Managing compromised encryption keys

Other tasks from the same security theme

Encryption key inventory and management system
Theme: Technical cyber security
Policy: Encryption
Other requirements: 11

Examples of other requirements this task affects:
  • 10: Cryptography (ISO 27017)
  • 10.1: Cryptographic controls (ISO 27017)
  • 10.1.2: Key management (ISO 27017)
  • 21.2.h: Encryption (NIS2)
  • CC6.1c: Technical security for protected information assets (SOC 2)

1. Task description

The cryptographic key management system (CKMS) handles, manages, stores, and monitors encryption keys. The management system can be implemented as an automated tool or as a more manual procedure.

The organization must have the means to monitor and report on all cryptographic material and its status using the key management system. The cryptographic key management system should be used at least to:

  • Track changes to cryptographic key states
  • Generate and distribute cryptographic keys
  • Generate public-key certificates
  • Monitor unidentified encrypted assets
  • Catalog, archive, and back up encryption keys
  • Maintain a database of the connections between the organization's certificate and encryption key structures

Encryption of laptops
Theme: Technical cyber security
Policy: Encryption
Other requirements: 17

Examples of other requirements this task affects:
  • 10.1.1: Policy on the use of cryptographic controls (ISO 27001)
  • 6.6.4: Security of physical premises, equipment and printouts (Omavalvontasuunnitelma)
  • TEK-18.1: Remote use - encryption of data and data communications (Julkri)
  • 8.24: Use of cryptography (ISO 27001)
  • 21.2.h: Encryption (NIS2)

1. Task description

Laptops are protected by full-disk encryption.

Encryption of backup data
Theme: Technical cyber security
Policy: Encryption
Other requirements: 18

Examples of other requirements this task affects:
  • 12.3: Backup (ISO 27001)
  • 10.1.1: Policy on the use of cryptographic controls (ISO 27001)
  • 12.3.1: Information backup (ISO 27001)
  • TEK-20: Backups (Julkri)
  • 8.13: Information backup (ISO 27001)

1. Task description

When the confidentiality of backups is important, backups are protected by encryption. The need to encrypt backups is emphasized when backups are stored in a physical location whose security policies are unknown.

Verifying achieved protection level from used cryptographic procedures
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • 5.1.1: Cryptography management (TISAX)

1. Task description

All cryptographic procedures in use must be able to provide the security needed for their respective field of application according to industry best practice. The fields include, for example:

  • Encryption
  • Signatures
  • Hash algorithms
  • Protocols

Additional requirements for encrypting information (TL I)
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • TEK-16.5: Encryption of information - TL I (Julkri)

1. Task description

When encryption solutions are used to protect TL I information (e.g. for hard disk encryption or for separating the information of different owners), it must be taken into account that approved encryption solutions reliable enough to protect TL I information are available only to an extremely limited extent.

In these situations, encryption solutions are as a rule only in a supporting role to other protections, especially physical access control. For transferring information between security areas, courier procedures, for example, can be relied on.

Additional requirements for encrypting information (TL III)
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • TEK-16.4: Encryption of information - TL III (Julkri)

1. Task description

Electronic information of security class III may be stored on a terminal device meeting that security class outside a security area when the following conditions are met:

  • the information is protected with an encryption solution sufficiently secure for the security class in question
  • the information security of the terminal device has been ensured with adequate procedures

Encrypting security-classified information when transferred outside security areas (TL IV)
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • TEK-16.2: Encryption of information - transfer of security-classified information outside security areas (Julkri)

1. Task description

Especially in protecting security-classified information, the need to use encryption solutions whose adequate security is backed by reliable evidence is emphasized. Purely software-based encryption solutions are typically acceptable for class IV and, in some situations and under special conditions, also for class III. For class II, and in most cases also for class III, more is typically required of the trustworthiness of the platform.

When security-classified information is transferred outside approved physically protected security areas, the information or data communication is encrypted with a sufficiently secure method. In addition, the transfer must be arranged so that the recipient is verified or identified in a sufficiently secure manner before the recipient can access the transferred security-classified information.

The approval process for encryption solutions is described in more detail in the National Cyber Security Centre's (Kyberturvallisuuskeskus) guideline on the evaluation and approval of cryptographic products.

