Content library
TiHL: Suositus tietoturvan vähimmäisvaatimuksista
4.1: Tietojärjestelmien tietoturvallisuus

How to fill the requirement

TiHL: Suositus tietoturvan vähimmäisvaatimuksista

4.1: Tietojärjestelmien tietoturvallisuus

Task name
Priority
Status
Theme
Policy
Other requirements
Data system listing and owner assignment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system management
requirements

Task is fulfilling also these other security requirements

I06: Pääsyoikeuksien hallinnointi
Katakri
13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
24. Responsibility of the controller
GDPR
5. Principles relating to processing of personal data
GDPR
32. Security of processing
GDPR
1. Task description

Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.

Data system documentation must include at least:

  • System purpose and linked responsibilities
  • System's data location (covered in a separate task)
  • System's maintenance and development responsibilities and linked partners (covered in a separate task)
  • When necessary system's access roles and authentication methods (covered in a separate task)
  • When necessary systems interfaces to other systems (covered in a separate task)
The goals of threat intelligence and the collection of information related to information security threats
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
requirements

Task is fulfilling also these other security requirements

5.7: Threat intelligence
ISO27k1 Full
77: Menettely toimintaympäristön seuraamiseen
Sec overview
Article 13: Learning and evolving
DORA
4.1: Tietojärjestelmien tietoturvallisuus
TiHL: Tietoturva
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
CyFun
1. Task description

Organization carries out threat intelligence by gathering information about information security threats related to its operations and how to protect against them. The goal is to increase awareness of the threat environment, so that own security level can be better evaluated and adequate control measures implemented.

When collecting threat intelligence, all three levels must be taken into account:

  • strategic threat intelligence (e.g. information on the growing types of attackers and attacks)
  • tactical threat intelligence (e.g. information about tools and technologies used in attacks)
  • operational threat intelligence (e.g. details of specific attacks)

Principles related to threat intelligence should include:

  • setting targets for threat intelligence
  • identification, verification and selection of information sources used in threat intelligence
  • gathering threat intelligence
  • data processing for analysis (e.g. translation, formatting, compression)
Process for managing technical vulnerabilities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
requirements

Task is fulfilling also these other security requirements

12.6.1: Management of technical vulnerabilities
ISO27 Full
14.2.1: Secure development policy
ISO27 Full
ID.RA-1: Asset vulnerabilities
NIST
PR.IP-12: Vulnerability management plan
NIST
RS.AN-5: Vulnerability management process
NIST
1. Task description

The organization has defined a process for addressing identified technical vulnerabilities.

Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:

  • risks related to the vulnerability and the necessary actions are identified (e.g. patching the system or other management tasks)
  • necessary actions are scheduled
  • all actions taken are documented
Availability of data systems and procedures to protect their availability
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system management
requirements

Task is fulfilling also these other security requirements

TEK-22: Tietojärjestelmien saatavuus
Julkri
TEK-22.1: Tietojärjestelmien saatavuus - saatavuutta suojaavat menettelyt
Julkri
31: Toipumissuunnitelmat kriittisille järjestelmille
Sec overview
Article 7: ICT systems, protocols and tools
DORA
Article 9: Protection
DORA
1. Task description

The organisation must ensure the availability of information systems throughout their entire lifecycle. For this reason, the availability requirements of different information systems (especially the maximum time a system can be out of service, recovery time objective, and recovery point objective) must be met.

The implementation of availability requirements must take into account the load endurance, fault tolerance, and recovery time required from the information system.

Additionally, the need for procedures that protect availability has been identified, and procedures have been implemented with customized protections for critical systems. These protections may include, for example, redundancy of key network connections, hardware, and application execution environments.

Tietojärjestelmien vikasietoisuus ja toiminnallinen käytettävyys
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system management
requirements

Task is fulfilling also these other security requirements

HAL-17.1: Tietojärjestelmien toiminnallinen käytettävyys ja vikasietoisuus - saavutettavuus
Julkri
4.1: Tietojärjestelmien tietoturvallisuus
TiHL: Tietoturva
4.3: Vikasietoisuuden ja toiminnallisen käytettävyyden testaus
TiHL: Tietoturva
1. Task description

Olennaisilla tietojärjestelmillä tarkoitetaan sellaisia tietojärjestelmiä, jotka ovat kriittisiä viranomaisen lakisääteisten tehtäviä toteuttamisen kannalta erityisesti hallinnon asiakkaille palveluja tuotettaessa.

Toiminnallisella käytettävyydellä tarkoitetaan tietojärjestelmän käyttäjän kannalta sen varmistamista, että tietojärjestelmä on helposti opittava ja käytössä sen toimintalogiikka on helposti muistettava, sen toiminta tukee niitä työtehtäviä, joita käyttäjän pitää tehdä tietojärjestelmällä ja tietojärjestelmä edistää sen käytön virheettömyyttä.

  • Organisaatio tunnistaa ja luetteloi tehtävien hoitamisen kannalta olennaiset tietojärjestelmät esimerkiksi osana suojattavien kohteiden luettelointia ja tiedon luokittelua.
  • Organisaatio määrittelee olennaisten tietojärjestelmien saatavuuskriteerit, joita vasten vikasietoisuus voidaan testata. Järjestelmäkohtaisten saatavuuskriteerien määrittelyssä voidaan hyödyntää tietojärjestelmien saatavuusluokittelua.
  • Organisaatio määrittelee toiminnallisen käytettävyyden kriteerit.
  • Organisaation hankintaprosesseissa ja hankintaohjeissa on huomioitu toiminnalliseen käytettävyyteen ja vikasietoisuuteen liittyvät vaatimukset.
  • Organisaatio dokumentoi vikasietoisuuden testaukset.

