Toimijoiden on toteutettava kyberturvallisuutta koskevan riskienhallinnan toimintamallin mukaiset oikeasuhtaiset tekniset, operatiiviset tai organisatoriset hallintatoimenpiteet viestintäverkkojen ja tietojärjestelmien turvallisuuteen kohdistuvien riskien hallitsemiseksi ja haitallisten vaikutusten estämiseksi tai minimoimiseksi.
Toimintamallissa ja siihen perustuvissa hallintatoimenpiteissä on otettava huomioon ja pidettävä yllä ajantasaisesti viestintäverkkojen ja tietojärjestelmien hankinnan, kehittämisen ja ylläpidon turvallisuus sekä tarvittavat menettelyt haavoittuvuuksien käsittelemiseksi ja julkistamiseksi.
The organization has defined a process for addressing identified technical vulnerabilities.
Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:
Software under development, testing and production is run in differentiated technical environments in order to ensure the quality of development work in an environment that adapts to the production environment and, on the other hand, the production environment is not disturbed by unfinished development.
Sensitive or personal data of users is not copied and used in a development environment.
Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.
The organization monitors information about technical vulnerabilities of the information systems in use. When relevant technical vulnerabilities are detected, the organization takes action according to the planned operating model.
Organization must be able to monitor that devices, data systems and networks are maintained in accordance with the defined configurations (including security features) both during the implementation phase and throughout their entire life cycle.
For this, the organization has defined standard templates for secure configurations of devices, data systems and networks. When specifying standard templates, the following are taken into account:
Standard templates should be checked regularly and updated when significant new threats or vulnerabilities need to be responded to or new software or hardware versions are released.
The following points should be taken into account when defining standard templates:
The data and other materials used for testing should be carefully selected and protected.
Production information that contains personal or other confidential information should not be used for testing purposes.
The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.
The safe development policy may include e.g. the following things:
Compliance with the rules of secure development may also be required of key partners.
Even when development is outsourced, we remain responsible for complying with appropriate laws and verifying the effectiveness of security controls.
We have defined the procedures that we monitor and follow throughout the outsourcing chain.Practices may include e.g. the following things:
Inadequate change management is a common cause of incidents for digital services.
An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:
Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.
An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.
Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:
Separation can be implemented either with physically separate networks or with logically separate networks.
The definition of security-critical code for the various services is maintained. New parts of the critical code are constantly being identified and new updates are being checked particularly closely for changes to the critical code. The aim is to keep the likelihood of security vulnerabilities to a minimum.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.