Organisaation on Asiakastietolain 41 §:n mukaisesti ilmoitettava tietojärjestelmän tuottajalle, mikäli järjestelmässä ilmenee poikkeama järjestelmien olennaisista vaatimuksista. Poikkeamia on kuvattu THL:n määräyksen 5/2021 luvussa 10.4
Tietojärjestelmien merkittävistä poikkeamista on ilmoitettava Valviralle, erityisesti tilanteissa, joissa poikkeama voi aiheuttaa merkittävän riskin asiakas- tai potilasturvallisuudelle tai tietoturvalle. Merkittävien poikkeamien korjaamiseksi on ryhdyttävä korjaaviin toimenpiteisiin.
Tiedonhallintayksikön on suoritettava olennaiset riskiarvioinnit sen tietoaineistojen käsittelyn, tietojärjestelmien hyödyntämisen ja toiminnan jatkuvuuden suhteen. Riskiarvioinnin perusteella tiedonhallintayksikön on:
a) Laadittava valmiussuunnitelmat ja etukäteisvalmistelut häiriötilanteiden varalle.
b) Suoritettava muut tarvittavat toimenpiteet, jotta tietoaineistojen käsittely, tietojärjestelmien hyödyntäminen ja niihin perustuva toiminta voivat jatkua mahdollisimman häiriöttömästi normaaliolojen häiriötilanteissa sekä valmiuslaissa (1552/2011) tarkoitetuissa poikkeusoloissa.
Sometimes an unexpected event, such as a fire, flood, or equipment failure, can cause downtime. In order to be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. planning the operations in advance for these exceptional situations.
Each continuity plan shall contain at least the following information:
Organization must, as part of it's cyber risk management framework, maintain and review digital operational resilience testing program. It must help the organisation to asses their preparedness to:
The testing program:
The organization should have processes to prioritize, classify and remedy the issues uncovered by the testing program.
As part of the program the organisation must ensure yearly testing of all ICT systems and applications that support critical or important functions.
The organization must have a process to perform needed checks to ensure data integrity is maintained when recovering from ICT-incident.
The check should also be done when data is reconstructed from external stakeholders to ensure data is consistent and correct between the systems.
To ensure the reliability of the systems, the following measures should be taken:
Maintenance, updating and possible renewal of information systems, devices and networks should be planned with the necessary component and software updates to be implemented before possible failures. When examining the criticality of components, the perspective of customer and patient safety should be taken into account.
The organization should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.
Testing of continuity plans shall involve, as appropriate, stakeholders critical to each plan. The organisation should identify and document the necessary contacts with suppliers and partners.
In addition, the adequacy of continuity plans and associated management mechanisms should be reassessed in the event of significant changes in operations.
The organization has to include disaster recovery in their continuity planning. Relevant disasters for the planning are natural disasters (e.g floods, earthquake, hurricanes) and human caused disasters (e.g terror attack, chemical attack/incident, insider attack).
In disaster planning there is greater emphasis on the returning operations to normal levels safely than in continuity planning. After this focus moves to resuming normal operations.
The continuity plans must be updated at least annually or after significant changes.
The organization must document in advance procedures for responding to security breaches to ensure the actions of related departments, customers, and other critical partners in the event of a security breach.
The organization must test and update its response to the security breach at scheduled intervals or after significant changes. For critical parts of the organization, operational plans should be tested at least annually. Test results should be documented and communicated to improve the plan.
The organization shall establish a incident response plan for security incidents to critical information systems. Response plans should also be tested by the necessary organizational elements. The plan should take into account at least:
In addition, the plan should at least:
In the event of an incident, communication with internal and external stakeholders must be in accordance with the incident response plan.
In the event of an incident, the implementation of the response plan with stakeholders must be carried out as specified in the plan.
Palvelua hankittaessa tulee huomioida, että palvelua voi olla hankala kotiuttaa ja toimittajalukkoon jäänyttä palvelua vaikea siirtää toiselle palveluntarjoajalle. Erityisesti vaatimus tulee huomioida hankittaessa pilvipalveluita.
Jatkuvuussuunnitelmissa on huomioitu yhtenä erityistä tarkkuutta vaativana näkökulmana palveluiden kotiuttamiset ja siirrot toiselle palveluntarjoajalle.
The organization has identified the tasks that are critical for the continuity of its operations. Alternative courses of action for specific exceptional situations and staff availability and contingency arrangements have been planned and prepared for the continuation of critical tasks.
To implement the continuation plans, the plan owners, their alternates and other persons required to implement the plan have been identified. In addition, their ability to carry out their tasks under normal circumstances has been ensured.
Palvelujen riippuvuus muista palveluista ja toisista toimijoista on otettu huomioon koko tietojenkäsittely-ympäristön ja sen vikasietoisuuden suunnittelussa.
Continuity requirements for ICT services are derived from continuity plans that are created for core processes (e.g. related to the provision of organization's products and services) and the recovery time goals included in them.
Organization must identify what recovery times and recovery points different ICT services must be able to achieve, taking into account the defined recovery goals for related processes, and ensure the ability to achieve them.
The planning must take into account in particular:
Organization must identify the required level of availability for the services it offers as well as for any related data systems and other data processing environment. The organization must plan its systems and operations so that the availability level can be met.
When planning a resilient data processing environment, the organization should consider the following factors:
For example, in important production systems, the resilience should also be tested regularly to ensure a smooth transition to backup solutions during incidents.
The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.
Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.
Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.
The organisation should include the following topics into their continuity planning:
Continuity planning should take into account alternate communication options for situations primary communication means aren't operational. There should also be alternative options for storage, power and network strategies.
The organisation should establish and maintain a comprehensive crisis management framework. This involves implementing methods to detect potential crisis situations by identifying general indicators and specific predictable crises, along with clear procedures for invoking and escalating crisis management when necessary. Strategic goals and priorities must be defined, focusing on ethical considerations for example:
A dedicated crisis management team should be formed, including representatives from all major organizational functions, with defined structures, roles, competencies, expectations, authority, and decision-making procedures.
Crisis management policies and procedures need to be developed and approved, encompassing exceptional authorities and decision-making processes, communication methods, emergency operating procedures, and organizational structures for reporting, information gathering, and decision-making.
The entire crisis management plan should be reviewed and updated regularly to ensure its ongoing effectiveness and relevance.
The organization should define requirements for the continuity of information security management during a crisis or disaster.
Information security management can either assume that the requirements are the same in adverse situations as in normal operating conditions, or seek to determine separately the security requirements applicable to adverse situations.
The organization must maintain a top-level strategy for continuity planning. The strategy should include at least:
In order to develop a strategy, it may be necessary to make use of general good practices, such as ISO 22300.
The organization shall have procedures in place to communicate effectively with stakeholders and other participants during continuity plans and survival procedures.
Communication plans related to continuity plans shall include:
Organizational recovery measures must be communicated as planned to critical individuals and management within the organization. Recovery measures must also be communicated to external stakeholders.
Relevant persons are sufficiently familiar with the continuity plans related to their own activities and their more detailed contents, and are able to act accordingly.
The organization regularly develops its continuity plans by analyzing the testing of the plans, training and their actual use in real situations.