Toimijoiden on toteutettava kyberturvallisuutta koskevan riskienhallinnan toimintamallin mukaiset oikeasuhtaiset tekniset, operatiiviset tai organisatoriset hallintatoimenpiteet viestintäverkkojen ja tietojärjestelmien turvallisuuteen kohdistuvien riskien hallitsemiseksi ja haitallisten vaikutusten estämiseksi tai minimoimiseksi.
Toimintamallissa ja siihen perustuvissa hallintatoimenpiteissä on otettava huomioon ja pidettävä yllä ajantasaisesti toimenpiteet viestintäverkkojen ja tietojärjestelmien fyysisen ympäristön ja tilaturvallisuuden sekä välttämättömien resurssien varmistamiseksi.
Visitors shall have access to secure areas only with permission, after they are appropriately identified and their access rights shall be limited to the necessary facilities. All visits are recorded in the visitor log. In addition, staff have guidelines about safe operating in connection with visits.
Secure areas of the organization cannot be accessed unnoticed. The premises are protected by appropriate access control. Only authorized persons have access to the secure areas.
Staff have instructions and tools to help them report a lost physical identifier (e.g. keychain, smart card, smart sticker).
People can't move around the organization's premises without a visible identifier.
The operation of basic services (such as electricity, telecommunications, water supply, sewerage, heating, ventilation and air conditioning) will be monitored to ensure that their capacity covers business growth.
For example, data processing equipment, as well as other important equipment, should be placed in the premises safely and with consideration. Placement should restrict unauthorized access to devices.
The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.
A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning). In addition the organization should make sure that relevant external devices are documented.
Organization has defined the areas for handling confidential information and the operating rules that are followed in all activities that take place in the corresponding areas.
In the rules, consideration should be given to the following points:
Alarm systems monitor the level of key environmental conditions (e.g. temperature and humidity) that can adversely affect the operation of data processing equipment. There should also be a functioning fire alarm system in the environment.
.png)
