8/7/2019 Effective_Information_Security
VAHTI 5/2009
The Government Information Security Management Board

Effective Information Security
A Summary of General Instructions on Information Security Management
MINISTRY OF FINANCE
PO Box 28 (Snellmaninkatu 1 A) FI-00023 GOVERNMENT
FINLAND
Tel. +358 9 16001
Internet: www.financeministry.fi
Layout: Pirkko Ala-Marttila
ISSN 1455-2566 (print)
ISBN 978-951-804-982-4 (print)
ISSN 1798-0860 (pdf)
ISBN 978-951-804-983-1 (pdf)
Edita Prima Plc
Helsinki 2009
Introducing the organisation: VAHTI's task

The Ministry of Finance is responsible for the steering and development of central government information security in Finland and has set up the Government Information Security Management Board (VAHTI) as the body responsible for cooperation, steering and development in the area of central government information security. In its work, VAHTI supports the Government and the Ministry of Finance in decision-making and in the preparation of decisions relating to central government's information security.

VAHTI's objective is, by developing information security, to improve the reliability, continuity, quality, risk management and contingency planning of central government functions and to promote information security so that it becomes an integral part of central government activity, steering and performance management.

VAHTI handles all the significant central government information security policies and the steering of information security measures. VAHTI also handles central government information security statutes, instructions, recommendations and targets. All areas of information security are subject to VAHTI's scrutiny.

VAHTI's work has improved central government information security, and the effectiveness of its work is evident not only in the central government but also in companies and internationally. The result is a very comprehensive set of general information security instructions (www.vm.fi/VAHTI). Led by the Ministry of Finance and VAHTI, a number of joint information security projects have been implemented with ministries and agencies. VAHTI has prepared, managed and implemented the central government information security development programme, in which significant development work has been achieved at a total of 26 development locations by 300 people appointed to the projects. VAHTI promotes the development of networked operating practices in public administration information security work.

In addition to the central government, the results of VAHTI's work are also widely utilised in local government, the private sector, international cooperation and everyday life. For three years in succession, VAHTI has been recognised with an award for exemplary work in improving Finland's information security.
Executive summary

The Government Information Security Management Board (VAHTI) has produced for the central government's use comprehensive instruction and recommendation material over the entire field of information security. These summarised instructions serve as a manual and as a link to the more extensive instructions and present their main elements in condensed form. Moreover, these instructions emphasise the management perspective, management and supervisor responsibility as well as information security planning. Their purpose is to give the management of central government organisations, and particularly their senior information management staff and security and information security personnel, together with people otherwise working in the said tasks, instructions for managing information security as part of their own work.

These instructions have been written primarily for central government use, but they are for the most part also applicable to other organisations. Information security has been described as an entity that includes operational processes and people as well as the security and safeguarding of information material and information systems. The main elements are people, processes, information material, information technology and availability of information. Policy, instructions, training and the consequent common understanding and operating practices that arise are the cornerstones of an organisation's good information security culture.

An organisation's internal data processing, production and customer service depend on the confidentiality, integrity and availability of the information behind them, namely on information security. A breach of information security can undermine an organisation's operational reliability and interrupt or prevent the provision of services used by both internal and external users. Without information security measures as well as backup measures created in advance, the electronic services and activities provided by society cannot be guaranteed in a normal situation nor, in particular, in the event of serious disruptions or emergency conditions.

It is the task of the management, as part of their own management work, also to ensure the information security of their organisation's operations. Part of the management process should be to ensure that the level of information security and risk management corresponds to the targets set for them and that
sufficient maintenance and development resources have been allocated to information security functions. Attention should also be paid to the wellbeing of employees, because a high level of security can be achieved only by an organisation where employees are well motivated in their work.

The management develop and strengthen the principles of their organisation's information security and risk management. In addition, measures should be taken to ensure that management receive regular reports on the organisation's information security situation and events as well as on any corrective measures arising from them.

This publication gives an overall picture of what an information security management system created on the basis of an information security and risk management system, and supporting good information management practice, should be like and how it should operate. With the aid of an information security management system, an organisation can ensure the achievement of both its own and the Government's targets in accordance with the resolution on central government information security and other guidelines, general information principles and statutes, as well as instructions given by the Ministry of Finance. The most important objective of VAHTI activity and instructions is to enhance central government information security.

The VAHTI instructions support organisations in the planning, implementation and maintenance of information security as well as in preparing the necessary documents.

Structure

The introduction to these instructions describes the general principles and justification of information security from a central government perspective.

Chapter 2 deals with the fundamentals of information security as well as the organisation, monitoring and reporting of information security, including risk management.

Chapter 3 examines the organisation of information security, its incorporation into processes as well as its implementation and practical evaluation.

The main details of the elements of information security are discussed from Chapter 4 onwards on the basis of a traditional eight-element subdivision. Chapter 11 examines the principles of continuity and emergency conditions planning and Chapter 12 the classifications used in information security.

Appended to these instructions is a set of document models relating to the building of an organisation's information security management system. Appendix 1 presents model policies and planning frameworks. Appendix 2 is a list of information security responsibilities and related roles.
Contents

