Organisaation on luotava ja ylläpidettävä tietoturvasuunnitelmaa.
Asiakastietolain 27 §:n mukaisesti palvelunantajan on laadittava tietoturvaan ja tietosuojaan sekä tietojärjestelmien käyttöön liittyvä tietoturvasuunnitelma.
Tämän määräyksen(MÄÄRÄYS 3/2024) mukaista tietoturvasuunnitelmaa ei tule sisällyttää tai yhdistää julkaistaviin tai julkisesti saatavilla oleviin omavalvontasuunnitelmiin. Tietoturvasuunnitelmaa ja siinä viitattuja liitedokumentteja tulee käsitellä ja säilyttää ottaen huomioon tarvittava suojaaminen sivullisilta ja tarvittaessa niihin tulee merkitä salassa pidettävä -tieto
The organization has an information security policy developed and approved by top management. The policy shall include at least the following:
In addition, the task owner shall ensure that:
Organization's top management sets security objectives. Security objectives meet the following requirements:
In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.
The organization conducts internal audits in accordance with its internal audit procedure. The aim is to check:
Documented information on the execution and results of audits must be kept.
The Statement of Applicability (SoA) is a key document that defines how an organization implements much of its cyber security.
The statement describes which of the controls recommended by ISO 27001 are implemented in the organization, how they are implemented, and the current state of the controls. In addition, possible reasons for not using certain controls are described.
Compliance with required laws, regulations, standards, and contractual obligations can be as challenging as dealing with an ever-changing threat environment and new forms of cyber-attacks.
The organization shall document the information security requirements and the organisation's operating model for meeting them.
It is important to note that a large part of the requirements (e.g. laws, standards) are evolving entities. It is recommended to define a review interval for the documentation to describe the frequency at which changes in the requirements should at least be checked.
The organization has established a procedure for conducting internal audits. The procedure shall describe at least:
The organization must operate, maintain, and continuously develop a security management system.
The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.
The organization must define the frameworks that are used as the basis of the management system. Requirements frameworks should address:
Internal reporting goals:
Requirement fulfillment goals:
The organization must submit the report on the review of ICT risk management framework in searchable electronic format. It must include:
Description of the financial entity’s context, including:
Executive Level Summary:
Reported Area Information:
Changes in ICT Risk Management Framework:
Approval Date:
Reason for Review:
Review information:
Remedying Measures:
Conclude the review, including further planned developments for the ICT risk managemen
The organization must develop, document, and implement an ICT project management procedure. It should take into account:
The organization must ensure that internal auditing has sufficient segregation and independence from control functions.
The simplified ICT risk management framework is subject to an internal audit in line with the organization's audit plans. The auditor needs to have sufficient competence and independence. The frequency and scope of audits should be based on the ICT risk of the organization.
Based on the outcome of the audit the organization must ensure timely verification and remediation of the critical audit findings.
The organization must have in place an internal governance and control framework to ensure effective management of ICT risk and achieve high level of digital operational resilience.
The management body must:
Organizations should do coopearation with the single point of contact and the competent CSIRTs, if requested or voluntarily, when a significant incident with cross-border and cross-sectoral impact happens.
Organizations should conduct an external audit at least once every two years or whenever it's requested by competent authority, as mandated by applicable laws and regulations.
Audits are conducted by cybersecurity auditors, who are responsible for preparing a report on the audit findings. Organizations should note that some laws and regulations may require auditors to hold specific certifications, e.g. national cybersecurity audit security certificate or audit has to be done by specific authority.
Organizations are required to submit the report to the competent authority responsible for implementing cybersecurity requirements immediately upon receipt, if mandated by laws and regulations.
The administrative bodies and the governing bodies of the organizations have to be informed on a periodic or, if appropriate, promptly, of incidents and notifications.
The organization appoints a Cyber Security Officer who is responsible for the compliance of specific networks and systems.
The organization appoints a chief information security officer (CISO) that meets the defined requirements and is responsible for the implementation of the organization's risk management measures.
The organization performs cyber security audits according to the procedures of the National Cyber Security Center.
The National Cyber Security Center installs and manages technical cyber security measures for entities to monitor and address cyber threats and incidents. Important entities can request and essential entities must facilitate the implementation and management of these measures for their systems. The Ministry of National Defense defines the procedures and approves the installation plan, specifying the measures and any data processed. The installation, maintenance, and repair costs of these cyber security measures are covered by The National Cyber Security Center.
State and municipal organization or other institutions listed in the Secure Network list must store state information resources in state data centers or data centers within Lithuania, EU, EEA, or NATO member states. Storage costs of the state information resources are funded from the institutions' allocated state budget funds.
Governmental and municipal organizations or other institutions handling state information or meeting the criteria must use the Ministry of National Defense overseen Secure State Data Transmission Network for electronic communications and connect to public networks only through it except for government-defined exceptions.
Conditions for the usage of the Secure Network:
The national cyber security authorities maintain a Cyber Security Information System for managing data related to cyber security entities, incidents, and risk management measures. The organization based on the requirements specified in the Cyber Security Information System regulations must register to this system and has a right to become a user of the data it provides.