Separation and encryption of security-classified information (TL IV)
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • TEK-07.4: Management of access rights - separation of security-classified information (Julkri)

1. Task description

Information of each security class is kept separate from public information and from information of other security classes, or information of different levels is handled according to the highest security class.

On servers, workstations and other storage media, security-classified information is stored encrypted with a sufficiently secure method if encryption is used to separate the information of different information owners who reserve the right of inspection, and/or if the storage media are taken, during their life cycle, outside a security area approved for storing that security class.

Encryption of information in wireless data transmission (TL IV)
Theme: Technical cyber security
Policy: Encryption
Other requirements: 2

Examples of other requirements this task affects:
  • TEK-05.1: Wireless data transmission - encryption (Julkri)
  • I-05: Transfer of protected information outside physically protected areas - wireless data transmission (Katakri 2020)

1. Task description

In wireless data transmission, communication is encrypted with an encryption solution that is sufficiently secure for the respective security class. If necessary, the encryption solution must be approved by the competent authority.

For example, the traffic can be tunneled with a secure VPN solution, or an application-level encryption solution can be used.

  • Wireless data transmission outside the physically protected area is encrypted as required.
  • Wireless data transmission taking place inside a physically protected area (e.g. wireless peripherals) that is protected to a lower level than the requirements call for can be accepted, if it can be ensured that the confidentiality of the information is not compromised through these connections.
  • Devices that include wireless connections of a lower security level are not connected to the environment.

Security of management connections containing security-classified information (TL IV)
Theme: Technical cyber security
Policy: Encryption
Other requirements: 2

Examples of other requirements this task affects:
  • TEK-04.7: Management connections - encryption within a security class (Julkri)
  • I-04: Secure interconnection of information processing environments - management connections (Katakri 2020)

1. Task description

When management traffic travels within the security class in question, lower-level encryption or unencrypted transfer may be used based on the results of the risk management process.

Security of management connections containing security-classified information (TL IV)
Theme: Technical cyber security
Policy: Encryption
Other requirements: 2

Examples of other requirements this task affects:
  • TEK-04.6: Management connections - management connections containing security-classified information (Julkri)
  • I-04: Secure interconnection of information processing environments - management connections (Katakri 2020)

1. Task description

When management traffic contains security-classified information and passes through an environment of a lower security class, the security-classified information is encrypted with a sufficiently secure cryptographic product.

Encryption solution and guidelines for personnel to encrypt transferred information
Theme: Technical cyber security
Policy: Encryption
Other requirements: 5

Examples of other requirements this task affects:
  • TEK-16: Encryption of information (Julkri)
  • 21.2.h: Encryption (NIS2)
  • 9.8 §: Encryption (Kyberturvallisuuslaki)

1. Task description

The organization's personnel are offered a solution to protect unclassified confidential information with encryption when information is transferred outside of physically protected areas via the network. The solution has no known vulnerabilities and, according to the information received from the manufacturer, it supports modern encryption strengths and settings.

The staff's competence in the safe use of the encryption solution has been ensured (for example, instructions, training and supervision).

Encryption of wireless connections
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • TEK-05: Wireless data transmission (Julkri)

1. Task description

When wireless connections are used instead of physical ones (e.g. WLAN, Bluetooth), the connection is interpreted as leaving the protected area.

In this case, the wireless communication is encrypted with an encryption solution that has no known vulnerabilities and that, according to information received from the manufacturer, supports modern encryption strengths and settings.

Data transfer also includes traffic between peripherals and terminals, i.e. wireless mice, keyboards and headphones. Wireless data transmission taking place inside a physically protected area (e.g. wireless peripherals) that is protected to a lower level than the requirements call for can be accepted, if it can be ensured that the confidentiality of the information is not compromised through these connections.

Encryption of management connections in public networks
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • TEK-04.2: Management connections - encryption of the management connection (Julkri)

1. Task description

Management traffic in public networks is encrypted with a method suitable for the use case, preferring standardized encryption solutions and protocols whose correct operation has been verified (validated).

Encryption outside security areas
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • TEK-01.4: Structural security of the network - encryption outside security areas (Julkri)

1. Task description

Traffic leaving a controlled physical security area is encrypted with a sufficiently secure encryption solution.

Encryption in public networks
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • TEK-01.1: Structural security of the network - encryption in public networks (Julkri)

1. Task description

In public networks, data communication containing confidential information is encrypted with an encryption solution that has no known vulnerabilities and that, according to information received from the manufacturer, supports modern encryption strengths and settings; alternatively, the transfer is carried out using an otherwise protected data transfer connection or method.

