Management process for approved software

Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.

Data system documentation must include at least:

• System purpose and linked responsibilities
• System's data location (covered in a separate task)
• System's maintenance and development responsibilities and linked partners (covered in a separate task)
• When necessary system's access roles and authentication methods (covered in a separate task)
• When necessary systems interfaces to other systems (covered in a separate task)

Organization must define (in addition to more detailed practices regarding supplier responsibilities, incidents and the procurement of cloud services) the general principles for managing information security risks related to the use of cloud services.

Principles must take into account e.g.:

• how to utilize security features made possible by service providers
• how to demand evidence of security measures implemented by service providers
• what factors must be taken into account in own operations when utilizing a large number service providers
• considering use of cloud services in own information security risk management process
• procedures for ending the use of cloud services

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Organisation has a process to review and approve software before installation or use. Process includes at least:

• Assess limited approval: Verifying if the software is approved for specific use-cases or roles within the organization.
• Check conformance: Ensuring the software meets the organization's information security requirements.
• Verify software use rights and licensing: Confirm that the software has the appropriate licensing for its intended use.
• Evaluate source and reputation: Assess the credibility and reputation of the software vendor or source.

This process should include the selection of special purpose software e.g. maintenance tools.

The organization's information systems and hardware are comprehensively covered by systems management. Through system management, it is possible to e.g. automatic updates.

Reviews and other verification actions e.g. during audits, that target data systems, must be planned in advance and agreed with the appropriate testers and management. This aims to minimize the impact of actions on operational processes.

When planning practices, the following points must be taken into account:

• inspection requests are approved with the appropriate responsible person
• the scope of technical tests is agreed in advance and their the implementation is monitored
• tests are restricted to read-only use as far as possible or are only implemented by experienced system administrators
• fulfilment of security requirements is ensured in advance on devices that require access to systems
• tests that may affect the availability of important systems, are performed outside office hours
• the actions taken during the inspections and the access rights granted for them are recorded in a log

Käsiteltäessä samalla varmistusjärjestelmällä eri omistajien tietoja, tarkastusoikeuden mahdollistavat erottelumenettelyt on toteutettava varmistusjärjestelmän liittymien ja tallennemedioiden osalta (esim. omistaja-/hankekohtaiset eri avaimilla salatut nauhat, joita säilytetään asiakaskohtaisissa kassakaapeissa/kassakaappilokeroissa).

Jos palvelulla on saatavuus vaatimuksia, seurataan sen saatavuutta valvontajärjestelmällä. Valvontajärjestelmän tulee lähettää hälyttää havaitusta saatavuuspoikkeamista.

The organisation must ensure the availability of information systems throughout their entire lifecycle. For this reason, the availability requirements of different information systems (especially the maximum time a system can be out of service, recovery time objective, and recovery point objective) must be met.

The implementation of availability requirements must take into account the load endurance, fault tolerance, and recovery time required from the information system.

Additionally, the need for procedures that protect availability has been identified, and procedures have been implemented with customized protections for critical systems. These protections may include, for example, redundancy of key network connections, hardware, and application execution environments.

Tietojärjestelmiin ja verkkoihin liittyvää turvallisuusdokumentaatiota ylläpidetään ja sitä kehitetään jatkuvasti tärkeänä osana yleistä muutostenhallintaprosessia.

Olennaisilla tietojärjestelmillä tarkoitetaan sellaisia tietojärjestelmiä, jotka ovat kriittisiä viranomaisen lakisääteisten tehtäviä toteuttamisen kannalta erityisesti hallinnon asiakkaille palveluja tuotettaessa.

Toiminnallisella käytettävyydellä tarkoitetaan tietojärjestelmän käyttäjän kannalta sen varmistamista, että tietojärjestelmä on helposti opittava ja käytössä sen toimintalogiikka on helposti muistettava, sen toiminta tukee niitä työtehtäviä, joita käyttäjän pitää tehdä tietojärjestelmällä ja tietojärjestelmä edistää sen käytön virheettömyyttä.

• Organisaatio tunnistaa ja luetteloi tehtävien hoitamisen kannalta olennaiset tietojärjestelmät esimerkiksi osana suojattavien kohteiden luettelointia ja tiedon luokittelua.
• Organisaatio määrittelee olennaisten tietojärjestelmien saatavuuskriteerit, joita vasten vikasietoisuus voidaan testata. Järjestelmäkohtaisten saatavuuskriteerien määrittelyssä voidaan hyödyntää tietojärjestelmien saatavuusluokittelua.
• Organisaatio määrittelee toiminnallisen käytettävyyden kriteerit.
• Organisaation hankintaprosesseissa ja hankintaohjeissa on huomioitu toiminnalliseen käytettävyyteen ja vikasietoisuuteen liittyvät vaatimukset.
• Organisaatio dokumentoi vikasietoisuuden testaukset.

