TURVALLISUUSOHJEISTUS

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

• staff receive instructions describing the general guidelines of digital security related to their job role
• staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
• staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

• employee's personal security responsibilities (e.g. for devices and processed data)
• policies relevant for everyone (e.g. security incident reporting)
• guidelines relevant for everyone (e.g. clean desk)
• organization's security roles (who to contact with problems)

The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Especially when local or unstructured data needs to be handled a lot due to the nature of the activity, it may be necessary to develop training that describes the risks involved for staff.

Common problems with local and unstructured data include e.g.:

• no backups
• no access management
• hard to locate

For data you do not want to lose, that you want to control, or that is important to find in the future, staff should use data systems designed for it.

Organization has defined the areas for handling confidential information and the operating rules that are followed in all activities that take place in the corresponding areas.

In the rules, consideration should be given to the following points:

• the rules and related areas are communicated only personnel for whom the information is relevant
• unsupervised work in areas is minimized
• areas are physically locked and checked regularly
• prohibition of unauthorized recording devices (e.g. phones, video cameras)
• monitoring the transportation of terminal devices
• publishing emergency instructions in an easily accessible way

The management of the organization must ensure that the organization has up-to-date instructions on data processing, the use of information systems, data processing rights, the implementation of data management responsibilities, the implementation of access to information rights and information security measures.

In practice, the management defines how the up-to-dateness of the instructions is ensured and to which actors the instructions apply. taking care of up-to-dateness is part of it.

It is recommended to assign the responsibility for keeping the instructions up-to-date to those actors who have overall responsibility for information security, information systems, data reserves, record keeping, decision-making related to document requests, case management and archive work.