Ensuring the reliability of data systems

Sometimes an unexpected event, such as a fire, flood, or equipment failure, can cause downtime. In order to be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. planning the operations in advance for these exceptional situations.

Each continuity plan shall contain at least the following information:

• Event for which the plan has been made
• Goal for recovery time
• Responsible persons and related stakeholders and contact information
• Planned immediate actions
• Planned recovery steps

Tiedonhallintayksikön on suoritettava olennaiset riskiarvioinnit sen tietoaineistojen käsittelyn, tietojärjestelmien hyödyntämisen ja toiminnan jatkuvuuden suhteen. Riskiarvioinnin perusteella tiedonhallintayksikön on:

a) Laadittava valmiussuunnitelmat ja etukäteisvalmistelut häiriötilanteiden varalle.

b) Suoritettava muut tarvittavat toimenpiteet, jotta tietoaineistojen käsittely, tietojärjestelmien hyödyntäminen ja niihin perustuva toiminta voivat jatkua mahdollisimman häiriöttömästi normaaliolojen häiriötilanteissa sekä valmiuslaissa (1552/2011) tarkoitetuissa poikkeusoloissa.

Organisaation on Asiakastietolain 41 §:n mukaisesti ilmoitettava tietojärjestelmän tuottajalle, mikäli järjestelmässä ilmenee poikkeama järjestelmien olennaisista vaatimuksista. Poikkeamia on kuvattu THL:n määräyksen 5/2021 luvussa 10.4

Tietojärjestelmien merkittävistä poikkeamista on ilmoitettava Valviralle, erityisesti tilanteissa, joissa poikkeama voi aiheuttaa merkittävän riskin asiakas- tai potilasturvallisuudelle tai tietoturvalle. Merkittävien poikkeamien korjaamiseksi on ryhdyttävä korjaaviin toimenpiteisiin.

The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.

Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.

Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.

Organization must identify the required level of availability for the services it offers as well as for any related data systems and other data processing environment. The organization must plan its systems and operations so that the availability level can be met.

When planning a resilient data processing environment, the organization should consider the following factors:

• use of resilient networks
• use of two geographically separate data centers with mirrored databases
• use of several parallel software components with automatic load sharing
• use of duplicated key components in systems (e.g. CPU, hard drives, memories) or networks (e.g. firewalls , routers, switches)

For example, in important production systems, the resilience should also be tested regularly to ensure a smooth transition to backup solutions during incidents.

Continuity requirements for ICT services are derived from continuity plans that are created for core processes (e.g. related to the provision of organization's products and services) and the recovery time goals included in them.

Organization must identify what recovery times and recovery points different ICT services must be able to achieve, taking into account the defined recovery goals for related processes, and ensure the ability to achieve them.

The planning must take into account in particular:

• responsibilities are defined for preparing for, managing and responding to disruptions in ICT services
• in particular continuity plans related to ICT services have been created, approved and are regularly tested
• continuity plans contain information on performance requirements, recovery time requirements and recovery actions for each important ICT service, as well as recovery point requirements and restoring actions for each important ICT service

Palvelujen riippuvuus muista palveluista ja toisista toimijoista on otettu huomioon koko tietojenkäsittely-ympäristön ja sen vikasietoisuuden suunnittelussa.

The organisation has identified the tasks that are critical for the continuity of its operations. Alternative courses of action for specific exceptional situations and staff availability and contingency arrangements have been planned and prepared for the continuation of critical tasks.

To implement the continuation plans, the plan owners, their alternates and other persons required to implement the plan have been identified. In addition, their ability to carry out their tasks under normal circumstances has been ensured.

Palvelua hankittaessa tulee huomioida, että palvelua voi olla hankala kotiuttaa ja toimittajalukkoon jäänyttä palvelua vaikea siirtää toiselle palveluntarjoajalle. Erityisesti vaatimus tulee huomioida hankittaessa pilvipalveluita.

Jatkuvuussuunnitelmissa on huomioitu yhtenä erityistä tarkkuutta vaativana näkökulmana palveluiden kotiuttamiset ja siirrot toiselle palveluntarjoajalle.

In the event of an incident, the implementation of the response plan with stakeholders must be carried out as specified in the plan.

In the event of an incident , communication with internal and external stakeholders must be in accordance with the incident response plan.

The organization shall establish a incident response plan for security incidents to critical information systems. Response plans should also be tested by the necessary organizational elements. The plan should take into account at least:

• The purpose of the information system and the precautions to be taken in the event of its disruption
• Recovery plans, targets, and priorities for the order of recovery of assets
• The role of implementing the response plans and the contact details of the persons assigned to the roles
•  Continuation of normal operations regardless of the state of the information systems.
• Distribution, approval and review of response plans

In addition, the plan should at least:

• Establish a roadmap for developing disruption management capacity
• Describe the structure and organization of incident management capability
• Provides metrics to measure incident management capability

The organization must test and update its response to the security breach at scheduled intervals or after significant changes. For critical parts of the organization, operational plans should be tested at least annually. Test results should be documented and communicated to improve the plan.