Introducing the organisation: VAHTI's task ... 3
Executive summary ... 5
1 Introduction ... 9
1.1 Introduction to the concept of information security ... 9
1.2 Good information management practice ... 12
1.3 Coordination of information security work in central government ... 13
1.4 A changing, globalising operating environment ... 15
1.5 Working group ... 15
1.6 Chapter guide to the instructions by target group ... 16
2 Information security fundamentals ... 19
2.1 Risk management policy ... 19
2.2 Information security policy ... 20
2.3 Information security management ... 21
2.4 Information security as an element of performance management ... 23
2.5 Information security as part of operational strategic planning ... 26
2.6 Information security and quality ... 27
2.7 Assessment and monitoring ... 29
3 Organisation of information security ... 31
3.1 Process thinking as the basis of information security ... 31
3.2 Information security management system ... 33
3.3 Information security planning and development ... 36
3.3.1 Planning fundamentals ... 37
3.3.2 Information security practices and principles (an information security plan) ... 38
3.3.3 Information security development plan ... 38
3.4 Information security implementation ... 39
3.4.1 Procurement ... 40
3.4.2 Outsourcing ... 41
3.4.3 Training ... 42
3.4.4 Communications ... 42
3.5 Practical assessment and reporting ... 43
4 Security of information material: information capital management ... 45
5 Personnel security ... 47
6 Physical security ... 49
7 Security of telecommunications services ... 51
8 Hardware and equipment security ... 53
9 Operations security ... 55
9.1 System maintenance ... 55
9.2 Information security of telework and remote access ... 56
9.3 Information technology monitoring ... 56
9.4 Management of access rights ... 57
10 Software and software development security ... 59
10.1 Security of electronic services ... 59
10.2 System development security ... 59
11 Continuity and special situations management ... 61
11.1 Ensuring operational continuity ... 61
11.1.1 Continuity plan ... 62
11.1.2 Emergency preparedness plan ... 64
11.1.3 Recovery plan ... 64
11.1.4 Fire and rescue plan ... 65
11.1.5 Information security anomaly management ... 65
12 Classification used in information security ... 67
12.1 Classification of organisations ... 67
12.2 Classification of facilities ... 67
12.3 Classification of personnel ... 69
12.4 Classification of tasks ... 69
12.5 Priority classification of systems ... 69
12.6 Classification of information material ... 70
Appendix 1: Model policies and planning frameworks ... 73
Appendix 2: Information security responsibilities by role ... 79
Appendix 3: Valid VAHTI publications ... 83
1 Introduction

1.1 Introduction to the concept of information security

The term information security means the protection and back-up of information and services as well as systems and telecommunications in order to manage the risks directed at them. Protection and back-up are achieved in both normal and emergency conditions through administrative, technical and other measures.

The objective of information security is to safeguard the confidentiality, integrity and availability of information from threats and accidents arising from hardware and software faults, natural events and wilful, negligent or accidental actions.

Central government information, information systems and services are essential for Finnish society; they are also economically irreplaceable and vital in terms of the nation's security and functions. For society to function, an adequate level of information security is required.

Efficiency requirements in a rapidly developing and internationalising society have made information technology vital in all activities in society. Our engagement with information technology as well as our dependence on its reliability and the continuous availability of information and technology are placing an increasing significance on information security. Information security is of key importance in managing and safeguarding all of an organisation's activities, whether in normal conditions, during disruptions or malfunctions, in emergency conditions or in possible special situations. Information security is a fundamental prerequisite of the quality and operational reliability of central government as a whole as well as of good information management practice.

A high standard and quality of information security are important for citizens as well as for central government activities and openness. A low level of information security may jeopardise the security and economic interests of the central government and citizens, cause additional work and costs as a consequence of damage and loss of information, and weaken the credibility of the authorities' activities.
The key statutes governing central government information security work are:

- The Archives Act (Arkistolaki 831/1994)
- The Personal Data Act (Henkilötietolaki 523/1999)
- The Act on Electronic Services and Communication in the Public Sector (Laki sähköisestä asioinnista 13/2003)
- The State Budget Act (Talousarviolaki 423/1988)
- The State Budget Decree (Talousarvioasetus 1243/1992)
- The Act on the Openness of Government Activities (Julkisuuslaki 621/1999)
- The Decree on the Openness of Government Activities (Julkisuusasetus 1030/1999)
- The Act on the Protection of Privacy in Working Life (Työelämän tietosuojalaki 759/2004)
- The basic rights and freedoms provisions of the Constitution (Perustuslaki 731/1999)
- The Act on the Protection of Privacy in Electronic Communications (Laki yksityisyyden suojasta sähköisessä viestinnässä 516/2004)
- The Emergency Powers Act (Valmiuslaki 1080/1991)
- The State Civil Servants Act (Virkamieslaki 750/1994)

Each authority is individually responsible for implementing the statutes and the resolution on central government security as well as promoting information security development.

The Government resolution on central government information security relates to:

- ministries, government agencies and public bodies
- data processing, information management and data transfer services acquired by them from external parties or outsourced to unincorporated government enterprises founded by them and
- state-owned enterprises handling official functions of the state.

An organisation should conduct its activities in accordance with good administrative practice. Good information management practice requires performance responsibility and accountability as well as a commitment to efficiency and transparency. The performance prism is also applicable to information security management.
Figure 1. Performance prism (figure not reproduced). Labels recoverable from the figure: performance management and accountability; social effectiveness goals and social effectiveness (how operations and finance have influenced social effectiveness, which can be influenced by management); operational performance goals and operational results, comprising operational effectiveness (economy, productivity, economic efficiency, cost correlation) and output and quality control (performance and public goods, service capacity and quality); management and development of intellectual resources.
Information security and its productive management require the commitment of management to the development of information security. The management must also ensure the allocation of the resources required by information security. The organisation must develop the ability to integrate information security into its management activity and culture. Through an open and transparent management model it is possible to involve all personnel in developing information security. This creates for the organisation a secure operating and services environment that fulfils its operational needs. An advanced management system and a high information security culture create the conditions for cost-effective risk management and thereby an effective information security management system.

Senior management commitment is essential for systematic work to succeed. The management decide the desired information security level (maturity level) and its significance for their organisation. The desired strategic intent and position are presented regularly in up-to-date operating strategy and policy documents (information security and risk management policy). Based on these, the organisation prepares and strengthens the practical information security instructions that govern the practical information security and processes of the organisation's personnel.

In particular, the importance of the secure handling of information (information capital) should be emphasised as part of both the employee's and the organisation's activities.

Regular information security training effectively maintains the information security expertise and information security awareness of personnel.

Quality, cost-effective provision of services also means secure services.
The level of information security should also be measured. Indicators linked to the performance management process will ensure the achievement of information security targets both on an annual basis and over a longer period. The fulfilment of the information security level and the management of related risks should also be evaluated by the organisation's internal auditing or corresponding function. The task is to confirm that management are complying with laws, statutes and standards, and to supervise the implementation of management's plans.

Information security management means in practice the implementation of risk management. Daily operating processes must include methods by which risks can be reduced, or their impact lessened, in an orderly manner. In well-managed organisations, information security and other security tasks, the responsibilities of those performing these tasks and reporting practices are properly defined.

