Operators must implement proportionate technical, operational or organisational management measures, in accordance with the cyber security risk management operating model, to manage the risks to the security of communications networks and information systems and to prevent or minimise adverse effects.
The operating model, and the management measures based on it, must take into account and keep up to date asset management and the identification of the functions that are important for the security of those assets.
The organization must maintain a list of the data systems in use and their owners. The owner is responsible for completing the related documentation and any other security actions directly related to the data system.
The data system documentation must include at least:
The organization must maintain a list of the data stores under its control and their owners. The owner is responsible for completing the documentation and any other security actions directly related to the data store.
The data store documentation must include at least:
The organization shall maintain a list of data sets contained in the data stores it manages.
The documentation shall include at least the following information:
The organization maintains documentation of the interfaces and other connections between data systems, and of the data transmission methods used in those interfaces.
The documentation concerning the interfaces shall be reviewed regularly and after significant changes to data systems.
The assets to be protected in connection with information and data processing services should be inventoried. The purpose is to ensure that cyber security efforts are focused on the information assets that actually need protection.
Inventory can be done directly in the management system, but an organization may have other, well-functioning inventory locations for certain assets (including code repositories, databases, network devices, mobile devices, workstations, servers, or other physical assets).
In this task, describe which lists outside the management system relate to the protection of information assets.
The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.
A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are handled through other tasks. In addition, the organization must list its other important assets, which may include, depending on the nature of its operations, hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning). The organization should also make sure that relevant external devices are documented.
Data subjects have the same rights to their personal data regardless of the form in which we store it. We need to be able to describe the processing and to provide data subjects with access to their personal data, whether it is held on paper, in local files or in data systems.
We document separately any personal data that is stored outside of data systems.