Orgaisaation on myös varmistettava digitaalisten palveluiden saavutettavuus lainsäädännön edellyttämässä laajuudessa:

Saavutettavuus tarkoittaa sitä, että mahdollisimman moni erilainen ihminen voi käyttää verkkosivuja ja mobiilisovelluksia mahdollisimman helposti. Saavutettavuus on ihmisten erilaisuuden ja moninaisuuden huomiointia verkkosivujen ja mobiilisovelluksien suunnittelussa ja toteutuksessa. Saavutettavan digipalvelun suunnittelussa ja toteutuksessa pitää huomioida kolme osa-aluetta: tekninen toteutus, helppokäyttöisyys ja sisältöjen selkeys ja ymmärrettävyys.

The organization must utilize mechanisms like:

• Failsafe, to minimize damage in case of an issue
• Load balancing to reduce risk for issues
• Hot swappable components

The organization utilizes the principle of least functionality in deploying and configuring systems. Systems must not have rights to anything that is not needed to accomplish what they are intended for.

Critical admin operations mean operations where a failure can cause unrecoverable damage to assets in the cloud computing environment.

Critical admin operations may include e.g. changes related to virtualized devices (e.g. servers, networks, storage), termination procedures, backup and restoration.

If a data system includes regular critical admin operations, these are documented. Also the procedures for carrying out critical admin operations are documented beforehand in needed detail for all utilized data systems.

Whenever a critical admin operation is carried out, a supervisor named in the documentation monitors the operation.

The organisation has to make sure that all of it’s licensed software are:

• actively supported
• removed from devices when no longer supported
• configured to automatically update, if possible

The organisation must make sure unnecessary software like application, system utilities and network services are removed.

The organization shall regularly review the technical compliance of the data systems with the organisation's requirements.

The review may use manual implementation by experienced professionals or automated tools (including intrusion testing).

The technical review shall always be planned and carried out by competent and pre-approved staff.

The organization maintains documentation of interfaces and other connections between data system and the data transmission methods used in the interfaces.

The documentation concerning the interfaces shall be reviewed regularly and after significant changes to data systems.

Organisation should:

• Identify and list the types of software to be managed, including firmware, operating systems, applications, libraries, and device drivers.
• Ensure that repositories for managed software are created and maintained.
• Implement security measures to protect the software repositories from unauthorized access and manipulation.
• Conduct regular reviews to ensure that all software in use remains approved and meets the organization’s security and operational standards.
• Keep an updated record of all software versions and their respective patch levels to ensure that all software is up-to-date and secure.

The organisation must have a defined requirements for conducting audits on IT systems or for a service conducting the audit. In addition the following must be taken into account:

• Definition of scope of system audit in a timely manner
• The audits must be coordinated with the operators and users of the system
• The audit results are stored in a traceable manner and reported to relevant management
• The results must be analyzed to derive new measures based on the results

Ensure the security of connections with external systems by verifying and documenting them in formal agreements. Review current connections with their security measures, within documented agreements such as:

• Service Level Agreement (SLA)
• Data Processing Agreement (DPA)
• Non-Disclosure Agreement (NDA)
• Interconnection Security Agreement (ISA)
• Third-Party Risk Management Agreement

Establish and maintain a comprehensive security architecture. The following functionality should be implemented into the ICT system:

• Functionality for managing users and accounts
• Functionality for staying in control of devices (e.g. clients)
• Functionality for managing access to resources and services
• Functionality for controlling software execution and software installation (especially on clients)
• Tools for operating and virtualising all or parts of the ICT architecture (on-prem and cloud)
• Network devices (switches, routers, access points) and firewalls
• Mechanisms for dealing with malware (antivirus)
• Cryptographic modules
• Digital certificates and public key infrastructure (PKI)
• Databases
• Tools for system monitoring
• Tools for managing security configurations
• Intrusion detection (IDS) and protection (IPS) systems
• Backup and restore

Design the ICT system using ICT products which integrate well. This means that:

• Used ICT products should be module-based. (The principle of least functionality in systems)
• Used ICT products should comply with the industry standards
• Products and security functionality (also from different vendors) should work well together from a security perspective. These products should reuse identities taken from shared database of organisations identities.

Design the ICT system using ICT products which integrate well. This means that:

• Used ICT products should be module-based. (The principle of least functionality in systems)
• Used ICT products should comply with the industry standards
• Products and security functionality (also from different vendors) should work well together from a security perspective. These products should reuse identities taken from shared database of organisations identities.

Map the flow of information between work processes, users, devices and services. This mapping helps the organisation to understand the flow of information better.

Organisations should have a clear plan detailing how phase-outs are managed. This plan should include, e.g., the processes involved and how transition to a new product is handled.