Protection of data in transit
Theme: Technical cyber security
Policy: Encryption
Other requirements: 14

Examples of other requirements this task affects:
  • PR.DS-2: Data-in-transit (NIST)
  • 21.2.h: Encryption (NIS2)
  • Article 9a: Protection (DORA)
  • 5.1.2: Information transfer (TISAX)
  • 9.8 §: Encryption (Kyberturvallisuuslaki)

1. Task description

The data to be transmitted must be protected using cryptographic methods. The protection of the confidentiality and integrity of the data transmitted applies to the internal and external network and to all systems that can transmit data. These include:

  • Servers
  • Computers
  • Mobile devices
  • Printers

The data to be transferred can be protected by physical or logical means.

  • Physical protection is obtained from a protected distribution system, such as an optical fibre line, which has sufficient protection to prevent e.g. electromagnetic leakage and controls to prevent its unauthorized use.
  • Logical protection is achieved with strong encryption of communications.

Descriptions of used cryptography in relation to offered cloud services
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects:
  • 18.1.5: Regulation of cryptographic controls (ISO 27017)

1. Task description

When offering cloud services, the organisation should provide descriptions of the cryptographic controls implemented to the cloud service customer for reviewing compliance with applicable agreements, legislation and regulations.

Compliance of used cryptographic controls in relation to applicable requirements
Theme: Technical cyber security
Policy: Encryption
Other requirements: 4

Examples of other requirements this task affects:
  • 18.1.5: Regulation of cryptographic controls (ISO 27001)
  • 18.1.5: Regulation of cryptographic controls (ISO 27017)
  • 5.31: Legal, statutory, regulatory and contractual requirements (ISO 27001)
  • 2.7.1: Establish crypto strategy in the organisation (NSM ICT-SP)

1. Task description

The organisation should verify that the set of cryptographic controls that apply to the use of its data systems complies with relevant agreements, legislation and regulations.

Considering encryption and cryptographic key management in risk management procedures
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

The organization's risk management procedure has to take into account the identification, assessment, handling and monitoring of risks related to cryptographic key management.

Managing compromised encryption keys
Theme: Technical cyber security
Policy: Encryption
Other requirements: 2

Examples of other requirements this task affects:
  • 2.7.1: Establish crypto strategy in the organisation (NSM ICT-SP)

1. Task description

The organization must have the means to handle compromised encryption keys. Compromised cryptographic keys may be in a state where they are awaiting further investigation to determine the appropriate course of action.

The handling of compromised cryptographic keys shall take into account at least the following:

  • Compromised encryption keys should generally be used only for decryption, not for encryption, and only in a controlled environment
  • Compromised keys should be included in the organization's compromised key lists
  • The immediate revocation of compromised encryption keys should be subject to the organization's emergency revocation processes

Encryption key recovery
Theme: Technical cyber security
Policy: Encryption
Other requirements: 2

Examples of other requirements this task affects:
  • 2.7.1: Establish crypto strategy in the organisation (NSM ICT-SP)

1. Task description

Recovering an encryption key means rebuilding the encryption key using backups or archives.

The organization must have the means to weigh the risk of disclosure of the encryption key or the encrypted data against the risk to business continuity if the encryption key is lost.

Encryption key archival
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

Encryption key archiving refers to the long-term secure storage of encryption keys. Archived keys can be useful for data recovery later.

The organization must have the means to manage encryption keys in a secure archive that operates on the principle of least privilege.

Encryption key archiving should include at least:

  • Keys that are no longer needed for data recovery are not archived but destroyed immediately
  • Encryption key archives should only be used for long-term storage of encryption keys
  • Data about archiving and recovering encryption keys is stored
  • All related events are stored in the cryptographic key management system

Encryption key temporary revocation
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

The organization must have technical measures to monitor, review and approve key transitions from any state into suspension and back.

In the temporary suspension of encryption keys, the following must be taken into account:

  • Temporarily suspended keys must not be used to encrypt data; they can be used for decryption
  • An encryption key should be suspended if there is a possibility that its integrity has been compromised
  • Before moving a key back from suspension, the reasons for the suspension should be investigated

Deactivating encryption keys
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

The organization must have the means to deactivate encryption keys when they expire.

