumente, ki ščitijo zasebnost države pred javnostjo in dejanskim ali potencialnim nasprotnikom. S tem ko se državi dopusti zaščita tajnosti, pa je treba zagotoviti tudi dovolj močne vzvode, ki onemogočajo in otežujejo zlorabo tega instituta. Eden teh vzvodov je tudi javna odgovornost oblasti in njena odgovornost do volivcev in javnosti. Primeri, ki jih navedena komisija obravnava, jasno kažejo na občutljivo ravnovesje med tajnostjo in javnostjo, ko je treba demokratičnemu načelu javnosti zadostiti tako, da ni škodljivih posledic za načelo tajnosti, in da se tančica tajnosti odstre toliko, da se ob spoštovanju načela tajnosti zadosti načelo javnosti. Tajnost je torej kompleksen pojav, ki vključuje pravico države do zasebnosti in varovanja svojih tajnosti. 32 Some of the topics discussed by the aforementioned Commission include electronic commerce with classified information, an assessment of the possible adverse effects in the event of the disclosure of classified information to unauthorised person(s), the archiving of classified information, the corporate design identity of classified information, and the appropriateness of introducing a possible additional classified information category, amongst others. In addition, optimum solutions regarding the handling of classified information in court proceedings were sought at working meetings held with other relevant authorities. 3.2.2 Registry system for EU and NATO classified information The handling of NATO and EU classified information required the adoption of the Instructions for Handling NATO and EU Classified Information. Relevant procedures have been harmonised with NATO and EU regulations on classified information, as well as with national legislation which, in certain areas, provides for even stricter standards of protection than the minimum prescribed. The essence of the registry system is to ensure the traceability of classified information from the moment it is received until it is destroyed or archived. The registry system for handling EU and NATO classified information has been properly put in place, and operates in compliance with the relevant regulations. The registry system for handling EU classified information comprises the central registry established at the Ministry of Foreign Affairs and ten sub-registries set up at various other ministries. The registry system for handling NATO classified information comprises the central registry established at the Ministry of Defence plus thirteen sub-registries and three control points set up at different locations. 3.2.3 Government Commission for Assessing the Legitimacy of the Prevailing Public Interest in the Disclosure of Secret Classified Information The Commission for Assessing the Legitimacy of the Prevailing Public Interest in the Disclosure of Secret Classified Information considers relevant requests for the disclosure of classified information and, based on an examination of any possible adverse effects, assesses the importance of and the interest in disclosing the information or keeping it secret. The Commission is led by the UVTP and brings together representatives of the Ministry of Defence, Ministry of the Interior, Ministry of Foreign 10 let Urada RS za varovanje tajnih podatkov Slika 8: Simbolična tehtnica interesa tajnosti in interesa javnosti Figure 8: Scales symbolising the weighing up of secrecy interests against the public interest Velikokrat so državni organi in pooblaščene osebe soočeni z dilemo, ali neki podatek pomeni tajnost, in če jo, katere stopnje naj bo. Zato se zgodi, da imajo oznako tajnosti podatki, ki naj bi dejansko ne bili tajni, ker ne zadoščajo predpisanim merilom tajnosti. Ocena možnih škodljivih posledic je zato pomemben dokument, v katerem je treba pisno pojasniti, kateri podatek se dejansko stopnjuje in razloge za stopnjevanje ter oceniti, kakšna škoda bi lahko dejansko nastala ob morebitnem razkritju nepooblaščeni osebi. Affairs and of the Slovenian Intelligence and Security Agency. It is understandable that in a democratic society the principle of public interest constitutes an important right; however, even the most democratic countries cannot afford absolute transparency in their operations, since this may make them vulnerable to undemocratic pressures, unsuccessful and inefficient and, as a result, a significant threat to democracy. In order to safeguard secrecy, every country must put in place mechanisms which protect the privacy of the state from the public and from existing or potential rivals. Allowing the state to protect its secrecy requires the provision of sufficiently strong leverage which is capable of preventing and hindering the abuse of this institute. One such lever is the public responsibility of the authorities in power and their responsibilities to the voters and the public. The cases considered by the aforementioned Commission clearly point to a sensitive equilibrium between secrecy and publicity when the democratic principle of public interest has to be satisfied in such a way that the principle of secrecy can suffer no adverse effects and that the veil of secrecy is drawn back only to the extent allowing the principle of public interest to get proper satisfaction. Secrecy is a complex phenomenon which includes the right of a state to privacy and to protect its secrets. State authorities and authorised persons are often faced with a dilemma as to whether some piece of information should be classified and – in the event of an affirmative answer – what classification level it should be allocated. As a result, certain information may be classified, despite not requiring classification, since it does not satisfy the statutory material criteria of secrecy. Therefore, an assessment of the possible adverse effects is a very important document wherein it is necessary to explain in writing which item of information is actually graded, including the reasons for its grading, and to assess the damage that would result from its eventual disclosure to an unauthorised person. 10 years of Government Office for The Protection of Classified Information (NSA) 33 3.3 Fizična varnost 3.3 Physical security Fizična varnost je pomemben element celotnega sistema varovanja tajnih in drugih pomembnih podatkov. Njen glavni cilj je odvrniti, preprečiti in/ ali odkriti nepooblaščene dostope do prostorov in predmetov, ki jih želimo zavarovati. Sistem fizične varnosti je sestavljen iz organizacijskih, varnostnotehničnih in mehanskih ukrepov ter postopkov in ukrepov fizičnega varovanja ali varovanja, ki ga opravljajo za to pooblaščene in usposobljene osebe. Vsi našteti dejavniki so med seboj tesno povezani, zato je učinkovitost celotnega sistema fizične varnosti odvisna od učinkovitosti njegovih posameznih elementov. Physical security is an important element in the entire system of the protection of classified and other relevant information. Its main objective is the dissuasion, prevention and/or detection of unauthorised access to premises and items requiring protection. The physical security system consists of organisational, security-technical and mechanical measures and procedures, and of physical protection or protectionrelated measures performed by duly authorised and qualified personnel. All the above stated factors are closely interconnected, what makes the efficiency of the overall physical security system dependent on the efficiency of its individual parts. Slika 9: Element fizičnega varovanja Figure 9: Physical security component Fizični varnostni ukrepi predstavljajo zgolj en vidik varnosti in morajo biti nujno podprti z drugimi elementi varovanja, kot so: osebna in dokumentacijska varnost ter varnost informacijskih sistemov, v kombinaciji s katerimi tvorijo t. i. integralni varnosti sistem. Pri odločanju o tem, katera stopnja fizične varnosti je potrebna, da so izpolnjena minimalna varnostna merila, je treba upoštevati različne dejavnike: stopnjo tajnosti in vrsto podatkov, ki se varujejo, njihovo količino, obliko in način hrambe, oceno ogroženosti in oceno tveganja ter stopnjo varnostne kulture pri zaposlenih. Physical security measures constitute only one of the security aspects and must have the inevitable support of other protection-related elements such as personnel and documentation security and the security of information systems, which, in combination with the former, constitute the integrated security system. When deciding on the degree of physical security required to ensure compliance with the minimum rules on security, the following should be taken into account: the classification level and type of classified information, its volume, form and method of storage, management of threats and risks, and the employees' awareness of security culture. Fizični ukrepi varovanja morajo biti takšni, da preprečijo vsakršen prikrit ali nasilen vstop ali dostop do varovane dobrine s strani zunanjih vsiljivcev, odvrnejo ali zaznajo zlonamerne aktivnosti zaposlenih, omogočijo izvajanje načela potrebe po seznanitvi ter zaznavo in ukrepanje zoper vsakršne varnostne postopke v najkrajšem možnem času. Zakonsko predpisani minimalni pogoji, ki veljajo v Sloveniji in jim mora ustrezati varnostnotehnična oprema varnostnih območij, so visoki, kar je neposredno tesno povezano z relativno visokimi stroški v zvezi z vzpostavitvijo varnostnih območij. Urad si zato v tesnem sodelovanju s pristojnimi resorji prizadeva, da bi se v slovensko zakonodajo, 34 Physical security measures must be such so as to prevent any covert or violent intrusion or access to protected assets by external intruders; they should discourage or detect any unauthorised activity by employees, facilitate the implementation of the needto-know principle, detect and take action against any actions that pose a threat to security activities in the shortest time possible. The statutory minimum conditions applicable in Slovenia and the security technical equipment installed in security areas to which they must comply are high; as a result, this is closely related to the 10 let Urada RS za varovanje tajnih podatkov ki ureja področje varovanja tajnih podatkov, uvedla metodologija upravljanja varnostnih tveganj, ki bi odpravila dosedanjo togo ureditev ter omogočila večjo prožnost pri izbiri cenovno primernih in hkrati učinkovitih varnostnih rešitev. relatively high costs of establishing security areas. For this reason, the UVTP, in close cooperation with the relevant sectors, makes efforts to incorporate such a methodology into national legislation (regulating the area of classified information protection) for security risk management, which would eliminate the present rigid system and allow for more flexibility regarding the choice of suitable and more cost-effective security solutions. 10 years of Government Office for The Protection of Classified Information (NSA) 35 3.4 Informacijska varnost 3.4 Information security Informacijska varnost ima pri sodobnem poslovanju, kjer je vedno več poslovnih postopkov podprtih z informacijsko tehnologijo, čedalje pomembnejšo vlogo, kar velja tudi za državno in celotno javno upravo. Tu se vsak dan prejme, ustvari, dopolni in spremeni veliko podatkov, med njimi tudi precejšnje število tajnih podatkov. Information security in modern business operations, where more and more operators use IT technology support has an ever increasing role; this applies to both the state and the public administration. Here, large amounts of information are received, created, supplemented and amended every day; much of it is classified information. Za celovitejše varovanje tajnih podatkov v komunikacijsko-informacijskih sistemih je vlada sredi leta 2007 sprejela Uredbo o varovanju tajnih podatkov v komunikacijsko-informacijskih sistemih. In mid- 2007, in order to provide for more comprehensive protection of classified information in communication-information systems, the Government adopted the Decree on the protection of classified information in communication-information systems. The Decree lays down a system of minimum standards, procedures and technical measures corresponding to the classification level of the information processed in the communicationinformation systems, and prevents the disclosure of information to unauthorised persons. Ta uredba določa sistem minimalnih standardov, postopkov in tehničnih ukrepov, ki ustreza stopnji tajnosti podatkov, ki se obravnavajo v komunikacijskoinformacijskih sistemih, ter onemogoča njihovo razkritje nepooblaščenim osebam. S to uredbo so opredeljeni: postopki varnostne odobritve za delovanje za komunikacijskoinformacijskega sistema, varovanje ključnih in drugih sestavin takega sistema, obveščanje o kritičnem informacijskem varnostnem dogodku, identifikacija in overitev dostopa uporabnikov v sistem, selekcija dostopa uporabnikov do podatkov, spremljanje in nadzor pristopa v sistem, zaščita tajnih podatkov pri prenosu zunaj varnostnega območja, povezovanje sistemov ter izvajanje zaščite proti neželenemu elektromagnetnemu sevanju. V skladu s sklepom Vlade Republike Slovenije je UVTP kot krovni nacionalni varnostni organ prevzel koordinacijsko vlogo varnostnih organov, ki na podlagi obstoječih normativnih aktov že opravljajo naloge s področja informacijske varnosti. Tako je UVTP postal krovno koordinacijsko telo oziroma nacionalni organ za komunikacijsko varnost (NCSA), nacionalni organ za zaščito pred neželenim elektromagnetnim sevanjem (NTA) in nacionalni organ za distribucijo kriptografskega materiala (NDA). Konkretne naloge se še naprej opravljajo v okviru posameznih organov, ki so te naloge opravljali tudi v preteklosti (organi za potrebe varovanja tajnih podatkov EU so vzpostavljeni v UVTP, organ za potrebe varovanja nacionalnih obrambnih TP in TP zveze NATO so vzpostavljeni v MORS, nekateri resorni organi imajo za nacionalne potrebe ustanovljene posamezne organe). Zaradi lažjega izvajanja naloge so v okviru UVTP ustanovljene strokovne delovne skupine, v katerih sporazumno sodelujejo strokovnjaki iz Ministrstva za notranje zadeve Republike Slovenije – Policije, Ministrstva za obrambo Republike Slovenije, Slovenske obveščevalno-varnostne agencije ter predstavnik UVTP, ki strokovno delovno skupino tudi vodi. 36 The Decree regulates the procedures relating to communication-information security system accreditation, the protection of its most important and other relevant components, the notification of critical security events, system user identification and authentication, the selection of user access to information, the monitoring and control of access to the system, the protection of classified information during transmission outside the security area, the connection of systems, and carrying out protection against unintentional compromising emanations. In accordance with the Government's decision, the UVTP as an umbrella national security agency which has assumed the role of coordinator over security authorities that perform information security tasks on the basis of existing normative Acts. As a result, the UVTP became the umbrella coordination authority, i.e. the National Communications Security Authority (NCSA), the National TEMPEST Authority for Protection against Unintentional Compromising Emanations (NTA) and the National Distribution Authority for Cryptomaterial (NDA). Specific tasks continue to be carried out by the individual authorities that used to perform these tasks in the past (authorities providing protection for EU classified information are set up within the UVTP; the authority for the protection of national defence classified information and NATO classified information is set up at the Ministry of Defence; in order to satisfy national requirements, relevant individual authorities were set up with some sectoral bodies). In order to facilitate the implementation of its tasks, several expert working groups have been set up within the UVTP; these involve the consensual participation of experts from the Ministry of the Interior – Police sector, the Ministry of Defence, the 10 let Urada RS za varovanje tajnih podatkov UVTP je na podlagi zakona o tajnih podatkih pristojen za izdajanje in preklic varnostnih dovoljenj za naprave za prenos, hrambo in obdelavo tujih tajnih podatkov skladno s sprejetimi mednarodnimi pogodbami. Slovenian Intelligence and Security Agency and a representative from the UVTP as head of the expert working group. Tako je UVTP od vstopa v zvezo Nato in EU leta 2004 organ za varnostno odobritev (SAA – Security Accreditation Authority) delovanja komunikacijskoinformacijskih sistemov zveze Nato in EU na teritoriju Republike Slovenije. Under the Classified Information Act, the UVTP is responsible for the issue and revocation of security certificates relating to the transmission-, storage- and processing equipment used with foreign classified information, in accordance with the international agreements concluded. Varnostna odobritev prvih komunikacijskoinformacijskih sistemov zveze Nato v Republiki Sloveniji je bila izvedena leta 2004. Istega leta je bila pripravljena tudi zahtevana varnostna dokumentacija za prve komunikacijsko-informacijske sisteme EU. Since its accession to NATO and the EU in 2004, the UVTP acts as a national security accreditation authority (SAA) responsible for the operation of NATO and EU communication-information systems in the Republic of Slovenia. V okviru Nata UVTP dejavno sodeluje v varnostnem odboru zveze Nato za zagotavljanje informacijske varnosti ter v posameznih delovnih skupinah s tega področja (kriptografska zaščita, kibernetska obramba ter v odborih za varnostne akreditacije komunikacijsko-informacijskih sistemov. Sodelujemo tudi v delu odbora za zagotavljanje informacijske varnosti in kibernetsko obrambo. V okviru EU UVTP dejavno sodeluje v delu teles v okviru Sveta EU, Evropske komisije, evropske zunanje službe ter posameznih agencij. 3.4.1 Komisija Vlade RS za informacijsko varnost Ker je področje informacijske varnost zelo široko in ga je nemogoče opredeliti zgolj v enem dokumentu – treba je pripraviti posamezna izvedbena navodila in priporočila –, je vlada ustanovila komisijo za informacijsko varnost. Sestavljajo jo strokovnjaki iz ministrstva za javno upravo, ministrstva za notranje zadeve, ministrstva za obrambo, ministrstva za zunanje zadeve, Slovenske obveščevalno-varnostne agencije in UVTP, katerega predstavnik komisijo tudi vodi. Delo komisije ureja poslovnik, h kateremu da soglasje Vlada Republike Slovenije. Naloge komisije so priprava tehničnih in normativnih rešitev za varovanje tajnih podatkov v komunikacijskoinformacijskih sistemi, določanje primernih načinov in postopkov za identifikacijo in overitev dostopa uporabnikov v komunikacijsko-informacijske sisteme, potrjevanje šifrirnih sistemov, ki se lahko uporabljajo v komunikacijsko-informacijskih sistemih, izdelava zahtev za povezovanje komunikacijsko-informacijskih sistemov in priprava varnostnih zahtev za izvajanje zaščite proti neželenemu elektromagnetnemu sevanju. Security accreditation for the first NATO communication-information systems in the Republic of Slovenia was provided in 2004. That same year, the security documentation required was drawn up for the first EU communication-information systems. The UVTP actively participates in NATO's Security Committee for information security and in several other NATO working groups (cryptographic protection, cyber defence), as well as in committees for the security accreditation of communication-information systems. The Office also participates in the work of the committee responsible for ensuring the provision of information security and cyber defence. Within the EU framework, the UVTP plays an active role in the work of its bodies such as the European Council, the European Commission, EU external services, and individual agencies. 