The provision of electronic services requires the trust of users. Information security aspects relating to the provision of services must be reviewed when examining an organisation's opportunities to provide new services. Use of information technology services requires a connection between the user and the system. The information security of the connection depends on the classification of the information moving on the information network. The information security of the connection must correspond to the information security level of the information transferred in the network. Linked data warehouses must be accessible, consistent and up-to-date, and the confidentiality of the information obtainable from them must be ensured.

1.2 Good information management practice

Good governance in public administration means the quality, efficiency, transparency and accountability of operating practices and structures. An essential element of good governance in public administration is a citizen- and customer-oriented way of operating. This requires clarity of organisational structures and roles at different levels of management and operating according to these roles.

Definition: Financial Controller

Good information management practice is a way of operating that includes a high standard and good quality of work. The good quality requirement relates above all to the documents and information processed by the public administration. The characteristics required of these are accessibility and availability, integrity and accuracy, and confidentiality. The quality of documents and information is ensured with the aid of administrative practice and information systems.

(Ministry of Finance definition of information management practice, 11/2000)
Good information management practice must be included in the normal work of every employee and it should also be taken into account in processes. Targets in accordance with the Act on the Openness of Government Activities should be fulfilled through the appropriate organisation, resourcing, planning and direction of operations.

The first practical prerequisite for the implementation of good information management practice is that the authority has detailed, up-to-date descriptions of its own tasks, including what information and documents are created in the handling of the said tasks as well as how long the information and documents should be kept. These descriptions are needed for document and information management. The descriptions not only serve the organisation itself, but also external parties who need the information. Those seeking information can then ascertain which public documents and information exist in the organisation and where they can be found.

Another prerequisite is that the organisation's individual issues are under control. Lists of individual issues that are being, and have been, processed should be obtainable in records, various information systems, registers and archives.

A third prerequisite for good information management practice is that the authority's information management and archiving as well as its communications and information service are appropriately resourced and organised, and that responsibilities for tasks as well as mutual division of labour are clearly specified. This means that all functions and work stages related to information processes are significant. A quality system is achieved only if all areas of information work cooperate effectively and appropriately.

A fourth prerequisite for good information management practice is that operations are governed by instructions. Instructions help ensure operational continuity, transparency and quality. Common ground rules should ensure that employees act in the same way in the same situations, in which case good information management practice goals and principles will be fulfilled. Instructions can help safeguard operational continuity, because then operating practices can be transferred from one person to another and taught to new employees. The Act and Decree on the Openness of Government Activities require that personnel are trained to act in accordance with instructions, and that compliance with instructions is supervised and monitored.
1.3 Coordination of information security work in central government

In December 2008, the Government issued a resolution on a national information security strategy. The resolution's objectives are to promote national and international information security cooperation, enhance national competitiveness and the operational environment for Finnish ICT companies, improve information security risk management and safeguard the fulfilment of fundamental rights and national information capital, and increase information security awareness and expertise.

The Government resolution on central government information security steers development policies. According to the Government's rules of procedure, the Ministry of Finance directs and reconciles development activities. Each ministry is responsible for advancing information security activities in its own administrative branch. It is the task of the Government Information Security Management Board (VAHTI) to prepare and harmonise the information security policies of the Government and the Ministry of Finance.

VAHTI's objective is, by developing information security, to improve the reliability, continuity, quality, risk management and contingency planning of central government functions and to promote information security so that it becomes an integral part of government activity, steering and performance management. VAHTI handles central government information security statutes, instructions, recommendations and targets. VAHTI acts as the cooperation, preparation and coordination body of central government organisations responsible for the central government's development and steering of information security and data protection, and it promotes the development of networked operating practice in public administration information security work.

The Management Board participates when necessary in the work of cooperation groups developing national and international information security. The key central government organisations in terms of information security work are represented on the board.

Each ministry is responsible for directing and monitoring information security in its own administrative branch.

The Data Protection Board and the Data Protection Ombudsman promote the development of and adherence to good data processing practice according to the provisions of the Data Protection Act. They monitor the protection of privacy and issue instructions on the protection of personal data records from use by third parties.

The National Audit Office of Finland performs audits of central government IT and electronic administration functions. Information security is one aspect to be taken into account in these audits.

The National Archive Service issues document management orders and instructions on the retention, preservation and destruction of data materials.

The Finnish Treasury issues instructions on the fulfilment of obligations under the Budget Decree (administrative and payment traffic systems).

The Communications Regulatory Authority supervises telecommunications activities and, when necessary, issues technical orders on the operation of telecommunications companies and on the provision of telecommunications equipment, networks and services with a sufficient level of security. The Communications Regulatory Authority also acts as the national information security authority, and it maintains and provides the services of the national Computer Emergency Response Team (CERT-FI). In addition, the Communications Regulatory Authority's duties include communications security (COMSEC) tasks.

