effective_information_security


8/7/2019 Effective_Information_Security 1/88

VAHTI 5/2009
The Government Information Security Management Board

Effective Information Security
A Summary of General Instructions on Information Security Management

MINISTRY OF FINANCE
PO Box 28 (Snellmaninkatu 1 A), FI-00023 GOVERNMENT, FINLAND
Tel. +358 9 16001
Internet: www.financeministry.fi

Layout: Pirkko Ala-Marttila

ISSN 1455-2566 (print)
ISBN 978-951-804-982-4 (print)
ISSN 1798-0860 (pdf)
ISBN 978-951-804-983-1 (pdf)

Edita Prima Plc
Helsinki 2009

Introducing the organisation: VAHTI's task

The Ministry of Finance is responsible for the steering and development of central government information security in Finland and has set up the Government Information Security Management Board (VAHTI) as the body responsible for cooperation, steering and development in the area of central government information security. In its work, VAHTI supports the Government and the Ministry of Finance in decision-making and in the preparation of decisions relating to central government's information security.

VAHTI's objective is, by developing information security, to improve the reliability, continuity, quality, risk management and contingency planning of central government functions and to promote information security so that it becomes an integral part of central government activity, steering and performance management.

VAHTI handles all the significant central government information security policies and the steering of information security measures. VAHTI also handles central government information security statutes, instructions, recommendations and targets. All areas of information security are subject to VAHTI's scrutiny.

VAHTI's work has improved central government information security, and the effectiveness of its work is evident not only in the central government but also in companies and internationally. The result is a very comprehensive set of general information security instructions (www.vm.fi/VAHTI). Led by the Ministry of Finance and VAHTI, a number of joint information security projects have been implemented with ministries and agencies. VAHTI has prepared, managed and implemented the central government information security development programme, in which significant development work has been achieved at a total of 26 development locations by 300 people appointed to the projects. VAHTI promotes the development of networked operating practices in public administration information security work.

In addition to the central government, the results of VAHTI's work are also widely utilised in local government, the private sector, international cooperation and everyday life. For three years in succession, VAHTI has been recognised with an award for exemplary work in improving Finland's information security.

Executive summary

The Government Information Security Management Board (VAHTI) has produced for the central government's use comprehensive instruction and recommendation material over the entire field of information security. These summarised instructions serve as a manual and as a link to the more extensive instructions and present their main elements in condensed form. Moreover, these instructions emphasise the management perspective, management and supervisor responsibility as well as information security planning. Their purpose is to give the management of central government organisations, and particularly their senior information management staff and security and information security personnel, together with people otherwise working in the said tasks, instructions for managing information security as part of their own work.

These instructions have been written primarily for central government use, but they are for the most part also applicable to other organisations. Information security has been described as an entity that includes operational processes and people as well as the security and safeguarding of information material and information systems. The main elements are people, processes, information material, information technology and availability of information. Policy, instructions, training and the consequent common understanding and operating practices that arise are the cornerstones of an organisation's good information security culture.

An organisation's internal data processing, production and customer service depend on the confidentiality, integrity and availability of the information behind them, namely on information security. A breach of information security can undermine an organisation's operational reliability and interrupt or prevent the provision of services used by both internal and external services. Without information security measures as well as backup measures created in advance, the electronic services and activities provided by society cannot be guaranteed in a normal situation nor, in particular, in the event of serious disruptions or emergency conditions.

It is the task of the management, as part of their own management work, also to ensure the information security of their organisation's operations. Part of the management process should be to ensure that the level of information security and risk management corresponds to the targets set for them and that sufficient maintenance and development resources have been allocated to information security functions. Attention should also be paid to the wellbeing of employees, because a high level of security can be achieved only by an organisation where employees are well motivated in their work.

The management develop and strengthen the principles of their organisation's information security and risk management. In addition, measures should be taken to ensure that management receive regular reports on the organisation's information security situation and events as well as on any corrective measures arising from them.

This publication gives an overall picture of what an information security management system created on the basis of an information security and risk management system, and supporting good information management practice, should be like and how it should operate. With the aid of an information security management system, an organisation can ensure the achievement of both its own and the Government's targets in accordance with the resolution on central government information security and other guidelines, general information principles and statutes, as well as instructions given by the Ministry of Finance. The most important objective of VAHTI activity and instructions is to enhance central government information security.

The VAHTI instructions support organisations in the planning, implementation and maintenance of information security as well as in preparing the necessary documents.

Structure

The introduction to these instructions describes the general principles and justification of information security from a central government perspective.

Chapter 2 deals with the fundamentals of information security as well as the organisation, monitoring and reporting of information security, including risk management.

Chapter 3 examines the organisation of information security, its incorporation into processes as well as its implementation and practical evaluation.

The main details of the elements of information security are discussed from Chapter 4 onwards on the basis of a traditional eight-element subdivision. Chapter 11 examines the principles of continuity and emergency conditions planning and Chapter 12 the classifications used in information security.

Appended to these instructions is a set of document models relating to the building of an organisation's information security management system. Appendix 1 presents model policies and planning frameworks. Appendix 2 is a list of information security responsibilities and related roles.

Contents

Introducing the organisation: VAHTI's task ... 3
Executive summary ... 5
1 Introduction ... 9
1.1 Introduction to the concept of information security ... 9
1.2 Good information management practice ... 12
1.3 Coordination of information security work in central government ... 13
1.4 A changing, globalising operating environment ... 15
1.5 Working group ... 15
1.6 Chapter guide to the instructions by target group ... 16
2 Information security fundamentals ... 19
2.1 Risk management policy ... 19
2.2 Information security policy ... 20
2.3 Information security management ... 21
2.4 Information security as an element of performance management ... 23
2.5 Information security as part of operational strategic planning ... 26
2.6 Information security and quality ... 27
2.7 Assessment and monitoring ... 29
3 Organisation of information security ... 31
3.1 Process thinking as the basis of information security ... 31
3.2 Information security management system ... 33
3.3 Information security planning and development ... 36
3.3.1 Planning fundamentals ... 37
3.3.2 Information security practices and principles (an information security plan) ... 38
3.3.3 Information security development plan ... 38
3.4 Information security implementation ... 39
3.4.1 Procurement ... 40
3.4.2 Outsourcing ... 41
3.4.3 Training ... 42
3.4.4 Communications ... 42
3.5 Practical assessment and reporting ... 43
4 Security of information material: information capital management ... 45
5 Personnel security ... 47
6 Physical security ... 49
7 Security of telecommunications services ... 51
8 Hardware and equipment security ... 53
9 Operations security ... 55
9.1 System maintenance ... 55
9.2 Information security of telework and remote access ... 56
9.3 Information technology monitoring ... 56
9.4 Management of access rights ... 57
10 Software and software development security ... 59
10.1 Security of electronic services ... 59
10.2 System development security ... 59
11 Continuity and special situations management ... 61
11.1 Ensuring operational continuity ... 61
11.1.1 Continuity plan ... 62
11.1.2 Emergency preparedness plan ... 64
11.1.3 Recovery plan ... 64
11.1.4 Fire and rescue plan ... 65
11.1.5 Information security anomaly management ... 65
12 Classification used in information security ... 67
12.1 Classification of organisations ... 67
12.2 Classification of facilities ... 67
12.3 Classification of personnel ... 69
12.4 Classification of tasks ... 69
12.5 Priority classification of systems ... 69
12.6 Classification of information material ... 70
Appendix 1: Model policies and planning frameworks ... 73
Appendix 2: Information security responsibilities by role ... 79
Appendix 3: Valid VAHTI publications ... 83

1 Introduction

1.1 Introduction to the concept of information security

The term information security means the protection and back-up of information and services as well as systems and telecommunications in order to manage the risks directed at them. Protection and back-up are achieved in both normal and emergency conditions through administrative, technical and other measures.

The objective of information security is to safeguard the confidentiality, integrity and availability of information from threats and accidents arising from hardware and software faults, natural events and wilful, negligent or accidental actions.

Central government information, information systems and services are essential for Finnish society; they are also economically irreplaceable and vital in terms of the nation's security and functions. For society to function, an adequate level of information security is required.

Efficiency requirements in a rapidly developing and internationalising society have made information technology vital in all activities in society. Our engagement with information technology as well as our dependence on its reliability and the continuous availability of information and technology are placing an increasing significance on information security. Information security is of key importance in managing and safeguarding all of an organisation's activities, whether in normal conditions, during disruptions or malfunctions, in emergency conditions or in possible special situations. Information security is a fundamental prerequisite of the quality and operational reliability of central government as a whole as well as of good information management practice.

A high standard and quality of information security are important for citizens as well as for central government activities and openness. A low level of information security may jeopardise the security and economic interests of the central government and citizens, cause additional work and costs as a consequence of damage and loss of information, and weaken the credibility of the authorities' activities.

The key statutes governing central government information security work are:

- The Archives Act (Arkistolaki 831/1994)
- The Personal Data Act (Henkilötietolaki 523/1999)
- The Act on Electronic Services and Communication in the Public Sector (Laki sähköisestä asioinnista 13/2003)
- The State Budget Act (Talousarviolaki 423/1988)
- The State Budget Decree (Talousarvioasetus 1243/1992)
- The Act on the Openness of Government Activities (Julkisuuslaki 621/1999)
- The Decree on the Openness of Government Activities (Julkisuusasetus 1030/1999)
- The Act on the Protection of Privacy in Working Life (Työelämän tietosuojalaki 759/2004)
- The basic rights and freedoms provisions of the Constitution (Perustuslaki 731/1999)
- The Act on the Protection of Privacy in Electronic Communications (Laki yksityisyyden suojasta sähköisessä viestinnässä 516/2004)
- The Emergency Powers Act (Valmiuslaki 1080/1991)
- The State Civil Servants Act (Virkamieslaki 750/1994)

Each authority is individually responsible for implementing the statutes and the resolution on central government security as well as promoting information security development.

The Government resolution on central government information security relates to:

- ministries, government agencies and public bodies
- data processing, information management and data transfer services acquired by them from external parties or outsourced to unincorporated government enterprises founded by them and
- state-owned enterprises handling official functions of the state.

An organisation should conduct its activities in accordance with good administrative practice. Good information management practice requires performance responsibility and accountability as well as a commitment to efficiency and transparency. The performance prism is also applicable to information security management.

Figure 1. Performance prism

[Figure: the performance prism. Social effectiveness goals and operational performance goals feed performance management and accountability. Panels: operational effectiveness (economy, productivity, economic efficiency, cost correlation); output and quality control (performance and public goods, service capacity and quality); social effectiveness (how operations and finance have influenced social effectiveness, which can be influenced by management); operational results; management and development of intellectual resources.]

Information security and its productive management require the commitment of management to the development of information security. The management must also ensure the allocation of the resources required by information security. The organisation must develop the ability to integrate information security into its management activity and culture. Through an open and transparent management model it is possible to involve all personnel in developing information security. This creates for the organisation a secure operating and services environment that fulfils its operational needs. An advanced management system and a high information security culture create the conditions for cost-effective risk management and thereby an effective information security management system.

Senior management commitment is essential for systematic work to succeed. The management decide the desired information security level (maturity level) and its significance for their organisation. The desired strategic intent and position are presented regularly in up-to-date operating strategy and policy documents (information security and risk management policy). Based on these, the organisation prepares and strengthens the practical information security instructions that govern the practical information security and processes of the organisation's personnel.

In particular, the importance of the secure handling of information (information capital) should be emphasised as part of both the employees' and the organisation's activities.

Regular information security training effectively maintains the information security expertise and information security awareness of personnel.

Quality, cost-effective provision of services also means secure services.

The level of information security should also be measured. Indicators linked to the performance management process will ensure the achievement of information security targets both on an annual basis and over a longer period. The fulfilment of the information security level and the management of related risks should also be evaluated by the organisation's internal auditing or corresponding function. The task is to confirm that management are complying with laws, statutes and standards, and to supervise the implementation of management's plans.

Information security management means in practice the implementation of risk management. Daily operating processes must include methods by which risks can be reduced, or their impact lessened, in an orderly manner. In well-managed organisations, information security and other security tasks, the responsibilities of those performing these tasks and reporting practices are properly defined.

The provision of electronic services requires the trust of users. Information security aspects relating to the provision of services must be reviewed when examining an organisation's opportunities to provide new services. Use of information technology services requires a connection between the user and the system. The information security of the connection depends on the classification of the information moving on the information network. The information security of the connection must correspond to the information security level of the information transferred in the network. Linked data warehouses must be accessible, consistent and up-to-date, and the confidentiality of the information obtainable from them must be ensured.

1.2 Good information management practice

Good governance in public administration means the quality, efficiency, transparency and accountability of operating practices and structures. An essential element of good governance in public administration is a citizen- and customer-oriented way of operating. This requires clarity of organisational structures and roles at different levels of management and operating according to these roles.

Definition: Financial Controller

Good information management practice is a way of operating that includes a high standard and good quality of work. The good quality requirement relates above all to the documents and information processed by the public administration. The characteristics required of these are accessibility and availability, integrity and accuracy, and confidentiality. The quality of documents and information is ensured with the aid of administrative practice and information systems.

Ministry of Finance definition of information management practice 11/2000

Good information management practice must be included in the normal work of every employee and it should also be taken into account in processes. Targets in accordance with the Act on the Openness of Government Activities should be fulfilled through the appropriate organisation, resourcing, planning and direction of operations.

The first practical prerequisite for the implementation of good information management practice is that the authority has detailed, up-to-date descriptions of its own tasks, including what information and documents are created in the handling of the said tasks as well as how long the information and documents should be kept. These descriptions are needed for document and information management. The descriptions not only serve the organisation itself, but also external parties who need the information. Those seeking information can then ascertain which public documents and information exist in the organisation and where they can be found.

Another prerequisite is that the organisation's individual issues are under control. Lists of individual issues that are being, and have been, processed should be obtainable in records, various information systems, registers and archives.

A third prerequisite for good information management practice is that the authority's information management and archiving as well as its communications and information service are appropriately resourced and organised, and that responsibilities for tasks as well as mutual division of labour are clearly specified. This means that all functions and work stages related to information processes are significant. A quality system is achieved only if all areas of information work cooperate effectively and appropriately.

A fourth prerequisite for good information management practice is that operations are governed by instructions. Instructions help ensure operational continuity, transparency and quality. Common ground rules should ensure that employees act in the same way in the same situations, in which case good information management practice goals and principles will be fulfilled. Instructions can help safeguard operational continuity, because then operating practices can be transferred from one person to another and taught to new employees. The Act and Decree on the Openness of Government Activities require that personnel are trained to act in accordance with instructions, and that compliance with instructions is supervised and monitored.

    1.3 Coordination of information security work in centralgovernment

    In December 2008, the Government issued a resolution on a national inorma-

    tion security strategy. Te resolutions objectives are to promote national and

    international inormation security cooperation, enhance national competitive-

  • 8/7/2019 Effective_Information_Security

    16/88

    14

    ness and the operational environment or Finnish IC companies, improve

    inormation security risk management and saeguard the ullment o un-

    damental rights and national inormation capital, and increase inormation

    security awareness and expertise.

The Government resolution on central government information security steers development policies. According to the Government's rules of procedure, the Ministry of Finance directs and reconciles development activities. Each ministry is responsible for advancing information security activities in its own administrative branch. It is the task of the Government Information Security Management Board (VAHTI) to prepare and harmonise the information security policies of the Government and the Ministry of Finance.

VAHTI's objective is, by developing information security, to improve the reliability, continuity, quality, risk management and contingency planning of central government functions and to promote information security so that it becomes an integral part of government activity, steering and performance management.

VAHTI handles central government information security statutes, instructions, recommendations and targets. VAHTI acts as the cooperation, preparation and coordination body of central government organisations responsible for the central government's development and steering of information security and data protection, and it promotes the development of networked operating practice in public administration information security work.

The Management Board participates when necessary in the work of cooperation groups developing national and international information security. The key central government organisations in terms of information security work are represented on the board.

Each ministry is responsible for directing and monitoring information security in its own administrative branch.

The Data Protection Board and the Data Protection Ombudsman promote the development of and adherence to good data processing practice according to the provisions of the Data Protection Act. They monitor the protection of privacy and issue instructions on the protection of personal data records from use by third parties.

The National Audit Office of Finland performs audits of central government IT and electronic administration functions. Information security is one aspect to be taken into account in these audits.

The National Archive Service issues document management orders and instructions on the retention, preservation and destruction of data materials.

The Finnish Treasury issues instructions on the fulfilment of obligations under the Budget Decree (administrative and payment traffic systems).

The Communications Regulatory Authority supervises telecommunications activities and, when necessary, issues technical orders on the operation of telecommunications companies and on the provision of telecommunications equipment, networks and services with a sufficient level of security. The Communications Regulatory Authority also acts as the national information security authority, and it maintains and provides the services of the national Computer Emergency Response Team (CERT-FI). In addition, the Communications Regulatory Authority's duties include communications security (COMSEC) tasks.

The information system department of the National Board of Economic Defence and its data transfer, data processing and mass communications committee, together with the National Emergency Supply Agency, direct and develop, in cooperation with the responsible administrative branches, the emergency planning of the data transfer, data processing and electronic mass communications of government agencies, public bodies and businesses as well as contingency planning for emergency conditions.

1.4 A changing, globalising operating environment

Finnish public administration, through a tightening of international cooperation and the accelerating globalisation of the operating environment, is to an increasing extent bound by, and dependent on, constraints relating to the data processing of other countries and international organisations. Cooperation takes place via electronic networks, and therefore data exchange requires not only mutual trust but also common procedures and, in the case of agreements, evaluation practices.

The international practices that bind Finland apply mainly to the handling of data and, of these, European Union directives and the partnership agreements between Finland and the Western European Union (WEU) and between Finland and NATO bind the central government directly. International information security cooperation may give rise to investment in human resources and associated costs.

In addition, the Organisation for Economic Cooperation and Development's (OECD) recommendation on security principles guides the central government's information security practices and defines good information management practice.

1.5 Working group

These instructions were prepared by an inter-ministerial working group established in 2006 by the Government Information Security Management Board and were translated into English in 2009.

1.6 Chapter guide to the instructions by target group

The Government Information Security Management Board (VAHTI) has produced for central government use comprehensive instruction and recommendation material over the entire field of information security.

This publication is intended to serve as a manual and as a link to the more extensive instructions, presenting their main elements in condensed form. These instructions emphasise the management perspective, management and supervisor responsibility as well as information security planning. Their main target group is senior management and directors of central government organisations and information management and security personnel, and information security management in particular. Moreover, individuals working in central government tasks other than those mentioned above may find guidelines for their own work in these instructions.

This publication also gives those working outside central government and those interested in the development of information security an opportunity to acquaint themselves with the body of instructions and recommendations on the continually changing management and development of information security created under VAHTI's direction.

Chapter guide by target group

Role - task | Ch2 Ch3 Ch4 Ch5 Ch6 Ch7 Ch8 Ch9 Ch10 Ch11 Ch12
(An X marks a chapter relevant to the role; the column positions of the marks were not preserved.)

Senior Management | X X X
Administrative Management | X X X
Security Management | X X X X X X X X X X X
Information Security Management | X X X X X X X X X X
Subunit Management, Sector Management | X X X X X X X
Information Technology Management | X X X X X X X X X X
Information Security Experts, Security Experts | X X X X X X X X X
Individuals working in supervisor roles | X X X
Information System Owner | X X X X X X X X X X
System Experts, IT Support | X X X X X X X
Emergency Preparedness Manager/Secretary | X X X X X X X X X X X
Internal Auditing, System Auditing | X X X X X X X X X X X
Individuals responsible for document management and archives | X X X
Individuals responsible for information service | X X X
Information System Main User | X X X X X X X X
Standard Users, employees | X X X X
Procurement personnel | X X
Individuals handling personal data records | X X X
Premises management personnel | X X X X
Information Security Group | X X X X X X X X X X X
Security and Emergency Preparedness Group | X X X X X X X X X X X
Risk Management Co-ordination Group | X X X X X X X X X X X
Individuals responsible for contracts and agreements | X X X
Occupational Safety Director, Occupational Safety Supervisor | X X X X X X
Consultants and Service Companies | X X X X X X X


2 Information security fundamentals

2.1 Risk management policy

The reports on operations included in the financial accounts of accounting offices shall comprise the following:

An assessment of the appropriateness and adequacy of internal control and of the risk management entailed therein and a statement prepared on the basis of it on the status and the most essential development needs of internal control (assessment and statement of assurance of internal control).

State Budget Decree (1243/1992) Section 65, Paragraph 7

Information security risks are diversifying while completely new risks and threats are arising. A prerequisite of national security is the preventive identification and management of risks. When risks are reliably recognised, their adverse effects can be minimised by developing information security. Operations should focus on prevention, not on reaction after the fact. Risk management also calls for adequate, up-to-date monitoring of the national situation.

National Information Security, 2002, Chapter 3.1

Management of information security risks is part of an organisation's comprehensive risk management. Integration of risk management into management systems substantially improves an organisation's ability to respond to various information security, and other, threats. The principles of risk management include the introduction, maintenance and updating of the management system.

Effective risk management reduces and alleviates losses and other damage that threaten an organisation. It involves systematic, continuous development to identify, evaluate and control threats. Risk management is based on the organisation's operational goals and strategy, development, safeguarding of service processes, and the expertise of personnel and management of human resources.

Risk management policy formulates management as a whole and creates policies for its handling and development. To provide for systematic risk management in the policy, procedures and tools are agreed by which information on the most important risk factors is supplied to management. The procedures described in the policy specify the identification of risks, their management planning, implementation and monitoring, and agreements are made on the organisation and continuous implementation of risk management work.

With the aid of risk management policy, risk management is integrated into the management system and its annual schedule. The policy does not necessarily need to be a separate document; it may be included, for example, in operating and financial plans.

The risk management policy is approved by the organisation's senior management and it is based on statutes and ministerial instructions. Management also determines the coverage, responsibilities and internal organisation of risk management.

2.2 Information security policy

The senior management of a ministry, agency or institute approve and confirm the security and contingency planning principles to be adhered to in their organisation and determine the internal organisation handling the issue. Individual units and their managers are responsible for the implementation and monitoring of security and contingency planning principles in accordance with the principles of performance management. Operating principles should include information security targets and procedures.

Government Resolution on Central Government Information Security (11.11.1999)

With the aid of information security policy, management specifies the objectives, responsibilities and operating guidelines of information security. For the establishment of an information security culture, it is essential that the significance of information security and the general principles of information security work are explained to every employee. Information security policy serves as a foundation on which various information security plans and instructions are built.

The formulation of information security is directed by the purpose and strategy of an organisation's activities, risk analysis, laws and regulations. If an organisation is committed to adhering to certain standards, and especially if one of the organisation's objectives is certification according to a standard, the information security policy must fulfil the requirements of these standards.

Senior management approve an organisation-specific information security policy, confirm the security and contingency planning principles, and specify the responsibilities and activities of the internal information security organisation. Heads of units are responsible for the implementation and monitoring of security and contingency planning principles in accordance with the principles of performance management.

Responsibility for the preparation and maintenance of information security policy is often assigned to the individual responsible for information security. The management ensure that the document is reviewed or updated regularly, at least every three years and when there are operational and organisational changes.

2.3 Information security management

In order to create and implement good information management practice, the authorities shall see to the appropriate availability, accessibility, protection and integrity of documents and information systems and the information contained in them as well as other factors affecting the quality of information.

Act on the Openness of Government Activities, Section 18

Information security management is an integral part of the operational management of an organisation. It should therefore be included in the responsibilities of every individual working in management positions. Information security is best implemented when it is built into the organisation's planning processes (operational development), quality and other monitoring system (assessment, measurement), and achievement of targets of routine operations.

Information Technology Security and Safeguarding Operations, National Board of Economic Defence, 2002

Information security management is therefore part of all management activity. In addition to the management, attending to information security is part of the responsibilities of everyone employed by an organisation. Only the commitment of management to the development of information security will enable the achievement of targets set for an organisation's activities.

Figure 2. The relationship between the management system and information security

[Figure: time spans (Now, 1 - 3 years, 3 - 5 years, 5 years) set against management tools (mission statement, strategic intent, strategy, operational planning, operational management) and the corresponding IS management elements (IS policy, IS strategy, IS and continuity planning, IS instructions, basic reporting).]

To enable effective planning and resourcing of information security activities and to assign responsibilities by means of regular risk analysis, the management need an overall view of the functions, processes and staff expertise at different levels of their organisation, and of the key risks associated with the organisation's activities.

Figure 3. Example of an information security organisation model

[Figure: organisation chart with senior management at the top, internal auditing and security (with its different sub-areas of security) alongside, and below them the sectors, information management, staff units and performance units.]

Information security management must be arranged so that the set objectives are in the right proportion to an organisation's overall security and so that they support the various security objectives in strategies. Security is often part of the management functions of senior management while information security is one of its subareas, but other organisational approaches are also possible. The selected organisation model affects the focus of information security management tasks. An organisation should be structured in such a way that security is closely related to auditing, with the security function reporting directly to management. Implementation and monitoring (evaluation/auditing) should be operationally differentiated.

Information security management draws on an up-to-date information security policy. In an organisation, information security takes shape in the form of, for example, regular risk assessment and management measures, determining the information security level of new systems and attending to it throughout the entire life cycle of the system.

Information security responsibilities are included in the management system, management rules, rules of procedure and job descriptions, and in human resources performance management. Job descriptions should specify responsibilities, information security management, authorisations and actions in the event of serious incidents, as well as monitoring and reporting obligations. In addition to general responsibilities, special expertise and nominated security experts are also required in an organisation's information security management tasks.

The information security responsibility specification must follow organisational and operational changes. Information security arrangements depend on an organisation's maturity level. Depending on the organisation, a number of the information security responsibilities can be included in the duties of the same individual. It is essential that arrangements are made for the handling of these tasks.

A list of essential responsibilities and roles is presented in Appendix 2, where the responsibilities of individuals working in different roles for information security implementation and development are described.

No separate law has been enacted on information security; rather, elements of it can be found in selected legal provisions.

2.4 Information security as an element of performance management

The information on performance shall include comparisons with performance targets in accordance with Section 11 as well as reports on deviations and the main reasons for the deviations.

State Budget Decree, Section 65

For example, an adequate level of information security is an absolute prerequisite of the operational continuity and credibility of an agency.

The Ministry of Finance recommendation Information Security and Performance Management (VAHTI 1/2005) presents the main principles of information security and their connection with performance management, the management of agencies and operational assessment.

Handbook on Performance Management (Ministry of Finance 2/2005, Chapter 7.4)

It is the task of every organisational level and all performance areas to attend to the information security of their own activities and the services they purchase, specify the required principles, and when necessary prepare regulations and detailed instructions.

Clear and measurable information security targets should be specified for each organisational level in performance target negotiations. It is recommended that information security targets for large development projects be agreed on an individual project basis in order to ensure their cost-effectiveness. Performance targets should be closely linked to actual activity, thereby ensuring the achievement of results.

In performance management, an organisation must:

- attend to the performance management of information security
- agree with its performance units the concrete implementation of information security work
- attend to information security procedures when outsourcing and acquiring services on a subcontracting basis or when procedures cover several parties
- attend to the information security training of its personnel, and
- attend to continuity and emergency preparedness planning as well as contingency planning for emergency conditions and related contractual procedures.

Information security tasks are included in the job descriptions of all employees. They apply to both organisation management and standard users. Performance units determine performance targets all the way to the information security targets of individual employees.

Table 1. Information security targets and period

Targets based on an organisation's own characteristics for different time intervals

Time interval | Target areas
Strategic planning period | Operational productivity, quality, uninterrupted service provision.
Operating and financial planning period | Specification of desired information security level (maturity level) and implementation of development programme in accordance with it. Achievement of maturity level as specified in the management system.
Annual targets | Measurable targets that show that the security level has been met. Targets from the development programme.
Constraints | Compliance with the statutory information security level. Management statement on risk management.

When setting targets, indicators should also be specified. Possible indicators may be, for example, fulfilment of development targets, the trend in the number of information security anomalies, and the imputed savings to be achieved through information security measures in the event of serious incidents (person years and the corresponding value in euros).

To monitor the security situation and results, performance agreements should also specify monitoring responsibilities as well as reporting to senior management, the organisation's operational and key support function management, key individuals in positions of responsibility and supervisors. Performance management target-setting directs the planning and implementation of practical security measures. Information security tasks, responsibilities and reporting obligations can also be recorded in other documents in addition to performance agreements.

Information security is included in the annual planning process. Annual and longer period targets are incorporated into performance management. Costs arising from information security measures are normal operating expenditure and they are taken into account when planning activities and preparing budget proposals.

Figure 4. Donut dial for annual planning

[Figure: a dial of the months I to XII with the year's information security planning activities placed around it: strategy preparation; strategic decisions and operating and financial plan; service agreements; performance agreements; internal budgeting; budget proposal; agreement monitoring; threat surveys; risk surveys and assessments; risk management; selection of development services; self-assessment; document reviews (risk management policy, IS policy, other security documents); performance and development appraisals; management review; internal audit performed by IS group; audits conducted by outsiders; internal auditing assessment; interim reporting I and II with IS measurement; annual reporting; continuity exercises; fire and rescue exercises.]

The budget takes into account information security development investments, cost items in plans, and operational expenditure such as personnel expenses and maintenance agreement costs. The budget must also make provision for expenditure caused by risks as well as information security assessment and measurement costs.

When developing operational activities, adequate resources must be allocated to information security in new processes and systems. When information security investments are made, a payback period in proportion to the estimated risk is calculated.

2.5 Information security as part of operational strategic planning

Government agencies shall plan their operations and finances, and their performance, several years ahead. Ministries shall plan the effectiveness of operations and operative performance in their sector several years ahead.

State Budget Act (423/1988), Section 12

The national information security strategy is a key element of the Government information society policy. The strategy assists in combating information threats and exploiting related opportunities in both normal and emergency conditions. The strategy provides a common direction to the information security efforts of the Government, businesses, organisations and individual citizens. The strategy does not, however, affect the division of responsibility relating to information nor existing organisational structures.

Explanatory Memorandum on the Government Resolution on National Information Security Strategy

Information and its utilisation play a key role in the strategies of organisations today. At the same time, information security has become a strategic question. Information society development provides an opportunity to reform operating practices, improve customer service and save resources.

An information security strategy is a management policy on information security targets and the means by which the organisation aims to achieve these targets. Information security is primarily included in the strategic plans. The security guidelines contained in strategic plans are linked to operations and thereby directly to any changes that occur. Information security is also included in an organisation's other strategies (for example human resources and information management strategies). An information security strategy supporting the implementation of the organisation's strategic plans can also be specified separately.

Strategic decisions and plans are also reviewed in terms of information security when operating guidelines change or, for example, new electronic services are introduced. Function-specific information security strategy priorities are included in strategic plans and information security guidelines formulated for new services.

Table 2. Relationship of planning documents to time

Effectiveness | Planning document
Strategic planning period | Information security strategy, risk management policy, information security policy
Operating and financial planning period | Development plans, information security instructions, continuity plans
Year | Risk analyses, risk management plans, action plans

2.6 Information security and quality

Features common to all quality systems are customer-orientation, description of processes, responsibilities and tasks, and measurement and continuous development of operations. Information security is an essential element of the operational and service features and characteristics by which established or expected needs are fulfilled. It is therefore an operational quality factor. Information security is part of an organisation's quality system.

Security requirements have already been covered for some time in standards, for example in information security standards such as ISO19977 and ISO27001 and their predecessors. A standard can be applied both as a checklist of information security measures and as a certification option. Alongside standards, however, additional requirements resulting from Finnish statutes, for example in relation to preparedness for emergency conditions, should be taken into account. Assessment, particularly of operationally critical systems and software, is absolutely necessary.

An information security and quality platform for new information systems and the services based on them is created in connection with system development in the preliminary assessment stage or in the specification of an outsourced service when it is acquired. Addressing information security only after development work or the purchase of a ready-made product is generally very expensive or virtually impossible. Information security is therefore a key component of system development from its initial stages.

Public image, protection of privacy and equal treatment of customers are core values for the quality of information security. Requirements for information security measures also necessitate extensive, networked cooperation between organisations.

The European Foundation for Quality Management (EFQM) quality system applied in central government, moreover, sets quality criteria for organisations' activities to which information security requirements are also clearly related.

The Common Assessment Framework (CAF) linked to EFQM is a European public administration quality self-assessment method. The following table describes the main information security criteria of the CAF, divided into assessment areas:

Table 3. Main criteria of the CAF method

Assessment area | Information security assessment criteria
Leadership | Information security leadership practice
Strategies and planning | Security policy, information security policy and security in operating strategies as well as their translation in operations
People | Information security expertise and its inclusion in operating practices
Partnerships and resources | Information security management in cooperative relationships, technology, the management of information and knowledge, and the management of the physical operating environment. Outsourcing and security management. Information security in the procurement of services
Processes | Information security management as part of process development, planning and systematic management in own and partner-related processes as well as the continuous development of information security processes
Customer/citizen oriented results | Information security indicators and monitoring of results from the perspectives of the customer and performance
People results | Motivation, satisfaction and performance, information security work expertise, commitment
Social results | Responsibility for social effectiveness. Monitoring secure development. Detecting events that jeopardise security and preventively influencing them.
Key performance results | Results of agreed development projects

Wide-ranging information security work requires comprehensive documentation and a systematic approach. The existence of operating principles and plans alone does not produce quality; this depends on the actions performed in practice and the results achieved with them.

A quality operating practice requires clear targets and their achievement, the benchmarking of methods against the best practices of external organisations, improvements in performance and results, as well as results recognised based on benchmarking. Good quality also requires performance and process management, but so that achieved results are traceable from the operating practices specified as a consequence of such management.

2.7 Assessment and monitoring

The reports on operations included in the financial accounts of accounting offices shall comprise the following:

An assessment of the appropriateness and adequacy of internal control and of the risk management entailed therein and a statement prepared on the basis of it on the status and the most essential development needs of internal control (assessment and statement of assurance of internal control).

State Budget Decree (1243/1992), Section 65, Paragraph 7

Information security assessment is part of risk management according to an organisation's planning cycle. Assessment produces data on operational results and development needs, and supports the fulfilment of responsibility and accountability for results. Information security assessment should begin by first assessing the information security management system and its coverage. In addition to the management system, it should cover the various subareas of information security.

The evaluation process has clear main stages: appoint an assessment group, plan the process and select the method, conduct the assessment, collect and analyse the data obtained, and finally report the results, justifications, and proposals for further measures. After the assessment, responsibilities are assigned for the presented proposals on further measures and their implementation scheduled.

Figure 5. Evaluation process

[Figure: the evaluation process as a cycle. Inputs: annual plan and assignment, selected subject, nominated group (leader and members), assessment plan. Assessment tools: checklists, interviews, reports, other forms. Stages: assessment performance, assessment reporting with justifications, summary and feedback, corrective and follow-up measures.]


3 Organisation of information security

    3.1 Process thinking as the basis of information security

The senior management of a ministry, agency or institute approve and confirm the security and contingency planning principles to be adhered to in their organisation and determine the internal organisation handling the issue. Individual units and their managers are responsible for the implementation and monitoring of security and contingency planning principles in accordance with the principles of performance management. Operating principles should include information security targets and procedures.

Government Resolution on Central Government Information Security (11.11.1999)

Information security must be included as part of an organisation's operating processes to ensure that it is implemented in practice. Its incorporation into processes requires good cooperation between information security management, the personnel responsible for information security, information system owners and service providers. Measures that increase information security should be taken into account when processes are planned, to ensure that security requirements are fulfilled.

Figure 6. Information security maturity levels (ISO/IEC 21827 Systems Security Engineering - Capability Maturity Model)

[Figure: maturity rising over time through five levels.]

1. Initial: information security measures are based on ad hoc activity; few functions are clearly defined and the result depends on individual success and heroism.
2. Repeatable: information security processes are defined and monitored in relation to costs, time use and functionality; processes are to some extent repeatable.
3. Defined: information security processes are modelled, documented and established, and integrated into the organisation's procedures.
4. Managed: information security has indicators; information security outputs and processes are used in operations and in monitoring, and they are measured.
5. Optimizing: continuous improvement of information security is in use, based on quantitative indicators, feedback, and innovative new ideas and technologies.

When secure processes are maintained and developed, due attention should also be paid to the maturity level set as the target for the organisation's processes and to the constraints this sets for development.

Tasks included in the PDCA (Plan, Do, Check, Act) process model based on the ISO 27001 information security standard can be divided into four parts:

- at the planning stage (Plan), the process is initiated, business impact and risk analyses are made, and a continuity strategy is formulated based on them
- at the implementation stage (Do), the planned solutions are implemented and training begins
- at the checking stage (Check), data on the state of the process is produced by means of monitoring, testing, reviewing, auditing and reporting
- at the development stage (Act), solutions are improved based on the data collected.

The management and development cycle of the PDCA model for information security processes includes planning and construction of the management system (Plan), implementing and operating it (Do), monitoring and assessment (Check), and maintenance and development (Act). The cycle calls for continuous activity, and its purpose is to lead to the continuous improvement of operations.

Figure 7. Application of the PDCA model in an information security management system (ISO/IEC 27001:2005)

[Figure: stakeholders' information security demands and expectations feed a cycle of management system construction (Plan), management system implementation (Do), management system monitoring and assessment (Check), and management system maintenance and development (Act); the output delivered back to stakeholders is managed information security.]

An information security management process, i.e. a process for the development and maintenance of information security, also describes in its essential aspects what is required of an organisation's management in terms of information security. The objective of the process is to produce a managed information security package that facilitates the fulfilment of an organisation's targets and the reliability of its operations.

    3.2 Information security management system

Information system and network security policies, practices, measures and procedures should be coordinated and integrated to create a coherent system of security.

OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security

An information security management system is a framework consisting of the following operating models and documents:

- information security policy and strategy
- information security practices and principles describing the security practices in use
- information security development plan
- basic and supplementary instructions for information security
- information security architectures (topology and framework descriptions of solutions)
- information security reporting to management
- fire and rescue plans
- continuity plans
- contingency plans
- operational information security processes
- auditing plan.

An information security management system is used to implement an organisation's strategy.

An organisation's strategy is managed by means of a management system, which covers the detailed organisation of information security as well as information security policies, planning, responsibilities, procedures, processes and the necessary resources. A management system assists in monitoring and assessing the effectiveness and appropriateness of information security measures. By continuously developing the system, it is possible to improve the organisation's preparedness to manage its information security systematically.

Figure 8. Information security management system model

[Figure: a layered model. Foundation: information security and data protection legislation, other legislation and standards (ISO 27001 and other standards). Inputs: operating strategy and information management strategy; requirements of the organisation, stakeholders and information systems; performance targets, priority classification and prioritisation of actual operations; core processes and their information technology dependencies and agreements. Threat survey and risk analysis: risk analyses of systems, vulnerability analyses of core processes, survey of technical risks. Governing documents: information security policy (principles) and development plan. Planning: security planning, continuity planning, preparedness. Execution: implementation of security measures; instructions and information security on the job; increasing information security knowledge, training, motivation and information security assessment; monitoring and exercises.]

The key components of an information security management system are an up-to-date information security policy and related documents, as well as regular risk management applying to both current activities and planned changes. Based on these, an information security strategy and information security plans are prepared, which help to implement information security solutions in accordance with the existing information security requirements. Management systems regularly measure and assess the effectiveness and appropriateness of information security activities.

Figure 9. An example of the application of the maturity concept in a central government organisation

[Figure: the five maturity levels (1. Initial, 2. Repeatable, 3. Defined, 4. Managed, 5. Optimizing) plotted against time, with the artefacts an organisation accumulates as it matures: information security policy and risk management policy; instructions progressing from basic to comprehensive instructions; threat survey, risk survey and risk management plan; development plan; training plan, continuous training and information security awareness; information security plan and the solutions in use; continuity and preparedness; documented management processes; information security in agreements; benchmarking (first restricted, later full); audits (internal and external); indicators, monitoring and reporting.]

Various maturity models can be used to assist in developing a management system. With their help, the existing state of information security can be determined and a target level set for its development that implements the requirements laid down for the organisation's information security. An organisation can also adhere to the management models described in information security standards.

The achievement of the target level is generally a long-term development project whose objectives are described in operating and financial plans and spread over several years. In addition, the project should be divided so that measurable targets can be set for development activities on an annual basis and the necessary resources allocated to achieve them.
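The maturity figures above lend themselves to a simple self-assessment, and the staged logic behind them is easy to get wrong: an organisation that already runs audits (a level 4 artefact) but has no basic instructions (level 2) is still at level 1, and its annual backlog should start with the lowest open gap. The following Python is an added example, not code from the VAHTI document or from ISO/IEC 21827. The mapping of artefacts to levels in MODEL is one illustrative reading of Figure 9 (the document itself does not fix which artefact belongs to which level), the artefact names are assumed, and the inventory is constructed.

```python
"""Staged maturity self-assessment in the spirit of Figures 6 and 9.

Added example, not part of the VAHTI document. MODEL is an assumed,
illustrative placement of the Figure 9 artefacts; tailor it locally.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Defined",
               4: "Managed", 5: "Optimizing"}

# Level -> artefacts/practices that must ALL be in place for the level to count.
# Level 1 (ad hoc) has no required artefacts: every organisation starts there.
MODEL: Dict[int, FrozenSet[str]] = {
    1: frozenset(),
    2: frozenset({"information security policy", "basic instructions",
                  "threat survey", "training plan"}),
    3: frozenset({"risk management policy", "comprehensive instructions",
                  "risk survey", "development plan",
                  "information security plan",
                  "management processes documented"}),
    4: frozenset({"risk management plan", "continuous training",
                  "continuity and preparedness",
                  "information security in agreements", "audits",
                  "indicators, monitoring and reporting"}),
    5: frozenset({"information security awareness", "benchmarking"}),
}


def _normalise(names: Iterable[str]) -> set:
    """Case- and whitespace-insensitive matching of inventory entries."""
    return {n.strip().lower() for n in names}


def assess(model: Dict[int, FrozenSet[str]],
           in_place: Iterable[str]) -> Tuple[int, Dict[int, List[str]]]:
    """Return (achieved level, {level: missing artefacts} for unmet levels).

    Staged rule: level N counts only when every artefact of levels 2..N is in
    place. An audit programme (level 4) does not lift an organisation that
    still lacks basic instructions (level 2); it is simply already done.
    """
    have = _normalise(in_place)
    achieved = 1
    gaps: Dict[int, List[str]] = {}
    for level in sorted(model):
        if level == 1:
            continue
        missing = sorted(model[level] - have)
        if missing:
            gaps[level] = missing
        elif not gaps:          # every lower level is complete as well
            achieved = level
    return achieved, gaps


def annual_plan(model: Dict[int, FrozenSet[str]], in_place: Iterable[str],
                target: int) -> List[Tuple[int, str]]:
    """Ordered backlog up to the target level, lowest level first.

    Lower-level gaps come first because, under the staged rule, no amount of
    higher-level work changes the assessed level until they are closed.
    """
    _, gaps = assess(model, in_place)
    return [(level, item) for level in sorted(gaps) if level <= target
            for item in gaps[level]]


def unknown_artefacts(model: Dict[int, FrozenSet[str]],
                      in_place: Iterable[str]) -> List[str]:
    """Inventory names the model does not know (typos or local naming)."""
    known = set().union(*model.values())
    return sorted(_normalise(in_place) - known)


# Constructed inventory for illustration, not real agency data.
SAMPLE_INVENTORY = [
    "Information security policy", "Basic instructions", "Threat survey",
    "Training plan",                                   # level 2 complete
    "Risk management policy", "Risk survey", "Development plan",  # part of 3
    "Audits",                                          # level 4 item done early
]

if __name__ == "__main__":
    level, gaps = assess(MODEL, SAMPLE_INVENTORY)
    print(f"Assessed maturity: {level} ({LEVEL_NAMES[level]})")
    for lvl, items in gaps.items():
        print(f"  level {lvl} ({LEVEL_NAMES[lvl]}) still needs: "
              + ", ".join(items))
    print("Backlog towards level 3:", annual_plan(MODEL, SAMPLE_INVENTORY, 3))
```

Running the module prints the assessed level, what blocks each higher level, and the backlog towards a chosen target; the backlog is the form in which the annual measurable targets mentioned above can be written down, and unknown_artefacts catches inventory entries that would otherwise be silently ignored because they do not match the model's naming.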


    3.3 Information security planning and development

Security planning translates the security measures that follow from the organisation's operating policies and strategies into targets for individuals in positions of responsibility and for the whole organisation. Plans are therefore the basis for the implementation and comprehensive development of information and other security, and they must be taken into account in performance management in connection with performance appraisals, as well as when implementing ICT services and extensive development projects.

Systematic information security development calls for synchronisation of the information security management system. Information security requirements arising from strategies and the operational demands of development projects must be harmonised. Development plans assess the information security risks caused by operational requirements and seek appropriate solutions to reduce and eradicate those risks. In this way the desired level of information security is achieved.

Plans are used to direct information security work and its implementation in practice. They are prepared at all organisational levels, and they take into consideration continuity and contingency plans and measures.

Figure 10. Relationship between information security plans and security plans

[Figure: over time, the operating strategy, HR strategy, ICT strategy and other strategies give rise to the information security policy and the risk management policy; from these follow risk analysis and the risk management plan, the security development programme, security instructions and information security instructions, security in processes and security solutions, security activity and the promotion of security, and preparedness (fire and rescue plan, continuity plans, preparedness plans, exercises), with reporting on all of them.]

In addition to planning, attention should be paid to the implementation of plans as well as to their assessment, control and monitoring. The division of responsibility for control and monitoring must be clear, and the activities need to be efficient and appropriate. An information security management system can be of assistance in implementing systematic control, monitoring and assessment of plans.

Meeting the set targets according to the plans requires that the necessary resources, schedules and links with other activities are taken into consideration in the planning phase.

Sufficient time and resources are required for planning, and planning must be linked to the whole organisation's operating and financial planning.

It is often possible to find cost-effective information security solutions at an early stage of a project that can no longer be implemented later. Information security costs can therefore be controlled better the earlier in the process the information security perspective is considered.

    3.3.1 Planning fundamentals

Information security planning draws on legal statutes and the Ministry of Finance's VAHTI instructions, and builds on the safeguarding and quality control of an organisation's operations.

Measures are directed at the different elements of information security. Plans should take into account an assessment of the organisation's information risks, its dependence on information technology and other threats connected with the use of technology, as well as the specification of the measures required by risk management and implementation plans.

An organisation should prepare:

- information security practices and principles designed to protect operations from internal and external damage directed at information and information technology, describing the means by which information security is ensured,
- a continuity plan that enables important services and functions to continue when normal information processing has been blocked for technical or other reasons during normal conditions,
- an emergency preparedness plan, prepared irrespective of the priority classification of the organisation (information processing), as a contingency for emergency conditions,
- a development plan for the systematic development of information security.


The various elements of information security should be adequately taken into account at the different stages of planning.

    3.3.2 Information security practices and principles (an information security plan)

For the overall management and control of information security, an organisation must have an up-to-date description of the solutions and principles already in use. This document is also known as an information security plan, although its content is not that of a plan: solutions to be adopted at a later date are described in the information security development plan, whereas the information security plan describes the organisation's information security management solutions as they currently stand.

The document:

- describes the information security solutions, tasks and responsibilities in use, their level, and the manner in which they are implemented within the organisation
- describes the solutions for the protection, correct processing and confidentiality of data
- specifies the security technology that supports operations, as well as the measures connected with the continual development of security and their monitoring points
- specifies the procedures for reporting on information security activity and its results to the organisation's management, if these are not described in other documents.

The basic premise for information security maintenance and development is the specification of the organisation's main functions, together with a risk survey conducted within the organisation. This risk survey covers the information systems that support the main functions.

Information security practices and principles aim to fulfil information security needs under normal circumstances. In addition, the organisation should take into account the basic factors that influence continuity planning and emergency preparedness planning for emergency conditions, even if these plans are made separately.

    3.3.3 Information security development plan

The information security development plan is generally linked to the information security practices and principles document. Together with the information security policy and the information security assessment, the development plan forms a logical package that describes the systematic development work.

The development plan serves as a guide for implementing the measures by which shortcomings perceived in an information security assessment are rectified and by which the information security maturity level is raised to its target level. Progress in the implementation of the development plan is described as part of the organisation's reporting.

    3.4 Information security implementation

In order to create and implement good practice in information management, the authorities shall:

Plan and implement their document and information administration and the information management systems and computer systems they maintain in a manner allowing for the effortless realisation of access to the documents and for the appropriate archiving or destruction of the documents, the information management systems and the information contained therein, as well as for the appropriate safeguarding and data security arrangements for the protection, integrity and quality of the documents, the information management systems and the information contained therein, paying due attention to the significance of the information and the uses to which it is to be put, to the risks to the documents and the information management systems and to the costs incurred by the data security arrangements.

Act on the Openness of Government Activities, Section 18, Paragraph 4

It must be appropriate and justified to process personal data in the operations of the data controller. The purpose of the processing of personal data, the regular sources of personal data and the regular recipients of recorded personal data shall be defined before the collection of the personal data intended to be recorded in the file or their organisation into a personal data file. The purpose of the processing shall be defined so that those operations of the data controller in which the personal data are being processed are made clear.

Personal Data Act, Section 6

In information security, more consistent and interoperable operating instructions are needed than in other functions. Instructions can be divided into general instructions, organisation-specific instructions, and special instructions covering some restricted area. Instructions in the central government include the Ministry of Finance's instructions on information management development as well as the VAHTI instructions. They are suitable as such as the basis for information security work in central government organisations.


Organisation-specific instructions outline dedicated information security practices so that they are suitable for an organisation's own operating practices and processes. Such instructions include, for example, the information security instructions that serve as the basis for in-house personnel training. The commitment of personnel to secure operating practices is seldom achieved through instructions that are general in nature. For this reason, the actual instructions must consist of information security instructions adapted to the individual organisation and its operating practices, and they must be based on its own information security policy. Information security operating procedures are included as part of the organisation's normal operating processes, which are properly documented and covered by clear instructions.

Special instructions are primarily an organisation's own instructions, relating for example to a restricted field of activity or a specific information system. They are intended for the own use of information management and security personnel, or relate to individual services, functions, projects, technical security solutions, or continuity, emergency preparedness and recovery plans. As a rule, these documents are security classified.

General and organisation-specific information security instructions can form a distinct entity in an organisation's collections of instructions and standing rules. Information security instructions relating to individual services and functions can be situated in the quality assurance system next to the functions in question. Instructions intended for all personnel are distributed to the entire organisation. Special instructions are situated according to their required use either in the instructions collection or in the quality assurance system, and are distributed in an appropriate way to their target groups.

It is important to note that expertise in information security measures cannot be required of personnel if confirmed and approved information security instructions, and the training and familiarisation required for compliance with them, are not available. Instructions should be made readily available, and everyone should be familiar with their content.

    3.4.1 Procurement

The procurement of services, information technology equipment or an information system includes the specification of information security requirements and an assessment of information security features. Key requirements are specified and clearly presented at the invitation to tender stage, and information security factors are included in the tender comparison and selection criteria. Implementation of the information security requirements may be made an absolute precondition of any purchase.

In the procurement of information technology services and equipment, the central government instructions issued on the subject shall be adhered to. Where resources are scarce in a public organisation, it is possible to acquire shared information security resources from a public sector partner instead of purchasing them from the private sector.

In the central government's general terms of public procurement contracts, information security is not a special subject of attention. In connection with a purchase there might be a need to enter into a separate security agreement specifying the protection principles and confidentiality periods to be observed by the parties to the agreement. Through agreements, an effort should be made to prevent leak