Instructions on Implementing the Decree on Information Security in Central Government
The Government Information Security Management Board
2b/2010
VAHTI
Ministry of Finance
PO BOX 28 (Snellmaninkatu 1 A, Helsinki)
FI-00023 GOVERNMENT, FINLAND
Internet: www.vm.fi
Layout: Taina Ståhl
ISSN 1455-2566 (print)
ISBN 978-952-251-380-9 (print)
ISSN 1798-0860 (PDF)
ISBN 978-952-251-381-6 (PDF)
Juvenes Print
Tampereen Yliopistopaino Oy, 2012
To the management of government agencies
The purpose of information security in central government is to ensure the
continuity and quality of official activities as well as the implementation of due
process of law. These instructions provide guidelines on the implementation of
the Decree on Information Security in Central Government (Valtioneuvoston
asetus tietoturvallisuudesta valtionhallinnossa 681/2010; hereinafter Decree
on Information Security).
These instructions are intended for the management of organisations and
for those responsible within organisations for security, information services
and information management.
The general duty of central government authorities to take care of information
security is based on the Act on the Openness of Government Activities (Laki
viranomaisten toiminnan julkisuudesta 621/1999; hereinafter the Openness
Act). Under the Act, the authorities must ensure that the protection, integrity
and quality of documents and information systems, and the information
contained in them, are safeguarded by appropriate procedures and information
security arrangements, taking into account the significance and purpose of
the information as well as the threats directed at documents and information
systems and the costs arising from information security measures (section 18(2)
(4) of the Act).
The Decree on Information Security, issued by the Government on 1 July 2010
based on the Act on the Openness of Government Activities, is applied to central
government authorities. Central government organisations refer to central
government administrative authorities and other central government agencies
and institutions as well as courts of law and other judicial authorities (section
3(1)). The Decree repealed sections 2 and 3 of the Decree on the Openness of
Government Activities and on Good Practice in Information Management
(1030/1999; hereinafter the Openness Decree).
The Decree on Information Security came into force on 1 October 2010. It
contains provisions relating to a transition period, according to which public
authorities must implement their data processing to the base-level information
security requirements prescribed in section 5 of the decree within three years
of the decree having come into force, i.e. by 30 September 2013.
The decree lays down provisions on general information security
requirements and levels of security classification, including requirements
concerning processing of documents at different classification levels. It is worth
noting that in the Decree the term document also means information material
saved in electronic form or otherwise saved as a technical record. Especially
secret documents are subject to regulation (Decree on Information Security,
section 8, section 9(2)).
The classification of documents is not compulsory under the Decree. Each
authority must decide whether and when to introduce classification. Processing
requirements relating to classification must be implemented within 5 years of
classification being introduced. Authorities may assign classification to certain
documents only or to such stages of document processing where measures
are necessary in the interest to be protected (Decree on Information Security,
section 8(1)).
Planning the introduction of document classification is important.
Classification should facilitate the exchange of secret information between
authorities. It is particularly recommended therefore that classification be
implemented in public authorities that either receive secret documents from
other authorities or transfer secret documents to other authorities regularly
and in high volume.
Government agencies should ensure that all of the base-level information
security requirements prescribed in section 5 of the Decree on Information
Security are fulfilled within the three-year transition period prescribed in the
Decree. A preparatory survey related to this must be initiated during autumn
2010.