The key requirements include:
Benefits of the Cyber Security Information system usage for the organization:
The organization shall notify a competent authority immediately, but no later than within five working days, of the appointment of a cyber security manager. The notice shall state the name, surname, personal identification number, position, e-mail address and telephone number of the cyber security manager. The organization shall report any changes to a competent immediately, but no later than within five working days.
The entity's cyber security management is ensured and is the responsibility of the entity's manager. The head of each entity determines the responsible person who implements and supervises the implementation of cyber security measures in the relevant entity. The Cabinet of Ministers determines the requirements for the cyber security manager.
The cyber security manager has the following duties:
Conformity of the organization is ensured by passing a mandatory regular conformity assessment. To carry out this assessment, the organization can choose from three options:
The conformity assessment statement that the organization receives after the conformity assessment of their chosen framework, allows them to benefit from a presumption of conformity. Until proven otherwise, they are presumed to have respected their obligations.
Dependencies on external services might affect the organization's risk management and critical capabilities. The organization needs to identify and maintain a list of the organization’s external dependencies, including facilities, cloud providers, and any third-party services.
The documentation should also include:
Ensure that relevant personnel are informed about these dependencies and their associated risks.
Organization defines the strategic approaches for responding to risks based on the risk types, and the organizational risk tolerance and exposure. These strategies can include for example:
Identify and document the organisation's strategy and priorities, which may have an impact on information system security.
It is important to note that this documentation should be reviewed when the organization's strategy and priorities change.
The organization develops and implements a crisis response strategy to protect the organization from the negative consequences and reputational damage of a crisis. This strategy should include predefined actions to manage public view, control the narrative, and mitigate the impact of the crisis on the organization.
The organization must determine what work fields and specific jobs are considered sensitive (e.g. based on data handled and access the employee has).
Sensitive work fields depend on the nature of organizations operations, but can include e.g. information security, IT and system administration, finance, HR, legal, R&D, customer support, analytics, management and many others.
Organisation should define and document an information security structure within the organisation. This should include the consideration of other relevant security roles.
The organization must monitor the effectiveness of their digital operational resilience strategy. This should include at least:
This should increase the awareness of exposure to cyber attack related risk especially with important and critical functions and preparedness against cyber attacks.
Organization should have a process to analyse and learn from the operational resilience testing results, from actual cyber security incidents and from experiences of activating continuity plans. Relevant information and experiences should be exchanged with counterparts.
The lessons learned should be incorporated in to the cyber risk management process.
The organisation's top management should have a yearly report about the lessons from senior ICT staff along with recommendations for improvements.
Top management of the organization is responsible for:
Top management must ensure clear responsibilities / authority on at least the following themes:
The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.
In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated. It is also important to recognize the roles and responsibilities of external partners and providers.
The organization shall have a sufficient number of trained, supervised and, where necessary, properly security cleared personnel who play key roles in information security, performing management tasks related to the information security management system.
The organization has defined:
The owner of the task regularly reviews the number and level of competence of the security personnel.
The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:
Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.
Management shall define responsibilities and establish procedures to ensure an effective and consistent response to security incidents.
Management must ensure e.g.:
The process must ensure e.g.:
Personnel under the direction of the entire organization must be aware:
In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.
The organisation regularly evaluates the level of cyber security and the effectiveness of the information security management system.
Organisation has defined:
Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing organisation's success / failure related to cyber security.
Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.
The management review shall address and comment on at least the following:
Documented information on the execution and results of reviews must be maintained.
The organization shall determine which issues related to the information security management system need to be communicated on a regular basis. The plan must include the answers, e.g. to the following points:
Task owner will take care of the implementation of the plan and regular evaluation of its effectiveness.
The organization shall continuously strive to improve the performance of the information security management system. Ways to improve are being actively sought - not just through audits or clear non-conformities.
Task owner is responsible for documenting the improvements made to the management system and dividing them into tasks to be performed, monitoring task execution and assessing the reached effects.
Organization has defined what constitutes important security-related documentation and guidelines (e.g. report documents or all task / guideline content), which should be securely archived after they are replaced or become otherwise outdated.
This information should be saved for possible reviews of old policies or guidelines, which may be relevant e.g. in the case of a customer dispute or investigation by data protection authority.
When no specific legal or contractual requirement states the retention period, information should be saved for at least five years.
Organisation should have processes for ensuring that conflicting responsibilities are segregated to reduce opportunities for misuse of the organization’s assets.
Care should be taken e.g. in relation to a single person being able to process data without detection. Often also separating the initiation of an event from its authorization is a good practice.
When direct segregation of duties is hard to achieve, the following principles can be utilized:
The organization has set priorities for its operations and goals. Based on these priorities, you need to be able to define security roles, responsibilities, and goals.
Tietojärjestelmän tai muun useita tietoaineistoja sisältävän kohteen luokitus määräytyy ensi sijassa korkeimman luokituksen aineiston mukaan. Tietojärjestelmien luokitusta arvioitaessa tulee huomioida myös kasautumisvaikutus riskilähtöisesti.