3.4.1 Government Commission for IT Security IT security is a very broad area which cannot be defined in a single document and requires the preparation of separate implementation guidelines and recommendations. For this purpose, the Government has established the Commission for IT Security. The Commission is composed of experts from the Ministry of Public Administration, the Ministry of the Interior, the Ministry of Defence, the Ministry of Foreign Affairs, the Slovenian Intelligence and Security Agency and the UVTP, whose representative is also the head of the Commission. The Commission's work is regulated by its rules of procedure, which have been approved by the Government. The tasks of the Commission are to prepare technical and regulatory solutions for the protection of classified information in communication and information systems, in order to define appropriate methods and procedures for the identification and authentication of users prior to their access to information and 10 years of Government Office for The Protection of Classified Information (NSA) 37 3.4.2 Natova delavnica Infosec Od 28. do 30. januarja 2008 je na Brdu pri Kranju potekala Natova delavnica INFOSEC, ki sta jo s pomočjo UVTP organizirala NATO HQ Consultation, Comand and Control Staff (NHQC3S) in NATO Office of Security (NOS). Delavnica je bila namenjena predstavitvi organov INFOSEC, njihovega dela in nalog, zaščite TEMPEST, postavitve NATO KIS, postopka varnostne odobritve (akreditacije) povabljenima državama za članstvo v zvezi Nato – Albaniji in Hrvaški – ter predstavitvi dobrih praks. Na delavnici je sodelovalo skoraj 40 udeležencev, med njimi pet iz Slovenije (UVTP in MORS). 3.4.3 Tempest V delovno področje UVTP spada tudi usklajevanje izvajanja ukrepov za zaščito pred neželenim elektromagnetnim sevanjem v komunikacijskoinformacijskih sistemih, v katerih se obravnavajo tajni podatki, označeni s stopnjo ZAUPNO ali višje – govorimo o t. i. zaščiti TEMPEST. Ta zaščita sistemov je predpisana v Uredbi o varovanju tajnih podatkov v komunikacijsko-informacijskih sistemih (Uradni list RS, št. 48/2007, 86/2011) in jo morajo zagotavljati upravljavci sistemov. Z enako mero morajo biti zaščiteni nacionalni tajni podatki in tudi tajni podatki, označeni s primerljivimi mednarodnimi oznakami istih stopenj. TEMPEST se pogosto razlaga kot kratica za Transient Electromagnetic Pulse Emanation Standard, vendar pa sam izraz TEMPEST ne pomeni le tega in ne obsega le standardov za zaščito pred neželenim elektromagnetnim sevanjem. Nanaša se na analize in raziskave oziroma preučevanje sevanja ter vrste ukrepov za njegovo zmanjšanje. Neželeno sevanje je opredeljeno kot sevanje, ki se nenadzorovano razširja in s tem omogoča nekontrolirano odtekanje tajnih podatkov. Prenašajo se namreč signali, ki jih je mogoče prestreči in analizirati ter s tem razkriti informacije, ki so bile poslane, prejete ali kako drugače obravnavane z opremo, ki seva. Deli sistemov, v katerih se obravnavajo tajni podatki, se delijo glede na stopnjo zaščite, ki jo dajejo. Stopnje so označene s črkami A, B ali C, pri čemer A pomeni največjo zaščito, C pa najnižjo. Potrebna stopnja zaščite je odvisna od tega, v kakšen prostor je sistem postavljen, kar pa je povezano s tem, kako blizu lahko pride potencialni napadalec. Prostori so označeni z oznakami cona 0, 1 ali 2, pri čemer cona 0 pomeni, da lahko napadalec pride v 38 communication systems, to certify cryptographic systems which may be used in communication and information systems, to define the requirements for interconnection of communication and information systems, and to define the security requirements for protection against unintentional compromising emanations. 3.4.2 NATO InfoSec workshop From 28 to 30 January 2008, a NATO InfoSec workshop was held at Brdo pri Kranju. It was organised by NATO HQ Consultation, Command and Control Staff (NHQC3S) and the NATO Office of Security (NOS) in cooperation with the UVTP. The purpose of the workshop was to present the InfoSec bodies, their work and tasks, TEMPEST protection, NATO CIS deployment, the security accreditation process for two NATO candidate countries – Albania and Croatia – and examples of good practice. The workshop was attended by almost forty participants, five of whom were from Slovenia (from the UVTP and the Ministry of Defence). 3.4.3 TEMPEST The UVTP's area of work includes the coordination of measures to be taken for protection against unintentional compromising emanations emitted from within the communication and information systems which process information classified CONFIDENTIAL or higher; it is called TEMPEST protection. Such a protection system is prescribed in the Decree on the protection of classified information in communication and information systems (Ur. l. RS, nos 48/2007 and 86/2011) and must be provided by system administrators. An equivalent degree of protection must apply to national classified information and classified information marked by comparable international markings of the same classification levels. The term TEMPEST is often interpreted as the abbreviation for Transient Electromagnetic Pulse Emanation Standard; however, this is not its sole meaning as it covers more than just the standards for protection against unintentional compromising emanations. It refers to analyses, investigations and studies of compromising emanations and all types of measures for reducing emanations. Unintentional compromising emanations are defined as emanations emitted without control, thereby facilitating the leaking of classified information. Emanations are modulated signals which, if intercepted and analysed, may disclose the information transmitted, received, handled or otherwise processed by any communication equipment. 10 let Urada RS za varovanje tajnih podatkov Slika 10: Lahki odjemalec SUEDZ Figure 10: Thin client SUEDZ neposredno bližino; cona 1, da se lahko napadalec približa do 20 metrov; cona 2 pa približanje do 100 metrov. Določitev cone je odvisna tudi od uporabljenih gradbenih materialov, zato je za uvrstitev za vsak prostor treba izvesti ustrezne meritve. The parts of the systems which process classified information are defined with regard to the levels of protection they provide. The levels are marked with the letters A, B or C, whereby A indicates the highest level of protection, while C indicates the lowest. Te lahko opravljajo delavci ministrstva za obrambo, Policije, Slovenske obveščevalno-varnostne agencije in drugi organi, ki jih pooblasti komisija za informacijsko varnost. The level of protection requirements depends on the location of the system; this is related to the assumption of how close the potential attacker may come. The environments are designated by Zone 0, 1 or 2. In Zone 0 it is assumed that an attacker has almost immediate access, in Zone 1 it is assumed that an attacker cannot get closer than about 20 metres, while in Zone 2 an attacker cannot get closer than 100 m. The definition of the zone depends on the building materials used; therefore, each environment can only be defined after appropriate measurements have been carried out. Na nacionalni ravni bo na podlagi sklepa vlade in soglasjem sekretariata Sveta za nacionalno varnost ustanovljena medresorska strokovna delovna skupina za izvajanje zaščite pred neželenim elektromagnetnim sevanjem. V njej bodo sodelovali strokovnjaki z ministrstva za notranje zadeve (Policije), ministrstva za obrambo, Slovenske obveščevalno-varnostne agencije in UVTP. Vodja te delovne skupine bo delavec UVTP, ta pa ima že zdaj vlogo in naloge nacionalne avtoritete TEMPEST — NTA (National TEMPEST Authority). UVTP sodeluje z državnimi organi in gospodarskimi subjekti ter organi EU in Nata. V EU je bila za to področje ustanovljena delovna skupina ITTF (Implementation Tempest Task Force), katere član je tudi predstavnik Slovenije, zveza Nato pa to področje obravnava v agenciji SECAN (Military Committee Communications Security & Evaluation Agency). Standardi zaščite so poenoteni v EU in Natu ter preneseni tudi v slovensko zakonodajo. 3.4.4 Kriptologija Z razvojem informacijskih tehnologij in s tem povezanim razvojem obdelave informacij je danes precej lažje prestreči in spremeniti zapise podatkov. Prav zato so se v informacijski dobi povečale zahteve These measurements can be made by employees of the Ministry of Defence, the Police, the Slovenian Intelligence and Security Agency and other bodies authorised by the Commission for IT Security. At the national level, an inter-ministerial expert working group for the protection against unintentional compromising emanations will be set up on the basis of a decision adopted by the Government in agreement with the Secretariat of the National Security Council. The group will be composed of experts from the Ministry of the Interior (the Police), the Ministry of Defence, the Slovenian Intelligence and Security Agency and the UVTP. The head of the working group will be an employee from the UVTP who has already been performing the role and tasks of the National TEMPEST Authority. The UVTP cooperates with national bodies and economic operators as well as with EU and NATO 10 years of Government Office for The Protection of Classified Information (NSA) 39 Slika 11: Shematski prikaz delovanja simetričnega kriptosistema za pošiljanje zaupnih sporočil, kjer pošiljatelj in prejemnik uporabljata isti tajni ključ. po varnosti. Poleg običajnih ukrepov računalniške varnosti (npr. vstopno uporabniško ime in pripadajoče geslo, protivirusni programi in programske ali strojne požarne pregrade) je v današnji družbi uporaba kriptografije ključna, če že ne nujna za zagotavljanje varnega delovanja komunikacijsko-informacijskih sistemov. Temeljni gradniki računalniške varnosti, ki so za posameznega uporabnika popolnoma nevidni, so večinoma izjemno zapleteni kriptografski algoritmi in protokoli. Kriptografija zaradi svoje prilagodljivosti digitalnim medijem omogoča najvišjo stopnjo varnosti v primerjavi z alternativnimi metodami, če je seveda pravilno uporabljena. Glede na svoj strateški pomen in občutljivost je bila kriptografija zgodovinsko gledano v domeni državnih obveščevalnih in tajnih služb ter vojaških organizacij. Nemalokrat je tudi vplivala na potek zgodovine, saj je razkritje pomembnih zašifriranih informacij velikokrat določalo nadaljnji tok dogodkov. Figure 11: Schematic presentation of the operation of a symmetric cryptographic system for transmitting secret messages, whereby the message sender and recipient use the same secret key. authorities. In the European Union, an Implementation TEMPEST Task Force (ITTF) has been established for this purpose, a member of which is a representative from Slovenia, while NATO deals with this area within the Military Committee Communications Security & Evaluation Agency (SECAN). The EU and NATO have uniform protection standards that have also been transposed into Slovenian legislation. 3.4.4 Cryptography Primer klasičnega kriptosistema je sistem, v katerem se uporablja en ključ, ki je poznan samo uporabnikom komunikacije in mora biti zato varovan ter hranjen v strogi tajnosti. Kriptosisteme s tajnimi ključi imenujemo tudi simetrični kriptosistemi ali simetrične šifre. Scenarij delovanja simetričnega kriptosistema je prikazan na sliki 11. The development of information technology and the related data processing development have made it easier to intercept and reconstruct data records. The information age therefore calls for a higher level of security. Apart from the ordinary computer security measures used in today's society (e.g. the entry of user names and passwords, anti-virus programmes and software or hardware firewalls), the use of cryptography is of key importance; if not as urgent, in order to ensure the safe operation of the communication and information systems. The basic components of computer security, which are entirely unknown by the typical layperson, are usually extremely complex cryptographic algorithms and protocols. On account of its adaptability to Slika 12: Shematski prikaz operacije seštevanja točk na eliptični krivulji. Figure 12: Schematic presentation of the addition of points on the elliptic curve 40 10 let Urada RS za varovanje tajnih podatkov Slabost simetričnih kriptosistemov je v tem, da je potreben dodaten varen kanal, po katerem se ključ pošlje uporabnikom. To bi bila v današnjem času zelo velika ovira, zato so se že pred časom pojavile želje/ ideje po rešitvi tega problema. Iskal se je način, po katerem bi lahko obvestili uporabnike o ključu brez uporabe varnega kanala. Problem se je rešil z vpeljavo koncepta kriptografije javnih ključev. Prva realizacija je bila zasnovana na problemu faktorizacije, kar je izjemno težko izračunljiv matematičen problem. V zadnjih desetletjih pa se vse bolj uporabljajo kriptosistemi z eliptičnimi krivuljami. Na sliki 10 je prikazana operacija seštevanja točk na eliptični krivulji, ki se uporablja v takih kriptosistemih. Po slovenski zakonodaji je dovoljeno hraniti, obravnavati ter prenašati tajne podatke v upravnem oziroma v varnostnem območju organa. Izven upravnega oziroma varnostnega območja organa je dovoljeno prenašati tajne podatke po akreditiranih sistemih, vendar le v šifrirni obliki. Nadalje, izmed šifrirnih rešitev je za namene prenašanja tajnih podatkov po akreditiranih sistemih dovoljeno uporabljati le tiste šifrirne rešitve, ki jih odobri komisija za informacijsko varnost ali drug zakonsko določen organ, ter izda UVTP ali drug zakonsko določen organ. Ob izdaji potrdila so izdane tudi odobrene minimalne varnostne zahteve za označevanje, distribucijo in uporabo. Šifrirne rešitve so šifrirna oprema (strojna in programska) ter sistemi, ki se uporabljajo za šifrirno varovanje podatkov v komunikacijsko-informacijskih sistemih, v katerih se obravnavajo tajni podatki. Med šifrirne rešitve spadajo tudi vsi moduli (sklopi), ki so vgrajeni v posamezne dele sistemov in namenjeni šifrirnemu varovanju podatkov. 3.4.4.1 Medresorska strokovna delovna skupina za komunikacijsko varnost Šifrirno ovrednotenje oziroma akreditacija šifrirne rešitve je postopek, v katerem se ugotovi primernost predlagane šifrirne rešitve za varovanje tajnih podatkov določene stopnje tajnosti. Za opravljanje akreditacij šifrirnih rešitev je UVTP na podlagi sklepa Vlade RS, soglasja Sekretariata Sveta za nacionalno varnost ter v soglasju z ministrstvom za notranje zadeve (Policijo), v soglasju z ministrstvom za obrambo in v soglasju s Slovensko obveščevalnovarnostno agencijo ustanovil medresorsko strokovno delovno skupino za komunikacijsko varnost (MDS KV) v aprilu 2011. Skupino MDS KV sestavljajo predstavniki ministrstva za obrambo, ministrstva za notranje zadeve (Policije), Slovenske obveščevalno-varnostne agencije in UVTP. Naloge skupine MDS KV so: vrednotenje šifrirnih rešitev skladno z Navodilom o postopku odobritve digital media, cryptography provides for the highest degree of security if compared to other methods. It must, however, be properly used. With regard to its strategic importance and sensitivity, cryptography has been throughout history in the domain of national security and intelligence services and military organisations. It has also had a significant impact on the course of history because the disclosure of important encrypted information often affected the future course of events. An example of a classic cryptographic system is a system using a single encryption key which is known only to communication users and must therefore be protected and kept completely confidential. Cryptographic systems with secret keys are also called symmetric cryptographic systems or symmetric ciphers. The scenario for the operation of a cryptographic system is shown in Figure 11. The weakness of symmetric cryptographic systems is that they require an additional safe channel through which the key is sent to the users. Today, this would represent a major hindrance; therefore, some time ago, the need and resulting ideas materialised to resolve this problem. Efforts were made to find a way in which users could be informed of the key without using a safe channel. The problem was resolved by introducing the concept of public key cryptography. The implementation of this concept was, at first, based on the factorisation problem, which is a very difficult maths problem. However, in recent decades, elliptic curve cryptographic systems have been increasingly used. Figure 10 shows an arithmetic operation – the addition of points on the elliptic curve – which is used in such cryptographic systems. According to Slovenian legislation, classified information may be stored, processed and transmitted in the administrative and security area of a government authority. Outside this area, classified information may only be transmitted via systems accredited for processing classified information, but only in encrypted form. Moreover, for the transmission of classified information via accredited systems, only those cryptographic solutions may be used which have been approved by the Commission for IT Security or another body determined by the law, and issued by the UVTP, or another body determined by law. When a certificate is issued, approved minimum security requirements for markings, distribution and application must also be issued. Cryptographic solutions include cryptographic equipment (hardware and software) and systems used for cryptographic information protection in the communication and information systems where classified information is processed. Cryptographic solutions also include all the modules (assemblies) incorporated in the separate system parts and intended for cryptographic information protection. 10 years of Government Office for The Protection of Classified Information (NSA) 41 uporabe šifrirnih rešitev v Republiki Sloveniji št. 02201/2010/61 z dne 7. 12. 2010, neposredno sodelovanje pri razvoju kriptografskih rešitev, vodenje evidence ter pregledovanja potrjenih kriptografskih rešitev, zagotavljanje učinkovitega in pravilnega izbora, uvajanja, upravljanja ter vzdrževanja kriptografskih rešitev, postavljanje nacionalnih standardnih kriptografskih primitivov, izvajanje nadzora nad tehničnimi informacijami v zvezi s kriptografskimi rešitvami zveze Nata in EU, ki se uporabljajo za obravnavanje nacionalnih tajnih podatkov ter tajnih podatkov Nata in EU v nacionalnih komunikacijskoinformacijskih sistemih, sodelovanje s sorodnimi organi v Sloveniji ter v drugih državah in mednarodnih organizacijah, ki so odgovorni za komunikacijsko varnost ter s tem povezanimi področji informacijske varnosti ter druge naloge s področja komunikacijske varnosti. 