To implement security requirements and, more generally, the good
information management practice prescribed in the Openness Act, it is
important for each authority to ensure that
• an inventory of documents in the public authority’s control has been
made, that the significance of the information contained within the
documents has been assessed in the manner prescribed in section 1 of the
Openness Decree, that an analysis of operational information security risks
has been made, and that the implementation of information security has been
planned (Decree on Information Security, section 4, section 5(1)(1));
• the authority has at its disposal sufficient expertise to safeguard
information security and that tasks and responsibilities relating to the
management of information security are defined;
• tasks and responsibilities relating to document processing are defined,
and that the confidentiality and other protection of documents and the
information contained therein are safeguarded by granting access to
documents only to those who need secret information or personal data
recorded in personal data files in their work;
• the availability and accessibility of information in different situations is
safeguarded and procedures are created to overcome exceptional situations;
• unauthorised manipulation and other unauthorised or inappropriate
processing of information is prevented through appropriate and sufficient
security arrangements and other measures concerning access management,
access monitoring, information networks, information systems and
information services;
• document data processing and storage facilities are adequately monitored
and protected;
• the reliability of personnel and others engaged in document processing
tasks is ensured if necessary through the background check procedure or
other available means based on law;
• guidelines and training on the appropriate processing of documents and
the information contained therein are given to personnel and others
engaged in document processing tasks;
• compliance with given instructions is monitored and the need for
instructions to be updated is regularly assessed;
• arrangements are made to ensure that the prescribed information security
requirements are also observed when the public authority’s documents are
processed based on a contract, for example within data processing service
companies (Decree on Information Security, section 6);
• care is taken to ensure that officials know the significance of classification
labelling/markings and that these markings do not release the public authority
from its duty to consider, on a case-by-case basis, the openness of a document
and whether access to a document is in accordance with the Openness
Act and its case law when information is requested on the basis of the
Openness Act.
The Decree on Information Security and these Instructions are an important
part of the implementation of the Government Resolution on Enhancing
Information Security in Central Government, dated 26 November 2009.
These Instructions replace earlier VAHTI instructions, namely Information
security instructions for the processing of government data VAHTI 2/2000 and
Instructions for processing sensitive international data VAHTI 4/2002, and are
significantly more comprehensive than the latter.
Introducing the organisation – Vahti’s task
The Ministry of Finance is responsible for steering and reconciling the
development of public administration and particularly central government
information security in Finland. The Government Information Security
Management Board (VAHTI), which has been established by the Ministry
of Finance, is responsible for steering, developing and coordinating central
government information security. VAHTI handles all significant central
government information security policy and information security guidance
matters. In its work, VAHTI supports the Government and the Ministry of
Finance in decision-making and also in the preparation of decisions relating
to central government information security.
VAHTI’s objective is, by developing information security, to improve the
reliability, continuity, quality, risk management and contingency planning
of central government functions and to promote information security so
that it becomes an integral part of central government activity, steering and
performance management.
VAHTI promotes the implementation of the Government Programme, the
Security Strategy for Society, the Government IT Strategy, the Government
Resolution on Security of Supply, the National Information Security Strategy,
the Government Resolution on Enhancing Information Security in Central
Government and other key policy outlines of the Government.
On 26 November 2009, the Government made a Resolution on Enhancing
Information Security in Central Government. The resolution emphasises
VAHTI’s position and tasks as the key body responsible for the steering,
development and coordination of central government information security.
In accordance with the resolution, the administrative branches allocate funds
and resources for the development of information security and for cooperation
coordinated within VAHTI.
VAHTI acts as the cooperation, preparation and coordination body of central
government organisations responsible for developing the central government’s
information security and data protection, and promotes the development of networked operating practices in public administration information security work.
VAHTI’s work has improved central government information security, and
the effectiveness of its work is evident not only in central government but also in
companies and internationally. The result is a very comprehensive set of general
information security instructions (www.vm.fi/vahti). Led by the Ministry of
Finance and VAHTI, a number of joint information security projects have
been implemented with ministries and agencies as well as an extensive central
government information security development programme.
For three years in succession, VAHTI has been recognised with an award for
its exemplary work in improving Finland’s information security.
Acknowledgements
The following experts were involved in compiling the Instructions on
Implementing the Decree on Information Security in Central Government:
• Ms Tuire Saaripuu, Population Register Office
• Ms Irma Talonen, Ministry for Foreign Affairs
• Ms Erja Kinnunen, State Treasury
• Ms Hanna Aronen, Ministry of Transport and Communications
• Ms Merja Fleming, Ministry of Finance
• Mr Aku Hilve, Ministry of Finance
• Ms Marja-Leena Viitala, Ministry of Finance.
