ICT operations security

Centrally select and install malware detection and repair programs and update them regularly for preventive or regular scanning of computers and media.

Programs should check at least the following:

• files received over the network or storage media are scanned for malware before use
• email attachments and downloaded files are scanned for malware before use
• websites are scanned for malware

Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.

Data system documentation must include at least:

• System purpose and linked responsibilities
• System's data location (covered in a separate task)
• System's maintenance and development responsibilities and linked partners (covered in a separate task)
• When necessary system's access roles and authentication methods (covered in a separate task)
• When necessary systems interfaces to other systems (covered in a separate task)

Visitors shall have access to secure areas only with permission, after they are appropriately identified and their access rights shall be limited to the necessary facilities. All visits are recorded in the visitor log. In addition, staff have guidelines about safe operating in connection with visits.

The Authority must ensure that the necessary logs are kept of the use of its information systems and of the disclosure of information from them, if the use of the information system requires identification or other log-in. The purpose of log data is to monitor the use and disclosure of data contained in information systems and to detect technical errors in the information system.

In Cyberday, the owner of the information system may be responsible for controlling the collection of log data from the information system. The organisation documents the content of the logs in more detail for those information systems for which it is responsible for technical maintenance. For other information systems, the owner, in cooperation with the system vendor, checks that the necessary logs are collected.

Organization carries out threat intelligence by gathering information about information security threats related to its operations and how to protect against them. The goal is to increase awareness of the threat environment, so that own security level can be better evaluated and adequate control measures implemented.

When collecting threat intelligence, all three levels must be taken into account:

• strategic threat intelligence (e.g. information on the growing types of attackers and attacks)
• tactical threat intelligence (e.g. information about tools and technologies used in attacks)
• operational threat intelligence (e.g. details of specific attacks)

Principles related to threat intelligence should include:

• setting targets for threat intelligence
• identification, verification and selection of information sources used in threat intelligence
• gathering threat intelligence
• data processing for analysis (e.g. translation, formatting, compression)

All externally acquired products and services should be regularly checked for the need of acquiring patches, updates and or upgrades for software and hardware.

These revisions should be acquired only from trusted providers, as well as ensured that the maintenance is only performed by the approved supplier personnel and unauthorized changes are denied.

The provenance, authenticity and integrity of these products and services has to be also confirmed and required by organizational policies and kept intact.

Any compromises in security or need for patches should be reported to leaders and relevant parties promptly.

When assessing risks related to ICT services supporting critical functions, financial entities should consider:

• Whether contracting with a non-substitutable ICT service provider is involved.
• The implications of multiple contracts with the same or closely connected ICT service providers.
• Evaluating alternative solutions like using different service providers, aligning with business needs and digital resilience strategy.

Regarding subcontracting:

• Financial entities should assess benefits and risks of subcontracting, especially when subcontractors are based in third countries.
• Consideration of insolvency law provisions in case of the service provider's bankruptcy and constraints on data recovery.
• Compliance with Union data protection rules and law enforcement in third countries.
• Assessment of potential impacts of complex subcontracting chains on monitoring and supervisory abilities.

The operation of information systems may depend on certain key resources, such as server capacity, file storage capacity, data processing capacity, monitoring capacity or certain key persons.

In particular, some of these resources may have long delivery times or high costs in certain situations, in which case special attention must be paid to future capacity problems with them.

We monitor the use of key system resources and identify trends, potential security bottlenecks and dependencies on important people.

The organization regularly conducts a vulnerability scan, which searches for vulnerabilities found on computers, workstations, mobile devices, networks or applications. It is important to scan even after significant changes.

It should be noted that vulnerable source code can be from operating system software, server applications, user applications, as well as from the firmware application as well as from drivers, BIOS and separate management interfaces (e.g. iLo , iDrac). In addition to software errors, vulnerabilities occur from configuration errors and old practices, such as the use of outdated encryption algorithms.

Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:

• Defining and documenting the change
• Assessing the risks and defining the necessary control measures
• Other impact assessment of the change
• Testing and quality assurance
• Managed implementation of the change
• Updating a change log

The data systems (and their content) that support critical business processes are regularly reviewed to locate malware. All unauthorized files and changes will be formally investigated.

The organization must develop a process to automate the treatment of technical vulnerabilities.

The organization shall allow only pre-approved personnel access to security restricted areas.

All entry and exit points shall be blocked, documented and controlled by access control systems by default.

All access to security restricted areas must create log events and the organization must determine how long the logs will be retained.

The organization must ensure the availability of information systems throughout their entire lifecycle. For this reason, the availability requirements of different information systems (especially the maximum time a system can be out of service, recovery time objective, and recovery point objective) must be met.

The implementation of availability requirements must take into account the load endurance, fault tolerance, and recovery time required from the information system.

Additionally, the need for procedures that protect availability has been identified, and procedures have been implemented with customized protections for critical systems. These protections may include, for example, redundancy of key network connections, hardware, and application execution environments.

Access to buildings containing critical systems must be constantly monitored to detect unauthorized access or suspicious activity. The following issues should be taken into account in monitoring practices:

• touch, sound or motion detectors that trigger an intrusion alarm
• covering exterior doors and windows using sensors
• supervision of unstaffed and otherwise important (e.g. server or communication technology) premises
• regular testing of alarm systems

Information related to surveillance systems should be kept confidential, as disclosure of information can facilitate undetected breaches. The monitoring systems themselves must also be properly protected, so that the recordings or system status cannot be affected without permission.

Organization carries out threat intelligence by analyzing and utilizing collected information about relevant cyber security threats related and corresponding protections.

When analyzing and utilizing the collected threat intelligence information, the following points must be taken into account:

• analyzing how the threat intelligence information relates to to our own operations
• analyzing how relevant threat intelligence information is to our operations
• communicating and sharing information in an understandable form to relevant persons
• utilizing the findings of threat intelligence to determine the adequacy of technical protections, technologies used and information security testing methods for analysis

Current configurations of devices, data systems and networks are documented and a log is maintained of configuration changes.

Changes to configurations must be controlled and go through the change management procedure. Only authorized personnel are allowed to make changes to the configurations.

Configuration information may include e.g.:

• property owner and contact point information
• date of last configuration change
• configuration model version
• connections to other assets

The organization monitors information about technical vulnerabilities of the information systems in use. When relevant technical vulnerabilities are detected, the organization takes action according to the planned operating model.

Organisations should have a clear plan detailing how phase-outs are managed. This plan should include, e.g., the processes involved and how transition to a new product is handled.

If the ICT product doesn't have the recent security functions and protocols, it shouldn't be used and should be phased out.

Phase-outs should be planned in advance, before the provider drops product support, to ensure the use of the latest security functions and protocols. For example, some older applications might have the latest security functions, but do not work well with newer exploit protections. In this scenario, exceptions should be made to avoid deactivating the protection entirely, but it is essential to remember that the phase-out process is likely to be relevant in the near future.

After the phase-out, it is important to evaluate the processes and document the lessons learned for the future.