Content library
Katakri 2020
T-04: TURVALLISUUSOHJEISTUS

How to fill the requirement

Katakri 2020

T-04: TURVALLISUUSOHJEISTUS

Task name
Priority
Status
Theme
Policy
Other requirements
Staff guidance and training procedure in cyber security
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
requirements

Task is fulfilling also these other security requirements

T11: Turvallisuuskoulutus ja -tietoisuus
Katakri
4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
TiHL
29. Processing under the authority of the controller or processor
GDPR
32. Security of processing
GDPR
7.2.1: Management responsibilities
ISO27 Full
1. Task description

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

  • staff receive instructions describing the general guidelines of digital security related to their job role
  • staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
  • staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

  • employee's personal security responsibilities (e.g. for devices and processed data)
  • policies relevant for everyone (e.g. security incident reporting)
  • guidelines relevant for everyone (e.g. clean desk)
  • organization's security roles (who to contact with problems)
Personnel guidelines for safe processing of personal and confidential data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
requirements

Task is fulfilling also these other security requirements

29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO27 Full
18.1.4: Privacy and protection of personally identifiable information
ISO27 Full
12.1.1: Documented operating procedures
ISO27 Full
11.2.8: Unattended user equipment
ISO27 Full
1. Task description

The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.

Personnel guidelines for safe data system and authentication info usage
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system management
requirements

Task is fulfilling also these other security requirements

32. Security of processing
GDPR
29. Processing under the authority of the controller or processor
GDPR
8.1.3: Acceptable use of assets
ISO27 Full
12.1.1: Documented operating procedures
ISO27 Full
9.1.1: Access control policy
ISO27 Full
1. Task description

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Personnel guidelines for file usage and local data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Management of data sets
Management of data sets
requirements

Task is fulfilling also these other security requirements

7.2.2: Information security awareness, education and training
ISO27 Full
11.2.9: Clear desk and clear screen policy
ISO27 Full
6.6.4: Fyysisten tilojen, laitteiden ja tulosteiden turvallisuus
Self-monitoring
FYY-04: Tiedon säilytys
Julkri
5.10: Acceptable use of information and other associated assets
ISO27k1 Full
1. Task description

Especially when local or unstructured data needs to be handled a lot due to the nature of the activity, it may be necessary to develop training that describes the risks involved for staff.

Common problems with local and unstructured data include e.g.:

  • no backups
  • no access management
  • hard to locate

For data you do not want to lose, that you want to control, or that is important to find in the future, staff should use data systems designed for it.

Guidelines for operating in processing areas for confidential information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Physical security
Property security
requirements

Task is fulfilling also these other security requirements

7.6: Working in secure areas
ISO27k1 Full
42: Turvallisuusalueiden määrittely
Sec overview
11.1.5: Working in secure areas
ISO27 Full
SEC-05: Remote access user authentication
Cyber Essentials
6.9: Fyysinen turvallisuus osana tietojärjestelmien käyttöympäristön turvallisuutta
Tietoturvasuunnitelma
1. Task description

Organization has defined the areas for handling confidential information and the operating rules that are followed in all activities that take place in the corresponding areas.

In the rules, consideration should be given to the following points:

  • the rules and related areas are communicated only personnel for whom the information is relevant
  • unsupervised work in areas is minimized
  • areas are physically locked and checked regularly
  • prohibition of unauthorized recording devices (e.g. phones, video cameras)
  • monitoring the transportation of terminal devices
  • publishing emergency instructions in an easily accessible way
Informing about threats and guidelines related to classified information and related to work tasks
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Security guidelines
requirements

Task is fulfilling also these other security requirements

T-04: TURVALLISUUSOHJEISTUS
Katakri 2020
1. Task description

The management of the organization must ensure that the organization has up-to-date instructions on data processing, the use of information systems, data processing rights, the implementation of data management responsibilities, the implementation of access to information rights and information security measures.

In practice, the management defines how the up-to-dateness of the instructions is ensured and to which actors the instructions apply. taking care of up-to-dateness is part of it.

It is recommended to assign the responsibility for keeping the instructions up-to-date to those actors who have overall responsibility for information security, information systems, data reserves, record keeping, decision-making related to document requests, case management and archive work.

No items found.