The information system department of the National Board of Economic Defence and its data transfer, data processing and mass communications committee, together with the National Emergency Supply Agency, direct and develop in cooperation with the responsible administrative branches the emergency planning of the data transfer, data processing and electronic mass communications of government agencies, public bodies and businesses as well as contingency planning for emergency conditions.
1.4 A changing, globalising operating environment
Finnish public administration, through a tightening of international cooperation and the accelerating globalisation of the operating environment, is to an increasing extent bound by, and dependent on, constraints relating to the data processing of other countries and international organisations. Cooperation takes place via electronic networks, and therefore data exchange requires not only mutual trust but also common procedures and, in the case of agreements, evaluation practices.
The international practices that bind Finland apply mainly to the handling of data and, of these, European Union directives and the partnership agreements between Finland and the West European Union (WEA) and between Finland and NATO bind the central government directly. International information security cooperation may give rise to investment in human resources and associated costs.
In addition, the Organisation for Economic Cooperation and Development's (OECD) recommendation on security principles guides the central government's information security practices and defines good information management practice.
1.5 Working group
These instructions were prepared by an inter-ministerial working group established in 2006 by the Government Information Security Management Board and were translated into English in 2009.
1.6 Chapter guide to the instructions by target group
The Government Information Security Management Board (VAHTI) has produced for central government use comprehensive instruction and recommendation material over the entire field of information security.
This publication is intended to serve as a manual and as a link to the more extensive instructions, presenting their main elements in condensed form. These instructions emphasise the management perspective, management and supervisor responsibility as well as information security planning. Their main target group is senior management and directors of central government organisations and information management and security personnel, and information security management in particular. Moreover, individuals working in central government tasks other than those mentioned above may find guidelines for their own work in these instructions.
This publication also gives to those working outside central government and to those interested in the development of information security an opportunity to acquaint themselves with the body of instructions and recommendations on the continually changing management and development of information security created under VAHTI's direction.
Chapter guide by target group
[The original is a matrix of roles against Chapters 2 to 12, with an X marking each chapter relevant to a role. The column positions of the marks did not survive extraction; the number of chapters marked for each role is given instead.]
Senior Management: 3 of 11 chapters
Administrative Management: 3 of 11 chapters
Security Management: all chapters 2 to 12
Information Security Management: 10 of 11 chapters
Subunit Management, Sector Management: 7 of 11 chapters
Information Technology Management: 10 of 11 chapters
Information Security Experts, Security Experts: 9 of 11 chapters
Individuals working in supervisor roles: 3 of 11 chapters
Information System Owner: 10 of 11 chapters
System Experts, IT Support: 7 of 11 chapters
Emergency Preparedness Manager/Secretary: all chapters 2 to 12
Internal Auditing, System Auditing: all chapters 2 to 12
Individuals responsible for document management and archives: 3 of 11 chapters
Individuals responsible for information service: 3 of 11 chapters
Information System Main User: 8 of 11 chapters
Standard Users, employees: 4 of 11 chapters
Procurement personnel: 2 of 11 chapters
Individuals handling personal data records: 3 of 11 chapters
Premises management personnel: 4 of 11 chapters
Information Security Group: all chapters 2 to 12
Security and Emergency Preparedness Group: all chapters 2 to 12
Risk Management Co-ordination Group: all chapters 2 to 12
Individuals responsible for contracts and agreements: 3 of 11 chapters
Occupational Safety Director, Occupational Safety Supervisor: 6 of 11 chapters
Consultants and Service Companies: 7 of 11 chapters
2 Information security fundamentals
2.1 Risk management policy
The reports on operations included in the financial accounts of accounting offices shall comprise the following:
An assessment of the appropriateness and adequacy of internal control and of the risk management entailed therein and a statement prepared on the basis of it on the status and the most essential development needs of internal control (assessment and statement of assurance of internal control).
State Budget Decree (1243/1992) Section 65, Paragraph 7
Information security risks are diversifying while completely new risks and threats are arising. A prerequisite of national security is the preventive identification and management of risks. When risks are reliably recognised, their adverse effects can be minimised by developing information security. Operations should focus on prevention, not on reaction after the fact. Risk management also calls for adequate, up-to-date monitoring of the national situation.
National Information Security, 2002, Chapter 3.1
Management of information security risks is part of an organisation's comprehensive risk management. Integration of risk management into management systems substantially improves an organisation's ability to respond to various information security, and other, threats. The principles of risk management include the introduction, maintenance and updating of the management system.
Effective risk management reduces and alleviates losses and other damage that threaten an organisation. It involves systematic, continuous development to identify, evaluate and control threats. Risk management is based on the organisation's operational goals and strategy, development, safeguarding of service processes, and the expertise of personnel and management of human resources.
Risk management policy formulates management as a whole and creates policies for its handling and development. To provide for systematic risk management in the policy, procedures and tools are agreed by which information on the most important risk factors is supplied to management. The procedures described in the policy specify the identification of risks, their management planning, implementation and monitoring, and agreements are made on the organisation and continuous implementation of risk management work.
With the aid of risk management policy, risk management is integrated into the management system and its annual schedule. The policy does not necessarily need to be a separate document; it may be included, for example, in operating and financial plans.
The risk management policy is approved by the organisation's senior management and it is based on statutes and ministerial instructions. Management also determines the coverage, responsibilities and internal organisation of risk management.
2.2 Information security policy
The senior management of a ministry, agency or institute approve and confirm the security and contingency planning principles to be adhered to in their organisation and determine the internal organisation handling the issue. Individual units and their managers are responsible for the implementation and monitoring of security and contingency planning principles in accordance with the principles of performance management. Operating principles should include information security targets and procedures.
Government Resolution on Central Government Information Security (11.11.1999)
With the aid of information security policy, management specifies the objectives, responsibilities and operating guidelines of information security.
For the establishment of an information security culture, it is essential that the significance of information security and the general principles of information security work are explained to every employee. Information security policy serves as a foundation on which various information security plans and instructions are built.
The formulation of information security is directed by the purpose and strategy of an organisation's activities, risk analysis, laws and regulations. If an organisation is committed to adhering to certain standards, and especially if one of the organisation's objectives is certification according to a standard, the information security policy must fulfil the requirements of these standards.
Senior management approve an organisation-specific information security policy, confirm the security and contingency planning principles, and specify responsibilities and the activities of the internal information security organisation. Heads of units are responsible for the implementation and monitoring of security and contingency planning principles in accordance with the principles of performance management.
Responsibility for the preparation and maintenance of information security policy is often assigned to the individual responsible for information security. The management ensure that the document is reviewed or updated regularly, at least every three years and when there are operational and organisational changes.
2.3 Information security management
