Detection of non-compliance with the change management procedure

Organisation must create and maintain comperhensive and well-documented a risk management framework.

The risk management framework should include at least:

• Strategies
• policies
• procedures
• protocls
• tools

used in cyber risk management.

The risk management framework must be reviewed at least yearly.

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

• Risk identification methods
• Methods for risk analysis
• Criteria for risk evaluation (impact and likelihood)
• Risk priorisation, treatment options and defining control tasks
• Risk acceptance criteria
• Process implementation cycle, resourcing and responsibilities
• The results should be included into the organization risk management process

The task owner regularly checks that the procedure is clear and produces consistent results.

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

• Description of the risk
• Evaluated impact and likelihood of the risk
• Tasks for managing the risk or other treatment options
• Acceptability of the risk

The organization has a defined cybersecurity risk management policy and it has been communicated to relevant stakeholders and been approved by the top management. The policy should include at least:

• Basis for setting the risk management requirements and objectives based on the organizational context
• Commitment to the cyber security risk management system
• Strategic directions of the risk management process
• Overview of the roles and responsibilities for risk management

The policy should be kept updated, reviewed periodically and reflect organizational changes. The task owner should also ensure that the policy is understandable and available to all parties.

In the management of information security risks, the tasks must be separated if they are not compatible.

In a situation where the tasks are not compatible, but the separation of tasks is not practical, separate controls must be developed to monitor it.

The organization must consider the risks for achieving information security goals. Risks related to the achievement of goals must be mitigated by setting up control measures in at least the following areas:

• Risk assessment process
• Organization-specific factors, such as the environment, nature, the structure of the organization and the scope of its activities
• Essential business processes

The organization must identify the functions critical to the continuity of its operations (e.g. services offered to the customer).

Risks related to critical operations should be identified, evaluated and handled with emphasis and regularly in cooperation with service providers.

Implemented risk management measures and the overall situation of risk management are checked regularly.

The operating model for monitoring the status of risk management is clearly described.

Critical risks threatening the organization's operations are reported to the organization's management immediately.

There is a clearly planned operating model for reporting.

• Tietojenkäsittely-ympäristö on dokumentoitu sellaisella tasolla, että siitä pystytään selvittämään tietojenkäsittely-ympäristössä käytetyt laitteet ja ohjelmistot versiotietoineen (laite-, käyttöjärjestelmä- ja sovellusohjelmistot) ja se tukee myös haavoittuvuuksien hallintaa.
• Tietojenkäsittely-ympäristöjä tarkkaillaan luvattomien muutosten tai laitteistojen havaitsemiseksi. Tietojenkäsittely-ympäristön kirjanpito pidetään ajan tasalla koko elinkaaren ajan.
• Tietojenkäsittely-ympäristön turvallisuuden toteuttamiseen liittyvän aineiston (dokumentaatiot, sähköiset kirjanpidot ja vast.) luokittelu- ja suojaamistarpeet on määritetty.

Fyysiset turvatoimet on mitoitettava riskien arvioinnin mukaisesti. Riskien arvioinnissa tulee ottaa huomioon esimerkiksi pääsyoikeuksien hallintaan ja muihin turvallisuusjärjestelyihin liittyviin prosesseihin sisällytettävät tiedonsaantitarpeen, tehtävien eriyttämisen ja vähimpien oikeuksien periaatteet. Fyysisiä turvatoimia koskevan riskien arvioinnin tulee olla säännöllistä ja osa organisaation riskienhallinnan kokonaisuutta. Arvioiduilla riskeillä on nimetyt omistajat.