Contents
To the management of government agencies
Introducing the organisation – Vahti’s task
Acknowledgements
1 Introduction
1.1 Purpose and scope of application
1.2 Structure of the instructions
1.3 Information security levels
1.4 Processing and management of information materials
1.5 Legislation and international obligations
1.6 Key concepts
1.7 Forms, challenges, opportunities and threats of the secure processing of information
2 Implementing the Decree
2.1 Steering
2.2 Training
2.3 Supervision
2.4 Monitoring
2.5 Enforcement of the Decree
3 Good information management and information processing practice
3.1 Information management planning
3.2 Mapping and management of information material
3.3 Cataloguing and recording of information material, and descriptions
3.4 Public and secret documents
3.5 Availability and accessibility of information material
3.6 Requirements relating to personal data
4 General information security requirements for information processing
4.1 General information security requirements in the Decree on Information Security
4.2 Requirements relating to staff
4.3 Basic prerequisites of information security culture
4.4 Requirements relating to premises security
5 Information security requirements relating to information technology environment
5.1 Requirements relating to information technology environment and information services
5.2 Use of service providers and subcontractors to supply and maintain information technology systems and services
5.3 Basis for information security levels
5.4 Objectives for the setting of information security levels
5.5 Assets to be protected and technical protection mechanisms
5.6 Specification and assessment of information security level
6 Requirements relating to administrative information security
Information security development
6.1 Requirements for information security management
6.3 Assessment of information security management
6.4 Requirements for the management of information systems and information services
6.5 Assessment of information systems management
7 Classification of information resources
7.1 Documents within the sphere of classification, and classification criteria
7.2 Secrecy markings
7.3 Protection levels and associated markings
7.4 Grouping of information material into protection levels
7.5 Security classification markings
7.6 Security classification of international information material
7.7 Classification and markings of personal data
7.8 Recommendations relating to the classification of extensive information assets
7.9 Requirements set for the integrity and non-repudiation of information
7.10 Requirements set for the availability and accessibility of information
8 Processing requirements of classified information materials
8.1 Basic requirements
8.2 Creating and editing of information material
8.3 Classification, marking and registration
8.4 Copying
8.5 Document distribution
8.6 Sending or transferring documents, and/or access to information
8.7 Measures undertaken by the recipient
8.8 Saving and storage of documents
8.9 Access to information
8.10 Archiving of information resources
8.11 Revising the protection level of documents
8.12 Destruction of information resources
8.13 Deciding on the disclosure of a document
8.14 Impact of encryption on the processing of information material
ANNEXES
Annex 1: Obligations set by legislation
Annex 2: Stamps for secret documents and information
Annex 3: Detailed instructions to public authorities to facilitate the secure processing of documents
Annex 4: Processing requirements for secret documents and information
Annex 5: Detailed requirements for information security levels
Annex 6: Substitute procedures
Annex 7: Valid VAHTI publications
1 Introduction
1.1 Purpose and scope of application
The purpose of these instructions is to promote good information management
practice in central government as well as the implementation of the Decree
on Information Security in Central Government (Valtioneuvoston asetus
tietoturvallisuudesta valtionhallinnossa 681/2010).
These instructions outline the requirements for creating operating conditions
that comply with good information management practice. These include a duty
to plan information assets as well as requirements for information networks,
information systems, operating premises, document management and access
rights management. The purpose is to create for those engaged in information
work a secure and efficient working environment for processing information
at all stages of its life cycle.
The Decree on Information Security and these instructions aim to create
conditions to enhance the central government’s information security work
and establish standardised procedures when secret and restricted information
material is processed. A plan formulated in the Ministry of Finance on the
implementation of different information security levels was taken into account
when preparing the decree. This plan helped to reinforce development work based
on the information guidance of the Ministry of Finance’s Public Management
Department as well as the significance of these instructions.
A further objective of the reform is to enhance customers’ and stakeholders’
trust in the central government and its data processing and to create an
appropriate framework for developing electronic case management and
electronic services. Standardised procedures will help create conditions for the
secure processing of information material with the authorities and information
service suppliers operating on their behalf as well as with other parties that
process official information.
These instructions cover in particular the protection of secret information.
Information material is processed in accordance with the technical and
operational requirements prescribed for four different protection levels (see
chapter 5). These instructions also take into account other recommendations
issued by the Government Information Security Management Board (VAHTI) in
which more detailed requirements have been prescribed for various processing
stages and for technical and administrative functions.
The term ‘documents’ means documents as defined in section 5 of the
Openness Act, which may also be in an electronic form or information material
otherwise saved as a technical record. In these instructions, ‘information
(material)’ means documents and information on paper or on electronic and
other media.
