
Choose a desired framework

ISO 27001 (2022): Full

Full, certification-level ISMS. Complete set of security controls along with management, auditing and risk evaluation aspects.

  • Management-driven tasks e.g. about ISMS management, risk evaluation and treatment and internal auditing.
  • Advanced tasks e.g. about procurement, physical security, other information assets and vulnerability management.
  • Advanced documentation e.g. risks, non-conformities and improvements.

Audited security expands the basics covered by Core security and advanced controls covered by Extended security.

NIS2 Directive

NIS 2 sets the baseline for cybersecurity risk management measures and reporting obligations across the important industries covered by the directive, such as energy, transport, health, food, waste, public administration and digital infrastructure, and, even more importantly, across their supply chains.

NIS 2 tightens the rules and expands its scope compared to the original NIS Directive from 2016. It also adds top management accountability and tightens sanctions for non-compliance.

C2M2: MIL1

The Cybersecurity Capability Maturity Model (C2M2) helps organizations evaluate their cybersecurity capabilities and optimize security investments.

This level includes the MIL1 requirements and other measures included in other supported frameworks, giving an estimated 50% coverage of the full framework.

Cyber Essentials

Cyber Essentials is backed by the United Kingdom's government to help protect organisations, large or small, from cyber attacks. It is a good tool for bringing the essentials of cyber security to a level that reduces the chance of your organisation being vulnerable to basic cyber attacks.

  • Tasks for admins regarding firewall, password and device management policies and malware protection, user access control and software management.
  • Guidelines for employees regarding secure password practices and other cyber security basics.
  • Documentation of main software and hardware assets relevant for information security.

CyberFundamentals (Belgium)

The CyberFundamentals framework was created by the Centre for Cybersecurity Belgium. It provides a set of concrete measures to protect your data, significantly reduce the risk of the most common cyber-attacks, and increase your organisation's cyber resilience. The framework is based on:

  • Four commonly used cybersecurity frameworks (NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443)
  • Anonymized historical data of successful cyber-attacks. Through retro-fitting, we are able to assess what percentage of past attacks the measures of the Framework will protect you against.
  • The CyberFundamentals are structured in 4 levels, each subsequent level containing somewhat more measures than the previous one: a beginner level Small, followed by Basic, Important and Essential. The Essential level contains all the basic information security measures from the previous levels and introduces more advanced controls. The Essential level is in line with the NIS2 directive.

Cyberday content library

Cyberday unravels cyber security and privacy requirements into clear tasks, which can be delegated and clearly demonstrated as done.

Cyberday is used to show "assurance information" about implementing a task, which means either documentation, guidelines or reports directly in Cyberday, or free-text descriptions of how the task is implemented when it is executed outside the ISMS.

Feel free to familiarize yourself with the Cyberday task content. Each task has its own page, which includes a description, connected Cyberday features and the related requirements that are complied with through the task.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is the EU law on digital operational resilience. DORA aims to achieve a uniform high level of digital resilience across the EU. It sets out uniform requirements for the information networks and systems that support financial business processes.

DORA sets out requirements for, among other things, protection, detection, isolation, recovery and remediation in the event of a security incident. Further requirements include extensive risk and incident management, cyber threat and vulnerability information sharing, resilience testing and reporting of incidents to authorities.

Digital security overview

Digital security overview is a service developed and maintained by the Finnish Digital and Population Data Services Agency. The goal of the service is to gather information about the digital security status of public sector organisations.

The requirements of this framework match the questions of the service.

General Data Protection Regulation

GDPR sets out the requirements for the lawful processing of personal data and for demonstrating adequate protection of that data.

  • Privacy and personal data handling guidelines for employees.
  • Informing, data processor and breach management tasks for admins.
  • Data processing, data transfer, privacy risk and DPIA documentation.

ISO 27001 (2013): Full

Full, certification-level ISMS. Complete set of security controls along with management, auditing and risk evaluation aspects.

  • Management-driven tasks e.g. about ISMS management, risk evaluation and treatment and internal auditing.
  • Advanced tasks e.g. about procurement, physical security, other information assets and vulnerability management.
  • Advanced documentation e.g. risks, non-conformities and improvements.

Audited security expands the basics covered by Core security and advanced controls covered by Extended security.

ISO 27017

ISO 27017 is a security standard developed especially for cloud service providers and users to create a safer cloud-based environment and reduce the risk of security incidents.

  • Technical tasks related to the cloud environment and shared responsibilities.
  • Advanced tasks e.g. about virtualization and monitoring cloud services.

ISO 27017 gives cloud-specific additions to ISO 27001, so these two frameworks should be used together.

ISO 27018

ISO 27018 is a security standard developed especially for cloud service providers to ensure risks are assessed and controls are implemented to protect personally identifiable information (PII).