If the ICT product doesn't have the recent security functions and protocols, it shouldn't be used and should be phased out.

Phase-outs should be planned in advance, before the provider drops product support, to ensure the use of the latest security functions and protocols. For example, some older applications might have the latest security functions, but do not work well with newer exploit protections. In this scenario, exceptions should be made to avoid deactivating the protection entirely, but it is essential to remember that the phase-out process is likely to be relevant in the near future.

After the phase-out, it is important to evaluate the processes and document the lessons learned for the future.

When performing maintenance on ICT products, physical provider access should be regulated and monitored.

Software products should only be downloaded from the provider’s official website (only via HTTPS). This ensures the integrity and legitimacy of the software. The organisation should keep all installation software in file folders that only those responsible for software installation have write access to.

Organization defines processes and means to ensure the confidentiality, integrity and availability of the data in use. These processes can include for example:

• Removing confidential data from processors, memory and cache immediately after it is no longer needed to minimize exposure risks
• Ensuring that data in use is isolated and protected from unauthorized access by other users or processes on the same platform
• Applying hardware-based protections (e.g., Trusted Execution Environments or Secure Enclaves) to prevent tampering or unauthorized access to sensitive data while it is being processed
• Limiting the exposure of data to only those who require it

The organization ensures that authorized software is supported by:

• conducting regular reviews of the software inventory designating only vendor-supported software as authorized
• documenting exceptions with mitigating controls
• risk acceptance for necessary unsupported software
• identifying unauthorized software without exceptions
• implementing risk management measures like network segmentation and enhanced monitoring

The organization has developed an asset management strategy that involves comprehensive and regularly updated inventories of all physical, virtual, remote, and cloud-connected assets. The asset management strategy includes external assets, utilizing automated tracking tools to ensure accuracy and compliance with data protection regulations.

The organization has developed data management framework by classifying data sensitivity levels, segregating processing environments, implementing strict access controls, and establishing detailed handling protocols, all of which are regularly reviewed.

The organization has implemented a host-based Data Loss Prevention (DLP) tool that monitors sensitive data across all enterprise assets, including remote ones, integrates with data inventory systems for real-time tracking, generates alerts for unauthorized data actions, and undergoes regular audits to ensure its effectiveness.

The organization has instituted automatic account monitoring and deactivation processes with a 45-day inactivity threshold, complemented by regular reviews and user notifications prior to deactivation, ensuring effective account management and security policy adherence.

The organization has enhanced account management and security by implementing a central directory service with integrated single sign-on, standardized provisioning, centralized access control, and improved audit and reporting capabilities.

The organization has implemented a risk-based remediation strategy that prioritizes actions based on impact, is documented for consistency, undergoes monthly reviews for effectiveness, allocates resources efficiently based on risk assessments, and engages stakeholders for comprehensive support.

The organization enhances security by deploying dedicated workstations and virtual desktop infrastructure for administrative tasks, employing network segmentation, restricting internet access, implementing strict access controls, and using hardened operating systems.

The organization strengthens service provider management by developing a classification framework based on role, criticality, and access to sensitive data, maintaining a detailed inventory, and conducting regular assessments and due diligence. Continuous monitoring of performance and compliance, clear decommissioning procedures, and regular policy updates ensure alignment with security requirements, organizational goals, and the evolving threat landscape.

Inspections and re-inspections regarding information security are important to be performed periodically during the normal operation of the data processing environment, in connection with maintenance procedures and when exceptional situations occur.

The organization has defined the time limits and events according to which information security inspections are performed.

The organization must ensure that information systems are installed, maintained and updated only by personnel who have the necessary skills and expertise. In addition, the role and responsibilities of the person who installs, maintains and updates information systems must be described in relation to the organization and the producer of the information system.

On average, the IT administrator estimates that staff use about 50 cloud services when the actual number is 1,000. Many of these are important for staff productivity and are used outside the organization’s network, so firewall rules do not solve the challenge.

Systems that focus on identifying and managing cloud services allow you to identify the cloud services used by your staff and monitor users of different services. This helps e.g.:

• determine our own level of risk with respect to data in cloud services
• review used services in regard to security
• be able to report as required, e.g. on the location of data and data processors

Organisations should have a clear plan detailing how phase-outs are managed. This plan should include, e.g., the processes involved and how transition to a new product is handled.

If the ICT product doesn't have the recent security functions and protocols, it shouldn't be used and should be phased out.

Phase-outs should be planned in advance, before the provider drops product support, to ensure the use of the latest security functions and protocols. For example, some older applications might have the latest security functions, but do not work well with newer exploit protections. In this scenario, exceptions should be made to avoid deactivating the protection entirely, but it is essential to remember that the phase-out process is likely to be relevant in the near future.

After the phase-out, it is important to evaluate the processes and document the lessons learned for the future.