3.4.5 EU NDA – nacionalni organ Evropske unije za razdeljevanje kriptografskega materiala (CM) NDA je sestavni del informacijske varnosti, neposredno podrejen vodji informacijske varnosti pri nacionalnem varnostnem organu. Osnovna naloga: upravljanje in zagotavljanje pravilnega ravnanja s kriptografskim materialom EU in s tem povezanimi nalogami prevzemanja, evidentiranja, shranjevanja, uničevanja, rokovanja, razdeljevanja, sledenja, reševanja kriptografskih incidentov in izobraževanja uporabnikov. Učinkovito delovanje NDA je povezano z vsaj tremi do štirimi osebami: vodjo NDA, kriptografskim skrbnikom, njegovim namestnikom in inženirjem za komunikacijsko varnost. Naloge so razdeljene glede na področje delovanja: za varovanje in nadzor NDA skrbi vodja NDA, naloge, povezane s samim kriptomaterialom, prevzame kriptografski skrbnik ali njegov namestnik, inženir za komunikacijsko varnost pa pripravi vse potrebne postopke za delo s kriptomaterialom ter druge, povezane in soodvisne postopke. Delovanje je nujno hierarhično, saj se tako zagotavlja optimalna razdelitev dela in nalog. Povezano je predvsem s sprotnim in natančnim ter doslednim delom pri ravnanju s kriptomaterialom v vseh mogočih oblikah. NDA sodeluje z organi v EU (zlasti s področja kriptografije) in tudi znotraj Republike Slovenije (končni uporabniki kriptomateriala). 3.4.4.1 Inter-Ministerial Expert Working Group for Communication Security Cryptographic evaluation or the approval of a cryptographic solution is a procedure used to determine the adequacy of a proposed cryptographic solution for the protection of classified information at a specific level of classification. In April 2011, the UVTP established – on the basis of a decision by the Government of the Republic of Slovenia and in agreement with the Secretariat of the National Security Council, the Ministry of the Interior (the Police), the Ministry of Defence and the Slovenian Intelligence and Security Agency – the InterMinisterial Expert Working Group for Communication Security, which took over responsibility for the approval of cryptographic solutions. It is composed of representatives of the Ministry of Defence, the Ministry of the Interior (Police), the Slovenian Intelligence and Security Agency and the UVTP. The tasks of the Inter-Ministerial Expert Working Group for Communication Security are as follows: to evaluate cryptographic solutions in accordance with the Instructions on the approval procedure for the use of cryptographic solutions in the Republic of Slovenia, no. 0220-1/2010/61 of 7 December 2010; to directly participate in the development of cryptographic solutions, to keep records of and examine approved cryptographic solutions, to provide an effective and correct selection, to introduce, manage and maintain cryptographic solutions, to set international standards for cryptographic primitives, to carry out supervision over technical information related to NATO and EU cryptographic solutions being used for the processing of national classified information, and NATO and EU classified information in national communication and information systems, to cooperate with related bodies in Slovenia and other countries and the international organisations responsible for communication security and for similar IT security areas, and to carry out other tasks in the area of communication security. 3.4.5 EU NDA – National Crypto Distribution Authority The NDA constitutes an integral part of IT security, directly subordinate to the head responsible for IT security at the NSA. The basic task of the NDA is to manage and provide for the correct handling of EU cryptomaterial and to carry out related tasks, including the take-over, record keeping, storage, destruction, handling, distribution and tracking of material, to resolve cryptographic incidents, and to provide training for users. The NDA must involve at least the following three or four persons to be able to operate effectively: the 42 10 let Urada RS za varovanje tajnih podatkov head of the NDA, a crypto custodian, an alternate crypto custodian and a communications security officer. With regard to its area of operation, its tasks are distributed as follows: the head of the NDA is responsible for the protection and supervision of the NDA, the crypto custodian and the alternate crypto custodian are responsible for the crypto material, while the communications security officer is in charge of preparing all the procedures required for work with the cryptomaterial, and for interconnectivity and interdependency. Their operations must be organised hierarchically in order to provide for the optimum distribution of work and tasks. This mainly refers to continuous, accurate and consistent work related to cryptomaterial in all its possible forms. The NDA cooperates with EU authorities (particularly in the area of cryptography) and also with the authorities in Slovenia (final users of the cryptomaterial). 10 years of Government Office for The Protection of Classified Information (NSA) 43 3.5 Industrijska varnost 3.5 Industrial security Pojem industrijska varnost v ožjem smislu zajema zagotavljanje varnostnih postopkov in ukrepov, potrebnih za doseganje ustrezne ravni varnosti tajnih podatkov, ki jih država izmenjuje z gospodarskimi družbami. Gre za vzpostavitev takega sistema varovanja, ki učinkovito preprečuje nepooblaščeno razkritje, uničenje, odtujitev, spreminjanje ali kakršno koli drugačno zlorabo tajnih podatkov, opreme, objektov oziroma kakršnega koli premoženja, ki ga želi država zavarovati. Področje industrijske varnosti je multidisciplinarno, saj prepleta elemente s področja osebne, fizične, tehnične, dokumentacijske in informacijske varnosti. Za doseganje ustrezne ravni varovanja tajnih podatkov so zato potrebni organizacijski, administrativni in drugi postopki, ki omogočajo celostno oziroma integralno varovanje. V širšem smislu lahko pri industrijski varnosti govorimo tudi o sposobnosti države, da vzpostavi ustrezno ravnovesje med zaščito lastnih gospodarskih, političnih ali varnostnih interesov ob hkratnem spodbujanju gospodarske konkurenčnosti. In its narrowest sense, the term industrial security means the provision of security procedures and measures required to achieve the relevant levels of protection of classified information exchanged between the state and companies. It involves the introduction of a security system which effectively prevents the unauthorised disclosure, destruction, misappropriation, modification or any other misuse of classified information, equipment, facilities, or any kind of property the state wishes to protect. Industrial security is a multidisciplinary area integrating elements of personal, physical, technical, documentation and IT security. In order to achieve a relevant level of protection of classified information, organisational, administrative and other procedures are required to provide for comprehensive and integrated security. In its broader sense, industrial security can also be understood as the ability of the state to strike an adequate balance between protecting its own economic, political and security interests and, at the same time, promote economic growth. Da lahko neka gospodarska družba dostopa do tajnih podatkov, katerih lastnik je Republika Slovenija, mora pridobiti ustrezno varnostno dovoljenje. Varnostno dovoljenje je administrativna potrditev, da gospodarska družba izpolnjuje pogoje za varno obravnavanje tajnih podatkov od najnižje do vključno tiste stopnje tajnosti, do katere ji je bilo varnostno dovoljenje izdano. V zadnjih nekaj letih je na tem A company may be given access to classified information owned by the Republic of Slovenia if it obtains appropriate facility security clearance. Facility security clearance means an administrative determination that a company fulfils the conditions for the safe handling of classified information of the lowest classification level up to the same classification level as the clearance being granted. In recent years, Slika 13: Predstavitev podjetja na konferenci MISWG 2010 Figure 13: Presentation of a company at the MISWG 2010 Conference 44 10 let Urada RS za varovanje tajnih podatkov področju opazen znaten premik oziroma vedno večje število gospodarskih subjektov, ki so v možnosti sodelovanja v projektih, ki zahtevajo ali vključujejo dostop do tajnih podatkov, prepoznali poslovno priložnost. V Sloveniji je danes tako že skoraj dvesto gospodarskih družb z varnostnimi dovoljenji, ki jim omogočajo sodelovanje pri tajnih naročilih. Posedovanje varnostnega dovoljenja gospodarski družbi odpira tudi možnost sklepanja komercialnih pogodb, katerih izvedba pogojuje dostop do tajnih podatkov, z gospodarskimi družbami drugih držav, pri čemer pa je temeljnega pomena pogoj, da ima Republika Slovenija z zadevno državo sklenjen in veljaven varnostni sporazum. Dvostransko sodelovanje in meddržavni dogovori o vzajemnem varovanju tajnih podatkov so ena od pomembnih vlog nacionalnega varnostnega organa, katerega naloge opravlja Urad Vlade RS za varovanje tajnih podatkov. Število gospodarskih družb s pridobljenimi varnostnimi dovoljenji za dostop do tujih tajnih podatkov vsako leto narašča, vendar številka še zdaleč ne kaže dejanske konkurenčnosti slovenskega gospodarstva. Urad si zato v sodelovanju s pristojnimi resorji zelo prizadeva, da bi gospodarske družbe spodbudil k pridobivanju teh dovoljenj. S pridobljenim varnostnim dovoljenjem za dostop do tujih tajnih podatkov se gospodarskim družbam namreč odprejo tudi vrata za sodelovanje v razpisih zveze Nato in Evropske unije. Zaradi nenehno spreminjajočega se globalnega varnostnega okolja je področje industrijske varnosti eno najbolj razvijajočih se in intenzivnih področij delovanja in sodelovanja nacionalnih varnostih organov, hkrati pa se na tem področju vsake spremembe tudi najhitreje pokažejo. Prožnost in prilagodljivost vseh sodelujočih sta zato izjemnega pomena. Zaradi usklajevanja dejavnosti, razreševanja odprtih vprašanj in sprejemanja usmeritev na področju industrijske varnosti se pristojni organi na nacionalni in mednarodni ravni povezujejo v različne oblike sodelovanja. Na nacionalni ravni je treba omeniti medresorsko projektno skupino za industrijsko in fizično varnost, v kateri sodelujejo predstavniki različnih resorjev, ki so vključeni v proces industrijske varnosti, na mednarodni ravni pa je poleg delovnih odborov in teles EU in Nata, ki ustvarjajo varnostno politiko tega področja, treba omeniti delovanje skupine MISWG. Danes so za prepoznavanje raznih vrst ogroženosti in obvladovanje tveganj potrebna specifična znanja. Da bi UVTP dvignil raven varovanja tajnih podatkov in spodbudil razmišljanja o pomenu krepitve varnostne ozaveščenosti, je leta 2009 začel posebna usposabljanja vodilnih in za varnost odgovornih oseb iz gospodarskih družb z varnostnim dovoljenjem. significant progress has been observed in this area and the number of economic operators who have found a business opportunity in participating in projects requiring and involving access to classified information has also increased. Today, there are almost 200 companies in Slovenia that have obtained facility security clearance, which enables them to participate in security procurements. A company in possession of facility security clearance also has an opportunity to sign commercial contracts with companies from other countries, the implementation of which requires access to classified information; the precondition is, however, that Slovenia has signed a security agreement with the country in question and that the agreement is in force. Bilateral cooperation and interstate agreements on the mutual protection of classified information are among the most important NSA tasks performed by the UVTP. The number of companies who were granted facility security clearances for access to foreign classified information is increasing every year; however, the overall number is far from reflecting the actual competitiveness of the Slovenian economy. For this reason, the UVTP is making every effort – in cooperation with the relevant ministries – to encourage companies to acquire these clearances. By being granted facility security clearances for access to foreign classified information, companies may also get the opportunity to participate in NATO and EU tenders. Owing to the constantly changing global security environment, industrial security has become one of the most rapidly developing and intensive areas of operation and cooperation between national security authorities; it is also an area in which every change can be observed immediately. Flexibility and the adaptability of everyone involved are therefore two extremely important elements. The competent authorities at the national and international levels have entered into various forms of cooperation in order to coordinate their activities, resolve open issues and adopt guidelines relating to industrial security. At the national level, the Inter-Ministerial Project Group for Industrial and Physical Security should be mentioned, which consists of representatives from different ministries who are involved in the industrial security process, while at the international level, the most important authorities are EU and NATO working committees and bodies developing security policies in this area, and the MISWG. Today, specific knowledge is required for the identification of different types of threats and risk management. In 2009, the UVTP introduced special training programmes in order to improve the level of protection of classified information and to 10 years of Government Office for The Protection of Classified Information (NSA) 45 Poleg krepitve vezi med državo in gospodarskih sektorjem, ki je na področju varnosti tajnih podatkov ključnega pomena, je glavni namen takega usposabljanja približanje razumevanja koncepta varovanja vitalnih državnih interesov subjektom, ki se v procesu svojega delovanja srečujejo s tajnimi podatki. Poleg tega naj bi udeleženci navedenega usposabljanja pridobili tudi boljšo ozaveščenost o zaščiti lastnega znanja, inovacij in idej. Na tak način urad neposredno prispeva k zaščiti konkurenčnosti slovenskega gospodarstva, posredno pa k njegovi hitrejši gospodarski rasti in razvoju. 3.5.1 Medresorska projektna skupina za industrijsko in fizično varnost Na pobudo in poziv UVTP je bila leta 2008 ustanovljena medresorska projektna skupina za industrijsko varnost. Z novim sklepom o imenovanju leta 2012 je bila nazivu dodana tudi obveznost obravnave fizične varnosti. Poleg UVTP jo sestavljajo predstavniki ministrstva za notranje zadeve, obrambo, finance – Carinske uprave Republike Slovenije, ministrstva za gospodarstvo, za zunanje zadeve in Slovenske obveščevalno-varnostne agencije. Pri oblikovanju in usklajevanju določenih strokovnih vsebin, ki se nanašajo na področje industrijske in fizične varnosti, lahko pri delu komisije po odločitvi vodje delovne skupine sodelujejo tudi predstavniki drugih državnih organov in strokovnjaki s posameznih področij. Osnovne naloge projektne skupine na začetku delovanja so bile izdelava skrajšane in popolne izdaje priročnika o industrijski varnosti, poenotenje postopkov in uporabljenih standardov pri izdajanju varnostnih dovoljenj organizacijam pri vseh organih, proučevanje in dajanje predlogov rešitev pri novih problemskih situacijah, povezanih z industrijsko varnostjo, priprava letnih poročil o industrijski varnosti v Sloveniji za MISWG in priprava vsebinskih podlag za organizacijo konference MISWG, ki je leta 2010 potekala v Sloveniji. Pri aktualiziranju nalog smo letos črtali zadnjo alinejo, dodali pa obveznost priprave predlogov sprememb predpisov s področja obravnavanja in varovanja tajnih podatkov, ki vključujejo področje industrijske in fizične varnosti. Za obravnavo ožjega specifičnega področja v okviru svojih nalog lahko medresorska projektna skupina oblikuje podskupino, ki o svojih ugotovitvah in sklepih poroča medresorski delovni skupini. 46 encourage people to raise their security awareness. The programmes are intended for key management personnel and the persons responsible for security in companies which possess facility security clearances. The main purpose of the training is not only to strengthen ties between the state and the economic sector, which is crucial in the area of protection of classified information, but also to make the concept of protecting vital state interests more understandable to those entities that come across classified information in their working processes. The training participants should also be better aware of the need to protect their own knowledge, innovations and ideas. In this way, the UVTP directly contributes to protecting the competitiveness of the Slovenian economy, while indirectly also contributing to faster economic growth and development. 3.5.1 Inter-Ministerial Project Group for Industrial and Physical Security At the initiative and upon the request of the UVTP, the Inter-Ministerial Project Group for Industrial Security was established in 2008. On the basis of the new decision on the appointment adopted in 2012, the project group also took over the obligation of dealing with physical security and was therefore renamed the Inter-Ministerial Project Group for Industrial and Physical Security. Apart from the representatives of the UVTP, the project group involves representatives from the Ministry of the Interior, the Ministry of Defence, the Ministry of Finance (the Customs Administration of the Republic of Slovenia), the Ministry of the Economy, the Ministry of Foreign Affairs and the Slovenian Intelligence and Security Agency. In the development and coordination of certain professional contents which refer to industrial and physical security, the representatives of other state authorities and experts for individual areas may also participate in the work of the Commission, but only subject to the approval of the head of the project group. At the beginning of its operation, the basic tasks of the project group were to draw up a full- and short-form version of an industrial security manual, to introduce uniform procedures and applicable standards to be used by every authority issuing facility security clearances to organisations, to examine and submit proposals for solutions in new critical situations related to industrial security, to prepare annual reports on industrial security in Slovenia for the MISWG and to prepare substantive bases for the organisation of the MISWG Conference, which took place in Slovenia in 2010. In the process of updating the tasks, the obligation of preparing substantive bases for the organisation of the Conference was 10 let Urada RS za varovanje tajnih podatkov replaced by the obligation to prepare proposals for amendments to regulations which refer to the handling and protection of classified information, including the area of industrial and physical security. The Inter-Ministerial Project Group may also establish a subgroup to deal with more specific areas within its tasks; the subgroup shall be obliged to report to the inter-ministerial project group. 