Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta

Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.

An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The techniques should be suitable for controlling physical, logical and administrative controls.

Remote workers have their own operating guidelines, which are monitored. In addition, regular training is provided to staff to identify threats to information security arising from the use of mobile devices and remote work, and to review the guidelines.

The media used for backups and the restoration of backups are tested regularly to ensure that they can be relied on in an emergency.

Accurate and complete instructions are maintained for restoring backups. The policy is used to monitor the operation of backups and to prepare for backup failures.

Käsiteltäessä erityisiin henkilötietoryhmiin kuuluvia tai rikostuomioihin ja rikoksiin liittyviä henkilötietoja organisaatio toteuttaa asianmukaiset ja erityiset toimenpiteet rekisteröidyn oikeuksien suojaamiseksi.

Näitä erityisiä toimenpiteitä voivat olla mm.:

• käsittelyn tarkempi lokitus
• erityisiä henkilötietoja käsittelevän henkilöstön tarkempi ohjeistaminen
• tarkempi pääsynhallinta liittyviin henkilötietoihin
• henkilötietojen pseudonymisointi liittyvissä käsittelytoimissa
• henkilötietojen salaus liittyvissä käsittelytoimissa
• käsittelyyn liittyvien järjestelmien tietoturvatarkistukset
• tietosuojan vaikutustenarvioinnin toteuttaminen
• muut tietojen turvallisuutta parantavat toimenpiteet

GDPR defines the conditions for the lawful transfer of personal data outside the EU or the EEA.

The organization shall document all data transfers and the applicable transfer criteria. Data transfers can occur, for example, based on the location of the data system, the data processing partner or the recipient of the data disclosure.

With adequate backups, all important data and programs can be restored after a disaster or media failure. An important first step in a functional backup strategy is to identify who is responsible for backing up each piece of data. Determining the responsibility for backup is the responsibility of the owners of the information assets (systems, hardware).

If the backup is the responsibility of the partner, we will find out:

• how comprehensively does the partner back up the data?
• how the data can be recovered if necessary?
• how the backups are agreed in the contracts?

If the backup is our own responsibility, we will find out:

• whether the data backup process exists and is documented?
• whether the coverage and implementation cycle of the backup is at the level required by the importance of the data?

The processors of personal data (e.g. providers of data systems, other partners using our employee or customer data) and the agreements related to the processing of personal data have been documented. The documentation includes e.g.:

• Processor name and location
• Purpose of processing data
• Status of agreement

The purpose of a data protection impact assessment is to help identify, assess and manage the risks involved in the processing of personal data. An impact assessment must be carried out when the processing of personal data is likely to pose a high risk to people's rights and freedoms. Risks are increased by, for example, the use of new technologies, the processing of sensitive personal data, the automation of personal characteristics or the scale of processing in general.

Task owner regularly evaluates organisation's processing of personal data, in particular, the databanks and related processing purposes and the data systems used, in order to determine the need for impact assessments. Task owner is also responsible for ensuring the identified impact assessments get conducted and documented.

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

• monitoring the promised service level
• reviewing supplier reports and arranging follow-up meetings
• regular organization of independent audits
• follow-up of problems identified in audits
• more detailed investigation of security incidents and review of related documentation
• review of the supplier's future plans (related to maintaining the service level)

Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.

The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.

Inclusion of the following sources in the monitoring system should be considered:

• outbound and inbound network and data system traffic

  li>

• access to critical data systems, servers, network devices and the monitoring system itself
• critical system and network configuration files
• logs from security tools (e.g. antivirus, IDS, IPS, network filters, firewalls)

Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.

Tietoteknisissä ympäristöissä ja niihin liittyvissä sopimuksissa on huomioitu toiminnan kannalta tärkeiden palveluiden saatavuus häiriötilanteissa.

Tärkeiden palvelujen tietotekniset ympäristöt varmennetaan esimerkiksi kahdentamalla siten, että yksittäisten komponenttien vikaantumiset eivät aiheuta toiminnan edellyttämää palvelutasoa pidempiä käyttökatkoja.

Tietotekniset ympäristöt voidaan varmentaa varavoimalla tai varavoimaliitännöillä siten, että sähkönjakelu voidaan käynnistää riittävän nopeasti ja ylläpitää sitä riittävän ajan suhteessa toiminnan vaatimuksiin.