Deactivation of encryption keys must take into account at least:

  • Deactivated encryption keys are not used for encryption after expiration, but can be used for decryption
  • Deactivated encryption keys must be destroyed when they are no longer needed
  • Metadata may need to be retained for audit purposes
  • Actions must be logged in the encryption key management system

Activation of encryption keys
Theme: Technical cyber security
Policy: Encryption
Other requirements: 3

Examples of other requirements this task affects:
  • 2.7.1: Establish crypto strategy in the organisation (NSM ICT-SP)
  • 2.7.2: Activate encryption in services which offer such functionality (NSM ICT-SP)

1. Task description

The organization must have the means to generate encryption keys in a pre-activated state, i.e. when the key has been generated but not yet approved for use.

When activating encryption keys, note the following:

  • An encryption key is moved from pre-activated to activated by setting the start date of its encryption period
  • Pre-activated encryption keys cannot be used for encryption
  • Pre-activated encryption keys can only be used for proving key management or for key validation
  • An encryption key in the pre-activated state should be destroyed if it is no longer needed

Destruction of encryption keys
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

The organization must have the means to destroy cryptographic keys stored outside the secure environment and to destroy keys stored in Hardware Security Modules (HSMs) when they are no longer needed.

When destroying encryption keys, the following factors must be taken into account to ensure that the data is not recoverable:

  • All copies of the encryption key must be destroyed
  • In view of the risks associated with disclosure, encryption keys that are no longer needed must be destroyed
  • Any legal requirements for data retention must be taken into account

Revoking encryption keys
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

The organization must have the means to revoke encryption keys before the end of the set encryption period. These measures are used, for example, when the integrity of the key is compromised or when the object of encryption leaves the organization.

Information about the revocation of the encryption key should be available to all parties who rely on the encryption key. In informing relevant stakeholders, it may be appropriate to use e.g. certificate revocation lists (CRLs).

Recycling encryption keys
Theme: Technical cyber security
Policy: Encryption
Other requirements: 2

Examples of other requirements this task affects:
  • 2.7.1: Establish crypto strategy in the organisation (NSM ICT-SP)

1. Task description

The organization must ensure that encryption keys are recycled (rotated) in accordance with the specified encryption periods. The risks of disclosure and statutory requirements must be taken into account when determining the encryption period.

When recycling encryption keys, the old key must first be used for decryption and then the new key for re-encryption.


Encryption keys provisioned for unique purpose
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

Encryption keys managed by the organization must be dedicated to a single, unique use.

When distributing encryption keys, at least the following must be considered:

  • Symmetric, asymmetric, and other encryption key materials each require their own security methods to protect them when distributed
  • Distributed keys should be protected at rest, during storage, and during transfer
  • All activities related to encryption key distribution should be logged
  • Key distribution should preferably be performed automatically

Use of industry-approved cryptographic libraries
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

The organization uses only industry-accepted cryptographic libraries to generate encryption keys. The library determines the strength of the encryption algorithm used and, for example, the random number generator used.

Regularly auditing encryption and encryption key management systems
Theme: Technical cyber security
Policy: Encryption
Other requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

The organization must regularly audit cryptographic and cryptographic key management systems and policies. The audit should be performed at least annually and always after security incidents related to these areas.

It is important to consider any industry-specific encryption requirements (e.g. HIPAA for health information, or PCI DSS for payment card information).

Providing customers with encryption key management capabilities
Theme: Technical cyber security
Policy: Encryption
Other requirements: 4

Examples of other requirements this task affects:
  • 10: Cryptography (ISO 27017)
  • 10.1: Cryptographic controls (ISO 27017)
  • 10.1.2: Key management (ISO 27017)

1. Task description

The service provider has to be able to offer the customer the possibility of independently controlling the storage and management of the encryption keys used for the data the customer manages.

Details of this division of labor should be stated in service level agreements, terms of use or other similar documents.

Delivery of material by post or courier (TL II)
Theme: Technical cyber security
Policy: Encryption
Other requirements: 2

Examples of other requirements this task affects:
  • I16: Delivery of material by post and courier (Katakri)
  • F-08.1: Delivery of information by post and courier (Katakri 2020)

1. Task description

When confidential information is transferred outside physically protected areas, the primary aim is to transfer it electronically over a data network, protected with cryptographic products approved by the competent authority.