10 years of Government Office for The Protection of Classified Information (NSA) 47 3.6 Usposabljanje 3.6 Training UVTP skladno z Zakonom o tajnih podatkih in Uredbo o varnostnem preverjanju in izdaji dovoljenj za dostop do tajnih podatkov organizira in izvaja osnovna usposabljanja s področja obravnavanja in varovanja tajnih podatkov za osebe, ki tovrstno usposabljanje potrebujejo. Pursuant to the Classified Information Act and the Decree on the vetting and issuing of personal security clearances, the UVTP organises and carries out basic training for handling and protecting classified information which is intended for persons who need this kind of training to perform their work. Zaprosila za izvedbo usposabljanja ali prijave na usposabljanje se pošljejo na uradni elektronski naslov UVTP: gp.uvtp(at)gov.si. Requests for the performance of training and applications for training are to be sent to the official email address of the UVTP: gp.uvtp@gov.si. Prav tako urad izvaja izobraževanja, katerih vsebina je namenjena osebam, ki v organih in organizacijah (4. točka prvega odstavka 35. b člena ZTP) izvajajo izobraževanje in prenašajo ustrezno znanje s področja obravnavanja tajnih podatkov na druge osebe. Namen tovrstnega usposabljanja je udeležencem predstaviti integralni sistem obravnavanja tajnih podatkov ter spodbuditi razmišljanje o pomenu krepitve varnostne ozaveščenosti zaposlenih, da bi zagotovili čim višjo raven zaščite nacionalnih interesov Republike Slovenije, tako da bodo udeleženci v svojih delovnih okoljih uspešno prenašali tovrstno znanje sodelavcem. The UVTP also carries out training programmes, the contents of which are intended for persons who provide training in authorities and organisations and transfer the knowledge related to the handling of classified information to other persons. The purpose of such training programmes is to present to the participants an integral system of handling classified information and to encourage them to develop their viewpoint on the importance of strengthening security awareness of the employees. By transferring their knowledge successfully to their colleagues in their working environments, the training participants can also provide the highest possible level of protection of Slovenia's national interests. Osnovno in dodatno usposabljanje lahko v organih in organizacijah izvajajo osebe ali organizacijske enote, ki jih določi predstojnik. Praviloma naj usposabljanje opravljajo osebe, ki imajo ustrezna predznanja s področja varnostnih ved in dejansko izvajajo naloge s področja obravnavanja tajnih podatkov, kar In authorities and organisations, basic and advanced training may be carried out by persons or organisation units appointed by the head of an authority or organisation. As a rule, training should be carried out by persons who have adequate prior knowledge of Slika 14: Usposabljanje o tjnih podatkih Figure 14:Classified IT security training 48 10 let Urada RS za varovanje tajnih podatkov predstavlja neposreden prenos znanja in izkušenj drugim. Neposredni izvajalci usposabljanja so lahko strokovnjaki s področja obravnavanja tajnih podatkov, ki jih za izvedbo usposabljanja določi predstojnik (prvi odstavek 23. člena Uredbe o varnostnem preverjanju in izdaji dovoljenj za dostop do tajnih podatkov). Vsebina usposabljanja naj bo prilagojena sistemu obravnavanja in varovanja tajnih podatkov v organu/ organizaciji ter udeležencem in njihovim potrebam v zvezi z obravnavanjem tajnih podatkov. Izvajalci usposabljanj (organi/organizacije) izdajo udeležencem po usposabljanju potrdilo/dokazilo o udeležbi na usposabljanju, ta pa mora vsebovati vsaj osebno ime in rojstni datum udeleženca, vrsto usposabljanja (osnovno ali dodatno) ter navedbo organa ali organizacije, ki je opravila usposabljanje. criminal justice and security and actually carry out tasks related to the handling of classified information, which enables them to transfer their knowledge and experience directly to others. Direct providers of training may be experts in handling classified information and are appointed for that purpose by the head of an authority or organisation (first paragraph of Article 23 of the Decree on vetting and issuing of personal security clearances). The content of training should be adapted to the system of handling and protecting classified information in an authority or organisation and to the participants and their needs related to the handling of classified information. 10 years of Government Office for The Protection of Classified Information (NSA) 49 4 Mednarodno sodelovanje 4 International cooperation 4.1 Varovanje tajnih podatkov tujih držav ali mednarodnih organizacij 4.1 Protection of Classified Information of Foreign Countries or International Organisations Poleg delovanja in zastopanja varnostnih interesov Republike Slovenije v mednarodnih organizacijah je ena osnovnih nalog UVTP varovanje tujih tajnih podatkov. Osnova je zapisana v Zakonu o tajnih podatkih in podzakonskih aktih, osnovna načela izmenjave in vzajemnega varovanja tajnih podatkov po posameznih državah pa so sprejeta v dvostranskih sporazumih. One of the UVTP's main tasks, in addition to the operation and representation of the security interests of the Republic of Slovenia in international organisations, is the protection of foreign classified information. The basis is laid down in the Classified Information Act and its implementing acts, while the main principles of the exchange and mutual protection of classified information for individual countries are adopted in bilateral agreements. 4.2 Povzetek iz Zakona o tajnih podatkih Tajni podatek tuje države je podatek, ki ga je Republiki Sloveniji ali njenim organom posredovala tuja država ali njen organ ali mednarodna organizacija ali njen organ v pričakovanju, da bo ostal tajen, ter podatek, ki je rezultat sodelovanja Republike Slovenije ali njenih organov s tujo državo ali mednarodno organizacijo ali njihovimi organi, in za katerega je dogovorjeno, da mora ostati tajen. Dostop do tajnih podatkov tuje države ali mednarodne organizacije, njihov prenos in varovanje se izvaja skladno z Zakonom o tajnih podatkih ali predpisi, izdanimi na njegovi podlagi, ali skladno z mednarodno pogodbo, ki jo je s tujo državo ali mednarodno organizacijo sklenila Republika Slovenija. Tajni podatki tuje države ali mednarodne organizacije praviloma ohranijo oznake, ki so v rabi v tej državi ali organizaciji, ali pa se označijo na način, določen z ZTP, pri čemer morajo biti stopnje tajnosti primerljive in morajo zagotavljati enakovredno varovanje. Z mednarodno pogodbo, ki jo v zvezi z izmenjavo ali posredovanjem tajnih podatkov s tujo državo ali mednarodno organizacijo sklepa Republika Slovenija, je določen način označevanja tajnih podatkov Republike Slovenije v tuji državi ali mednarodni organizaciji in raven varovanja teh podatkov. Standard varovanja ne sme biti nižji od tistega, določenega v ZTP. V mednarodni pogodbi je lahko zapisano, da pristojni varnostni organi Republike Slovenije in tujih držav ali mednarodnih organizacij lahko medsebojno sodelujejo pri varnostnem preverjanju oseb, če to ni v nasprotju s predpisi, ki v Republiki Sloveniji urejajo varstvo osebnih podatkov. 50 4.2 Summary of the Classified Information Act The classified information of a foreign country is information which a foreign country or its agency, or an international organisation or its agency, have conveyed to the Republic of Slovenia on the understanding that it will be kept secret, and information resulting from cooperation between the Republic of Slovenia or its agencies with a foreign country or an international organisation and its agencies which is to be kept secret by mutual agreement. Access to the classified information of a foreign country or an international organisation, and its transmission and protection shall be implemented in accordance with the Classified Information Act or the regulations based thereon, or in accordance with international treaties concluded between a foreign country or international organisation and the Republic of Slovenia. The markings of the classified information of a foreign country or international organisation shall, as a rule, remain in the form in which they are used in that country or international organisation. Such information may also be marked as provided by the Classified Information Act, on the condition that the levels of classification are comparable and ensure an equal degree of protection. The method of marking classified information of the Republic of Slovenia in a foreign country or international organisation, and the degree of protection afforded to that information, should be specified in an international treaty on the exchange or provision of classified information 10 let Urada RS za varovanje tajnih podatkov Izvajanje mednarodnih pogodb spremlja in usklajuje nacionalni varnostni organ. Naloge nacionalnega varnostnega organa v Republiki Sloveniji opravlja UVTP. between a foreign country or international organisation and the Republic of Slovenia. The degree of protection shall allocated not be inferior to the degree determined by the Classified Information Act. Nacionalni varnostni organ skrbi za izvajanje mednarodnih pogodb in sprejetih mednarodnih obveznosti, ki jih je v zvezi z obravnavanjem in varovanjem tajnih podatkov sklenila ali sprejela Republika Slovenija, ter na tem področju sodeluje z ustreznimi organi tujih držav in mednarodnih organizacij, razen če mednarodna pogodba ne določa drugače. International treaties may determine that, in carrying out personnel security clearance, the competent bodies of the Republic of Slovenia may cooperate with the security clearance agencies of foreign countries or international organisations, provided that this is not in conflict with the regulations on personal data protection in the Republic of Slovenia. Nacionalni varnostni organ usklajuje dejavnosti za zagotavljanje varnosti nacionalnih tajnih podatkov v tujini in tujih tajnih podatkov na območju Republike Slovenije. The implementation of international treaties shall be monitored and coordinated by the NSA. The tasks of the NSA in the Republic of Slovenia are carried out by the UVTP. V zvezi z izvajanjem mednarodnih pogodb in sprejetih mednarodnih obveznosti nacionalni varnostni organ opravlja zlasti naslednje naloge: izdaja in preklicuje dovoljenja fizičnim osebam za dostop do tujih tajnih podatkov, izdaja in preklicuje varnostna dovoljenja organizacijam za dostop do tujih tajnih podatkov, izdaja in preklicuje varnostna dovoljenja za sisteme in naprave za prenos, hrambo in obdelavo tujih tajnih podatkov skladno s sprejetimi mednarodnimi pogodbami, potrjuje izpolnjevanje predpisanih pogojev za obravnavanje tajnih podatkov s strani posameznega organa ali organizacije tujim državam in mednarodnim organizacijam, izdaja navodila za ravnanje s tajnimi podatki tuje države ali mednarodne organizacije, nadzoruje izvajanje fizičnih, organizacijskih in tehničnih ukrepov za varovanje tajnih podatkov tuje države ali mednarodne organizacije in skladno z ugotovitvami nadzora izdaja obvezna navodila za odpravo ugotovljenih pomanjkljivosti, ki jih morajo organi opraviti takoj, od pristojnega inšpektorata zahteva izvedbo inšpekcijskega nadzora pri določenem organu ali organizaciji in izmenjuje podatke z nacionalnimi varnostnimi organi tujih držav ter mednarodnimi organizacijami. The UVTP, in its role as NSA, shall ensure the implementation of international treaties and the international commitments and obligations undertaken, concluded or adopted by the Republic of Slovenia with reference to the handling and protection of classified information, and shall cooperate in this area with the relevant authorities of foreign countries and international organisations, unless otherwise provided by the international treaty in question. Pred izdajo dovoljenja fizičnim osebam ali varnostnega dovoljenja organizacijam za dostop do tujih tajnih podatkov lahko nacionalni varnostni organ, kadar prejme obvestilo tujega varnostnega organa o varnostnem zadržku, od organa, pristojnega za varnostno preverjanje, zahteva vmesno varnostno preverjanje osebe ali organizacije. Nacionalni varnostni organ izda dovoljenje fizični osebi za dostop do tujih tajnih podatkov na predlog predstojnika državnega organa, organa lokalne skupnosti, nosilca javnih pooblastil ali drugega organa, predstojnika gospodarske družbe in organizacije, ki pri izvajanju zakonsko določenih The UVTP, in its role as NSA, shall coordinate activities aimed at ensuring the security of national classified information abroad and foreign classified information in the territory of the Republic of Slovenia. In relation to the implementation of international treaties and the international commitments and obligations undertaken, the UVTP, in its role as NSA, shall perform in particular the following tasks: issue and revoke personnel security clearance to access foreign classified information; issue and revoke facility security clearance to access foreign classified information; issue and revoke security clearance for transmission systems and equipment; store and process foreign classified information in accordance with the international treaties adopted; approve compliance with the prescribed requirements for the handling of classified information by a particular authority or organisation for foreign countries or international organisations; issue instructions on the handling of the classified information of a foreign country or international organisation; supervise the implementation of physical, organisational and technical measures for the protection of the classified information of a foreign country or international organisation and issue, in compliance with the findings of the supervision, mandatory instructions for the elimination of established deficiencies which the bodies shall remedy immediately; make a request to the competent inspectorate to carry out inspection 10 years of Government Office for The Protection of Classified Information (NSA) 51 nalog pridobijo ali razpolagajo s tajnimi podatki za osebe, ki bodo dovoljenja potrebovala zaradi izvajanja nalog na delovnem mestu, ministra, pristojnega za gospodarstvo za osebe, ki bodo dovoljenje za dostop do tujih tajnih podatkov potrebovala zaradi izvajanja javnih in drugih naročil, v okviru katerih bodo potrebovale dostop do tajnih podatkov tuje države ali mednarodne organizacije in predstojnika nacionalnega varnostnega organa za primere, ki niso predhodno našteti. supervision of a certain body or organisation; and exchange data with the national security authorities of foreign countries and international organisations. Before issuing personnel security clearance or facility security clearance to access foreign classified information, the UVTP, in its role as NSA, may, upon receiving a foreign authority's notification on a security restriction, request an interim personnel or facility security clearance from the body competent for security clearance. Naštete osebe morajo imeti veljavno nacionalno dovoljenje za dostop do tajnih podatkov, opredeljeno v ZTP, in opravljajo funkcijo ali izvajajo naloge na delovnem mestu, na katerem potrebujejo dovoljenje za dostop do tujih tajnih podatkov. Dovoljenje se izda z veljavnostjo za čas, ko oseba potrebuje dostop do tujih tajnih podatkov, vendar ne dlje, kakor velja nacionalno dovoljenje za dostop do tajnih podatkov. Če oseba, ki ji je bilo izdano dovoljenje za dostop do tujih tajnih podatkov, ne izvaja več nalog, pri katerih potrebuje dostop do tujih tajnih podatkov, mora predstojnik organa ali organizacije o tem takoj obvestiti nacionalni varnostni organ. Nacionalni varnostni organ dovoljenje za dostop do tujih tajnih podatkov prekliče, ko prenehajo pogoji za njegovo uporabo. The UVTP, in its role as NSA, shall issue personnel security clearance to access foreign classified information on the proposal of the head of a national authority; local community authority; bearers of public authority or other authorities; head of a company or organisation who, during the implementation of their statutory tasks, obtains or disposes with the classified information for personnel who will need this security clearance to carry out their tasks; the minister responsible for the economy, for personnel who will need this security clearance to access foreign classified information for the purpose of implementing public and other procurements, where they will need to access the classified information of a foreign country or international organisation; and the head of the NSA for those cases not previously mentioned. Nacionalni varnostni organ izda varnostno dovoljenje organizaciji za dostop do tujih tajnih podatkov na predlog predstojnika državnega organa, organa lokalne skupnosti, nosilca javnih pooblastil ali drugega organa, predstojnika gospodarske družbe in organizacije, ki pri izvajanju zakonsko določenih nalog pridobijo ali razpolagajo s tajnimi podatki za organizacije, ki izvajajo naročila tega organa, in ministra, pristojnega za gospodarstvo za organizacije, ki potrebujejo varnostno dovoljenje za dostop do tujih tajnih podatkov zaradi sodelovanja na javnih razpisih ali izvedbe naročila tuje države ali mednarodne organizacije. Kot pogoj velja, da mora organizacija imeti veljavno nacionalno varnostno dovoljenje v skladu z ZTP, prav tako morajo tudi osebe, ki bodo imele v organizaciji dostop do tajnih podatkov, imeti veljavno dovoljenje za dostop do tujih tajnih podatkov. Pred izdajo varnostnega dovoljenja organizaciji za dostop do tujih tajnih podatkov lahko nacionalni varnostni organ, kadar to izhaja iz mednarodne pogodbe, zahteva od organizacije dodatno dokumentacijo ali opravi dodaten pregled varovanja tajnih podatkov. Varnostno dovoljenje za dostop do tujih tajnih podatkov se organizaciji izda za dobo, določeno v pogodbi o naročilu, ali čas veljavnosti nacionalnega varnostnega dovoljenja. Odgovorna oseba organizacije mora obveščati nacionalni varnostni organ o spremembi 52 The aforementioned personnel shall have valid national security clearance to access classified data, as defined in the Classified Information Act, and shall exercise the functions or tasks within their job for which they need security clearance to access foreign classified information. The security clearance shall be issued with a validity period that covers the time when a person needs to access foreign classified information, but not exceeding the validity period of the national security clearance to access classified information. If a person that was issued security clearance to access foreign classified information no longer performs functions or tasks requiring this access, the head of the agency or organisation shall immediately notify the NSA thereof. The UVTP, in its role as NSA, shall revoke the personnel security clearance to access foreign classified information when the conditions for its application cease to exist. The UVTP, in its role as NSA, shall issue facility security clearance to access foreign classified information on the proposal of the head of a national authority; local community authority; bearer of public authority or other authority; head of a company or organisation who, during the implementation of their statutory tasks, obtains or disposes with classified information for the organisations that carry out procurements on behalf of this authority; and the minister responsible 10 let Urada RS za varovanje tajnih podatkov pogojev, na podlagi katerih je organizacija varnostno dovoljenje pridobila. Nacionalni varnostni organ organizaciji prekliče varnostno dovoljenje za dostop do tujih tajnih podatkov, če ugotovi, da ne izpolnjuje več prej omenjenih pogojev. for the economy, for organisations who need security clearance to access foreign classified information in order to participate in public tenders or implement the procurement of a foreign country or international organisation. The condition shall be that such an organisation has valid national facility security clearance in accordance with the Classified Information Act; also, the persons who will access foreign classified information within the organisation shall have valid personnel security clearance to access foreign classified information. Before issuing a facility security clearance to access foreign classified information, the UVTP, in its role as NSA, may, when so stipulated in an international treaty, request the submission of additional documents from the organisation or carry out an additional inspection of classified information protection. Facility security clearance to access foreign classified information shall be issued for the period of time determined in the procurement contract or for the validity period of the national facility security clearance. The responsible person of the organisation shall notify the UVTP, in its role as NSA, of any change to conditions through which the organisation obtained the facility security clearance. The National Authority shall revoke the facility security clearance to access foreign classified information if it is established that the organisation no longer complies with the aforementioned conditions. 