Suuresta määrästä tietyn luottamuksellisuuden tason tietoa koostuvissa tietojärjestelmissä asiakokonaisuus voi nousta luokitukseltaan yksittäistä tietoa korkeammalle tasolle. Määrä ei ole kuitenkaan ainoa tekijä, vaan joskus esimerkiksi kahden eri tietolähteen yhdistäminen voi johtaa tietovarannon luokituksen nousemiseen.
Tyypillisesti kasautumisessa on kysymys IV-luokan tiedosta (esimerkiksi suuri määrä turvallisuusluokan IV tietoa voi muodostaa yhdistettynä turvallisuusluokan III tietovarannon), mutta kasautumisvaikutus tulee huomioida myös turvallisuusluokittelemattoman salassa pidettävän tiedon suojaamisessa.
Organization should identify and document dependencies between its assets.
In Cyberday dependencies between asset elements are created when creating and linking documentation. Procedure can be expanded according to organization's own needs.
Organisaation tietoturvallisuusvaatimukset muodostuvat esimerkiksi lainsäädännössä ja sopimuksissa määritellyistä vähimmäisvaatimuksista sekä muista tunnistetuista tai itse tavoitelluiksi valituista vaatimuksista.
Organisaation on seurattava tietoturvallisuusvaatimusten muutoksia ja tehtävä tarvittavat toimenpiteet niihin reagoimiseksi.
Tietoturvallisuuteen liittyvä dokumentaatio on ajantasaista.
Valtionhallinnon viranomaisen on pidettävä luetteloa henkilöistä, joilla on oikeus käsitellä turvallisuusluokan I, II tai III asiakirjoja. Luettelossa on mainittava henkilön tehtävä, johon turvallisuusluokitellun tiedon käsittelytarve perustuu.
The organization has identified the national and EU legislation governing ICT preparedness related to its operations and services, as well as other norms related to ICT preparedness.
Legislation and norms determine the minimum level for implementing ICT preparedness. In addition to this, the organization must take into account the needs arising from the special features of its own operations. Understanding the internal and external dependencies of operations is a basic requirement for cost-effective management of preparedness.
Theme-specific policy documents can help the communication and viewing of tasks, instructions and other documentation related to different areas, as well as connecting possible upper-level principles to these contents of the management system, which describe a more detailed implementation.
The organization must define which theme-specific policy documents are maintained and, if necessary, reviewed as a whole at desired intervals. Examples of topics for which you may want to maintain your own policy document include:
The organization has clearly defined a budget dedicated to the maintenance and development of digital security. The budget is sufficient to achieve the goals set for digital security.
When budgeting for digital security, three key areas must be considered in particular - personnel costs, technology solutions and operational costs.
The organization has an operating model for regular communication to the entire organization about the risk situation in information security and about new significant risks affecting the organization.
Information can be implemented, for example, as a collaboration between the information security core team and communication professionals.
The organization has dedicated sufficient resources and expertise to the development of digital security as part of the implementation of the organization's strategy.
In addition, a responsible person has been named for digital security, and this theme receives enough attention in the responsible person's job description and time management.
The organization has formed a plan in case of a smear or influence campaign against it.
A board separate from the management supervises the development and implementation of internal information security measures.
The board's duties include in particular:
The organization's information systems collect data from internal and external sources and process essential data into information. Information supports internal control components
Information must be:
The organization must define its operations and, in particular, the units relevant to the implementation of information security.
The owners defined for the units can be assigned responsibilities for the unit-specific implementation of various tasks.
When setting the organization's information security objectives, external objectives must be taken into account. This means, for example:
The organization must:
The organization must define what technology is needed in order to achieve the information security objectives? And, what technology must be acquired / developed in order to achieve the information security goals?
The organization must have a strategy for developing and maintaining a cyber security architecture.
The strategy must match the organization's cyber security program and the organization's architecture.
The architecture must include:
The organization must create and maintain a strategy for the cyber security program. The cyber security program defines the goals for the organization's cyber security measures.
The organization must establish and maintain a cyber security program. The program must have the support of the top management.
The program must be established:
Non-compliance with legal, regulatory, or contractual provisions can create risks to the information security of the organization.
To facilitate this, the integrity of records in accordance with the legal, regulatory, or contractual provisions and business requirements is considered.
Organisation should have a procedure to classify projects from the point-of-view of required information security level and other information security requirements for the project.
The criteria for the classification of projects should be documented.
The idea behind the certification mechanisms is to demonstrate that data processing follows good data processing practices and good practices in general. Example of a security certificate is for example: ISO27001.
Task owner regularly evaluates the implementation of internal audits, especially from the following perspectives:
If necessary, task owner makes changes to the internal audit procedure.
An organization must classify its information assets, such as information systems, data, units, key personnel, and other assets to be protected (e.g., equipment), according to priorities. Prioritization can be done, for example, based on the requirements for confidentiality, integrity, and availability of the information being processed.
The organization must consider the possibility of fraud related to information security when assessing risks.
It is at least worth noting: