Content library
Tietoturvasuunnitelma (THL 3/2024)
6.11: Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta

How to fill the requirement

Tietoturvasuunnitelma (THL 3/2024)

6.11: Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta

Task name
Priority
Status
Theme
Policy
Other requirements
Choosing and using network protection systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Virtualization
requirements

Task is fulfilling also these other security requirements

PR.PT-4: Communications and control networks
NIST
ARCHITECTURE-2: Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2: MIL1
CC6.6: Logical access security measures against threats from sources outside system boundries
SOC 2
6.11: Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta
Tietoturvasuunnitelma
3.1.1: Management of secure areas
TISAX
1. Task description

Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.

An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The techniques should be suitable for controlling physical, logical and administrative controls.

Personnel guidelines for secure remote work
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Remote work and mobile devices
Remote work
requirements

Task is fulfilling also these other security requirements

7.2.2: Information security awareness, education and training
ISO27 Full
6.2.2: Teleworking
ISO27 Full
6.6.4: Fyysisten tilojen, laitteiden ja tulosteiden turvallisuus
Self-monitoring
PR.AC-3: Remote access management
NIST
FYY-04: Tiedon säilytys
Julkri
1. Task description

Remote workers have their own operating guidelines, which are monitored. In addition, regular training is provided to staff to identify threats to information security arising from the use of mobile devices and remote work, and to review the guidelines.

Regular testing, evaluation, and recovery instructions for backups
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Backups
requirements

Task is fulfilling also these other security requirements

12.3: Backup
ISO27 Full
12.3.1: Information backup
ISO27 Full
12.1.1: Documented operating procedures
ISO27 Full
PR.IP-4: Backups
NIST
TEK-20: Varmuuskopiointi
Julkri
1. Task description

The media used for backups and the restoration of backups are tested regularly to ensure that they can be relied on in an emergency.

Accurate and complete instructions are maintained for restoring backups. The policy is used to monitor the operation of backups and to prepare for backup failures.

Käsittelyn turvallisuuden lisätoimenpiteet erityisiä henkilötietoja käsiteltäessä
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Security and responsibilities
requirements

Task is fulfilling also these other security requirements

TSU-13: Käsittelyn turvallisuus
Julkri
6.11: Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta
Tietoturvasuunnitelma
1. Task description

Käsiteltäessä erityisiin henkilötietoryhmiin kuuluvia tai rikostuomioihin ja rikoksiin liittyviä henkilötietoja organisaatio toteuttaa asianmukaiset ja erityiset toimenpiteet rekisteröidyn oikeuksien suojaamiseksi.

Näitä erityisiä toimenpiteitä voivat olla mm.:

  • käsittelyn tarkempi lokitus
  • erityisiä henkilötietoja käsittelevän henkilöstön tarkempi ohjeistaminen
  • tarkempi pääsynhallinta liittyviin henkilötietoihin
  • henkilötietojen pseudonymisointi liittyvissä käsittelytoimissa
  • henkilötietojen salaus liittyvissä käsittelytoimissa
  • käsittelyyn liittyvien järjestelmien tietoturvatarkistukset
  • tietosuojan vaikutustenarvioinnin toteuttaminen
  • muut tietojen turvallisuutta parantavat toimenpiteet
Documentation of bases for personal data transfer for relevant partners
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Data transfer and disclosure
requirements

Task is fulfilling also these other security requirements

44. General principle for transfers
GDPR
45. Transfers on the basis of an adequacy decision
GDPR
46. Transfers subject to appropriate safeguards
GDPR
47. Binding corporate rules
GDPR
48. Transfers or disclosures not authorised by Union law
GDPR
1. Task description

GDPR defines the conditions for the lawful transfer of personal data outside the EU or the EEA.

The organization shall document all data transfers and the applicable transfer criteria. Data transfers can occur, for example, based on the location of the data system, the data processing partner or the recipient of the data disclosure.

Determining responsibilities for backing up important information assets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Backups
requirements

Task is fulfilling also these other security requirements

I24: Varmuuskopiointi
Katakri
12.3.1: Information backup
ISO27 Full
12.3: Backup
ISO27 Full
PR.IP-4: Backups
NIST
TEK-20: Varmuuskopiointi
Julkri
1. Task description

With adequate backups, all important data and programs can be restored after a disaster or media failure. An important first step in a functional backup strategy is to identify who is responsible for backing up each piece of data. Determining the responsibility for backup is the responsibility of the owners of the information assets (systems, hardware).

If the backup is the responsibility of the partner, we will find out:

  • how comprehensively does the partner back up the data?
  • how the data can be recovered if necessary?
  • how the backups are agreed in the contracts?

If the backup is our own responsibility, we will find out:

  • whether the data backup process exists and is documented?
  • whether the coverage and implementation cycle of the backup is at the level required by the importance of the data?
Inventory and documentation of data processing agreements
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Data transfer and disclosure
requirements

Task is fulfilling also these other security requirements

28. Data processor
GDPR
15.1.2: Addressing security within supplier agreements
ISO27 Full
13.2.2: Agreements on information transfer
ISO27 Full
A.8.2.4: Infringing instruction
ISO 27701
5.14: Information transfer
ISO27k1 Full
1. Task description

The processors of personal data (e.g. providers of data systems, other partners using our employee or customer data) and the agreements related to the processing of personal data have been documented. The documentation includes e.g.:

  • Processor name and location
  • Purpose of processing data
  • Status of agreement
Executing and documenting data protection impact assessments
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
requirements

Task is fulfilling also these other security requirements

35. Data protection impact assessment
GDPR
36. Prior consultation
GDPR
A.7.2.5: Privacy impact assessment
ISO 27701
TSU-16: Tietosuojariskien hallinta
Julkri
TSU-17 : Tietosuojan vaikutustenarviointi
Julkri
1. Task description

The purpose of a data protection impact assessment is to help identify, assess and manage the risks involved in the processing of personal data. An impact assessment must be carried out when the processing of personal data is likely to pose a high risk to people's rights and freedoms. Risks are increased by, for example, the use of new technologies, the processing of sensitive personal data, the automation of personal characteristics or the scale of processing in general.

Task owner regularly evaluates organisation's processing of personal data, in particular, the databanks and related processing purposes and the data systems used, in order to determine the need for impact assessments. Task owner is also responsible for ensuring the identified impact assessments get conducted and documented.

Monitoring suppliers' compliance with security requirements
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
requirements

Task is fulfilling also these other security requirements

32. Security of processing
GDPR
15.1.1: Information security policy for supplier relationships
ISO27 Full
15.2.1: Monitoring and review of supplier services
ISO27 Full
ID.GV-2: Cybersecurity role coordination
NIST
ID.SC-1: Cyber supply chain
NIST
1. Task description

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

  • monitoring the promised service level
  • reviewing supplier reports and arranging follow-up meetings
  • regular organization of independent audits
  • follow-up of problems identified in audits
  • more detailed investigation of security incidents and review of related documentation
  • review of the supplier's future plans (related to maintaining the service level)
Monitoring the use of the network and information systems to identify anomalies
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
requirements

Task is fulfilling also these other security requirements

8.16: Monitoring activities
ISO27k1 Full
6.11: Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta
Tietoturvasuunnitelma
I-11: MONITASOINEN SUOJAAMINEN – POIKKEAMIEN HAVAINNOINTIKYKY JA TOIPUMINEN
Katakri 2020
5.2.3: Malware protection
TISAX
DE.CM-1: The network is monitored to detect potential cybersecurity events.
CyFun
1. Task description

Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.

The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.

Inclusion of the following sources in the monitoring system should be considered:

  • outbound and inbound network and data system traffic

    li>

  • access to critical data systems, servers, network devices and the monitoring system itself
  • critical system and network configuration files
  • logs from security tools (e.g. antivirus, IDS, IPS, network filters, firewalls)

Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.

Tietoteknisten ympäristöjen toimivuuden varmistaminen
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
requirements

Task is fulfilling also these other security requirements

VAR-07: Tietoteknisten ympäristöjen varmentaminen
Julkri
6.11: Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta
Tietoturvasuunnitelma
1. Task description

Tietoteknisissä ympäristöissä ja niihin liittyvissä sopimuksissa on huomioitu toiminnan kannalta tärkeiden palveluiden saatavuus häiriötilanteissa.

Tärkeiden palvelujen tietotekniset ympäristöt varmennetaan esimerkiksi kahdentamalla siten, että yksittäisten komponenttien vikaantumiset eivät aiheuta toiminnan edellyttämää palvelutasoa pidempiä käyttökatkoja.

Tietotekniset ympäristöt voidaan varmentaa varavoimalla tai varavoimaliitännöillä siten, että sähkönjakelu voidaan käynnistää riittävän nopeasti ja ylläpitää sitä riittävän ajan suhteessa toiminnan vaatimuksiin.

No items found.