10 years of Government Office for The Protection of Classified Information (NSA) 53 4.3 Dvostransko sodelovanje 4.3 Bilateral Co-operation Ne glede na dejstvo, da zakon izrecno ne opredeljuje UVTP kot nosilca sklepanja dvostranskih sporazumov na področju tajnih podatkov, mu je vlada leta 2006 določila ta mandat. Despite the fact that the law does not specify that the UVTP is responsible for concluding bilateral agreements in the area of classified information, the Government entrusted the UVTP with this mandate in 2006. Postopek sklepanja dvostranskih sporazumov kot mednarodnih pogodb opredeljujejo določila V. poglavja Zakona o zunanjih zadevah z naslovom Mednarodne pogodbe, ki temeljijo na načelih Dunajske konvencije o pogodbenem pravu. Postopkovne določbe vsebuje tudi Poslovnik Državnega zbora Republike Slovenije v tretjem poglavju pod naslovom Ratifikacija mednarodnih pogodb. V tem pogledu predstavljajo podlago tudi določila Ustave Republike Slovenije, ki so relevantna za obravnavano tematiko. UVTP s sklenitvijo sporazuma ustvarja primerno podlago za izvajanje nalog državnih organov, ki pri svojem delu izmenjujejo tajne podatke s predstavniki drugih držav. Tudi za države članice EU in Nata je ne glede na članstvo za izmenjavo in medsebojno varovanje nacionalnih tajnih podatkov treba skleniti dvostranski sporazum. Med pomembnejšimi razlogi za sklenitev sporazumov je omogočanje enakovrednega nastopanja na natečajih in sklepanja The procedure for concluding bilateral agreements as international treaties is defined by the provisions of Chapter V of the Foreign Affairs Act under the title International Treaties, which are based on the principles of the Vienna Convention on the Law of Treaties. The procedural provisions are also determined by the Rules of Procedure of the National Assembly of the Republic of Slovenia in the third chapter under the title Ratification of International Treaties. In this respect, the basis is also provided by the provisions of the Constitution of the Republic of Slovenia which refer to the subject concerned. By concluding an agreement, the UVTP creates a relevant basis for the implementation of the tasks entrusted to the national authorities who exchange classified information with the representatives of other countries in the course of their working activities. It is necessary to conclude a bilateral agreement BILATERALNI SPORAZUMI O VAROVANJU TAJNIH PODATKOV - EVROPA BILATERAL AGREEMENTS OF THE PROTECTION OF CLASSIFIED INFORMATION - EUROPE LEGENDA SPORAZUMOV - STANJE 15.3.2012 AGREEMENT LEGEND - SITUATION AS AT 15 MARCH 2012 VELJAVNI SPORAZUMI / AGREEMENT IN FORCE PODPISANI SPORAZUMI / SIGNED AGREEMENTS SPORAZUMI PRED PODPISOM / AGREEMENT AWAITING SIGNATURE POGAJANJA O SPORAZUMIH V TEKU / AGREEMENT UNDER NEGOTIATION Slika 15: Zemljevid držav s sklenjenimi sporazumi 54 Figure 15: A map of countries with concluded agreements 10 let Urada RS za varovanje tajnih podatkov poslov, ki se vežejo na varovanje tajnih podatkov za slovenske gospodarske družbe in organizacije. Vsebine sporazumov se med seboj razlikujejo v delih, kjer se razlikujejo tudi rešitve v nacionalnih postopkih in merilih, cilj sporazuma pa je enotna ureditev slednjih. V sporazumih so po določitvi namena uporabe opredeljeni izrazi, ki se uporabljajo v besedilu. Navedeni so pristojni varnostni organi, odgovorni za splošno izvajanje sporazumov in ustrezen nadzor nad vsemi njegovimi vidiki. V nadaljevanju sporazumi določajo razvrstitev tajnih podatkov po stopnji tajnosti in primerljivosti klasifikacij pogodbenic. Določene so omejitve pri dostopu do tajnih podatkov, ki veljajo za vse stopnje tajnosti. Bistveno je določilo, da pogodbenice zagotavljajo tajnim podatkom iz sporazumov enako raven varovanja kakor svojim lastnim tajnim podatkom enakovredne stopnje tajnosti. Po opredelitvi pogojev za omejitev uporabe tajnih podatkov sledi določilo o prenosu tajnih podatkov. Določena so pravila pri razmnoževanju, prevajanju in uničevanju tajnih podatkov ter postopki in ravnanje pri pogodbah s tajnimi podatki ter obiskih. Nacionalni varnostni organi si na zahtevo zagotavljajo podatke o nacionalnih varnostnih standardih ter postopkih in praksah pri varovanju tajnih podatkov. Urad je do danes, največ po letu 2006, uskladil in izvedel postopek za sprejetje in ratifikacijo 15 sporazumov o izmenjavi in vzajemnem varovanju tajnih podatkov: • • • • • • • Sporazum med Vlado Republike Slovenije in Vlado Zvezne republike Nemčije o vzajemnem varovanju zaupnih podatkov (Uradni list RS, št. 2/2004) Sporazum med Vlado Republike Slovenije in Vlado Slovaške republike o vzajemnem varovanju tajnih podatkov (Uradni list RS, št. 49/2005) Sporazum o vzajemnem varovanju tajnih podatkov med Vlado Republike Slovenije in Vlado Kraljevine Norveške (Uradni list RS, št. 64/2006) Sporazum med Vlado Republike Slovenije in Vlado Republike Finske o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 21/2009) Sporazum med Vlado Republike Slovenije in Avstrijsko zvezno vlado o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 37/2009) Sporazum med Republiko Slovenijo in Češko republiko o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 43/2009) Sporazum med Republiko Slovenijo in Ukrajino o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 90/2009) on the exchange and mutual protection of national classified information even when EU Member States and NATO members are involved. The major reasons for the conclusion of agreements include enabling Slovenian companies and organisations to participate on an equal footing in tenders and the conclusion of business deals associated with the protection of classified information. The contents of agreements differ in those parts where there are also differences in solutions provided by the national procedures and criteria, whereas the goal of any agreement is their uniform arrangement. After stating the purpose of application, the terms used in the text are defined in agreements. The competent security authorities responsible for the general implementation of agreements and appropriate control over all of their aspects are stated. The agreements then determine the categorisation of classified information in accordance with their security classification level and the comparability of classifications between the parties to the agreement. Restrictions on access to classified information are defined and apply to all levels of classification. The most important is the provision that the parties to the agreement afford the same protection level to the classified information referred to in the agreement as to their own information of the corresponding security classification level. The definition of the conditions for restrictions on the use of classified information is followed by the provision on the transmission of classified information. The rules on copying, translating and destroying classified information are determined, together with the procedures on handling contracts involving classified data and procedures on visits. Upon request, the national security authorities shall provide data on national security standards, procedures and practices concerning the protection of classified information. Until the present date, mostly after 2006, the UVTP has been harmonised and implemented the procedures for the adoption and ratification of 15 agreements on the exchange and mutual protection of classified information: • • Agreement between the Government of the Republic of Slovenia and the Government of the Federal Republic of Germany on Mutual Protection of Classified Information (Ur. l. RS, no. 2/2004) Agreement between the Government of the Republic of Slovenia and the Government of the Slovak Republic on Mutual Protection of Classified Information (Ur. l. RS, no. 49/2005) 10 years of Government Office for The Protection of Classified Information (NSA) 55 • • • • • • • Sporazum med Vlado Republike Slovenije in Vlado Republike Poljske o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 30/2010) Sporazum med Vlado Republike Slovenije in Vlado Republike Estonije o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 30/2010) Sporazum med Vlado Republike Slovenije in Vlado Francoske republike o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 35/2010) Sporazum med Vlado Republike Slovenije in Vlado Republike Makedonije o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 80/2010) Sporazum med Vlado Republike Slovenije in Svetom ministrov Republike Albanije o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 80/2010) Sporazum med Vlado Republike Slovenije in Vlado Republike Latvije o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 80/2010) Sporazum med Vlado Republike Slovenije in Vlado Republike Hrvaške o medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 66/2011) Slika 16: Podpis sporazuma med Republiko Slovenijo in Ukrajino o izmenjavi in medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 90/2009), kjer sta podpisu prisostvovala predsednik Ukrajine Viktor Janukovič in predsednik Republike Slovenije dr. Danilo Türk. 56 • • • • • • • Agreement on Mutual Protection of Classified Information between the Government of the Republic of Slovenia and the Government of the Kingdom of Norway (Ur. l. RS, no. 64/2006) Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Finland on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 21/2009) Agreement between the Government of the Republic of Slovenia and the Austrian Federal Government on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 37/2009) Agreement between the Republic of Slovenia and the Czech Republic on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 43/2009) Agreement between the Republic of Slovenia and Ukraine on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 90/2009) Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Poland on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 30/2010) Agreement between the Government of the Republic of Slovenia and the Government of the Figure 16: The President of Ukraine, Viktor Yanukovych, and the President of the Republic of Slovenia, Danilo Türk, attend the formal signing of the Agreement between the Republic of Slovenia and Ukraine on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 90/2009) 10 let Urada RS za varovanje tajnih podatkov • • Sporazum med Vlado Republike Slovenije in Vlado Romunije o medsebojnem varovanju tajnih podatkov (Uradni list RS, št. 93/2011) Sporazum med Vlado Republiko Slovenije in Vlado Kraljevine Švedske o izmenjavi in medsebojnem varovanju tajnih podatkov Podpisu sta prisostvovala tudi predsednik Ukrajine Viktor Janukovič in predsednik Republike Slovenije dr. Danilo Türk. Poleg že veljavnih sporazumov so v različnih fazah sprejemanja še dvostranski sporazumi z Nizozemsko, Luksemburgom, Španijo, Bolgarijo, Rusko federacijo, Italijo in Srbijo. Ob pogajanjih o dvostranskih sporazumih in skupni udeležbi na sestankih varnostnih odborov smo spletli mrežo stikov s predstavniki nacionalnih varnostnih organov drugih, predvsem evropskih držav. Prav to nam poleg urejene pravne podlage v sporazumih omogoča učinkovito sodelovanje na področju varnostnega preverjanja ter medsebojno posvetovanje pri uveljavitvi enotnih standardov in posledično pomoč pri pripravi sprememb predpisov. UVTP je dejavno sodeloval s sorodnimi službami tudi v regiji Zahodnega Balkana. Pomoč na področju zakonske ureditve področja tajnih podatkov smo nudili predstavnikom Makedonije, Hrvaške, Črne gore, Bosne in Hercegovine ter Srbije, gostili smo delegacije Makedonije, Hrvaške, Črne gore ter Bosne in Hercegovine ter jim predstavili praktične rešitve in dobre prakse našega delovnega področja. Na začetku leta 2009 smo gostili posebno konferenco s področja informacijske varnosti zaradi vključitve Hrvaške in Albanije v poseben Natov informacijski sistem. Redno se udeležujemo ter kot svetovalci in predavatelji sodelujemo na letnih konferencah nacionalnih varnostnih organov balkanskih držav. Začenjamo tudi postopek ustanovitev področne »delovne skupine« poenotenja standardov varovanja tajnih podatkov v regiji Zahodnega Balkana po vzoru povezav baltskih držav ali t. i. Višegrajske skupine. Podporo bi zagotovo dobili tudi od varnostnih odborov EU in Nato. Poudarek delovne skupine bi bil na industrijski varnosti (v povezavi z gospodarstvom bi poleg enotnega doseganja standardov lahko tudi okrepili industrijo in proizvodnjo visokotehnoloških sredstev za varovanje, pa tudi gradbeništva in tehnološko manj zahtevnih produktov – zaščitne omare, vrata in podobno). Pripravili smo tudi nekaj predlogov o povečanju prepoznavnosti in prisotnosti Slovenije na Zahodnem Balkanu v zvezi z varovanjem tajnih podatkov. • • • • • • • Republic of Estonia on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 30/2010) Agreement between the Government of the Republic of Slovenia and the Government of the French Republic on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 35/2010) Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Macedonia on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 80/2010) Agreement between the Government of the Republic of Slovenia and the Council of Ministers of the Republic of Albania on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 80/2010) Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Latvia on the Exchange and Mutual Protection of Classified Information (Ur. l. RS, no. 80/2010) Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Croatia on Mutual Protection of Classified Information (Ur. l. RS, no. 66/2011) Agreement between the Government of the Republic of Slovenia and the Government of Romania on Mutual Protection of Classified Information (Ur. l. RS, no. 93/2011) Agreement between the Government of the Republic of Slovenia and the Government of the Kingdom of Sweden on the Exchange and Mutual Protection of Classified Information In addition to the agreements in force, bilateral agreements with the Netherlands, Luxembourg, Spain, Bulgaria, Russia, Italy and Serbia are now in various stages of the adoption process. During the negotiations on bilateral agreements and joint participation in the security committees' meetings, we have created a network of contacts with the representatives of national security authorities and other countries, most of which are in Europe. In addition to the agreements' regulated legal bases, it is this network that enables us to participate efficiently in the area of security clearance and fosters mutual consultation in setting up uniform standards and assistance in drafting amendments to regulations. The UVTP also cooperated actively with its related offices and services in the Western Balkans. Assistance in the legal regulation of classified information was provided to representatives of Macedonia, Croatia, Montenegro, Bosnia and Herzegovina, and Serbia; we hosted delegations from Macedonia, Croatia, Montenegro, and Bosnia 10 years of Government Office for The Protection of Classified Information (NSA) 57 Posebno pozornost smo posvetili navezavi na gospodarstvo in integraciji držav Zahodnega Balkana v evroatlantske povezave. 4.3.1 Sporazumi COMSEC UVTP je skladno s svojimi pristojnostmi in kot krovni organ za komunikacijsko varnost odgovoren za pripravo in podpis sporazumov (memorandumov o soglasju) z nacionalnimi organi za komunikacijsko varnost držav članic zveze Nato in EU za prodajo, nabavo in uporabo posameznih šifrirnih rešitev. S tem sporazumom se opredeljuje pristojnost in odgovornosti podpisnic ter določijo pogoji prevoza, namestitve, uporabe in nadzora nad posameznimi šifrirnimi rešitvami. and Herzegovina and presented to them practical solutions and examples of good practice in our working area. At the beginning of 2009, we hosted a conference on information security on account of Croatia's and Albania's integration into a special NATO information system. We regularly take part as advisers and lecturers in annual conferences organised by the national security authorities of Balkan countries. We are also beginning the process of establishing a sectoral »working group« for the unification of standards of classified information protection in the Western Balkans region after the model of the alliance of the Baltic States, known as the Višegrad Group. We will certainly obtain the support of the EU and NATO security committees. The focus of the working group will be on industrial safety (in cooperation with the economic sector, we could also reinforce the industry and production of high technology means of protection, in addition to setting up uniform standards; and we could also include the construction sector and technologically less demanding products, such as security cabinets, doors, etc.). We have also prepared some proposals on increasing Slovenia's visibility and presence in the Western Balkans in terms of the protection of classified information. Special attention has been paid to strengthening ties with the economic sector and the integration of Western Balkan countries into Euro-Atlantic structures. 4.3.1 COMSEC Agreements In accordance with its competences and as the umbrella authority for communications security, the UVTP is responsible for drafting and signing agreements (memorandums of understanding) with the national authorities for communications security of EU Member States and NATO Members on the sale, procurement and use of specific cryptographic solutions. These agreements define the competences and responsibilities of the signatories and determine the conditions required for the transport, installation, use and supervision of individual cryptographic solutions. 