If the above procedure is not used:

  • confidential information is transported either on electronic media (such as USB memory sticks, CDs, hard disks) protected with cryptographic products approved by the authority, or
  • in other cases, following the authority's instructions

In addition, at protection level II the following measures are implemented:

  • The organization has identified the requirements and implemented procedures for delivering information material requiring special protection (for example, encryption keys).
  • Only approved, security-cleared personnel are part of the organization's internal mail handling chain.
  • The material is packed in a sealable double envelope or equivalent. The outer envelope must not carry any marking of the protection level, and the package must not otherwise reveal externally that it contains confidential material (envelopes or equivalents must be opaque). The inner envelope must be sealed. The recipient must be instructed to check the integrity of the seal and to report immediately if a breach of integrity is suspected.
  • The material is delivered, both domestically and abroad, in accordance with a courier procedure approved by the authority for the protection level in question.

Requirements concerning international security-classified information must be confirmed case by case with the Finnish Security and Intelligence Service (Suojelupoliisi) or the Defence Command (Pääesikunta).

Transmitting material by post or courier (TL III)
Theme: Technical cyber security | Policy: Encryption | Other requirements: 2

    Examples of other requirements this task affects

I16: Transmitting material by post and courier (Katakri)
F-08.1: TRANSMISSION OF INFORMATION BY POST AND COURIER (Katakri 2020)
    1. Task description

When confidential information is transferred outside physically protected areas, the primary aim is to transfer the information electronically over a data network, protected with encryption products approved by the authority.

If the procedure mentioned above is not used:

• the confidential information is transported either on electronic media protected with encryption products approved by the authority (such as USB memory sticks, CDs, hard disks), or
• in other cases, following the authority's instructions

In addition, at protection level III the following measures are implemented:

• The organization has identified the requirements and implemented procedures for transmitting information material requiring special protection (for example, encryption keys).
• The material is packed in a sealable double envelope or equivalent. The outer envelope of the package must not carry any marking of the protection level, and the package must not otherwise externally reveal that it contains confidential material (the envelopes or equivalents must be opaque).
• Domestically, the material is delivered as registered mail on the basis of a separate approval by the authority, or in accordance with a courier procedure approved by the authority for the protection level in question. Delivery abroad by post may take place only on the basis of a separate approval by the authority.
• The organization's internal mail handling chain includes only approved personnel who have undergone a security clearance.

Requirements concerning international classified information must be verified case by case with the Finnish Security and Intelligence Service (Suojelupoliisi) or the Defence Command (Pääesikunta).

Transmitting material by post or courier (TL IV)
Theme: Technical cyber security | Policy: Encryption | Other requirements: 2

    Examples of other requirements this task affects

I16: Transmitting material by post and courier (Katakri)
F-08.1: TRANSMISSION OF INFORMATION BY POST AND COURIER (Katakri 2020)
    1. Task description

When confidential information is transferred outside physically protected areas, the primary aim is to transfer the information electronically over a data network, protected with encryption products approved by the authority.

If the procedure mentioned above is not used:

• the confidential information is transported either on electronic media protected with encryption products approved by the authority (such as USB memory sticks, CDs, hard disks), or
• in other cases, following the authority's instructions

In addition, for protection level IV the following measures are implemented:

• The material is packed in a sealable envelope or equivalent. The outer envelope of the package must not carry any marking of the protection level, and the package must not otherwise externally reveal that it contains confidential material (the envelope or equivalent must be opaque).
• Domestically, the material is delivered as ordinary mail, as registered mail, or in accordance with a courier procedure approved by the authority for the protection level in question. Delivery abroad by post takes place only on the basis of a separate approval by the authority.
• The organization's internal mail handling chain includes only approved personnel.
• The organization has identified the requirements and implemented procedures for transmitting information material requiring special protection (for example, encryption keys).

Requirements concerning international classified information must be verified case by case with the Finnish Security and Intelligence Service (Suojelupoliisi) or the Defence Command (Pääesikunta).

Electronic transmission of material (TL IV-II)
Theme: Technical cyber security | Policy: Encryption | Other requirements: 2

    Examples of other requirements this task affects

I15: Electronic transmission of material (Katakri)
I-15: TRANSMISSION OF CLASSIFIED INFORMATION BETWEEN PHYSICALLY PROTECTED AREAS – ELECTRONIC TRANSMISSION OF INFORMATION (Katakri 2020)
    1. Task description

Electronic transmission of material covers, for example, telephone, fax, e-mail, instant messaging and other similar data transfer methods that operate over a data network.