  • Documentation related to processing personally identifiable information (PII).
  • Tasks related to purpose, data and retention minimization.
  • Advanced tasks related to information security while processing PII.

ISO 27018 gives cloud-specific additions to ISO 27001, so these two frameworks should be used together.

ISO 27701

ISO 27701 is a privacy extension to ISO 27001. The framework aims to upgrade an existing Information Security Management System (ISMS) with additional requirements related to processing and protecting personal data, in order to also establish a Privacy Information Management System (PIMS).

  • Documentation related to processing activities, transfers and disclosures of personal data.
  • Tasks related to data subject rights and ensuring the lawfulness of processing.
  • Advanced privacy-related tasks about ensuring proper consent and fulfilling other requirements for personal data controllers and processors.

Certifications are available for ISO 27701. As the framework extends ISO 27001, organizations seeking an ISO 27701 certification will need to hold the ISO 27001 certification.

Julkri: TL IV-I

Cyber security evaluation criteria by Finnish authorities for Finnish public administration.

Julkri lists 200 security measures of varying levels, which help organizations fulfill the requirements of e.g. local laws and the GDPR.

This framework includes all the criteria from the Julkri: Full framework and, in addition, the criteria for security-classified information (TL IV, TL III, TL II and TL I).

Katakri (Finnish national security auditing criteria)

Katakri is used when evaluating an organisation's ability to secure confidential information received from Finnish national authorities. It can be used to guide security work in an organisation that wants to be ready for an audit performed by the authorities.

  • Tasks for admins about security management, physical security and technical cyber security.
  • Documentation of identified and evaluated security risks and defined control measures.
  • Guidelines for employees on working in secure areas and protecting confidential data received from the authorities.

Katakri 2020

Katakri is used when evaluating an organisation's ability to secure confidential information received from Finnish national authorities. It can be used to guide security work in an organisation that wants to be ready for an audit performed by the authorities.

  • Tasks for admins about security management, physical security and technical cyber security.
  • Documentation of identified and evaluated security risks and defined control measures.
  • Guidelines for employees on working in secure areas and protecting confidential data received from the authorities.
Kyberturvallisuuslaki (NIS2)

The Finnish Cybersecurity Act (Kyberturvallisuuslaki) lays down information security measures for sectors designated as essential or important, as well as the management of cybersecurity risks. In Finland, the Cybersecurity Act implements the NIS2 Directive.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is a collaborative effort coordinated by the National Institute of Standards and Technology (NIST, part of the U.S. Department of Commerce) and involving industry, academia, and government.

The framework is designed to help owners and operators of critical infrastructure identify, assess and manage cyber risks.

  • Advanced tasks e.g. about risk management and incident detection, response and recovery.
  • Advanced documentation e.g. on information security risks.
  • Generic cyber security guidelines for employees, privileged users, senior management and other stakeholders.

NSM ICT Security Principles (Norway)

The NSM ICT Security Principles is a framework for ICT security published and maintained by the Norwegian National Security Authority (NSM). The security principles advise businesses and organisations on how to protect their information systems from unauthorized access, damage or misuse.

The principles focus on technological and organisational measures. Measures concerning physical security and the human perspective are generally not covered. The measures apply to both unintentional and intentional acts, although the main focus is on intentional acts.

The framework contains 21 security principles with a total of 118 security measures, distributed across four categories: i) identify, ii) protect and maintain, iii) detect and iv) respond and recover.

Public administration information management act

This Finnish law is designed to promote the harmonization of information management, cyber security and digitalisation in public administration.

  • Information-management-specific guidelines for employees and different sectors.
  • Tasks related to setting responsibilities, reporting to the public and residents, archiving and technical interfaces.
  • Documentation about operational processes, data systems, data stores, data processing and related risks.

SOC 2 (Systems and Organization Controls)

The SOC 2 framework specifies how organizations should protect customer data from e.g. unauthorized access, security incidents or other vulnerabilities. It was developed by the American Institute of Certified Public Accountants (AICPA).

SOC 2 includes 5 different requirement sets: security, availability, processing integrity, confidentiality and privacy. A SOC 2 audit can be carried out against one or all of these criteria. Each criterion has specific requirements that the company needs to comply with by implementing controls.

TISAX: Information security

TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.

This framework includes TISAX's information security requirements, which are mandatory for all TISAX participants. The framework can be further expanded with the prototype protection and data protection requirements, which are available as extension frameworks.

