Vastuut tietoturvan sekä asiakastietojen asianmukaisen käsittelyn varmistamisessa

Organisaation on luotava ja ylläpidettävä tietoturvasuunnitelmaa.

Asiakastietolain 27 §:n mukaisesti palvelunantajan on laadittava tietoturvaan ja tietosuojaan sekä tietojärjestelmien käyttöön liittyvä tietoturvasuunnitelma.

Tämän määräyksen(MÄÄRÄYS 3/2024) mukaista tietoturvasuunnitelmaa ei tule sisällyttää tai yhdistää julkaistaviin tai julkisesti saatavilla oleviin omavalvontasuunnitelmiin. Tietoturvasuunnitelmaa ja siinä viitattuja liitedokumentteja tulee käsitellä ja säilyttää ottaen huomioon tarvittava suojaaminen sivullisilta ja tarvittaessa niihin tulee merkitä salassa pidettävä -tieto

The organization must operate, maintain, and continuously develop a security management system.

The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier of parties' obligations regarding to complying with security requirements.

The organization shall include in the supplier agreement, as appropriate:

• the data used by the supplier (and possible data classification) and staff receiving access to data
• rules on the acceptable use of data
• confidentiality requirements for data processing staff
• parties responsibilities in meeting regulatory requirements
• parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
• reporting and correcting incidents
• requirements for the use of subcontractors
• allowing auditing supplier processes and controls related to the contract (and committing to correcting non-conformities)
• a commitment to return or destroy data at the end of the contract
• the supplier's responsibility to comply with organization's security guidelines

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

Organization's top management sets security objectives. Security objectives meet the following requirements:

• they shall take into account applicable data security and data protection requirements and the results of risk assessment and treatment
• they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
• they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
• they are documented and (if possible) measurable

In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.

Top management must ensure clear responsibilities / authority on at least the following themes:

• who is primarily responsible for ensuring that the information security management system complies with the information security requirements
• who act as ISMS theme owners responsible for the main themes of the information security management system
• who has the responsibility and authority to report to top management on the performance of the information security management system
• who is authorized to carry out internal audits

The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.

In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated. It is also important to recognize the roles and responsibilities of external partners and providers.

The ISMS should monitor the implementation of the tasks and guidelines recorded therein.

The task owner should regularly review the implementation status of the ISMS as a whole.