Orgaisaation on myös varmistettava digitaalisten palveluiden saavutettavuus lainsäädännön edellyttämässä laajuudessa:

Saavutettavuus tarkoittaa sitä, että mahdollisimman moni erilainen ihminen voi käyttää verkkosivuja ja mobiilisovelluksia mahdollisimman helposti. Saavutettavuus on ihmisten erilaisuuden ja moninaisuuden huomiointia verkkosivujen ja mobiilisovelluksien suunnittelussa ja toteutuksessa. Saavutettavan digipalvelun suunnittelussa ja toteutuksessa pitää huomioida kolme osa-aluetta: tekninen toteutus, helppokäyttöisyys ja sisältöjen selkeys ja ymmärrettävyys.

Prioritization of identified technical vulnerabilities and remediation goals
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
requirements

Task is fulfilling also these other security requirements

4.1: Tietojärjestelmien tietoturvallisuus
TiHL: Tietoturva
1. Task description

The organization must have a clear model for prioritizing identified technical vulnerabilities. The operating model should not be entirely new invention, but should be based on generally accepted practices.

Vulnerabilities should be prioritized based on the risk they pose, the importance of the assets involved, the potential organizational impact, and the urgency (taking into account the CVSS value).

Technical review of data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system management
requirements

Task is fulfilling also these other security requirements

Article 26: Advanced testing of ICT tools, systems and processes based on TLPT
DORA
4.1: Tietojärjestelmien tietoturvallisuus
TiHL: Tietoturva
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.
CyFun
1. Task description

The organization shall regularly review the technical compliance of the data systems with the organisation's requirements.

The review may use manual implementation by experienced professionals or automated tools (including intrusion testing).

The technical review shall always be planned and carried out by competent and pre-approved staff.

Maintenance and updating of data systems according to manufacturer guidelines
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system management
requirements

Task is fulfilling also these other security requirements

6.5: Tietojärjestelmien asennus, ylläpito ja päivitys
Self-monitoring
6.10: Työasemien, mobiililaitteiden ja käyttöympäristön tukipalveluiden hallinta
Tietoturvasuunnitelma
6.6: Tietojärjestelmien asennus, ylläpito ja päivitys
Tietoturvasuunnitelma
Article 7: ICT systems, protocols and tools
DORA
4.1: Tietojärjestelmien tietoturvallisuus
TiHL: Tietoturva
1. Task description

The organization must make sure that data systems are maintained and updated according to the manufacturer guidelines

Defining and documenting cyber security metrics
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
requirements

Task is fulfilling also these other security requirements

13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
7.2.1: Management responsibilities
ISO27 Full
HAL-07: Seuranta ja valvonta
Julkri
9.1: Monitoring, measurement, analysis and evaluation
ISO27k1 Full
11: Digiturvan mittarien määrittäminen
Sec overview
1. Task description

The organisation regularly evaluates the level of cyber security and the effectiveness of the information security management system.

Organisation has defined:

  • monitored metrics to provide comparable results on the development of cyber security level
  • persons responsible for the metering
  • methods, timetable and responsible persons for metrics reviewing and evaluation
  • methods to document metric-related evaluations and results

Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing organisation's success / failure related to cyber security.

Ensuring the reliability of data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Continuity management
requirements

Task is fulfilling also these other security requirements

6.2a: Jatkuvuuden hallinta
Tietoturvasuunnitelma
Article 7: ICT systems, protocols and tools
DORA
Article 9: Prevention
DORA
4.1: Tietojärjestelmien tietoturvallisuus
TiHL: Tietoturva
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident.
CyFun
1. Task description

To ensure the reliability of the systems, the following measures should be taken:

  • Duplication of the systems
  • Planned temporary solutions in case of problem situations
  • Spare parts available
  • Using special components
  • Active monitoring
  • Active maintenance activities

Maintenance, updating and possible renewal of information systems, devices and networks should be planned with the necessary component and software updates to be implemented before possible failures. When examining the criticality of components, the perspective of customer and patient safety should be taken into account.

Monitoring the use of the available capacity
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
requirements

Task is fulfilling also these other security requirements

A1.1: Evaluation of current processing capacity
SOC 2
4.1: Tietojärjestelmien tietoturvallisuus
TiHL: Tietoturva
1. Task description

The operation of information systems may depend on certain key resources, such as server capacity,storage space, data processing capacity,monitoring capacity or certain< em>key people.

The organization has defined key resources and methods for monitoring the use of these key resources. A normal level is also determined for the resources, which is used when assessing the risk of jeopardizing availability due to capacity problems.

The competence and responsibilites of the personnel maintaining data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system management
requirements

Task is fulfilling also these other security requirements

6.5: Tietojärjestelmien asennus, ylläpito ja päivitys
Self-monitoring
6.6: Tietojärjestelmien asennus, ylläpito ja päivitys
Tietoturvasuunnitelma
4.1: Tietojärjestelmien tietoturvallisuus
TiHL: Tietoturva
1. Task description

The organization must ensure that information systems are installed, maintained and updated only by personnel who have the necessary skills and expertise. In addition, the role and responsibilities of the person who installs, maintains and updates information systems must be described in relation to the organization and the producer of the information system.

No items found.