TiHL: Suositus tietoturvan vähimmäisvaatimuksista (Recommendation on minimum information security requirements)

A recommendation by the Information Management Board that guides organisations in fulfilling the minimum information security requirements set by the Information Management Act (tiedonhallintalaki, TiHL), which all public administration organisations must meet at a minimum. As part of the minimum requirements, organisations must identify and assess the risks related to their information processing and implement measures to reduce those risks to an acceptable level.

Tietoturvan ja tietosuojan omavalvontasuunnitelma (Information security and data protection self-monitoring plan)

Under the current Client Data Act, all social and health care service providers must draw up a self-monitoring plan for data protection, information security and the use of information systems.

In 2020, THL published a new template for the information security and data protection self-monitoring plan. The self-monitoring plan supports social and health care service providers in planning information security and data protection.

With the help of the plan, a service provider can take into account and plan the essential matters of data protection, information security and the use of information systems.

Tietoturvasuunnitelma (THL 3/2024) (Information security plan)

The information security plan is a document in which social and health care service providers describe their self-monitoring of information security and data protection. The plan must describe how the service provider meets the requirements of section 27 of the Client Data Act concerning the processing of client and patient data and the information systems that process them. The requirements include:

  • users of the information systems must have the necessary training
  • maintenance of the information systems is carried out only by persons with sufficient professional skills
  • user instructions for the systems are available
  • the information systems meet the essential requirements appropriate to their purpose
  • the information security and data protection of the information systems must be ensured

Choose a desired policy topic

Policy | Linked frameworks | Theme | Tasks
------ | ----------------- | ----- | -----
Access control and authentication | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | System management | 44
Agreements and monitoring | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Partner management | 16
Automatic solution procedure | TiHL | |
Backups | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Technical cyber security | 9
Case management and archiving | TiHL, TiHL: Tietoturva | |
Changes in employment relationships | TiHL, CyFun, TISAX, KyberTL, Katakri 2020 | Personnel security | 9
Cloud service management | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Development and cloud |
Connections and use of Kanta-services | Tietoturvasuunnitelma | Self-monitoring; Social and health services security plan |
Continuity management | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | Risk management and leadership | 22
Cyber security in contracts | CyFun, TISAX, KyberTL, Katakri 2020, NIS2 | Personnel security | 6
Cyber security management | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | Risk management and leadership | 43
Cyber security training | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | Personnel security | 8
Data breach management | DORA, CyFun, TISAX, KyberTL, Katakri 2020 | Incident management | 5
Data classification | NSM ICT-SP, CyFun, TISAX, Katakri 2020, TiHL: Tietoturva | Management of data sets | 9
Data interfaces and disclosures | TiHL, TiHL: Tietoturva | |
Data system management | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | System management | 22
Data system procurement | NSM ICT-SP, TiHL, CyFun, TISAX, KyberTL | System management |
Data transfer and disclosure | TiHL, TISAX, Tietoturvasuunnitelma, SOC 2, Sec overview | Privacy | 9
Email and web browser | NSM ICT-SP, CyFun, SOC 2, Julkri, NIST | Email and phishing | 11
Encryption | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | Technical cyber security | 44
Equipment maintenance and safety | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Physical security | 14
Incident management and response | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Incident management | 23
Informing and data subject requests | CyFun, TISAX, Tietoturvasuunnitelma, SOC 2, Sec overview | Privacy | 19
Interoperability | ISO 27017 | Development and cloud | 5
Malware protection | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Technical cyber security | 18
Management of data sets | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | Management of data sets | 25
Management of secure areas | Katakri 2020, TiHL: Tietoturva, Katakri, Julkri, C2M2: MIL1 | Physical security | 24
Mobile device management | NSM ICT-SP, CyFun, TISAX, Tietoturvasuunnitelma, Katakri | Remote work and mobile devices | 15
Network security | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Technical cyber security | 33
Non-electronic data and copies | CyFun, TISAX, Katakri 2020, Tietoturvasuunnitelma, Katakri | Physical security | 12
Organizing information management | TiHL, TiHL: Tietoturva, Sec overview, Julkri | |
Personnel quality responsibilities | No linked frameworks. | |
Privacy by design and default | SOC 2, Sec overview, Julkri, ISO 27701, ISO27k1 Full | Privacy | 13
Process management and monitoring | No linked frameworks. | |
Processing principles and accountability | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | Privacy |
Products, services and customer focus | No linked frameworks. | |
Property security | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Physical security | 28
Quality and processes | No linked frameworks. | |
Quality management | No linked frameworks. | |
Remote work | NSM ICT-SP, CyFun, TISAX, Tietoturvasuunnitelma, SOC 2 | Remote work and mobile devices | 11
Removable media | CyFun, TISAX, Katakri 2020, Tietoturvasuunnitelma, Katakri | Management of data sets | 15
Risk management | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | Risk management and leadership | 32
Secure development | NSM ICT-SP, CyFun, TISAX, KyberTL, Katakri 2020 | Development and cloud | 24
Security and responsibilities | TISAX, Tietoturvasuunnitelma, SOC 2, Sec overview, Julkri | Privacy | 11
Security guidelines | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | Personnel security | 5
Security of patient data systems | Tietoturvasuunnitelma | |
Security responsibilities (SSRM) | No linked frameworks. | Partner management |
Security systems and logging | NSM ICT-SP, DORA, TiHL, CyFun, TISAX | Technical cyber security | 29
Staff guidance and training | Tietoturvasuunnitelma | Self-monitoring; Social and health services security plan |
Supplier security | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Partner management | 13
System's user instructions and support | Tietoturvasuunnitelma | Self-monitoring; Social and health services security plan |
Technical vulnerability management | NSM ICT-SP, DORA, CyFun, TISAX, KyberTL | Technical cyber security | 27
Tiedonhallintamalli (information management model) | TiHL, TiHL: Tietoturva, Sec overview, Julkri | |
Update and patch management | No linked frameworks. | System management |
Virtualization | NSM ICT-SP, CyFun, TISAX, Tietoturvasuunnitelma, SOC 2 | Technical cyber security | 5