The organization must document in advance procedures for responding to security breaches to ensure the actions of related departments, customers, and other critical partners in the event of a security breach.

The organization has to include disaster recovery in their continuity planning. Relevant disasters for the planning are natural disasters (e.g floods, earthquake, hurricanes) and human caused disasters (e.g terror attack, chemical attack/incident, insider attack).

In disaster planning there is greater emphasis on the returning operations to normal levels safely than in continuity planning. After this focus moves to resuming normal operations.

The continuity plans must be updated at least annually or after significant changes.

The organisation should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.

Testing of continuity plans shall involve, as appropriate, stakeholders critical to each plan. The organisation should identify and document the necessary contacts with suppliers and partners

In addition, the adequacy of continuity plans and associated management mechanisms should be reassessed in the event of significant changes in operations.

To ensure the reliability of the systems, the following measures should be taken:

• Duplication of the systems
• Planned temporary solutions in case of problem situations
• Spare parts available
• Using special components
• Active monitoring
• Active maintenance activities

Maintenance, updating and possible renewal of information systems, devices and networks should be planned with the necessary component and software updates to be implemented before possible failures. When examining the criticality of components, the perspective of customer and patient safety should be taken into account.

The organisation must have a process to perform needed checks to ensure data integrity is maintained when recovering from ICT-incident.

The check should also be done when data is reconstructed from external stakeholders to ensure data is consistent and correct between the systems.

Organisation must , as part of it's cyber risk management framework, maintain and review digital operational resilience testing programme. It must help the organisation to asses their preparedness to:

• handle ICT-related incidents
• identify weaknesses, deficiencies and gaps in digital operational resilience
• implement corrective measures

The testing programme:

• should include variety of assesments, test and tools to ensure the correctness of the testing.
• should be done with a risk-based approach to recognize the evolving landscape of ICT-related risks.
• be conducted by independent parties, external or internal, by ensuring sufficient resources and avoid conflict of interests

The organisation should have processes to prioritise, classify and remedy the issues uncovered by the testing programme.

As part of the programme the organisation must ensure yearly testing of all ICT systems and applications that support critical or important functions.

The organisation regularly develops its continuity plans by analyzing the testing of the plans, training and their actual use in real situations.

Relevantit henkilöt tuntevat omaan toimintaan liittyvät jatkuvuussuunnitelmat sekä niiden tarkemmat sisällöt riittävän tarkasti ja osaavat toimia niiden mukaisesti.

Organizational recovery measures must be communicated as planned to critical individuals and management within the organization. Recovery measures must also be communicated to external stakeholders.

The organization shall have procedures in place to communicate effectively with stakeholders and other participants during continuity plans and survival procedures.

Communication plans related to continuity plans shall include:

• Responsible persons, related stakeholders and other necessary contact information
• Clear criteria for the situation where continuity communication will be implemented
• A clear description of the staff implementing the continuity communication in each situation and the recipients to whom the communication will be sent
• References to the templates and tools to be used

The organization must maintain a top-level strategy for continuity planning. The strategy should include at least:

• Guidelines for defining continuity planning recovery time objectives and the adverse events requiring continuity plans
• Management commitment to continuity planning and improvement
• Description of the organization's risk appetite

In order to develop a strategy, it may be necessary to make use of general good practices, such as ISO 22300.

The organization should define requirements for the continuity of information security management during a crisis or disaster.

Information security management can either assume that the requirements are the same in adverse situations as in normal operating conditions, or seek to determine separately the security requirements applicable to adverse situations.

The organisation should establish and maintain a comprehensive crisis management framework. This involves implementing methods to detect potential crisis situations by identifying general indicators and specific predictable crises, along with clear procedures for invoking and escalating crisis management when necessary. Strategic goals and priorities must be defined, focusing on ethical considerations for example:

• protecting life and health
• safeguarding core business processes
• ensuring appropriate information security

A dedicated crisis management team should be formed, including representatives from all major organizational functions, with defined structures, roles, competencies, expectations, authority, and decision-making procedures.

Crisis management policies and procedures need to be developed and approved, encompassing exceptional authorities and decision-making processes, communication methods, emergency operating procedures, and organizational structures for reporting, information gathering, and decision-making.

The entire crisis management plan should be reviewed and updated regularly to ensure its ongoing effectiveness and relevance.

The organisation should include the following topics into their continuity planning:

• Plans for (D)DoS attacks
• Plans for succesful ransomware attacks and other sabotage
• System failures
• Natural disasters

Continuity planning should take into account alternate communication options for situations primary communication means aren't operational. There should also be alternative options for storage, power and network strategies.