Riskien arvioinnissa on otettava huomioon kaikki asiaan kuuluvat tekijät, erityisesti

seuraavat:

• Tietojen turvallisuusluokka ja salassapitoperuste;
• Tietojen käsittely- ja säilytystapa sekä määrä ottaen huomioon, että tietojen suuri määrä tai kokoaminen yhteen voi edellyttää tiukempien riskienhallintatoimenpiteiden soveltamista;
• Tietojen käsittely- ja säilytysaika
• Tietojen käsittely- ja säilytyspaikan ympäristö: rakennuksen ympäristö, sijoittuminen rakennuksessa, tilassa tai sen osassa;
• Hälytystilanteisiin liittyvä vasteaika
• Ulkoistetut toiminnot, kuten huolto-, siivous-, kiinteistö- ja turvallisuuspalvelut
• Tiedustelupalvelujen, rikollisen toiminnan ja oman henkilöstön muodostama arvioitu uhka tiedoille

Lainsäädäntöjohdannaisilla riskeillä viitataan eri maiden lainsäädännössä oleviin mahdollisuuksiin velvoittaa palveluntarjoaja toimimaan yhteistyössä kyseisen maan viranomaisten kanssa, ja tarjoamaan esimerkiksi suora tai epäsuora pääsy palvelun asiakkaiden salassa pidettäviin tietoihin. Lainsäädäntöjohdannaiset riskit voivat ulottua sekä salassa pidettävän tiedon fyysiseen sijaintiin sekä muun muassa toisesta maasta käsin hallintayhteyksien kautta toteutettavaan tietojen luovutukseen. Lainsäädäntöjohdannainen tietojen luovuttaminen ja tutkimusoikeus on useissa maissa rajattu koskevaksi poliisia sekä tiedusteluviranomaisia.

Riskienarvioinnin tulisi kattaa lainsäädäntöjohdannaiset riskit vähintään seuraavien tekijöiden osalta:

• Palvelussa käsiteltävän tiedon fyysinen sijainti koko tiedon elinkaaren ajalta, kattaen myös mahdolliset alihankinta- ja ulkoistusketjut.
• Palvelun eri toimintojen (esimerkiksi ylläpito- ja hallintaratkaisut, varmistukset) ja komponenttien fyysinen sijainti koko tiedon elinkaaren ajalta.
• Mahdolliset muut palvelun tuottamiseen osallistuvat tahot, esimerkiksi mahdolliset alihankinta-ja ulkoistusketjut.
• Palvelun käyttöön ja palvelussa käsiteltäviin tietoihin sovellettava lainsäädäntö ja oikeuspaikka.
• Toimijat, joilla voi sovellettavasta lainsäädännöstä johtuen olla pääsy palvelussa käsiteltäviin tietoihin.

Organisaation tulee varmistaa, että lainsäädäntöjohdannaiset riskit eivät rajoita palvelun soveltuvuutta sen käyttötarkoitukseen. Lainsäädäntöjohdannaisten riskien arvioinnissa on otettu huomioon koko palvelun tuottamisessa käytetty toimitusketju, ja niiden valtioiden säännökset, joiden mukaisesti palvelua tuotetaan sekä riski tietojen oikeudettomasta paljastumisesta näiden valtioiden viranomaisille.

Tietoturvariskien hallintaa toteuttaessaan organisaation on tunnistettava käsittelyä vaativat riskit ja määriteltävä näille käsittelysuunnitelmat, jotka usein koostuvat uusista tietoturvallisuustoimenpiteistä.

Organisaatio on määritellyt, kuinka säännöllisesti arvioidaan kokonaisuutena määriteltyjä käsittelysuunnitelmia ja niiden oikeasuhtaisuutta riskeille täytettyihin arvioihin (riskin vakavuus ja todennäköisyys) verrattuna.

The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.

The organization shall establish a description of the procedures for risk management processes and it has to be approved. The organization must agree about it with the organization's stakeholders.

As part of the security risk assessment, the organization shall make assessments of the severity and probability of the risk materializing.

The organization shall have a clearly instructed risk scale that allows each participant in the risk assessment to decide on the appropriate level of severity and probability.

Organisation has defined how information security aspects are integrated into used project management methods. Methods in use should require:

• Project’s information security related risks are identified, evaluated and treated at an early stage of the project
• Project’s information security related risks are reviewed if necessary
• Responsibility for project’s information security is clearly attached to certain project roles

The organization has to exercise executing the catastrophe plan annually or always when there are significant changes to the plan.

If possible local authorities should be included in the exercise.