58 10 let Urada RS za varovanje tajnih podatkov 4.4 Večstransko sodelovanje Sooblikovanje varnostnih politik na področju varovanja tajnih podatkov v okviru dveh največjih in najpomembnejših mednarodnih povezav – Nato in EU – je ključna in najpomembnejša naloga UVTP na področju mednarodnega sodelovanja. To pa obenem ne pomeni, da zanemarjamo dejavnosti, povezane z našim delovnim področjem pri drugih mednarodnih organizacijah, na primer OZN, OECD, RCC in drugih, kar se izraža z dajanjem mnenj in stališč ter svetovanjem o posameznih zaznanih situacijah. V skladu z zunanjepolitičnimi usmeritvami naše države pa smo se odzivali tudi na povabila za sodelovanje v forumu V4. Foruma sta se udeležila tudi David Galloway, namestnik generalnega direktorja v generalnem direktoratu za varovanje, varnost in komunikacijske in informacijske sisteme pri Svetu EU, ter Stephan Smith, direktor NOS pri Natu. UVTP je v predpisih Nato in EU ter tudi pri drugih mednarodnih organizacijah in tujih državah določen kot stična in kontaktna točka Republike Slovenije za vsa vprašanja v zvezi z varovanjem tajnih podatkov. Le tako lahko opravlja naloge koordinatorja na nacionalni ravni. Slika 17: Srečanje v okviru foruma V4 4.4 Multilateral cooperation The co-creation of security policies for the protection of classified information within the framework of the two largest and most important international groupings – NATO and the EU – is the pivotal and most important task of the UVTP with regard to international cooperation. However, this does not imply neglecting activities associated with our area of work in other international organisations such as, for example, the UN, OECD, RCC and others, where we cooperate by providing opinions, observations and advice on specific situations identified. In accordance with our country's foreign-policy guidelines, we also honoured our invitations to participate in the Forum V4. The forum was attended by David Galloway, Deputy Director-General of the Directorate-General for Security, Safety and Communication and Information Systems of the EU Council, and Stephen Smith, Director of the NATO Office of Security, amongst others. NATO and EU regulations and the regulations of other international organisations and foreign countries identified the UVTP as Slovenia's contact point for all issues relating to classified information protection. Under this arrangement, the UVTP may perform the tasks of national coordinator. Figure 17: Meeting within the Forum V4 framework 10 years of Government Office for The Protection of Classified Information (NSA) 59 4.5 EVROPSKA UNIJA 4.5 EUROPEAN UNION Začetki dela UVTP so bili neposredno povezani tudi s pristopnimi pogajanji za vstop Slovenije v EU. Izdelava pravne podlage in s tem povezanega celovitega sistema varovanja tajnih podatkov EU je bila prvi korak, obenem pa tudi pogoj, ki ga je postavljala mednarodna organizacija. The launch of the UVTP's activities was directly linked to the negotiations for Slovenia's accession to the EU. Establishing the legal basis and the related EU integrated system of classified information protection was the first step and also the prerequisite laid down by the international organisation. Kot posledica zapletene strukture sestave institutov Evropske unije in odsotnosti določila o obveznosti varovanja tajnih podatkov za vse na enoten način v ustanovitveni pogodbi EU je tudi struktura varnostnih odborov precej razvejana. Vsebinsko je najzahtevnejše delo v varnostnem odboru Sveta EU, ki pa s svojimi rezultati, stališči in predlogi dokumentov pomeni nekakšen gradnik za posamezna podpodročja varovanja tajnih podatkov, obenem pa zaradi konsenza sprejetih rešitev med vsemi državami članicami tudi osnovo tako Evropski komisiji, skupni zunanji službi ter posameznim agencijam. Poleg dejavne vključenosti v delo varnostnega odbora Sveta EU in njegovih pododborov je UVTP tudi del varnostno-posvetovalnega odbora Evropske komisije in varnostnega odbora skupne zunanje službe Evropske unije. The structure of security committees is considerably diversified as a result of intricately structured European Union institutions and the absence of a provision on the obligation of uniform classified information protection for all Member States in the Treaty on European Union. Working in the EU Council's Security Committee is the most challenging of all in terms of the substantive issues at hand, but its results, observations and draft proposals constitute components of particular subfields of classified information protection; moreover, owing to the consensus reached in solutions adopted by all Members States, they also constitute the basis for the activities of the European Commission, External Action Service and individual agencies. In addition to active engagement in the work of the EU Council's Security Committee and its sub-committees, the UVTP is also part of the Security Advisory Committee of the European Commission and the Security Committee of the European External Action Service. Ključna naloga varnostnega odbora Sveta EU in s tem tudi UVTP na področju delovanja Evropske unije je bila sprejetje novih pravil o varovanju tajnih podatkov EU, ki smo jo usklajevali v letih med 2009 in 2011. Pri novih varnostnih pravilih Sveta EU je zaznan prožnejši pristop k upravljanju tveganj kot podlaga za varovanje tajnih podatkov EU. Največji poudarek pri spremembi je bil v upoštevanju praktičnih izkušenj, pridobljenih med veljavo dosedanjih pravil. Da bi bila zares uporabna, so sestavljena enostavno, dovolj kratka in razumljiva, odpravljene pa so tudi nekatere nedoslednosti. Slika 18: Zastava Evropske unije (vir: europa.eu) 60 The key task of the EU Council's Security Committee and, therefore, of the UVTP, in the EU area was the adoption of new security rules for protecting EU classified information, which we adjusted during the period 2009–2011. The EU Council's new security rules provide for more flexible access to risk management as the basis for protecting EU classified information. The major emphasis in amending the rules was placed on Figure 18: European Unin flag (Source: europa.eu) 10 let Urada RS za varovanje tajnih podatkov Stopnja tajnosti – Slovenija Stopnja tajnosti – EU INTERNO RESTREINT UE/EU RESTRICTED ZAUPNO CONFIDENTIEL UE/EU CONFIDENTIAL TAJNO SECRET UE/EU SECRET STROGO TAJNO TRÈS SECRET UE/EU TOP SECRET Preglednica 2: Primerjava stopenj tajnosti med Slovenijo in Evropsko unijo Poleg vsebovanega okvira varovanja tajnih podatkov EU bodo pravila in na njihovi podlagi sprejeti ukrepi še naprej zagotavljali primerno raven varovanja tajnih podatkov, prejetih od držav članic, drugih držav in mednarodnih organizacij. UVTP je vzporedno z usklajevanjem teh pravil izvedel tudi postopek usklajevanja in sprejemanja sporazuma med državami članicami Evropske unije, ki so se sestale v okviru Sveta, o varovanju tajnih podatkov, ki se izmenjujejo v interesu Evropske unije. Sporazum je bil podpisan 4. maja 2011 v Bruslju. Sporazum bo soobstajal z varnostnimi predpisi Sveta in Komisije ter pomagal okrepiti sistem, ki ureja varovanje tajnih podatkov v Evropski uniji. Določila sporazuma dajejo primeren okvir za varovanje nacionalnih tajnih podatkov, izmenjanih med državami članicami v interesu EU, če države članice med seboj nimajo sklenjenih dvostranskih sporazumov, obenem pa vidno in jasno vključujejo obveze, da se za tajne podatke, ki jih EU prejme od tretjih držav in mednarodnih organizacij, zagotovi ustrezna raven varovanja v državah članicah, če jim tajne podatke predložita Svet ali Komisija. Seveda pa je glavni namen sporazuma obveza držav članic, da sprejmejo vse ustrezne ukrepe za zagotovitev primernega varovanja tajnih podatkov, ki jim jih predložijo Svet in Komisija ter agencije EU in ES. Sporazum sam po sebi ne določa pravil, ki urejajo tajne podatke EU – še naprej jih bodo urejali varnostni predpisi Sveta EU. Slednji se uporabljajo kot referenčna točka za določitev enakovredne ravni varovanja tajnih podatkov, za katere velja ta sporazum. Sporazum nima prednosti pred nacionalnimi zakoni in predpisi držav članic glede varovanja njihovih tajnih podatkov, dostopa javnosti do dokumentov ali varstva osebnih podatkov, niti ne vključuje usklajevanja ali približevanja zakonodaje ali predpisov na tem področju. UVTP se posredno ali neposredno vključuje tudi v obravnavo problematike, povezne z delovanjem Security classification level – Slovenia Security classification level – EU RESTRICTED RESTREINT UE/EU RESTRICTED CONFIDENTIAL CONFIDENTIEL UE/EU CONFIDENTIAL SECRET SECRET UE/EU SECRET TOP SECRET TRÈS SECRET UE/EU TOP SECRET Table 2: Comparison of security classification levels between Slovenia and the European Union the incorporation of practical experiences obtained during the applicability period of the former rules. In order to really serve their purpose, the amended rules are simple, sufficiently brief, easy to understand, and free of certain former inconsistencies. In addition to protecting EU classified information, the rules and measures adopted on the basis thereof will continue to ensure an adequate level of protection of classified information received from the Member States, other countries and international organisations. Alongside the modification of these rules, the UVTP also carried out the procedure for the harmonisation and adoption of the Agreement between the Member States of the European Union, who met within the framework of the Council, regarding the Protection of Classified Information Exchanged in the Interests of the European Union. The Agreement was signed in Brussels on 4 May 2011. The Agreement will apply together with the EU Council's and EU Commission's security regulations and will help reinforce the system regulating the protection of classified information in the EU. The Agreement's provisions provide a relevant framework for the protection of national classified information exchanged between the EU Member States in the interests of the European Union, if the Member States have no bilateral agreements concluded, while the Agreement also visibly and clearly lays down the obligation that the classified information received by the EU from third countries and international organisations be provided with the appropriate level of protection in the Member States if the classified information are submitted to them by the Council or the Commission. Cleary the main purpose of the Agreement is to impose an obligation on the Member States to adopt all appropriate measures to ensure adequate protection of classified information submitted to them by the EU Council, EU Commission and the agencies of the EU and EC. 10 years of Government Office for The Protection of Classified Information (NSA) 61 nekaterih agencij EU (EUROPOL, EUROJUST itd.). To se po eni strani izraža z dajanjem mnenj in stališč v enotnem komunikacijsko-informacijskem sistemu odločanja o zadevah EU (EU-portal) v Sloveniji, na drugi strani pa s pomočjo in posvetovanji z organi in posamezniki, ki so neposredno vključeni v delo omenjenih agencij. Stična točka v vseh primerih ostaja pomoč pri varnostnem preverjanju in izmenjava podatkov o dovoljenjih za dostop do tajnih podatkov. Usklajevanje in opredelitve ter stališča do posameznih vprašanj, ki se nanašajo na varovanje tajnih podatkov EU, se poleg agencij lahko dotikajo tudi drugih ključnih delov EU (npr. Evropskega parlamenta), lahko pa se nanašajo na posamezne projekte (npr. Projekt Galileo, FP7) ali druga področja delovanja EU (kritična infrastruktura, nabavni postopki). 4.5.1.1 Galileo Predstavniki UVTP dejavno sodelujemo tudi v varnostnih odborih, organih za varnostne akreditacije in v posameznih ekspertnih delovnih skupinah, ki jih je v okviru svojih projektov ustanovila Evropska komisija – sodelujemo v projektih Galileo, EGNOS, GMES in FP 7. GALILEO je strateški program držav članic in skupni projekt Evropske komisije in Evropske vesoljske agencije (ESA – European Space Agency). Gre za civilni projekt, ki zagotavlja avtonomijo na področju satelitske navigacije, hkrati pa zaradi interoperabilnosti z že obstoječimi satelitskonavigacijskimi sistemi (GPS) pripomore k večji natančnosti pozicioniranja po vsem svetu. Poleg interoperabilnosti in globalne dosegljivosti Galileo zagotavlja visoko stopnjo zanesljivosti sistema in informacijsko integriteto. Namen posebnih ciljev programa Galileo je zagotoviti, da se signali, ki jih oddaja sistem, lahko uporabijo za naslednje funkcije: Ponuditi »odprto storitev« (OS – Open Service), ki je brezplačna in zagotavlja informacije o določanju položaja in časa ter je namenjena množični uporabi satelitske radionavigacije. Ponuditi »storitev varovanja življenj« (SoL – Safety of Life Service), ki je namenjena uporabnikom, za katere je varnost bistvenega pomena, in ki izpolnjuje zlasti zahteve letalskega, pomorskega in železniškega sektorja. Storitev izpolnjuje tudi zahtevo po stalnosti in ima funkcijo celovitosti, ki omogoča, da je uporabnik obveščen o nepravilnem delovanju sistema. Ponuditi »komercialno storitev« (CS – Commercial Service), ki z večjo učinkovitostjo in s podatki, ki imajo večjo dodano vrednostjo od podatkov, dobljenih z »odprto storitvijo«, omogoča razvoj aplikacij za poslovne ali komercialne namene. 62 However, the Agreement per se does not determine the rules regulating EU classified information – these will continue to be regulated by the EU Council's security rules. The latter shall be used as a reference point for determining an equivalent level of protection as that afforded to classified information subject to this Agreement. The Agreement shall not have advantage over the national laws and regulations of Member States regulating the protection of their classified information, public access to documents or protection of personal data, nor shall it include the harmonisation or approximation of laws or regulations in this area. The UVTP is also engaged directly and indirectly tackling issues associated with the operation of certain EU agencies (EUROPOL, EUROJUST, etc.). On the one hand, this is expressed by providing opinions and observations in the unified communication and information system of decision-making in the EU affairs in Slovenia (the EU portal), and on the other by providing assistance and advice to the bodies and persons who are directly engaged in the work of the aforementioned agencies. The point of contact in all cases is assistance in personnel security clearance and the exchange of data on security clearance to access classified information. Adjustments, definitions and positions on particular issues regarding the protection of EU classified information may, in addition to agencies, also refer to other key parts of the EU (e.g. the European Parliament), and to individual projects (e.g. Galileo Project, FP7) or other areas of activity of the European Union (critical infrastructure, procurement procedures). 4.5.1.1 GALILEO UVTP representatives also actively participate in security committees, security accreditation bodies and individual expert working groups set up by the European Commission within its projects; thus we participate in Galileo, EGNOS, GMES and FP 7 projects. GALILEO is a strategic programme of the EU Member States and a joint project of the European Commission and the European Space Agency (ESA). It is a civil project providing autonomy in satellite navigation and, owing to its interoperability with the existing satellite navigation systems (GPS), it also enhances the global positioning accuracy. Apart from its interoperability and global availability, Galileo provides high reliability of the system and information integrity. 10 let Urada RS za varovanje tajnih podatkov Slika 19: Satelit Galileo (vir: ESA) Figure 19: Galileo Satellite (Source: ESA) Ponuditi »javno regulirane storitve« (PRS – Public Regulated Service), namenjene izključno uporabnikom, ki jih pooblasti vlada, za občutljive aplikacije, ki zahtevajo visoko raven stalnosti storitve. »Vladna storitev« uporablja močne in šifrirane signale. The purpose of Galileo programme's specific goals is to ensure that the signals transmitted by the system may be used for the following functions: Sodelovati pri storitvi iskanja in reševanja (SAR – Search and Rescue Support Service) sistema COSPAS-SARSAT z odkrivanjem nujnih signalov, ki jih oddajajo radijski oddajniki, in vračanjem sporočil tem oddajnikom. 4.5.1.2 EGNOS (European Geostacionary Navigation Overlay Service) EGNOS je prva evropska pobuda na področju satelitske navigacije. Osnovni cilj tega sistema je zagotavljanje komplementarnih informacij kot dodatek signaloma satelitskih navigacijskih sistemov GPS in GLONASS (Rusija) ter izboljšanje parametrov delovanja navigacijskega sistema. Gre za sistem, ki služi zagotavljanju izboljšanja signalov za satelitsko navigacijo, ki jo nudita ta navigacijska sistema. Te signale EGNOS sprejme, jih korigira in opremi z informacijo o integriteti ter pošlje uporabnikom. 4.5.1.3 GMES (Global Monitoring for Environment and Security) GMES je skupna pobuda Evropske komisije in Evropske vesoljske agencije, njen cilj pa je doseči neodvisno in operativno sposobnost opazovanja Zemlje. Cilj je racionalizirati uporabo več virov podatkov, da bi dobili pravočasne in kakovostne informacije, storitve To offer the »Open Service« (OS) which is free and provides signals for timing and positioning and is intended for mass application of radio navigation. To offer the »Safety of Life Service« (SoL) which is intended for users for whom the safety is essential and which meets the requirements of air traffic, maritime and railway sectors in particular. This service also improves the open service performance through the provision of timely warnings to the user when it fails to meet certain margins of accuracy (integrity). To offer the »Commercial Service« (CS) which through its increased efficiency and data with a greater added value than the data obtained by the »Open Service« fosters the development of applications for business or commercial purposes. To offer the »Public Regulated Service« (PRS) intended for specific users authorised by the government for sensitive applications requiring a high continuity of service. The »Government service« uses strong and encrypted signals. To participate in the »search and rescue support service« (SAR) of the COSPAS-SARSAT system by picking up signals from emergency beacons and sending messages back to these beacons. 4.5.1.2 EGNOS (European Geostationary Navigation Overlay Service) EGNOS is the first European venture into satellite navigation. This system is intended to augment the two operational military satellite navigation systems 10 years of Government Office for The Protection of Classified Information (NSA) 63 in znanje, ter zagotoviti avtonomen in neodvisen dostop do informacij v zvezi z okoljem in varnostjo. Glavni uporabniki sistema GMES bodo pripravljavci zakonodaje, saj jim bo GMES omogočil, da pripravijo nacionalni, evropski in mednarodni zakonodajni okvir na področju okolja (tudi podnebnih sprememb) ter ukrepe za spremljanje izvajanja te zakonodaje. – the American GPS and the Russian GLONASS – and improve the parameters of navigation system operation. This system improves the signals for satellite navigation provided by these two navigation systems. ENGOS receives these signals, corrects them, furnishes them with information on the integrity and sends them to the users. Predstavniki UVTP sodelujemo v varnostnih odborih, organih za varnostne akreditacije in posameznih ekspertnih delovnih skupinah, ki jih je v okviru teh treh projektov ustanovila Evropska komisija, saj na njih obravnavamo tajne podatke EU, poleg tega pa nas je Evropska komisija pozvala, da se jih udeležujemo kot nacionalni varnostni organ. 