SECURITY AND PROTECTION OF EDI MESSAGES



Obligations of parties

A satisfactory level of security must be ensured for messages in order to avoid the risks associated with exchanging messages by EDI; the level required will depend upon the importance of the transactions or messages exchanged.

NATO Classified information

For NATO classified information, the NATO document C-M(55)15(Final) "Security within North Atlantic Organization" provides the necessary security requirements. National security regulations may also be introduced here.

Security procedures and measures

Verification of origin and integrity are stated to be mandatory for any EDI Message, as they constitute a basic level of security. Parties are, however, strongly recommended to agree, where required, on additional security measures; the degree of these will depend on the value and importance of the subject-matter of the messages and on the possible security risks in the event of an unsuccessful exchange of messages.

Control measures should be provided in the user manual, possibly by reference to an agreed standard: specific checks, acknowledgement of receipt, control count, reference number, identification, etc. More elaborate controls may be necessary, in particular when transactions are important; this could mean the use of specific messages to increase security, such as those recommended by security experts, or any other available security means or method, including, as an example, digital signatures.

The means, methods and specifications of security and the messages to be used between the parties, to ensure the level of security required, should be set out in detail in the user manual.

Failure and security procedures

The failure of an EDI Message exchange, or an error in a message revealed by the use of security procedures or measures, should be notified to the sender within the specified time limits in order to allow the sender to initiate any appropriate corrective action. In the case of rejection of an EDI Message or the detection of an error, instructions from the sender should be sought before the receiver takes any other action on the content of the message itself.

Encryption

The parties may agree to use a specific form of protection for certain messages, such as a method of encryption, to the extent permitted by law in either of their respective countries. For subsequent transmissions or retransmissions, the parties shall maintain the same level of protection.

Sample Clauses:
  • The parties undertake to implement and maintain security procedures and measures in order to ensure the protection of EDI Messages against the risks of unauthorized access, alteration, delay, destruction, loss, or security breach.

  • The security classifications detailed in the User Manual shall apply. For NATO classified information the NATO document C-M(55)15(Final) "Security within North Atlantic Organisation" is applicable. This document is made part of this Agreement by reference, automatically if the User Manual indicates that classified information will be transmitted.

  • Security procedures and measures include the verification of origin, the verification of integrity (including date and time of transmission), the non-repudiation of origin and receipt and the confidentiality of EDI Messages. Security procedures and measures for the verification of origin and the verification of integrity, in order to identify the sender of any EDI Message and to ascertain that any EDI Message received is complete and has not been corrupted, are mandatory for any EDI Message. Where required, additional security procedures and measures may be expressly specified in the User Manual.

  • If the use of security procedures and measures results in the rejection of, or in the detection of an error in, an EDI Message, the receiver shall inform the sender thereof within the specified time limit. The receiver of any EDI Message which has been rejected, or which contains an error, shall not act upon the EDI Message before receiving instructions from the sender. Where a rejected or erroneous EDI Message is retransmitted by the sender, the EDI Message should clearly state that it is a corrected EDI Message.
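As an added illustration that is not part of the handbook, the following Python sketch models the mandatory origin and integrity verification, the control measures listed above (reference number, date and time of transmission, control count, acknowledgement) and the receiver's rejection procedure. It uses a shared-key MAC, which verifies origin and integrity between two parties holding the key but does not provide the non-repudiation of origin the clauses also name; that requires a digital signature. The key, reference numbers, timestamp and message segments are all constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed shared key for the example; each pair of parties would provision its own.
KEY = b"constructed-demo-key"


def canonical_bytes(body):
    """Deterministic encoding so sender and receiver compute the tag over identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_body(body, key=KEY):
    """Origin/integrity tag over the whole body, including date/time and control count."""
    return hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()


def build_message(ref, segments, corrected=False, key=KEY):
    """Sender side: attach reference number, date/time of transmission and control count."""
    body = {
        "ref": ref,                          # reference number (constructed)
        "sent": "2000-10-04T11:16:30Z",      # date/time of transmission (constructed)
        "control_count": len(segments),      # control count over the message segments
        "corrected": corrected,              # a retransmission must state it is a correction
        "segments": segments,
    }
    return {"body": body, "mac": sign_body(body, key)}


def verify_message(msg, key=KEY):
    """Receiver side. Returns ('ACCEPT', None) or ('REJECT', reason)."""
    body = msg["body"]
    expected = sign_body(body, key)
    # Constant-time comparison; a mismatch means unknown origin or a corrupted message.
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return "REJECT", "origin/integrity verification failed"
    if body["control_count"] != len(body["segments"]):
        return "REJECT", "control count mismatch"
    return "ACCEPT", None


def receive(msg, key=KEY):
    """Failure procedure: on rejection, notify the sender and do not act on the
    content until the sender's instructions arrive; otherwise acknowledge receipt."""
    status, reason = verify_message(msg, key)
    notice = {"ref": msg["body"]["ref"], "status": status, "reason": reason}
    return {"act_on_content": status == "ACCEPT", "notify_sender": notice}
```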


Content last modified
10/4/2000 11:16:30 AM
by TK
Copyright© 1999-2010 LAMP / IDE Virtual Enterprise