Change management procedures

Software under development, testing and production is run in differentiated technical environments in order to ensure the quality of development work in an environment that adapts to the production environment and, on the other hand, the production environment is not disturbed by unfinished development.

Sensitive or personal data of users is not copied and used in a development environment.

The development unit itself maintains a list of criteria that need to be met before a task can be marked as completed. The criteria may include e.g. review requirements, documentation requirements and testing requirements.

New code will only be implemented after extensive testing that meets pre-defined criteria. Tests should cover usability, security, effects on other systems, and user-friendliness.

All employees handling confidential information should sign a confidentiality or non-disclosure agreement before processing confidential information.

The confidentiality commitment should include, among other things:

• a clear definition of confidential information
• the expected duration of the commitment
• required actions when the commitment is terminated
• the responsibilities and actions of signatories to prevent unauthorized disclosure of information
• ownership of information, trade secrets, and intellectual property and how this relates to the protection of confidential information
• permissible use of confidential information and the signatory's rights to use the information
• the right to audit and monitor activities involving confidential information

The requirements and needs for confidentiality agreements are reviewed and updated at regular intervals.

In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.

General rules for reviewing, approving and publishing the code have been defined and enforced.

The rules may include e.g. the following things:

• the generated code has been validated against the general safe development guidelines of the OWASP Framework
• the code has been reviewed by at least two people
• the changes have been approved by a designated, authorized user prior to publication
• the system documentation has been updated before release
• the time of publication of the changes has been chosen in accordance with the given instructions in order to minimize disruption to business processes
• the instructions needed by users have been updated before the code is released

The rules are intended to manage the risks associated with the release of new program code.

Only pre-defined, authorized users are allowed to post changes to the code.

Access to source code and other related plans is controlled to prevent e.g. adding unauthorized code and avoiding unintentional changes. Access rights are allocated on a need-to-know basis and, for example, support staff are not granted unlimited access rights.

Source code control can be implemented, for example, by storing all code centrally in a dedicated source code management system.

The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.

The safe development policy may include e.g. the following things:

• safety requirements of the development environment
• instructions for secure coding of the programming languages used
• safety requirements at the design stage of properties or projects
• secure software repositories
• version control security requirements
• the skills required from developers to avoid, discover and fix vulnerabilities
• compliance with secure coding standards

Compliance with the rules of secure development may also be required of key partners.

Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:

• Defining and documenting the change
• Assessing the risks and defining the necessary control measures
• Other impact assessment of the change
• Testing and quality assurance
• Managed implementation of the change
• Updating a change log

Determined system portfolio management means a clear picture of the organization's system as a whole, the benefits of different systems and future needs.

The aim of system portfolio management is to achieve e.g.:

• efficiency benefits by understanding the whole and e.g. the possibilities of integrations
• eliminate duplication
• save on unnecessary licensing costs
• control the number of suppliers
• facilitate staff guidance