In order to create and implement good information management practice, the authorities shall see to the appropriate availability, accessibility, protection and integrity of documents and information systems and the information contained in them as well as other factors affecting the quality of information.
Act on the Openness of Government Activities, Section 18
Information security management is an integral part of the operational management of an organisation. It should therefore be included in the responsibilities of every individual working in management positions. Information security is best implemented when it is built into the organisation's planning processes (operational development), quality and other monitoring systems (assessment, measurement), and the achievement of targets of routine operations.
Information Technology Security and Safeguarding Operations, National Board of Economic Defence, 2002
Information security management is therefore part of all management activity. In addition to the management, attending to information security is part of the responsibilities of everyone employed by an organisation. Only the commitment of management to the development of information security will enable the achievement of targets set for an organisation's activities.
Figure 2. The relationship between the management system and information security
[Figure labels: time span from Now through 1-3 years and 3-5 years to 5 years; management tools: mission statement, strategic intent, operational planning, operational management; IS management: IS policy, IS strategy, IS and continuity planning, IS instructions, basic task, reporting]
To enable effective planning and resourcing of information security activities and to assign responsibilities by means of regular risk analysis, the management need an overall view of the functions, processes and staff expertise at different levels of their organisation, and of the key risks associated with the organisation's activities.
Figure 3. Example of an information security organisation model
[Figure labels: senior management; security (different sub-areas of security); internal auditing; sectors, information management sector, staff units management, performance units]
Information security management must be arranged so that the set objectives are in the right proportion to an organisation's overall security and so that they support the various security objectives in strategies. Security is often part of the management functions of senior management while information security is one of its subareas, but other organisational approaches are also possible. The selected organisation model affects the focus of information security management tasks. An organisation should be structured in such a way that security is closely related to auditing, with the security function reporting directly to management. Implementation and monitoring (evaluation/auditing) should be operationally differentiated.
Information security management draws on an up-to-date information security policy. In an organisation, information security takes shape in the form of, for example, regular risk assessment and management measures, determining the information security level of new systems and attending to it throughout the entire life cycle of the system.
Information security responsibilities are included in the management system, management rules, rules of procedure and job descriptions, and in human resources performance management. Job descriptions should specify responsibilities, information security management, authorisations and actions in the event of serious incidents, as well as monitoring and reporting obligations. In addition to general responsibilities, special expertise and nominated security experts are also required in an organisation's information security management tasks.
The information security responsibility specification must follow organisational and operational changes. Information security arrangements depend on an organisation's maturity level. Depending on the organisation, a number of the information security responsibilities can be included in the duties of the same individual. It is essential that arrangements are made for the handling of these tasks.
A list of essential responsibilities and roles is presented in Appendix 2, where the responsibilities of individuals working in different roles for information security implementation and development are described.
No separate law has been enacted on information security; rather, elements of it can be found in selected legal provisions.
2.4 Information security as an element of performance management
The information on performance shall include comparisons with performance targets in accordance with Section 11 as well as reports on deviations and the main reasons for the deviations.
State Budget Decree, Section 65
For example, an adequate level of information security is an absolute prerequisite of the operational continuity and credibility of an agency.
The Ministry of Finance recommendation Information Security and Performance Management (VAHTI 1/2005) presents the main principles of information security and their connection with performance management, the management of agencies and operational assessment.
Handbook on Performance Management (Ministry of Finance 2/2005, Chapter 7.4)
It is the task of every organisational level and all performance areas to attend to the information security of their own activities and the services they purchase, specify the required principles, and when necessary prepare regulations and detailed instructions.
Clear and measurable information security targets should be specified for each organisational level in performance target negotiations. It is recommended that information security targets for large development projects be agreed on an individual project basis in order to ensure their cost-effectiveness. Performance targets should be closely linked to actual activity, thereby ensuring the achievement of results.
In performance management, an organisation must:
- attend to the performance management of information security
- agree with its performance units the concrete implementation of information security work
- attend to information security procedures when outsourcing and acquiring services on a subcontracting basis or when procedures cover several parties
- attend to the information security training of its personnel, and
- attend to continuity and emergency preparedness planning as well as contingency planning for emergency conditions and related contractual procedures.
Information security tasks are included in the job descriptions of all employees. They apply to both organisation management and standard users. Performance units determine performance targets all the way to the information security targets of individual employees.
Table 1. Information security targets and period
Targets based on an organisation's own characteristics for different time intervals
Time interval | Target areas
Strategic planning period | Operational productivity, quality, uninterrupted service provision.
Operating and financial planning period | Specification of desired information security level (maturity level) and implementation of a development programme in accordance with it. Achievement of maturity level as specified in the management system.
Annual targets | Measurable targets that show that the security level has been met. Targets from the development programme.
Constraints | Compliance with the statutory information security level. Management statement on risk management.
When setting targets, indicators should also be specified. Possible indicators may be, for example, fulfilment of development targets, the trend in the number of information security anomalies, and the imputed savings to be achieved through information security measures in the event of serious incidents (person years and the corresponding value in euros).
To monitor the security situation and results, performance agreements should also specify monitoring responsibilities as well as reporting to senior management, the organisation's operational and key support function management, key individuals in positions of responsibility and supervisors. Performance management target-setting directs the planning and implementation of practical security measures. Information security tasks, responsibilities and reporting obligations can also be recorded in other documents in addition to performance agreements.
Information security is included in the annual planning process. Annual and longer-period targets are incorporated into performance management. Costs arising from information security measures are normal operating expenditure and they are taken into account when planning activities and preparing budget proposals.
Figure 4. Donut dial for annual planning
[Figure labels, arranged around the months I to XII: annual reporting; internal auditing assessment; service agreements; strategic decisions and operating and financial plan; internal budgeting; agreement monitoring; threat surveys; strategy preparation; interim reporting I and II with IS measurement; self-assessment; selection of development services; risk surveys and assessments; performance agreements; document reviews (risk management policy, IS policy, other security documents); performance and development appraisals; management review; budget proposal; internal audit performed by IS group; audits conducted by outsiders; risk management; continuity exercises; fire and rescue exercises]
The budget takes into account information security development investments, cost items in plans, and operational expenditure such as personnel expenses and maintenance agreement costs. The budget must also make provision for expenditure caused by risks as well as information security assessment and measurement costs.
When developing operational activities, adequate resources must be allocated to information security in new processes and systems. When information security investments are made, a payback period in proportion to the estimated risk is calculated.