The organisation has to evaluate the impact of business disruptions and risks. Based on this evaluation the organisation must prioritize themes in continuity planning to focus on the important risk related issues.

The organization must take into account risk management procedures results when planning internal audit topics and execution, and when executing audits.

From the point of view of the information security management system, non-conformities are situations in which:

• the organisation's security requirements are not matched by the management system
• the procedures, tasks or guidelines defined in the management system are not complied with in the organisation's day-to-day operations

In systematic security work, all detected non-conformities must be documented. To treat the non-conformity, the organization must identify and implement improvements that correct it.

In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.

Järjestelmällisessä turvallisuustyössä muutosten vaikutukset on arvioitava ennakkoon, muutokset on dokumentoitava selkeästi ja toteutettava systemaattisesti.

Suojaustasolla II muutostenhallinnassa käytetään seuraavia toimintatapoja:

• Tietojenkäsittelyyn liittyviin muutoksiin on määritelty muutoksenhallintamenettely (esim. määrittely, dokumentointi, riskien arviointi ja hallinta). Muutokset ovat jäljitettävissä.
• Verkot, järjestelmät ja niihin liittyvät laitteet, ohjelmistot ja asetukset on dokumentoitu siten, että muutokset hyväksyttyyn kokoonpanoon pystytään havaitsemaan vertaamalla toteutusta dokumentaatioon.
• Tietojenkäsittely-ympäristöjä tarkkaillaan luvattomien muutosten tai laitteistojen havaitsemiseksi.
• Laitteistot suojataan luvattomien laitteiden (näppäilynauhoittimet ja vastaavat) liittämistä vastaan.

Järjestelmällisessä turvallisuustyössä muutosten vaikutukset on arvioitava ennakkoon, muutokset on dokumentoitava selkeästi ja toteutettava systemaattisesti.

Suojaustasoilla IV-III muutostenhallinnassa käytetään seuraavia toimintatapoja:

• Tietojenkäsittelyyn liittyviin muutoksiin on määritelty muutoksenhallintamenettely (esim. määrittely, dokumentointi, riskien arviointi ja hallinta). Muutokset ovat jäljitettävissä.
• Verkot, järjestelmät ja niihin liittyvät laitteet, ohjelmistot ja asetukset on dokumentoitu siten, että muutokset hyväksyttyyn kokoonpanoon pystytään havaitsemaan vertaamalla toteutusta dokumentaatioon.
• Tietojenkäsittely-ympäristöjä tarkkaillaan luvattomien muutosten tai laitteistojen havaitsemiseksi.

Organisaatio ylläpitää luetteloa salassa pidettävän tiedon käsittelyä edellyttävistä työtehtävistä. Pääsyoikeus salassa pidettävään tietoon myönnetään vasta, kun henkilön työtehtävistä johtuva tiedonsaantitarve on selvitetty. Luettelo sisältää tiedon salassa pidettävien tietojen käsittelyoikeuksista suojaustasoittain.

Organization assesses cyber security risks by responding to situations where security has been mildly or severely compromised. The documentation shall include at least the following:

• Description of the incident
• Risks associated with the incident
• New tasks introduced as a result of the incident
• Other measures taken due to the incident

The ISMS should monitor the implementation of the tasks and guidelines recorded therein.

The task owner should regularly review the implementation status of the ISMS as a whole.

Top management of the organization is responsible for:

• the organization having security principles approved by the top management, which describe the connection of the organization's information security measures to the organization's operations
• the security principles being comprehensive and appropriate in terms of protecting classified information
• security principles guiding information security measures
• the organization having organized sufficient monitoring of compliance with obligations and instructions related to information management of security-classified information.

Management support, guidance and responsibility are manifested in the fact that the organization has security principles approved by top management, which describe the connection of the organization's information security measures to the organization's operations. This shows that the management is committed to the organization's safety principles and that the principles represent the will of the management and support the organization's operations. The principles can be described in many different ways, for example as a single document, as part of general operating principles, policy or strategy.

The responsibility for the organisations ICT risk management should be assigned to a function that has a level of independence to conduct the risk management without conflicts of interest.

