Content library
Julkri: TL IV-I
HAL-16: Hankintojen turvallisuus

How to fill the requirement

Julkri: TL IV-I

HAL-16: Hankintojen turvallisuus

Task name
Priority
Status
Theme
Policy
Other requirements
General rules for the procurement of data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
requirements

Task is fulfilling also these other security requirements

13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
14.1.1: Information security requirements analysis and specification
ISO27 Full
HAL-16: Hankintojen turvallisuus
Julkri
5.23: Information security for use of cloud services
ISO27k1 Full
52: Tietoturva- ja tietousojavaatimukset hankintavaatimuksissa
Sec overview
1. Task description

Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.

Security rules for the development and acquisition of data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
requirements

Task is fulfilling also these other security requirements

I13: Ohjelmistoilla toteutettavat pääsynhallintatoteutukset
Katakri
13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
14.1.1: Information security requirements analysis and specification
ISO27 Full
14.1.2: Securing application services on public networks
ISO27 Full
14.2.5: Secure system engineering principles
ISO27 Full
1. Task description

Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.

Criteria for suppliers of high priority data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
requirements

Task is fulfilling also these other security requirements

15.1.1: Information security policy for supplier relationships
ISO27 Full
14.1.1: Information security requirements analysis and specification
ISO27 Full
15.2.1: Monitoring and review of supplier services
ISO27 Full
ID.SC-1: Cyber supply chain
NIST
ID.SC-4: Audit suppliers and third-party partners
NIST
1. Task description

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Requiring a system description from suppliers of important information systems to be acquired
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
requirements

Task is fulfilling also these other security requirements

HAL-16: Hankintojen turvallisuus
Julkri
21.2.e: Secure system acquisition and development
NIS2
1. Task description

Organization must ensure in advance that the acquired data systems are secure. In order to ensure this, the supplier of the important data system to be acquired must be required to provide sufficient security-related clarifications already at the procurement stage.

The supplier must clarify at least the following:

  • There is a system description of the service. Based on the description of the service provider, you must be able to assess the general suitability of the service in question for the customer's use case. The system description must show at least
  • The service and implementation models of the service, as well as the related service level agreements (Service Level Agreements, SLAs).
  • The principles of the life cycle (development, use, decommissioning) of service provision procedures and security measures, including control measures.
  • Description of the infrastructure, network and system components used in the development, maintenance/management and use of the service.
  • Principles and practices of change management, especially processes for handling changes affecting security.
  • Processing processes for significant events deviating from normal use, for example operating procedures in case of significant system failures.
  • Role and division of responsibilities related to the provision and use of the service between the customer and the service provider. The description must clearly show the actions that are the customer's responsibility in ensuring the safety of the service. The service provider's responsibilities must include the obligation to cooperate, especially in the investigation of abnormal situations.
  • Functions transferred or outsourced to subcontractors.
No items found.