Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.
Data system documentation must include at least:
Organization carries out threat intelligence by gathering information about information security threats related to its operations and how to protect against them. The goal is to increase awareness of the threat environment, so that own security level can be better evaluated and adequate control measures implemented.
When collecting threat intelligence, all three levels must be taken into account:
Principles related to threat intelligence should include:
The organization has defined a process for addressing identified technical vulnerabilities.
Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:
The organisation must ensure the availability of information systems throughout their entire lifecycle. For this reason, the availability requirements of different information systems (especially the maximum time a system can be out of service, recovery time objective, and recovery point objective) must be met.
The implementation of availability requirements must take into account the load endurance, fault tolerance, and recovery time required from the information system.
Additionally, the need for procedures that protect availability has been identified, and procedures have been implemented with customized protections for critical systems. These protections may include, for example, redundancy of key network connections, hardware, and application execution environments.
Olennaisilla tietojärjestelmillä tarkoitetaan sellaisia tietojärjestelmiä, jotka ovat kriittisiä viranomaisen lakisääteisten tehtäviä toteuttamisen kannalta erityisesti hallinnon asiakkaille palveluja tuotettaessa.
Toiminnallisella käytettävyydellä tarkoitetaan tietojärjestelmän käyttäjän kannalta sen varmistamista, että tietojärjestelmä on helposti opittava ja käytössä sen toimintalogiikka on helposti muistettava, sen toiminta tukee niitä työtehtäviä, joita käyttäjän pitää tehdä tietojärjestelmällä ja tietojärjestelmä edistää sen käytön virheettömyyttä.
Orgaisaation on myös varmistettava digitaalisten palveluiden saavutettavuus lainsäädännön edellyttämässä laajuudessa:
Saavutettavuus tarkoittaa sitä, että mahdollisimman moni erilainen ihminen voi käyttää verkkosivuja ja mobiilisovelluksia mahdollisimman helposti. Saavutettavuus on ihmisten erilaisuuden ja moninaisuuden huomiointia verkkosivujen ja mobiilisovelluksien suunnittelussa ja toteutuksessa. Saavutettavan digipalvelun suunnittelussa ja toteutuksessa pitää huomioida kolme osa-aluetta: tekninen toteutus, helppokäyttöisyys ja sisältöjen selkeys ja ymmärrettävyys.
The organization must have a clear model for prioritizing identified technical vulnerabilities. The operating model should not be entirely new invention, but should be based on generally accepted practices.
Vulnerabilities should be prioritized based on the risk they pose, the importance of the assets involved, the potential organizational impact, and the urgency (taking into account the CVSS value).
The organization shall regularly review the technical compliance of the data systems with the organisation's requirements.
The review may use manual implementation by experienced professionals or automated tools (including intrusion testing).
The technical review shall always be planned and carried out by competent and pre-approved staff.
The organization must make sure that data systems are maintained and updated according to the manufacturer guidelines
The organisation regularly evaluates the level of cyber security and the effectiveness of the information security management system.
Organisation has defined:
Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing organisation's success / failure related to cyber security.
To ensure the reliability of the systems, the following measures should be taken:
Maintenance, updating and possible renewal of information systems, devices and networks should be planned with the necessary component and software updates to be implemented before possible failures. When examining the criticality of components, the perspective of customer and patient safety should be taken into account.
The operation of information systems may depend on certain key resources, such as server capacity,storage space, data processing capacity,monitoring capacity or certain< em>key people.
The organization has defined key resources and methods for monitoring the use of these key resources. A normal level is also determined for the resources, which is used when assessing the risk of jeopardizing availability due to capacity problems.
The organization must ensure that information systems are installed, maintained and updated only by personnel who have the necessary skills and expertise. In addition, the role and responsibilities of the person who installs, maintains and updates information systems must be described in relation to the organization and the producer of the information system.