The independence of the risk management and segregation of management, control and audit functions needs to be ensured.

The organisation must enable asset based risk management from the ISMS settings.

Asset-based risk management should be set to cover all needed asset types with high enough criticality. The asset based risk management should be used at least for:

• System providers
• Data systems
• Data stores
• Other stakeholders
• Other assets

The organization plans and prioritizes measures related to the identification and assessment of information security risks based on the classification of data sets.

Choose the right method for risk assessment. There are a number of different methods for identifying and assessing risk. It is important that the organisation chooses a method that makes risk assessments manageable and allows one to identify, discuss and manage the most significant risks. Examples of different methods/frameworks include ISO/IEC 27005, NIST SP 800-30 and Octave Allegro.

Strategic opportunities can address the organization's cybersecurity risks and enhance the overall strategic positioning. Identify and include them into the organizational cybersecurity risk discussions for example by the following:

• Define methods for identifying and integrating the strategic opportunities, such as the SWOT analysis
• Identify and document organization's stretch goals and align organization’s risk management procedure with them
• Calculate, document, and prioritize positive risks alongside negative risks, ensuring both are considered in decision-making processes

The organization has a defined cybersecurity risk management policy and it has been communicated to relevant stakeholders and been approved by the top management. The policy should include at least:

• Basis for setting the risk management requirements and objectives based on the organizational context
• Commitment to the cyber security risk management system
• Strategic directions of the risk management process
• Overview of the roles and responsibilities for risk management

The policy should be kept updated, reviewed periodically and reflect organizational changes. The task owner should also ensure that the policy is understandable and available to all parties.

Organization has defined procedures on measuring and evaluating the performance of the risk management strategy and the outcomes of occurred risks.

• The strategy and outcomes should be evaluated against factors such as how well the strategy has helped the management to make decisions and achieve organizational objectives, and whether the strategies or policies should be adjusted.
• The risk management strategy should be periodically reviewed for organizational internal (e.g. risk tolerance and policies) and external (e.g. laws and regulations) compliance, also taking the occurred cybersecurity incidents into account here.
• The organizational risk management performance is measured and reviewed with key performance indicators (KPIs), key risk indicators (KRIs) and other metrics to adjust the risk management process when needed.

The results are communicated to the top management and other relevant stakeholders, and the necessary actions and adjustments are performed.

The organization develops tailored assessment criteria for service providers based on their classification, incorporating standardized reports, customized questionnaires, and, when necessary, on-site audits to evaluate providers' security and compliance.

The organization regularly reassess service provider compliance, monitor release notes, implement dark web surveillance, integrate centralized dashboards, maintain open communication, establish incident response protocols, and annually update monitoring practices to ensure ongoing alignment with security standards and address any potential risks.

The organization assembles a skilled threat modeling team, map the application architecture, identify potential entry points, assess risks, develop threat scenarios and mitigation strategies, document and prioritize findings, and regularly update threat models to enhance application security

The organization must take into account the risks caused by partners when managing information security risks. If necessary, separate theme-specific risk assessments can be made for critical partners.

The organization has an operating model for continuously improving the functionality and efficiency of the risk management process.

In the improvement, it is possible to use e.g. general standards (e.g. ISO 27005) or feedback from people involved in risk management.

After risk treatment, the organization assesses the remaining level of residual risk per risk.

Regarding the residual risk, clear decisions are made by the risk owner to either close the risk or return the risk to the processing queue.

The organization's risk outlook is reported to the organization's management regularly and at least once a year.

The organization has to have rules for urgent emergencies when following the rules allows for deviating from standard change management procedures.

The rules should include references and comparisons to the normal change management procedures and for example needed evidence for the reason for deviation from normal procedure.

The organization has to have pre-planned means of detecting non-compliance with the change management procedure.

If a deviation from the change management procedure is detected, it should be addressed in accordance with the disruption management process.

Organisation carries out data security auditing regularly. Auditing is used to identify e.g. problems and development needs in data systems and system providers activity.

Important auditing partners should be listed on Other stakeholders -list.