Choose a desired cyber security requirement

Requirement | ID | Framework | Tasks
----------- | -- | --------- | -----
Protection of information systems during audit testing | 8.34 | ISO 27001 (2022): Full | 1
Termination or change of employment responsibilities | 7.3.1 | ISO 27001 (2013): Full | 5
Management of filtering and monitoring systems (Suodatus- ja valvontajärjestelmien hallinnointi) | I03 | Katakri (Finnish national security auditing criteria) | 1
Involve necessary ICT security staff when making changes | 2.10.2 | NSM ICT Security Principles (Norway) | 2
Registering and authorizing new users before granting access | CC6.2 | SOC 2 (Systems and Organization Controls) | 6
Consent and choice | A.2 | ISO 27018 | 3
Traceability of security-related events: data disclosures (Turvallisuuteen liittyvien tapahtumien jäljitettävyys - tietojen luovutukset) | TEK-12.1 | Julkri: TL IV-I | 2
Learning and evolving | Article 13 | Digital Operational Resilience Act (DORA) | 7
Establish and Maintain Cybersecurity Architecture Strategy and Program | ARCHITECTURE-1 | C2M2: MIL1 | 1
Basic information security practices and personnel responsibility (Perustason tietoturvakäytännöt ja henkilöstön vastuu) | 9.11 § | Kyberturvallisuuslaki (NIS2) | 7
Procurement of information systems (Tietojärjestelmien hankinnat) | 4.2 | TiHL: Suositus tietoturvan vähimmäisvaatimuksista | 2
Technical compliance review | 18.2.3 | ISO 27001 (2013): Full | 2
Administrative area: granting of access rights (Hallinnollinen alue - pääsyoikeuksien myöntäminen) | FYY-06.3 | Julkri: TL IV-I | 1
Identify information processing and data flow | 1.1.6 | NSM ICT Security Principles (Norway) | 5
| | General Data Protection Regulation | 1
Sufficient resources for developing digital security (Riittävät resurssit digiturvan kehittämiseen) | 70 | Digital security overview | 1
Incidents are contained. | RS.MI-1 | CyberFundamentals (Belgium) | 1
Communicate the results of penetration tests to relevant stakeholders | 3.4.6 | NSM ICT Security Principles (Norway) | 1
Decide which parts of the ICT system to monitor | 3.2.3 | NSM ICT Security Principles (Norway) | 5
Instructions for data processing | 9.8.1 | TISAX: Information security | 2
User access provisioning | 9.2.2 | ISO 27017 | 1
Prevent manipulation of monitoring data | 3.2.6 | NSM ICT Security Principles (Norway) | 4
Select tools that support manual and automated searches including criteria-based alerts | 3.3.3 | NSM ICT Security Principles (Norway) | 3
Accuracy and quality | A.7.4.3 | ISO 27701 | 1

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, the requirements of all frameworks are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share a common core. All frameworks cover basic topics like risk management, backups, malware, personnel awareness or access management in their respective sections.

Cyberday's universal cyber security language technology creates a single security plan for you and ensures you implement the common parts of the frameworks just once. You focus on implementing your plan, and we automate the compliance part, for current and upcoming frameworks.
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.

With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.

Clear framework compliance plans: activate relevant frameworks and turn them into actionable policies tailored to your needs.

Credible reports to prove your compliance: use guided tasks to ensure secure implementations and create professional reports with just a few clicks.

AI-powered improvement suggestions: focus on the most impactful improvements in your compliance with help from Cyberday AI.