To secure the electronic transmission of information, the organization implements the following measures:

• When confidential material is transferred outside approved physically protected areas, the material / traffic is encrypted with a method approved by the authority for the protection level in question
• In situations where confidential material is transferred inside physically protected areas:
• a) the traffic channel for the security classification level in question is physically protected (for example, cabling that runs entirely inside a limited physically protected area of that protection level, such as one covering only a single room), or
• b) the material is protected, on the basis of a separate approval by the authority, with lower-level encryption (e.g. HTTPS)

    Secure transmission of confidential information over a data network
Theme: Technical cyber security | Policy: Encryption | Other requirements: 2

    Examples of other requirements this task affects

14 §: Transferring information in a data network (TiHL)
4.4: Transferring confidential information in public data networks (TiHL information security requirements)
    1. Task description

Authorities must carry out data transfer in a public data network using an encrypted or otherwise protected data transfer connection or method if the data to be transferred must be kept secret. In addition, the data transfer must be organized in such a way that the recipient is verified or identified in a sufficiently secure manner before the recipient can process the transferred confidential information.

    General, risk-based encryption policy
Theme: Technical cyber security | Policy: Encryption | Other requirements: 14

    Examples of other requirements this task affects

10: Cryptography (ISO 27001)
10.1: Cryptographic controls (ISO 27001)
10.1.1: Policy on the use of cryptographic controls (ISO 27001)
10.1.2: Key management (ISO 27001)
I12: Encryption solutions (Katakri)
    1. Task description

    Deciding on the need for encryption solutions is seen as part of an overall process that includes risk assessment and the definition of other management tasks.

    The organization has established a general encryption policy that is always followed when protecting information using encryption.

    Encryption policy defines:

    • general principles for using cryptographic controls throughout the organization
• methods for determining the needed level of encryption on the basis of an asset risk assessment
    • the use of encryption on mobile devices
    • ways to protect encryption keys and recover encrypted data when keys are lost
    • roles and responsibilities related to encryption
• the effects of encryption on other tasks of the security management system

    Smartphone and tablet encryption
Theme: Technical cyber security | Policy: Encryption | Other requirements: 3

    Examples of other requirements this task affects

10.1.1: Policy on the use of cryptographic controls (ISO 27001)
    1. Task description

    Devices that support full-device encryption are selected as smartphones and tablets for work use, and encryption is turned on.

    Encryption of portable media
Theme: Technical cyber security | Policy: Encryption | Other requirements: 19

    Examples of other requirements this task affects

8.3.1: Management of removable media (ISO 27001)
8.3.3: Physical media transfer (ISO 27001)
10.1.1: Policy on the use of cryptographic controls (ISO 27001)
PR.PT-2: Removable media (NIST)
A.11.4: Protecting data on storage media leaving the premises (ISO 27018)
    1. Task description

    Storing confidential information on removable media should be avoided. When removable media is used to transfer confidential information, appropriate security is used (e.g., full disk encryption with pre-boot authentication).

    Good encryption key management practices
Theme: Technical cyber security | Policy: Encryption | Other requirements: 13

    Examples of other requirements this task affects

10.1.2: Key management (ISO 27001)
I12: Encryption solutions (Katakri)
6.6.3: Technical requirements (Omavalvontasuunnitelma)
TEK-16: Encryption of information (Julkri)
21.2.h: Encryption (NIS2)
    1. Task description

    Our organization has defined policies for creating, storing, sharing, and deleting encryption keys.

    Encryption key lengths and usage practices will be selected in accordance with best general practices by monitoring developments in the industry.

Use of authority-approved encryption solutions
Theme: Technical cyber security | Policy: Encryption | Other requirements: 1

    Examples of other requirements this task affects

I-12: EVALUATION AND APPROVAL OF INFORMATION SECURITY PRODUCTS – ENCRYPTION SOLUTIONS (Katakri 2020)
    1. Task description

The encryption solution used for storing and transferring the organization's classified information must be approved by the competent authority.