These instructions specify requirements for the implementation of
operations that facilitate good information management practice, so that users
of information material can at all processing stages act in accordance with set
requirements.
These instructions contain guidelines on the classification and protection
of documents and information as well as on the security requirements and
recommended practices at different stages in the life cycle of information
processing. They also take into account the special requirements for the
processing of personal data set by the Personal Data Act (523/1999). Also
included are requirements for the processing of official documents by external
service providers.
These instructions outline information classification practices that correspond
to good information management practice and the need to safeguard information
security, particularly with regard to the confidentiality of information and
access restrictions as well as information processing instructions based on
this classification. In addition, general requirements relating to integrity and
availability have been specified.
Information security requirements applying to information and documents
at different stages of the manual and electronic processing are presented.
Information security requirements are specified in chapter 4. Case management
type specialist work, in which both paper and electronic documents are involved,
is specifically taken into account. These instructions are also recommended,
where applicable, in standard data processing based on the use of information
systems and databases.
These guidelines are of a general nature in terms of content. The annexes
contain more detailed information on legal provisions and on the marking
and processing of secret information as well as check lists for target groups,
specifying requirements relating to them. It is hoped that the detailed obligations
outlined in Annex 4 will guide the actions of each administrative branch. Here
the emphasis is on facilitating conditions for the implementation of good
information management practice also where a public authority’s information
is processed by different parties.
The ministries attend to the training of the staff of their agencies and bodies
and give, if necessary, guidance on the basis of these instructions.
Data processing environments are classified as base, increased and high
information security levels. The same classification scale is used in determining
the level of the information security management system.
Organisations that process documents relating to international cooperation
(e.g. EU, NATO, OECD) must take into account international information
security obligations (see Act on International Information Security Obligations
588/2004). Detailed information on these requirements is given if necessary by
the National Security Authority of the Ministry for Foreign Affairs.
Each organisation specifies requirements in its own guidelines on the basis
of operational needs and information security requirements. More detailed
guidelines and descriptions are given, for example, in information system
descriptions, operating instructions and filing plans as well as, with respect
to personal data, data file or data protection descriptions. Each ministry,
government agency and body must ensure that staff members are properly
familiarised with guidelines for processing information material.
The assessment of the contents, classification and processing of documents
must be carried out separately by each agency to ensure information security,
which is part of safeguarding operations and their quality and continuity.
1.2 Structure of the instructions
The first chapter outlines the purpose and objectives of the instructions; the
second chapter describes how to implement the instructions; the third chapter
presents requirements for implementing good information management and
good data processing practice in the processing of information material. This
part is in the form of lists. The fourth chapter specifies the measures public
authorities are required to take in order to process documents securely. The
fifth chapter presents requirements and obligations for the classification and
marking of information material. The sixth chapter details requirements for
the different processing stages of information material. Issues are discussed on
a general level, taking into account all stages of a document’s life cycle.
The annexes give more detail on the content of the main text. A list of statutes
is given in Annex 1; Annex 2 presents the stamps and markings required in
the processing of secret information material and Annex 3 provides public
authorities with instructions for the measures required to promote secure
information work. Document processing guidelines for specific security levels
are presented in Annex 4, information security level requirements in Annex 5
and a substitute procedure in Annex 6.
These instructions are intended for widespread use in the various central
government functions, processes, services, systems, documents and procurement.
The different chapters also give end users good additional guidance.
1.3 Information security levels
Information security levels specify technical and administrative requirements
for organisations and information processing environments.
Information security levels describe those requirements relating to
information security activities and processes which must be implemented in
every central government organisation. Implementation has previously not been
a statutory requirement, but it has been possible to mandate such fulfilment in
other ways. Some of the requirements are already included in obligations for
public administration to adhere to good information management practice. The
Government IT Shared Service Centre may also require that its customers fulfil
the requirements set in information security levels.
Data processing environments and administration are classified into three
levels: base level, increased level and high level of information security. The
lowest required level of a public authority’s data processing environments is the
base level of information security. In this environment, by the decision of the
competent authority, information requiring protection level IV can be processed
in clear text form (see section 7.4). In an increased information security level
environment, with corresponding authorisations, information can be processed
in clear text form up to protection level III. Correspondingly, in environments
fulfilling a high information security level, information can be processed in
clear text form up to protection level II.