2.5 Information security as part of operational strategic planning
Government agencies shall plan their operations and finances, and their performance, several years ahead. Ministries shall plan the effectiveness of operations and operative performance in their sector several years ahead.
State Budget Act (423/1988), Section 12
The national information security strategy is a key element of the Government information society policy. The strategy assists in combating information threats and exploiting related opportunities in both normal and emergency conditions. The strategy provides a common direction to the information security efforts of the Government, businesses, organisations and individual citizens. The strategy does not, however, affect the division of responsibility relating to information nor existing organisational structures.
Explanatory Memorandum on the Government Resolution on National Information Security Strategy
Information and its utilisation play a key role in the strategies of organisations today. At the same time, information security has become a strategic question. Information society development provides an opportunity to reform operating practices, improve customer service and save resources.
An information security strategy is a management policy on information security targets and the means by which the organisation aims to achieve these targets. Information security is primarily included in the strategic plans. The security guidelines contained in strategic plans are linked to operations and thereby directly to any changes that occur. Information security is also included in an organisation's other strategies (for example human resources and information management strategies). An information security strategy supporting the implementation of the organisation's strategic plans can also be specified separately.
Strategic decisions and plans are also reviewed in terms of information security when operating guidelines change or, for example, new electronic services are introduced. Function-specific information security strategy priorities are included in strategic plans and information security guidelines formulated for new services.
Table 2. Relationship of planning documents to time
Effectiveness | Planning document
Strategic planning period | Information security strategy, risk management policy, information security policy
Operating and financial planning period | Development plans, information security instructions, continuity plans
Year | Risk analyses, risk management plans, action plans
2.6 Information security and quality
Features common to all quality systems are customer-orientation, description of processes, responsibilities and tasks, and measurement and continuous development of operations. Information security is an essential element of the operational and service features and characteristics by which established or expected needs are fulfilled. It is therefore an operational quality factor. Information security is part of an organisation's quality system.
Security requirements have already been covered for some time in standards, for example in information security standards such as ISO19977 and ISO27001 and their predecessors. A standard can be applied both as a checklist of information security measures and as a certification option. Alongside standards, however, additional requirements resulting from Finnish statutes, for example in relation to preparedness for emergency conditions, should be taken into account. Assessment, particularly of operationally critical systems and software, is absolutely necessary.
An information security and quality platform for new information systems and the services based on them is created in connection with system development in the preliminary assessment stage, or in the specification of an outsourced service when it is acquired. Addressing information security only after development work or the purchase of a ready-made product is generally very expensive or virtually impossible. Information security is therefore a key component of system development from its initial stages.
Public image, protection of privacy and equal treatment of customers are core values for the quality of information security. Requirements for information security measures also necessitate extensive, networked cooperation between organisations.
The European Foundation for Quality Management (EFQM) quality system applied in central government, moreover, sets quality criteria for organisations' activities to which information security requirements are also clearly related.
The Common Assessment Framework (CAF) linked to EFQM is a European public administration quality self-assessment method. The following table describes the main information security criteria of the CAF, divided into assessment areas:
Table 3. Main criteria of the CAF method
Assessment area | Information security assessment criteria
Leadership | Information security leadership practice
Strategies and planning | Security policy, information security policy and security in operating strategies as well as their translation into operations
People | Information security expertise and its inclusion in operating practices
Partnerships and resources | Information security management in cooperative relationships, technology, the management of information and knowledge, and the management of the physical operating environment. Outsourcing and security management. Information security in the procurement of services
Processes | Information security management as part of process development, planning and systematic management in own and partner-related processes as well as the continuous development of information security processes
Customer/citizen oriented results | Information security indicators and monitoring of results from the perspectives of the customer and performance
People results | Motivation, satisfaction and performance, information security work expertise, commitment
Social results | Responsibility for social effectiveness. Monitoring secure development. Detecting events that jeopardise security and preventively influencing them.
Key performance results | Results of agreed development projects
Wide-ranging information security work requires comprehensive documentation and a systematic approach. The existence of operating principles and plans alone does not produce quality; this depends on the actions performed in practice and the results achieved with them.
A quality operating practice requires clear targets and their achievement, the benchmarking of methods against the best practices of external organisations, improvements in performance and results, as well as results recognised based on benchmarking. Good quality also requires performance and process management, but in such a way that achieved results are traceable to the operating practices specified as a consequence of such management.
2.7 Assessment and monitoring
The reports on operations included in the financial accounts of accounting offices shall comprise the following:
An assessment of the appropriateness and adequacy of internal control and of the risk management entailed therein and a statement prepared on the basis of it on the status and the most essential development needs of internal control (assessment and statement of assurance of internal control).
State Budget Decree (1243/1992), Section 65, Paragraph 7
Information security assessment is part of risk management according to an organisation's planning cycle. Assessment produces data on operational results and development needs, and supports the fulfilment of responsibility and accountability for results. Information security assessment should begin by first assessing the information security management system and its coverage. In addition to the management system, it should cover the various subareas of information security.
The evaluation process has clear main stages: appoint an assessment group, plan the process and select the method, conduct the assessment, collect and analyse the data obtained, and finally report the results, justifications and proposals for further measures. After the assessment, responsibilities are assigned for the presented proposals on further measures and their implementation is scheduled.
Figure 5. Evaluation process
[Figure labels: assignment (annual plan, selected subject); nominated group (leader, members); assessment plan; assessment performance using tools such as checklists, interviews, reports and other forms; assessment reporting with justifications; summary and feedback; corrective and follow-up measures]
3 Organisation of information security
3.1 Process thinking as the basis of information security
The senior management of a ministry, agency or institute approve and confirm the security and contingency planning principles to be adhered to in their organisation and determine the internal organisation handling the issue. Individual units and their managers are responsible for the implementation and monitoring of security and contingency planning principles in accordance with the principles of performance management. Operating principles should include information security targets and procedures.
Government Resolution on Central Government Information Security (11.11.1999)
Information security must be included as part of an organisation's operating processes to ensure that it is implemented in practice. Its incorporation into processes requires good cooperation from information security management, personnel responsible for information security, information system owners and service providers. Measures that increase information security should be taken into account when processes are planned to ensure that security requirements are fulfilled.
Figure 6. Information security maturity levels (ISO 21827 Systems Security Engineering - Capability Maturity Model)