At least the following must be taken into account:

• The organization has identified the use cases in which encryption solutions need to be used to protect classified information. The identified use cases cover all situations in which the protection of classified information relies wholly or partly on an encryption solution.
• For the security classification level in question, the organization has obtained a) encryption solutions approved by the competent authority, and uses them in accordance with the usage policy and settings defined in connection with the approval, or b) case-specific approvals and usage policies/settings granted by the competent authority for encryption solutions that did not previously have a valid approval.
• Secret keys are available only to authorized users and processes. Encryption key management processes and practices are documented and appropriately implemented.
• The security of the encryption solution's supply chain has been assured to a sufficient level. In particular, the supply chain of the encryption solution from a trusted manufacturer to the target data processing environment has been verified.

    Encryption and addressing protections for secure data transfer
Theme: Technical cyber security | Policy: Encryption | Other requirements: 2

    Examples of other requirements this task affects

5.1.2: Information transfer (TISAX)
    1. Task description

    The organisation must have measures for ensuring correct addressing and correct transfer of information.

    An electronic data exchange must be conducted using content or transport encryption suitable for the classification of data in transfer.

    Defining technical rules for encryption of information
Theme: Technical cyber security | Policy: Encryption | Other requirements: 3

    Examples of other requirements this task affects

5.1.1: Cryptography management (TISAX)
    1. Task description

    The organisation should have technical rules containing requirements for encryption of information based on the classification of the information.

    The organisation should define their concept for application of cryptographic methods. This should include:

    • Used cryptographic procedures
• Key strength
    • Procedures for the management of keys for their entire lifecycle (including generation, storage, archival, retrieval, distribution, deactivation, renewal and deletion)

    There should be an emergency process for restoring key material.

    Protection of data at rest
Theme: Technical cyber security | Policy: Encryption | Other requirements: 2

    Examples of other requirements this task affects

PR.DS-1: Data-at-rest is protected. (CyberFundamentals)
    1. Task description

The organization ensures that the confidentiality and integrity of all data at rest are protected across all storage systems:

• Cloud storage
    • File hosting services
    • Databases
    • Data warehouses

    The data can be protected by using physical and logical means.

    Physical protection for data stored is ensured by using secure facilities, such as locked rooms or data centers, that prevent unauthorized physical access.

    Logical protection is done by encrypting stored data using strong cryptographic algorithms and strict access control, ensuring only authorized users and systems can access the data.

    Encryption of server data
Theme: Technical cyber security | Policy: Encryption | Other requirements: 4

    Examples of other requirements this task affects

10.1.1: Policy on the use of cryptographic controls (ISO 27001)
2.7.3: Encrypt storage media which contain confidential data and which can easily be lost or compromised (NSM ICT-SP)
    1. Task description

The disks and file systems of the servers are encrypted to limit the impact of physical theft of the servers.

    Revision of encryption methods and assessment of adequacy
Theme: Technical cyber security | Policy: Encryption | Other requirements: 10

    Examples of other requirements this task affects

10.1.1: Policy on the use of cryptographic controls (ISO 27001)
8.24: Use of cryptography (ISO 27001)
21.2.h: Encryption (NIS2)
CC6.1c: Technical security for protected information assets (SOC 2)
5.1.1: Cryptography management (TISAX)
    1. Task description

    When choosing the encryption methods to be used, take into account e.g. the following points:

    • the cost of using encryption
• encryption level (e.g. type, strength and quality of the encryption algorithm)
    • the value of the assets to be protected

    The need for the advice of external experts is always considered when determining used cryptographic practices.

Management of encryption key activation and end dates
Theme: Technical cyber security | Policy: Encryption | Other requirements: 2

    Examples of other requirements this task affects

10.1.2: Key management (ISO 27001)
    1. Task description

    To reduce the likelihood of inappropriate use, activation and expiration dates are assigned to the encryption keys so that the keys can only be used for as long as is specified.

    Ensuring sovereignty of encryption keys
Theme: Technical cyber security | Policy: Encryption | Other requirements: 1

    Examples of other requirements this task affects

5.1.1: Cryptography management (TISAX)
    1. Task description

    The organisation should determine requirements for encryption key sovereignty. This is especially important in the case of external processing.

    Universal cyber compliance language model: Comply with confidence and least effort

    In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

    Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates a single security plan for you and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
    Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
    With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
    Clear framework compliance plans
    Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to prove your compliance
    Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
    AI-powered improvement suggestions
    Focus on the most impactful improvements in your compliance with help from Cyberday AI.