The information security level requirements have been grouped into two: (1)
administrative information security requirements and (2) technical information
security requirements. Information security levels are explained in more detail
in chapters 5 and 6 and in Annex 5.
A public authority may ensure the information security level of its systems
by applying various assessment methods, such as self-assessments and public
or private information security audit services. By these methods, the level of a
public authority’s information security measures can be assessed in relation to
the Decree on Information Security and these instructions or, if the processing
of EU documents, for example, is involved, with reference to EU security rules.
Specific VAHTI instructions (3/2010) have been prepared on the information
security level requirements issued for central government internal networks.
1.4 Processing and management of information materials
The significance of information in society and in official activities is constantly
increasing. Official operational targets set major challenges for information
management.
The implementation of good information management practice requires
management of the information life cycle. The life cycle approach is guided by
the filing plan specified in the Archives Act (Arkistolaki 831/1994).
In the processing of personal data, the Personal Data Act and its provisions
on, for example, duty of care and good data processing practice must be taken
into account.
Each authority must see to it that its information assets and the information
systems and processing that use the information are up to date. Attention
should be paid to implementing the requirements for issues presented in the
VAHTI instruction Information security assessment in central government
(Tietoturvallisuuden arviointi valtionhallinnossa, VAHTI 8/2006).
1.5 Legislation and international obligations
Special care must be exercised in the processing of secret documents. The
relevant obligations are laid down in the Openness Act. The violation of a
confidentiality obligation by a public servant or public organisation employee
is criminalised in chapter 40 of the Penal Code, and its violation by other
individuals in chapter 38 of the Penal Code.
According to the Openness Act, official documents are public unless otherwise
prescribed in law. The concept of a document is broad in the Openness Act and
also covers various technical records (section 5). The general grounds for
secrecy are listed in section 24 of the Openness Act; some special provisions
are included in other legislation. According to the Openness Act, access to
each document must be reviewed on a case-by-case basis when someone asks to see
a document or to receive a copy of one. Interpretation guidance is given in
section 17 of the Openness Act: access to information must not be restricted
more than is necessary to protect the interest that the secrecy provision exists
to protect. If only part of a document is secret, a public authority must grant
access to the other information in the document (section 10). An authority's
refusal to grant access to information from a document must be based on a
decision with detailed grounds for the refusal. Additional information on the
application of the Openness Act can be found on the Ministry of Justice website
www.om.fi (Basic provisions; Act on the Openness of Government Activities;
letter plus annexes sent by the Ministry of Justice on 23 September 2005 to
ministries on the implementation and partial amendment of the openness
legislation).
The Openness Act's provisions (section 18) relating to good information
management practice require, among other things, that public authorities see
to it that their staff are informed about the implementation of the Act.
According to the Act, information from a secret document may be disclosed
only by an authority or official to whom such a right has been specifically granted
in rules of procedure or in some other way.
A public authority or, for example, an official preparing a case in accordance
with general guidance given by a public authority may disclose information
from a document which, under sections 6 and 7 of the Openness Act, has not
yet entered the public domain (discretionary public documents). Note that a
public authority is obliged under section 19 of the Openness Act to provide
information orally on certain matters under preparation.
The classification of documents to safeguard information security and the
corresponding marking of documents do not change the obligation stated above
to evaluate access to each document separately and on a case-by-case basis when
a document is requested from a public authority. The only exceptions to this
rule are documents which have been given a security classification marking in
accordance with the Act on International Information Security Obligations
(588/2004).
International regulations binding on Finland, which are based on either
bilateral or multilateral agreements or EU statutes, are adhered to in the
processing of documents falling within the scope of the Act on International
Information Security Obligations.