[The figure plots maturity against time through five levels; the level descriptions recovered from it are:]
1. Initial: Information security measures are based on ad hoc activity: few functions are clearly defined and the result depends on individual success and heroism.
2. Repeatable: Information security processes are defined and they are monitored in relation to costs, time use and functionality. Processes are to some extent repeatable.
3. Defined: Information security processes are modelled, documented and established as well as integrated into the organisation's procedures.
4. Managed: Information security has indicators. Information security outputs and processes are used in operations and in monitoring, and they are measured.
5. Optimizing: Continuous improvement of information security is in use and it is based on quantitative indicators, feedback and innovative new ideas and technologies.
When secure processes are maintained and developed, due attention should also be paid to the maturity level set as a target for the organisation's processes and to the constraints this sets for development.
Tasks included in the PDCA (Plan, Do, Check, Act) process model based on the ISO 27001 information standard can be divided into four parts:
- at the planning stage (Plan), the process is initiated, business impact and risk analyses are made and a continuity strategy is formulated based on them
- at the implementation stage (Do), planned solutions are implemented and training begins
- at the checking stage (Check), data on the state of the process is produced by means of monitoring, testing, reviewing, auditing and reporting
- at the development stage (Act), solutions are improved based on the data collected.
The management and development cycle of the PDCA model for information security processes includes planning and construction of the management system (Plan), implementing and operating it (Do), monitoring and assessment (Check), and maintenance and development (Act). The cycle calls for continuous activity and its purpose is to lead to the continuous improvement of operations.
Figure 7. Application of the PDCA model in an information security management system (ISO/IEC 27001:2005)
[Figure labels: stakeholders' information security demands and expectations feed into management system construction (Plan), management system implementation (Do), management system monitoring and assessment (Check) and management system maintenance and development (Act), producing managed information security for the stakeholders]
An information security management process, i.e. a process for the development and maintenance of information security, also describes in its essential aspects what is required in terms of information security of an organisation's management. The objective of the process is to produce a managed information security package that facilitates the fulfilment of an organisation's targets and the reliability of its operations.
3.2 Information security management system
Information system and network security policies, practices, measures and procedures should be coordinated and integrated to create a coherent system of security.
OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security
An information security management system is a framework consisting of the following operating models and documents:
- information security policy and strategy
- information security practices and principles describing the security practices in use
- information security development plan
- basic and supplementary instructions for information security
- information security architectures (topology and framework descriptions of solutions)
- information security reporting to management
- fire and rescue plans
- continuity plans
- contingency plans
- operational information security processes
- auditing plan.
An information security management system is used to implement an organisation's strategy.
An organisation's strategy is managed by means of a management system, which covers the detailed organisation of information security as well as information security policies, planning, responsibilities, procedures, processes and the necessary resources. A management system assists in monitoring and assessing the effectiveness and appropriateness of information security measures. By continuously developing the system, it is possible to improve the organisation's preparedness to systematically manage its information security.
Figure 8. Information security management system model
[Figure: the model rests on information security and data protection legislation, other legislation and standards (ISO 27001 and others), and on the requirements of the organisation, its stakeholders and its information systems (performance targets, priority classification and prioritisation of actual operations, core processes and information technology dependencies and agreements). On this base sit the strategies and information management strategy, the information security policy (principles), the development plan and preparedness. From these follow security planning and continuity planning, threat survey and risk analysis (risk analyses of systems, vulnerability analyses of core processes, survey of technical risks), implementation of security measures, instructions and information security on the job, increasing IS knowledge, training, motivation and IS assessment, and finally monitoring and exercises.]
The key components of an information security management system are an up-to-date information security policy and related documents as well as regular risk management, applying to both current activities and planned changes. Based on these, an information security strategy as well as information security plans are prepared, which help to implement information security solutions in accordance with existing information security requirements. Management systems regularly measure and assess the effectiveness and appropriateness of information security activities.
Figure 9. An example of the application of the maturity concept in a central government organisation
[Figure: maturity is plotted against time across the levels 1. Initial, 2. Repeatable, 3. Defined, 4. Managed and 5. Optimizing. Elements introduced as maturity rises include: information security policy and risk management policy; threat survey, risk survey and risk management plan; instructions, basic instructions and comprehensive instructions; training plan, continuous training and information security awareness; development plan; information security plan and used solutions; continuity and preparedness; management processes documented; information security in agreements; benchmarking (first restricted, later full); audits (internal and external); and indicators, monitoring and reporting.]
Various maturity models can be used to assist in developing a management system. With their help, the existing state of information security can be determined and a target level for its development set which will implement the requirements laid down for the organisation's information security. An organisation can also adhere to management models described in information security standards.
The achievement of the target level is generally a long-term development project whose objectives are described in operating and financial plans and spread over several years. In addition, the project should be divided so that measurable targets can be set for development activities on an annual basis and the necessary resources allocated to achieve the targets.
3.3 Information security planning and development
Security planning translates the security measures that follow from the organisation's operating policies and strategies into targets for individuals in positions of responsibility and for the whole organisation. Plans are therefore the basis for the implementation and comprehensive development of information and other security and they must be taken into account in performance management in connection with performance appraisals as well as when implementing ICT services and extensive development projects.
Systematic information security development calls for synchronisation of the information security management system. Information security requirements arising from strategies and the operational demands of development projects must be harmonised. Development plans assess the information security risks caused by operational requirements and seek appropriate solutions to reduce and eradicate risks. In this way the desired level of information security is achieved.
Plans are used to direct information security work and its implementation in practice. They are prepared at all organisational levels. They take into consideration continuity and contingency plans and measures.
Figure 10. Relationship between information security plans and security plans
[Figure: the operating strategy, HR strategy, ICT strategy and other strategies feed the information security policy and the risk management policy. From these follow risk analysis and the risk management plan, security instructions and IS instructions, the security development programme and security solutions, security in processes and promoting security, and the fire and rescue plan, continuity plans and preparedness plans. Security activity, exercises, reporting and preparedness are plotted against time (t).]
In addition to planning, attention should be paid to the implementation of plans as well as their assessment, control and monitoring. The division of responsibility for control and monitoring must be clear, and activities need to be efficient and appropriate. An information security management system can be of assistance in implementing systematic control and monitoring as well as assessment of plans.