4.5.1.3 Global Monitoring for Environment and Security 4.5.1.4 Sedmi okvirni program evropskih raziskav (FP7) Its objective is to streamline the use of multiple data sources with a view to providing timely and quality information, services and knowledge and ensuring autonomous and independent access to information in relation to environment and security. Main GMES users will be legislation drafters as GMES will enable them to prepare national, European and international legislative frameworks in the area of environment (including climate change) and measures to monitor the implementation of the relevant legislation. Sedmi okvirni program evropskih raziskav FP7, ki se zaključuje (leta 2013 ga bo nadomestil sedemletni okvirni program za raziskave in razvoj Obzorje 2020) je glavni instrument Evropske unije za financiranje znanstvenega raziskovanja in razvoja. V okviru precej zapletene strukture projektov je treba odkriti, ali obstaja možnost, da se v življenjskem ciklu programa pojavijo tajni podatki. Če je tako, je naloga nacionalnega varnostnega organa države vodje projekta, da oblikuje in pripravi projektno dokumentacijo z opisom ravnanja v primeru nastanka ali vključevanja tajnih podatkov. Global Monitoring for Environment and Security (GMES) is a joint initiative of the European Commission and the European Space Agency, which aims to develop independent and operational services to monitor the Earth. UVTP representatives participate in security committees, security accreditation bodies and individual expert working groups set up by the European Commission within these three projects; they deal with EU classified information and we have been invited by the European Commission to participate in our capacity of national security agency. 4.5.1.4 The EU's seventh framework programme for research The EU's Seventh Framework Programme for Research (FP7) is in its final phase; it will be succeeded by Horizon 2020, a seven-year framework programme for research and innovation. FP7 has been the EU's main instrument for funding scientific research and development. The likelihood that classified information will arise during a programme's life-cycle has to be detected within a relatively complex structure of the programme. If such a risk exists, the NSA of the Member State project leader must draft and finalise project documentation containing scenarios for any potential occurrence or the inclusion of classified information. 64 10 let Urada RS za varovanje tajnih podatkov 4.6 NATO 4.6. NATO Slovenija je 29. marca 2004 postala članica zveze Nato, potem ko je pri njenem depozitarju v Washingtonu deponirala listino o pristopu k Severnoatlantski pogodbi. On 29 March 2004 Slovenia became NATO member after having deposited its Instrument of Accession to the North Atlantic Treaty with its depositary in Washington. Predpisi o varovanju tajnih podatkov v Republiki Sloveniji so usklajeni s predpisi zveze Nato na tem področju. Zakon o Sporazumu med pogodbenicami Severnoatlantske pogodbe o varnosti podatkov (Uradni list RS, št. 83/04) določa, da pogodbenice varujejo tajne podatke zveze Nato označene kot take, ali tiste, ki jih država članica predloži zvezi Nato ali drugi državi članici v podporo programu, projektu ali pogodbi zveze Nato. Natovi tajni podatki ohranjajo stopnjo tajnosti podatkov, pogodbenice pa storijo vse potrebno, da jih varujejo primerno stopnji tajnosti. Zakon določa, da pogodbenice vzpostavijo in izvajajo enotne minimalne varnostne standarde, ki zagotavljajo enotno skupno raven varovanja tajnih podatkov, in da tajnih podatkov ne uporabljajo v druge namene kakor samo tiste, ki so določeni v Severnoatlantski pogodbi, sklepih in resolucijah, nanašajočih se na to pogodbo. Natovih tajnih podatkov ne razkrivajo stranem, ki niso članice Nata, brez soglasja lastnika podatkov. The regulations governing the protection of classified information in the Republic of Slovenia are in line with the relevant NATO regulations. The Act Ratifying the Agreement between the Parties to the North Atlantic Treaty for the Security of Information (Ur. l. RS, no. 83/04) stipulates that the parties must protect NATO classified information, marked as such, and classified information of the member states submitted to another member state in support of NATO programme, project or contract. NATO classified information must maintain the security classification of information and the parties must make every effort to safeguard it accordingly. The Act stipulates that the parties must establish and implement security standards ensuring a common degree of protection for classified information and that classified information must not be used for purposes other than those laid down in the North Atlantic Treaty and the decisions and resolutions pertaining to that Treaty. NATO classified Slika 20: Uradni znak zveze NATO (vir: Nato) Figure 20: Official NATO logo (Source: NATO) Stopnja tajnosti – NATO Security classification – Slovenia Security classification – NATO INTERNO NATO RESTRICTED RESTRICTED NATO RESTRICTED ZAUPNO NATO CONFIDENTIAL CONFIDENTIAL NATO CONFIDENTIAL TAJNO NATO SECRET SECRET NATO SECRET STROGO TAJNO COSMIC TOP SECRET TOP SECRET COSMIC TOP SECRET Stopnja tajnosti – Slovenija Preglednica 3: Primerjava stopenj tajnosti v Sloveniji in zvezi Nato Table 3: Slovenia and NATO security classification comparison 10 years of Government Office for The Protection of Classified Information (NSA) 65 Tajni podatki zveze Nato se v tem zakonu opredelijo tako, da podatki pomenijo védenje, ki se lahko sporoča v kakršni koli obliki, in da tajni podatki pomenijo podatke ali sredstva, za katere je določeno, da morajo biti zavarovani pred nepooblaščenim razkritjem in so bili določeni s stopnjo tajnosti, pri čemer izraz sredstvo pomeni dokumente in vsak del strojev, opreme ali orožja, ki je že bil izdelan ali je v postopku izdelave, izraz dokument pa pomeni vsak zapisan podatek ne glede na njegovo obliko ali značilnost, vključno s pisnim ali natisnjenim gradivom, karticami ali trakovi za obdelavo podatkov, zemljevidi, kartami, fotografijami, slikami, risbami, grafikami, skicami, delovnimi zapisi, kopijami in pisalnimi trakovi ali reprodukcijami s sredstvi ali postopki ter zvočnimi, glasovnimi, magnetnimi, elektronskimi, optičnimi ali videoposnetki v kakršni koli obliki ter prenosno opremo za avtomatsko obdelavo podatkov z vgrajenimi računalniškimi sredstvi za shranjevanje podatkov in odstranljivimi računalniškimi sredstvi za shranjevanje podatkov. 4.6.1 Varnostni odbor NATA Za usklajevanje, spremljanje in uresničevanje varnostne politike zveze Nato skrbi Natov urad za varnost (NOS – Nato Office of Security). Direktor NOS je glavni svetovalec generalnega sekretarja za varnostna vprašanja in predsednik Natovega odbora za varnost (NSC – Nato Security Committee, ki se je leta 2011 preimenoval v SC – Security Committee). NOS ima več funkcij, zadolžen je varnosti znotraj Nata. Z nadzori, inšpekcijami in ogledi v državah članicah, Natovih telesih in pri vseh, ki razpolagajo z Natovimi tajnimi podatki, preverja ustreznost ukrepov in ravnanja s podatki ter akreditiranimi komunikacijskimi in informacijskimi sistemi. Varnostno politiko, direktive, usmeritve in druge dokumente ter podporo delu na varnostnem področju odobri Natov odbor za varnost (Nato Security Committee). V varnostnem odboru sodelujejo predstavniki vseh držav članic, in sicer nacionalnih varnostnih organov (National Security Authority). Sestankom prisostvujejo tudi predstavniki mednarodnega vojaškega osebja Nata, strateških poveljstev in odborov, ki se ukvarjajo z varnostnimi vprašanji. SC preučuje varnostna vprašanja v najširšem pomenu besede in je neposredno odgovoren Severnoatlantskemu svetu (NAC - North Atlantic Council). Sodobni varnostni izzivi so predmet razprav številnih odborov, od katerih jih vsak obravnava z vidika svojih pristojnosti. Gre za vprašanja vzpostavitve strateških odnosov z novimi svetovnimi centri moči in vzpostavitve evroatlantske skupnosti. Preseganje zgodovinskih razlik in nezaupanja, nadzora nad orožjem in razoroževanja je del krepitve čezatlantskih odnosov, usmerjenih v azijsko-pacifiški prostor, ki zavezništvo 66 information must not be disclosed to non-NATO parties without the consent of the originator. The Act defines NATO classified information, whereby information is defined as knowledge that can be communicated in any form, while classified information is defined as information or material determined to require protection against unauthorised disclosure which has been so designated by security classification; the term material is deemed to include documents and also any item of machinery or equipment or weapons either manufactured or in the process of manufacture, and the term document means any recorded information regardless of its physical form or characteristics, including, without limitation, written or printed matter, data processing cards and tapes, maps, charts, photographs, paintings, drawings, engravings, sketches, working notes and papers, carbon copies and ink ribbons, or reproductions by an means or process, and sound, voice, magnetic or electronic or optical or video recordings in any form, and portable ADP equipment with resident computer storage media, and removable computer storage media. 4.6.1 NATO Security Committee NATO security policy is coordinated, monitored and implemented by the NATO Office of Security (NOS). Its Director is the NATO Secretary General's principal adviser on security issues and the Chairman of the Security Committee; in 2011, NATO Security Committee (NSC) was renamed the Security Committee (SC). NOS has several functions and is responsible for coordinating security within NATO. The adequacy of the measures, the handling of information and accredited communication and information systems are verified by NOS through controls, inspections and visits to member states, to NATO bodies and to all who have NATO classified information at their disposal. The security policy, directives, guidelines and other documents, as well as the support for work in the area of security, are approved by the NATO Security Committee (NSC). Representatives of all member states, i.e. their National Security Authorities, participate in the work of the Security Committee. Its meetings are also attended by representatives of NATO international military staff, strategic headquarters and committees involved in security issues. It examines broad security issues and is directly responsible to the North Atlantic Council (NAC). The present security challenges are discussed by numerous committees from the viewpoint of their respective competencies; they relate to the issues concerning the establishment of strategic relations with new global centres of power and the setting up of the Euro–Atlantic community. 10 let Urada RS za varovanje tajnih podatkov ZDA z evropskimi državami še dodatno krepi. Zagotavljanje energetske in kibernetske varnosti, reševanje finančne krize in drugih varnostnih vprašanj v državah članicah Nata se obravnava prednostno in z zavedanjem, da Nato pri tem deluje kot mesto usklajevanja in spodbujanja konkretnega sodelovanja. SC se sestaja v različnih formatih. Na izvršilni ravni se praviloma sestaja dvakrat letno in obravnava splošna varnostna vprašanja, kakor je navedeno zgoraj, ter vprašanja varovanja tajnih podatkov. Sestankov se udeležujejo direktorji nacionalnih varnostnih organov držav članic Nata. SC sprejema dokumente, ki so predhodno usklajeni med državami članicami v drugih organih, kot so Security Policy Format in Information Assurance Format. Gre za dokumente – varnostno politiko, direktive in smernice, ki zagotavljajo varovanje tajnih podatkov na področju osebne varnosti, dokumentacijske varnosti, fizične in industrijske varnosti ter komunikacijsko informacijske varnosti. Sprejeti dokumenti veljajo za obravnavo tajnih podatkov v okoljih miru in stabilnosti kakor tudi v kriznih in vojnih področjih. Reguliran je tudi dostop do tajnih podatkov državam nečlanicam zveze Nato, ki dejavno sodelujejo v Natovih operacijah in zato potrebujejo dostop do tajnih podatkov zveze Nato. Glede na potrebe, se varnostni odbor sestaja tudi v razširjenem sestavu, z dodanimi drugimi državami, ki imajo status nečlanice Nata, t. i. NNN (NonNatoNation). SC poroča NAC najmanj enkrat letno. 4.6.2 Natova mednarodna konferenca (Nato Security Committee/AdHoc Working Group) UVTP je v letu 2009 organiziral sestanek varnostnega odbora na Brdu pri Kranju. Sestanka so se udeležili predstavniki držav članic Nata. Na njem so bila med drugim obravnavana občutljiva vprašanja dostopanja do tajnih podatkov držav nečlanic Nata in sprejeti pomembni sklepi, ki so omogočili kakovosten premik pri pripravi dokumentov, ki naj bi to tudi formalno omogočili. Zaradi tega je sestanek dobil status izjemno pomembnega in občutljivega dogodka z zelo pomembnimi razpravami. Udeležilo se ga je veliko članov nacionalnih varnostnih organov držav članic, agencij, strateških poveljstev in strokovnjakov članic Nata. Na UVTP smo kot država gostiteljica od predsedujočega dr. Giuseppeja Benassija in takratnega direktorja NOS Michaela T. Evanoffa prejeli tudi pisno pohvalo za izvrstno organizacijo dogodka, ki je omogočila konstruktivno delovno vzdušje, katerega rezultati so pomenili pomemben mejnik v obravnavi tajnih podatkov. K uspešnosti The endeavours to overcome historical divisions and mistrust, and for arms control and disarmament are oriented towards strengthening transatlantic relations with the Asia-Pacific region and also contribute towards reinforcing alliance between the U.S. and European countries. The provision of energy and cyber security, the solving of the financial crisis and other security issues of the NATO member states are topics discussed as a matter of priority, whereby bearing in mind that, in this respect, NATO provides a platform for coordinating and promoting actual cooperation. The Security Committee meets in different formats. As a rule, it holds two meetings per year at Principal's level to discuss general security issues, as described above, and issues related to the protection of classified information. The meetings are attended by the Directors of National Security Authorities of the NATO member states. The Security Committee adopts documents previously coordinated between the member states within other bodies, i.e. in Security Policy Format and in Information Assurance Format. These are documents on security policy, directives and guidelines for ensuring classified information protection in the areas of personal security, documentation security, physical and industrial security, and communication and information security. The documents adopted apply to the handling of classified information in the stability and peace areas as well as in the crisis and war areas. The access to classified information for non–NATO countries, which are actively participating in NATO operations and therefore need access to NATO classified information, is also regulated. Depending on the needs, the Security Committee also meets in an extended formation, i.e. together with other countries holding a non–NATO nation (NNN) status. The Security Committee reports to the North Atlantic Council at least once a year. 4.6.2 NATO international conference (NATO Security Committee/Ad Hoc Working Group) In 2009, a Security Committee meeting was organised by the UVTP at Brdo pri Kranju. The meeting was attended by NATO member state representatives. The discussion focused on sensitive issue of the nonNATO countries access to classified information; the important decisions adopted at the meeting facilitated a qualitative step forward in drafting documents to formally regulate their access to such information. For this reason, the meeting has been considered a very significant and sensitive event that featured important discussions. It was attended by numerous members 10 years of Government Office for The Protection of Classified Information (NSA) 67 konference so vsekakor prispevali tudi sodelavci MORS in SV ter zaposleni JGZ Brdo. 4.6.3 Sporazum ATOMAL UVTP je bil tudi nosilec aktivnosti pri sprejemanju tako imenovanih predpisov ATOMAL. Republika Slovenija je Sporazum med pogodbenicami Severnoatlantske pogodbe o sodelovanju na področju jedrskih podatkov s Tajno tehnično prilogo k Sporazumu med pogodbenicami Severnoatlantske pogodbe o sodelovanju na področju jedrskih podatkov (katere varovanje tajnosti je 10. maja 2000 odpravil Severnoatlantski svet) in Zaupno varnostno prilogo k Sporazumu med pogodbenicami Severnoatlantske pogodbe o sodelovanju na področju jedrskih podatkov (katere varovanje tajnosti je 6. marca 1998 odpravil Severnoatlantski svet) ratificirala aprila leta 2007 (Uradni list RS, Mednarodne pogodbe, št. 6/07 – MSPJP), protokol, ki spreminja in dopolnjuje Zaupno varnostno prilogo k Sporazumu med pogodbenicami Severnoatlantske pogodbe o sodelovanju na področju jedrskih podatkov pa leta 2009. Sporazum Natu in njegovim članicam omogoča medsebojno izmenjavo podatkov z jedrskega področja za krepitev skupne obrambe in varnosti. Vlada Združenih držav Amerike po tem sporazumu posreduje jedrske podatke, potrebne za razvoj obrambnih načrtov, izobraževanje osebja, ki uporablja jedrske podatke v zvezi z uporabo jedrskega orožja oziroma učinki in posledicami uporabe jedrskega orožja. 4.6.4 MISWG 2010 Začetki mednarodne delovne skupine za industrijsko varnost (MISWG) segajo v leto 1985. Skupina je nastala kot odziv na ugotovitev, da obstoječe nezdružljive varnostne zahteve posameznih držav na področju industrijskega sodelovanja v praksi postajajo problem. Na sestanku predstavnikov držav članic Nata, odgovornih za področje industrijske varnosti (razen Islandije), so predstavniki ZDA, Velike Britanije in Nemčije predlagali ustanovitev delovne skupine, ki bi pregledala obstoječe varnostne standarde v vseh državah članicah in pripravila priporočila za njihovo poenotenje. Na prvem uradnem sestanku delovne skupine je bilo sprejeto njeno uradno ime, sčasoma pa je skupina dobila tudi uradni emblem in zastavo. Članstvo v MISWG je bilo prvotno omejeno na države članice Nata, vendar se je leta 1999 skupina začela postopoma odpirati navzven. 68 of the national security authorities, agencies, strategic headquarters and experts from NATO member states. The host country and the UVTP earned a written commendation by Guiseppe Benassi, who chaired the meeting, and Michael T. Evanoff, who was the Director of the NATO Office of Security at the time, for the excellent organisation of the event, which created a constructive working atmosphere enabling the meeting to become an important turning point in dealing with classified information. Undoubtedly, the credit for the conference's success also went to the Ministry of Defence and the staff of the Slovenian Armed Forces, as well as to JGZ Brdo State Protocol Services personnel. 