Key statutes and instructions relating to the processing of information material:

Acts and international policy outlines:
• Archives Act (Arkistolaki 831/1994), Chapter 4, sections 7, 8
• Personal Data Act (Henkilötietolaki 523/1999)
• Act on the Openness of Government Activities (Julkisuuslaki 621/1999), Chapters 5, 6, 7, sections 1, 3, 10
• Decree on the Openness of Government Activities and on Good Practice in Information Management (Julkisuusasetus 1030/1999), section 1
• Decree on Information Security in Central Government (Valtioneuvoston asetus tietoturvallisuudesta valtionhallinnossa 681/2010)
• Act on International Information Security Obligations (Laki kansainvälisistä tietoturvallisuusvelvoitteista 588/2004)
• Government Resolution on Enhancing Information Security in Central Government (VAHTI 7b/2009)
• Emergency Powers Act (Valmiuslaki 1080/1991)
• Act on the Protection of Privacy in Electronic Communications (Sähköisen viestinnän tietosuojalaki 516/2004), Chapters 2, 3, 5
• Act on Background Checks (Laki turvallisuusselvityksistä 177/2002)
• Internal Supervision and Risk Management of Government Agencies, Institutions and Funds (Valtion viraston ja laitoksen sekä rahaston sisäinen valvonta ja riskienhallinta, VM 2005), pages 24, 33

Instructions on central government information security:
• Information Security and Management by Results (VAHTI 1/2005, section 4.2)
• Securing the state administration's key information systems (Valtionhallinnon keskeisten tietojärjestelmien turvaaminen, VAHTI 5/2004, Chapter 5)
• Assessment of the information security management system (Tietoturvallisuuden hallintajärjestelmän arviointisuositus, VAHTI 3/2003, Chapter 2)
• Information security assessment in central government (Tietoturvallisuuden arviointi valtionhallinnossa, VAHTI 8/2006, Annex 3)
• Management of information security incidents (Tietoturvapoikkeamatilanteiden hallinta, VAHTI 3/2005, section 2.1.1)
• From participation to influence – central government challenges in international information security work (Osallistumisesta vaikuttamiseen – valtionhallinnon haasteet kansainvälisessä tietoturvatyössä, VAHTI 1/2007)
• Logging instructions (Lokiohje, VAHTI 3/2009)
• Personnel security as part of information security (Tärkein tekijä on ihminen - henkilöstöturvallisuus osana tietoturvallisuutta, VAHTI 2/2008)
• Security and operational continuity of information technology (Tietotekniikan turvallisuus ja toiminnan varmistaminen, National Board of Economic Defence, 1/2002, section 3.2)
In order to create and realise good information management practice, the authorities shall see to the appropriate
availability, accessibility, protection and integrity of documents and information systems and the information
contained in them as well as other factors affecting the quality of information.
– Act on the Openness of Government Activities, section 18
Information security management is an integral part of the operational management of an organisation. It should
therefore be included in the responsibilities of every individual working in management positions. Information
security is best implemented when it is built into the organisation's planning processes (operational development),
quality and other monitoring systems (assessment, measurement), and into the monitoring of the achievement of targets.
– Security and Operational Continuity of Information Technology (National Board of Economic Defence 2002)
Management must be aware of their organisation’s information security level and state of information security
risk management. They must further be aware of the current state of information, the significance of information
security work for operations and how critical it is for each function. The development of information security
requires a development programme, and the monitoring thereof, aimed at a prescribed target state.
– Assessment of Information Security Management System (VAHTI 3/2003, Chapter 2)
22
1.6 Key concepts
Document: By the term document is meant, in addition to a written or
visual presentation, a message relating to a given topic or subject-matter and
consisting of signs which, by virtue of the use to which they are put, are meant
to be taken as a whole, and are decipherable only by means of automatic
data processing or audio and video reproduction equipment or some other
technical device (Openness Act section 5(1); see also Decree on Information
Security in Central Government, section 3(3)). The concept of a document is
therefore independent of the medium on which or the means by which the
information has been saved. Thus by the term documents is meant not only
traditional documents in paper form but also information material recorded
electronically irrespective of its form.
Document holder: The organisation or individual who possesses the
document.
Document author: The organisation or individual who has prepared the
document.
Personal data file: The term personal data file means, according to section
3(1) of the Personal Data Act, “a set of personal data, connected by a common
use and processed fully or partially automatically or sorted into a card index,
directory or other manually accessible form so that the data pertaining to
a given person can be retrieved easily and at reasonable cost” (i.e. logical
data file concept). The purpose of data processing should be defined so that
those operations of the data controller in which the personal data are being
processed are made clear.