Meeting the set targets according to the plans requires that the necessary resources, schedules and links with other activities are taken into consideration in the planning phase.
Sufficient time and resources are required for planning, and planning must be linked to the whole organisation's operating and financial planning.
Cost-effective information security solutions can often be found at an early stage of a project but can no longer be implemented later. Information security costs can therefore be controlled better the earlier in the process the information security perspective is considered.
3.3.1 Planning fundamentals
Information security planning draws on legal statutes and the Ministry of Finance's VAHTI instructions, and builds on safeguarding and quality control of an organisation's operations.
Measures are directed at the different elements of information security. Plans should take into account an assessment of an organisation's information risks, dependence on information technology, and other threats connected with the use of technology as well as the specification of measures required by risk management and implementation plans.
An organisation should prepare:
- information security practices and principles designed to protect operations from internal and external damage directed at information and information technology, describing the means by which information security is ensured,
- a continuity plan that enables important services and functions to continue when normal information processing has been blocked for technical or other reasons during normal conditions,
- an emergency preparedness plan, prepared irrespective of the priority classification of the organisation (information processing) as a contingency for emergency conditions,
- a development plan for the systematic development of information security.
The various elements of information security should be adequately taken into account at the different stages of planning.
3.3.2 Information security practices and principles (an information security plan)
For the overall management and control of information security, an organisation must have an up-to-date description of the solutions and principles already in use. This document is also known as an information security plan. The content, however, is not that of a plan. Solutions to be adopted at a later date are described in the information security development plan. The information security plan describes the organisation's information security management solutions.
The document:
- describes the information security solutions, tasks and responsibilities in use and their level, and the manner in which they are implemented within the organisation
- describes the solutions for the protection, correct processing and confidentiality of data
- specifies the security technology that supports operations as well as the measures connected with the continual development of security and their monitoring points
- specifies the procedures for reporting on information security activity and its results to the organisation's management, if not described in other documents.
The basic premise for information security maintenance and development is the specification of the organisation's main functions as well as a risk survey conducted within the organisation. This risk survey includes information systems that support the main functions.
Information security practices and principles aim to fulfil information security needs under normal circumstances. In addition, the organisation should also take into account the basic factors that influence continuity planning and emergency preparedness planning for emergency conditions, even if these plans are made separately.
3.3.3 Information security development plan
The information security development plan is generally linked to the information security practices and principles document. In addition, together with the information security policy and the information security assessment, the development plan forms a logical package that describes the systematic development work.
The development plan serves as a guide for implementing the measures by which shortcomings perceived in an information security assessment are rectified and by which efforts are made to develop the information security maturity level to its target level. Progress in the implementation of the development plan is described as part of the organisation's reporting.
3.4 Information security implementation
In order to create and implement good practice in information management, the authorities shall:
Plan and implement their document and information administration and the information management systems and computer systems they maintain in a manner allowing for the effortless realisation of access to the documents and for the appropriate archiving or destruction of the documents, the information management systems and the information contained therein, as well as for the appropriate safeguarding and data security arrangements for the protection, integrity and quality of the documents, the information management systems and the information contained therein, paying due attention to the significance of the information and the uses to which it is to be put, to the risks to the documents and the information management systems and to the costs incurred by the data security arrangements
Act on the Openness of Government Activities, Section 18 Paragraph 4
It must be appropriate and justified to process personal data in the operations of the data controller. The purpose of the processing of personal data, the regular sources of personal data and the regular recipients of recorded personal data shall be defined before the collection of the personal data intended to be recorded in the file or their organisation into a personal data file. The purpose of the processing shall be defined so that those operations of the data controller in which the personal data are being processed are made clear.
Personal Data Act, Section 6
In information security, more consistent and interoperable operating instructions are needed than in other functions. Instructions can be divided into general, organisation-specific, and special instructions covering some restricted area. Instructions in the central government include the Ministry of Finance's instructions on information management development as well as the VAHTI instructions. They are suitable as such for the basis of information security work in central government organisations.
Organisation-specific instructions outline dedicated information security practices so that they are suitable for an organisation's own operating practices and processes. Such instructions include information security instructions that serve as the basis for in-house personnel training, for example. The commitment of personnel to secure operating practices is seldom achieved through instructions that are general in nature. For this reason, actual instructions must consist of information security instructions adapted to the individual organisation and its operating practices and must be based on its own information security policy. Information security operating procedures are included as part of the organisation's normal operating processes, which are properly documented and covered by clear instructions.
Special instructions are primarily an organisation's own instructions, relating for example to a restricted field of activity or specific information system. They are intended for the information management's and security personnel's own use or relate to individual services, functions, projects, technical security solutions or continuity, emergency preparedness and recovery plans. As a rule, these documents are security classified.
General and organisation-specific information security instructions can form a distinct entity in an organisation's collections of instructions and standing rules. Information security instructions relating to individual services and functions can be situated in the quality assurance system next to the functions in question. Instructions intended for all personnel are distributed to the entire organisation. Special instructions are situated according to their required use either in the instructions collection or in the quality assurance system and distributed in an appropriate way to their target groups.
It is important to note that expertise in information security measures cannot be required of personnel if confirmed and approved information security instructions and the training and familiarisation required for compliance with them are not available. Instructions should be made readily available, and everyone should be familiar with their content.
3.4.1 Procurement
The procurement of services, information technology equipment or an information system includes the specification of information security requirements and an assessment of information security features. Key requirements are specified and clearly presented at the invitation to tender stage, and information security factors in the tender comparison and selection criteria. Implementation of information security requirements may be an absolute precondition of any purchase.
In the procurement of information technology services and equipment, central government instructions issued on the subject shall be adhered to. Where
resources are scarce in a public organisation, it is possible to acquire shared information security resources from a public sector partner instead of purchasing them from the private sector.
In the central government's general terms of public procurement contracts, information security is not a special subject of attention. In connection with a purchase there might be a need to enter into a separate security agreement specifying the protection principles and confidentiality periods to be observed by the parties to the agreement. Through agreements, an effort should be made to prevent leak