4.6.3 ATOMAL Agreement The UVTP was also actively involved in the adoption of the ATOMAL regulations. In April 2007, the Republic of Slovenia ratified the Agreement between the Parties to the North Atlantic Treaty for co-operation regarding Atomic Information with Secret Technical Annex to the Agreement between the Parties to the North Atlantic Treaty for co-operation regarding Atomic Information (declassified by the North Atlantic Council on 10 May 2000) and Confidential Security Annex to the Agreement between the Parties to the North Atlantic Treaty for co-operation regarding Atomic Information (declassified by the North Atlantic Council on 6 March 1998) (Ur. l. RS, MP, no. 6/07); the Protocol Amending the Security Annex to the Agreement between the Parties to the North Atlantic Treaty for Co-operation regarding Atomic Information was ratified in 2009. The Agreement enables NATO and its members to exchange atomic information with a view to strengthening mutual defence and security. In accordance with this Agreement, the Government of the United States of America communicates the atomic information required for designing defence plans and training of personnel using atomic information in connection with the use of atomic weapons and/or effects and results of its use. 4.6.4 Multinational Industrial Security Working Group, 2010 The beginnings of the MISWG go back to 1985. The group was established in response to the finding that the applicable incompatible security requirements of the individual states in the area of industrial cooperation had become an impediment. At a meeting of industrial security officials from all of the NATO countries (with the exception of Iceland), the German, UK, and US representatives proposed the establishment of a working group which would 10 let Urada RS za varovanje tajnih podatkov Slika 22: Priložnostni znak in simbolično srce dobrodošlice Figure 22: A commemorative emblem and symbolic welcome heart Slika 23: Mednarodna konferenca zveze Nato (Nato Security Committee/AdHoc Working Group) – Brdo pri Kranju, 8. do 11. junij 2009 Figure 23: NATO international conference (NATO Security Committee/Ad Hoc Working Group), Brdo pri Kranju from 8 to 11 June 2009 Sestankov MISWG, ki praviloma potekajo enkrat na leto in so zaprtega tipa, se udeležujejo višji državni uradniki, odgovorni za področje industrijske varnosti, iz vseh držav članic Nata (razen Islandije), Avstralije, Avstrije, Finske, Izraela, Nove Zelandije, Švedske in Švice ter predstavnika Nata in Evropske komisije, ki imata status opazovalca. Slovenija je članica MISWG od leta 2003. review each country's security procedures and make recommendations for standard procedures. The official name of the working group was adopted at its first official meeting; a standard emblem was developed at a later date. MISWG membership was initially limited to NATO member states; in 1999, the Group started to open up. 10 years of Government Office for The Protection of Classified Information (NSA) 69 Odločitve MISWG se sprejemajo v obliki dokumentov, ki niso pravno zavezujoči, kar pomeni, da je državam članicam povsem prepuščena odločitev o tem, ali bodo sprejete dokumente uvedle v svoje nacionalne ureditve ali ne. Kljub navedenemu se z vstopom v članstvo vsaka država neformalno obveže k temu, da bo odločitve MISWG spoštovala v kar največjem obsegu. Slednje je v povezavi s številom držav, ki sodelujejo v MISWG, pomemben kazalnik razvoja gibanja svetovne industrijske varnosti, hkrati pa dokumenti MISWG predstavljajo pomembno podlago za pripravo zavezujočih mednarodnih predpisov, katerih oblikovanje in sprejemanje zakonov potekata hitreje in z manj birokratskimi preprekami. Slovenski nacionalni varnostni organ, katerega naloge opravlja Urad Vlade RS za varovanje tajnih podatkov, je leta 2010 nastopil v vlogi organizatorja 25. srečanja MISWG. To leto je bilo za skupino v znamenju srebrnega jubileja, zato je imel vtis, ki ga je urad naredil na udeležence, še toliko večjo težo. Srečanje MISWG 2010 je potekalo od 7. do 9. septembra 2010 v kongresnem centru Brdo pri Kranju, predsedovala pa mu je Maja Rožaj. Navedeno srečanje je odprlo številne nove pobude, katerih večina se je osredotočala na področje kibernetske varnosti, možnosti za uravnoteženje Slika 24: Zasedanje na konferenci MISWG 2010 70 As a rule, the MISWG meets once a year at closed meetings attended by senior industrial security officials from all of NATO countries (with the exception of Iceland), Australia, Finland, Israel, New Zealand, Sweden and Switzerland, and representatives of NATO and the European Commission who have observer status. Slovenia became a member of the MISWG in 2003. The MISWG's decisions are adopted in the form of legally non-binding documents, which means that member states decide whether to transpose them into their national legislation. When joining the MISWG, states nevertheless informally undertake to comply with its decisions to the greatest extent possible. Viewed together with the number of countries participating in the MISWG, this represents an important indicator of the global industrial security trends; the MISWG documents also provide an important basis for drafting binding international regulations and national laws, facilitate their swift drafting and adoption and diminish bureaucratic barriers. In Slovenia, NSA tasks are carried out by the Office of the Government of the Republic of Slovenia for the Protection of Classified Information; in 2010, it organised the 25th MISWG meeting. That was the Figure 24: MISWG 2010 Conference meeting 10 let Urada RS za varovanje tajnih podatkov nacionalnih in mednarodnih zahtev na področju industrijske varnosti v luči vse večjega obsega dela in vse manjših finančnih sredstev, obširna razprava se je razvila tudi o nadaljnji širitvi MISWG ter določitvi meril in postopkov za pridružitev skupini bodisi v vlogi opazovalca bodisi stalnega člana. Velja poudariti dejstvo, da so imela slovenska podjetja, ki se ukvarjajo z razvojem, proizvodnjo in prometom opreme, sredstev ter storitev za obrambne in varnostne namene, v okviru konference priložnost predstaviti udeležencem lastno znanje in/ ali produkte. Za uspešno izvedbo konference je bilo izjemno pomembno tesno sodelovanje urada s številnimi akterji, med katerimi velja izpostaviti predvsem ministrstvo za gospodarstvo, ministrstvo za obrambo, ministrstvo za zunanje zadeve, Gospodarsko zbornico Slovenije in JGZ Brdo. Častni govornici oziroma gostji konference sta bili tedanja ministrica za obrambo dr. Ljubica Jelušič in ministrica za gospodarstvo mag. Darja Radić. year of the Group's silver jubilee, therefore the Office endeavoured to make the best impression on the participants. The MISWG 2010 meeting was held at the Brdo Congress Centre from 7–9 September 2010; it was chaired by Maja Rožaj. Several new initiatives were put forward; most of them focused on cyber security and the prospects for balancing national and international industrial safety requirements in the context of the increasing scope of work and diminishing financial resources; a thorough discussion was also held on further MISWG enlargement and on defining criteria and procedures for inviting new members or observers into the Group. Within the framework of the conference, the Slovenian companies engaged in the development, manufacture and trade of equipment, materials and services for defence and security purposes presented their knowledge and products to its participants. Close cooperation between the Office and a number of actors, particularly the Ministry of the Economy, the Ministry of Defence, the Ministry of Foreign Affairs, the Chamber of Commerce and Industry of Slovenia and JGZ Brdo State Protocol Services, was vital for the successful organisation of the conference. The then ministers of defence and the economy, Ljubica Jelušič and Darja Radić respectively, were the speakers of honour and hosts of the conference. Slika 25: Vodstvo MISWG 2010 in govornica mag. Darja Radič, ministrica za gospodarstvo Republike Slovenije Figure 25: The MISWG 2010 chairpersons and the Slovenian Minister of the Economy, Darja Radić. 10 years of Government Office for The Protection of Classified Information (NSA) 71 4.7 Regionalno sodelovanje 4.7.1 South East European National Security Authorities Državni zbor Republike Slovenije je z namenom potrditi zavezanost k sodelovanju, pomoči in razvoju regiji Zahodnega Balkana leta 2010 sprejel Deklaracijo o Zahodnem Balkanu. Vlada Republike Slovenije je istega leta zato, da bi izboljšala usklajenost delovanja na Zahodnem Balkanu, sprejela Smernice za delovanje Republike Slovenije do Zahodnega Balkana, vsako leto pa je na njihovi podlagi pripravljen akcijski načrt za delovanje Republike Slovenije do Zahodnega Balkana, v katerega je dejavno vključen tudi UVTP. Poleg razvejanega dvostranskega delovanja je vse pomembnejše tudi regionalno sodelovanje. Mednarodno regionalno organizacijo Regional Cooperation Council (RCC) je South East European Co-operation Process (SEECP) pooblastil za nadaljnji razvoj regionalnega sodelovanja na področju varnosti. Postala naj bi osnovni steber za oblikovanje temelja za regionalno izmenjavo tajnih podatkov, kar je bistveni predpogoj za regionalno sodelovanje na širšem varnostnem področju. Izmenjava tajnih podatkov presega teritorialne meje države, kar je pri večnacionalnem sodelovanju poseben izziv. Kot osnovo za to je treba razviti in širiti sodelovanje na dvostranski in mednarodni ravni na področju varovanja tajnih podatkov kot elementa nacionalne varnosti. V tem pogledu South East European National Security Authorities (SEENSA) skuša poiskati primerne rešitve in omogočiti skupen regionalni večstranski pristop. 4.7 Regional cooperation 4.7.1 South-East European National Security Authorities In 2010 the National Assembly of the Republic of Slovenia adopted a Declaration on the Western Balkans with a view to reaffirming its commitment to cooperation, support and development in the region. In order to improve operational coordination in the Western Balkans, the Government of the Republic of Slovenia adopted the Guidelines for Slovenia's Policy on the Western Balkans that year. On their basis, the annual action plans for Slovenia's policy on the Western Balkans, with the UVTP's active involvement, are prepared. In addition to extensive bilateral cooperation, regional cooperation is also gaining importance. The South-East European Co-operation Process (SEECP) entrusted the Regional Cooperation Council (RCC) a task to further develop regional cooperation in the area of security. The RCC is to provide the basis for developing regional exchange of classified information, which is a precondition for broader regional cooperation in the field of security. Classified information is exchanged across state borders, and this represents a particular challenge for multilateral cooperation. Bearing this in mind, bilateral and international cooperation in the area of classified information protection – viewed as an element of national security – should be developed and enhanced. In this context, the South-East European National Security Authorities (SEENSA) endeavour to find appropriate solutions and facilitate a common regional multilateral approach. Razvoj dejavnosti na območju jugovzhodne Evrope pri spodbujanju regionalnega in dvostranskega sodelovanja med organi, pristojnimi za varnost in obrambo, je jasno pokazal, da je treba podlago za nadaljnjo krepitev sodelovanja poiskati v možnosti za izmenjavo tajnih podatkov, kar bi pomenilo vsestransko korist tega procesa. V tem pogledu so nekateri nacionalni varnostni organi v jugovzhodni Evropi (iz držav članic RCC) razvili medsebojne Developments in the promotion of regional and bilateral cooperation between authorities responsible for security and defence in South-East Europe have clearly shown that further strengthening of cooperation should focus on the potential exchange of classified information, which would render the process very useful. In this context, the national security authorities of some South-East European countries (members of the RCC) have already established mutual relations and concluded bilateral agreements. In addition, a regional approach to establishing such cooperation between national security authorities should also be Slika 26: Znak RCC Figure 26: RCC logo 72 10 let Urada RS za varovanje tajnih podatkov odnose in podpisali dvostranske sporazume. Poleg tega je treba upoštevati, da lahko nacionalni varnostni organi razvijejo takšno sodelovanje tudi z regionalnim pristopom. Pobudo SEENSA je podprl SEECP na njihovem letnem srečanju voditeljev držav leta 2010, potrjena pa je bila tudi na letnem srečanju RCC. Pobuda je vključena v strateški in delovni program RCC za obdobje 2011–2013. Ta forum postaja vse bolj pomemben in koristen temelj za izmenjavo mnenj in idej o enem najpomembnejših področij regionalnega varnostnega sodelovanja. Njegov cilj je krepitev regionalne varnosti, stabilnosti in graditev medsebojnega zaupanja. considered. The SEENSA initiative was supported at the 2010 annual meeting of the Heads of State and Government of the SEECP and was also approved at the annual RCC meeting. The initiative has been included in the RCC 2011–2013 work programme. This forum has been gaining importance and becoming a valuable platform for exchanging opinions and ideas on one of the most important areas of regional security cooperation. Its objective is to strengthen regional security, stability and to foster mutual trust. 10 years of Government Office for The Protection of Classified Information (NSA) 73 Foto galerija Photo Gallery Zaposleni na UVTP v letu 2012 (z leve proti desni) prva vrsta: mag. Mateja Kapš, Tatjana Balorda, Maja Rožaj, Dora Uršič druga vrsta: mag. Erik Schlegel, Damjan Razinger, tretja vrsta: dr. Boštjan Petelinc, Gregor Majcen, v. d. direktorja urada, Uroš Kogoj četrta vrsta: Boris Mohar, Marko Rosandič, mag. Milan Tarman peta vrsta: Igor Eršte in Miran Skobe Office of the Government of the Republic of Slovenia for the Protection of Classified Information staff, 2012 First row (left to right): Mateja Kapš, Tatjana Balorda, Maja Rožaj and Dora Uršič. Second row: Erik Schlegel and Damjan Razinger. Third row: Boštjan Petelinc, Mr Gregor Majcen (Acting Director of the Office) and Uroš Kogoj. Fourth row: Boris Mohar, Marko Rosandič, Milan Tarman. Fifth row: Igor Eršte and Miran Skobe 74 10 let Urada RS za varovanje tajnih podatkov Delavnica Nato Infosec NATO InfoSec Workshop Delavnica Nato Infosec Workshop – Brdo pri Kranju, 28. do 30. januar 2009 NATO InfoSec Workshop — Brdo pri Kranju from 28 to 30 January 2009 Mednarodna konferenca zveze Nato (Nato Security Committee/AdHoc Working Group) NATO international conference (NATO Security Committee/Ad Hoc Working Group) Skupinska slika z mednarodne konference zveze Nato (Nato Security Committee/AdHoc Working Group) – Brdo pri Kranju, 8. do 11. junij 2009 Group photo — NATO international conference (NATO Security Committee/Ad Hoc Working Group), Brdo pri Kranju from 8 to 11 June 2009 10 years of Government Office for The Protection of Classified Information (NSA) 75 MISWG 2010 Multinational Industrial Security Working Group, 2010 Skupinska slika MISWG 2010 Group photo — MISWG 2010 Zastave držav in mednarodnih organizacij na konferenci MISWG 2010 The national flags and the flags of international organisations, MISWG 2010 76 10 let Urada RS za varovanje tajnih podatkov Poslovna predstavitev podjetja na MISWG 2010 Company business presentation, MISWG 2010 Poslovna predstavitev podjetja na MISWG 2010 Business presentation of a company, MISWG 2010 10 years of Government Office for The Protection of Classified Information (NSA) 77 Govor takratne ministrice za gospodarstvo mag. Darje Radič Former Slovenian Minister of the Economy, Darja Radić, delivering her speech Govor takratne ministrice za obrambo dr. Ljubice Jelušič Former Slovenian Minister of Defence, Ljubica Jelušič, delivering her speech 78 10 let Urada RS za varovanje tajnih podatkov Govor veleposlanika Charlesa Murta Ambassador Charles Murto delivering his speech Predaja vloge predsedovanja MISWG Republiki Finski Handing the MISWG presidency to Finland 10 years of Government Office for The Protection of Classified Information (NSA) 79 Dvostransko sodelovanje Bilateral cooperation Podpis sporazuma med Vlado Republike Slovenije in Vlado Kraljevine Švedske o izmenjavi in medsebojnem varovanju tajnih podatkov Signing of the Agreement between the Government of the Republic of Slovenia and the Government of the Kingdom of Sweden on the Exchange and Mutual Protection of Classified Information Podpis sporazuma med Vlado Republike Slovenije in Vlado Romunije o medsebojnem varovanju tajnih podatkov. Signing of the Agreement between the Government of the Republic of Slovenia and the Government of Romania on the Exchange and Mutual Protection of Classified Information 80 10 let Urada RS za varovanje tajnih podatkov Podpis sporazuma med Vlado Republike Slovenije in Vlado Republike Hrvaške o medsebojnem varovanju tajnih podatkov. Signing of the Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Croatia on the Exchange and Mutual Protection of Classified Information Sporazum med Vlado Republike Slovenije in Svetom ministrov Republike Albanije o izmenjavi in medsebojnem varovanju tajnih podatkov Signing of the Agreement between the Government of the Republic of Slovenia and the Council of Ministers of the Republic of Albania on the Exchange and Mutual Protection of Classified Information 10 years of Government Office for The Protection of Classified Information (NSA) 81 Sporazum med Vlado Republike Slovenije in Vlado Republike Makedonije o izmenjavi in medsebojnem varovanju tajnih podatkov. Signing of the Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Macedonia on the Exchange and Mutual Protection of Classified Information Podpis sporazuma med Vlado Republike Slovenije in Vlado Francoske republike o izmenjavi in medsebojnem varovanju tajnih podatkov. Signing of the Agreement between the Government of the Republic of Slovenia and the Government of the French Republic on the Exchange and Mutual Protection of Classified Information 82 10 let Urada RS za varovanje tajnih podatkov Podpis sporazuma med Vlado Republike Slovenije in Vlado Republike Latvije o izmenjavi in medsebojnem varovanju tajnih podatkov. Signing of the Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Latvia on the Exchange and Mutual Protection of Classified Information Podpis sporazuma med Vlado Republike Slovenije in Vlado Republike Poljske o izmenjavi in medsebojnem varovanju tajnih podatkov. Signing of the Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Poland on the Exchange and Mutual Protection of Classified Information 10 years of Government Office for The Protection of Classified Information (NSA) 83 Podpis sporazuma med Republiko Slovenijo in Češko republiko o izmenjavi in medsebojnem varovanju tajnih podatkov. Signing the Agreement between the Republic of Slovenia and the Czech Republic on the Exchange and Mutual Protection of Classified Information Podpis sporazuma med Vlado Republike Slovenije in Avstrijsko zvezno vlado o izmenjavi in medsebojnem varovanju tajnih podatkov. Signing of the Agreement between the Government of the Republic of Slovenia and the Federal Government of the Republic of Austria on the Exchange and Mutual Protection of Classified Information 84 10 let Urada RS za varovanje tajnih podatkov Podpis sporazuma med Vlado Republike Slovenije in Vlado Republike Finske o izmenjavi in medsebojnem varovanju tajnih podatkov. Signing of the Agreement between the Government of the Republic of Slovenia and the Government of the Republic of Finland on the Exchange and Mutual Protection of Classified Information 10 years of Government Office for The Protection of Classified Information (NSA) 85 86 10 let Urada RS za varovanje tajnih podatkov
© Copyright 2024