Tietojärjestelmien asennus, ylläpito ja päivitys

Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.

Data system documentation must include at least:

• System purpose and linked responsibilities
• System's data location (covered in a separate task)
• System's maintenance and development responsibilities and linked partners (covered in a separate task)
• When necessary system's access roles and authentication methods (covered in a separate task)
• When necessary systems interfaces to other systems (covered in a separate task)

Centrally select and install malware detection and repair programs and update them regularly for preventive or regular scanning of computers and media.

Programs should check at least the following:

• files received over the network or storage media are scanned for malware before use
• email attachments and downloaded files are scanned for malware before use
• websites are scanned for malware

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Malware protection systems automatically check for and install updates at desired intervals and also run the desired scans at the selected frequency without needed user actions.

The organization must make sure that data systems are maintained and updated according to the manufacturer guidelines

In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.

The organization regularly conducts a vulnerability scan, which searches for vulnerabilities found on computers, workstations, mobile devices, networks or applications. It is important to scan even after significant changes.

It should be noted that vulnerable source code can be from operating system software, server applications, user applications, as well as from the firmware application as well as from drivers, BIOS and separate management interfaces (e.g. iLo , iDrac). In addition to software errors, vulnerabilities occur from configuration errors and old practices, such as the use of outdated encryption algorithms.

The organization must ensure that information systems are installed, maintained and updated only by personnel who have the necessary skills and expertise. In addition, the role and responsibilities of the person who installs, maintains and updates information systems must be described in relation to the organization and the producer of the information system.

Once a vulnerability is identified, suppliers often have significant pressure to release patches as soon as possible. Therefore, the patch may not adequately address the issue and may have harmful side effects.

In evaluating patches, e.g. the following things should be taken into account:

• whether the patch can be pre-tested properly?
• whether it is wise to expect experience from other repairers?
• whether the patch is available from a trusted source?
• what are the risks of installing the patch and delaying the installation?
• whether other actions are needed, such as disabling vulnerability features, increasing monitoring, or reporting about the vulnerability