Processing of personal data: Processing of personal data means the collection,
recording, organisation, use, transfer, disclosure, storage, manipulation,
combination, protection, deletion and erasure of personal data, as well as other
measures directed at personal data (Personal Data Act, section 3(2)).
Classified document: A classified document means, in these instructions,
a document which has been classified under the Decree on Information
Security as belonging to a protection level outlined in section 9 of the Decree
and under the requirements prescribed therein. Classification of documents
falling within the sphere of international information security obligations is
prescribed in the Act on International Information Security Obligations.
Controller: Controller means an individual, corporation, institution or
foundation, or a number of them, for the use of whom a personal data file
is established and who is entitled to determine the use of the file, or who has
been designated as a controller by an Act (Personal Data Act, section 3(4)).
Data file description: A data file description is a fixed-form description of the
content, use and protection of the data file, prepared and made available in the
manner required by the Personal Data Act (Personal Data Act, section 10).
Secret document: A secret document means documents and information
which are deemed secret under section 24(1) of the Act on the Openness of
Government Activities.
Protection levels: Protection levels help to determine the requirements
that a data processing environment and data processing should fulfil when
a classified document is processed. A four-tier classification system is used
for protection levels. Each protection level has been set its own technical
and operational requirements. These procedures help ensure the appropriate
processing of secret and other information that requires classification (chapter
7.3 below; Decree on Information Security, section 9).
Privacy statement: A statement by the party processing personal data
explaining how it processes personal data and how the rights of data subjects
are fulfilled.
Information security levels: Information security levels mean the technical
and administrative arrangements whereby the implementation of information
security at different levels is ensured. In an environment fulfilling base level
requirements, most of a public authority’s data processing needs can be
implemented. In document processing which requires high reliability in all
operating conditions and where classified information requiring protection
level III is widely processed, the authority must maintain structures that
meet the increased information security level. Critical information systems
and those that widely contain information classified at level II must be
implemented in high information security level environments. Documents
requiring protection level I may be processed in closed networks which fulfil
the requirements of the high information security level and which are not
linked to other networks.
Competent authority: The competent authority means the public authority
for whom the document has been prepared or delivered for processing
(exercising) prescribed duties. The competent authority has the right to decide
on the document’s disclosure or determine that the document be processed in
some other way. The competent authority is responsible for the information
systems and documents relating to its activities. In information management
and information security work, the concept ‘information system owner’ is
often used for the competent authority or other organisation.
Competent official: In the competent authority, the official responsible for the
processing and classification of a document, who has been assigned the task
on the basis of rules of procedure or other corresponding order and who, on
these grounds, has the right to decide on the matter.
Security classified document: A document containing secret information
which can, under the Decree on Information Security or the Act on
International Information Security Obligations, be given a marking
indicating a security classification, and in whose processing the information
security requirements fulfilling the classification must be adhered to. The
titles of security classified documents by protection level are: TOP SECRET
(protection level I), SECRET (protection level II), CONFIDENTIAL
(protection level III) and RESTRICTED (protection level IV).
Security classification marking: A security classification marking can be
made to certain documents, namely those whose information if unlawfully
disclosed might cause damage to international relations, central government
security, national defence and to other common interests in the manner
referred to in section 24(1)(2, 7–10) of the Openness Act. A security classified
document is always processed according to the corresponding protection level.
A security classification may also be based on an international agreement or
statute binding on Finland.
Official document: An official document is defined as a document in the
possession of a public authority and prepared by an authority or a person in
the service of an authority, or a document delivered to an authority for the
consideration of a matter or otherwise in connection with a matter within the
competence or duties of the authority. In addition, a document is deemed to
be prepared by a public authority if it has been commissioned by the authority;
and a document is deemed to have been delivered to a public authority if it
has been given to a person assigned by the authority or otherwise acting on its
behalf for the performance of the assignment (Openness Act, section 5(2); for
documents deemed not to be official documents, see Openness Act, sections
5(3) and 5(4)).
1.7 Forms, challenges, opportunities and threats of the secure processing of information
Information is processed in many types of situations. The processing of
information in the course of official duties is information work, and when
information is saved electronically in a form that can be examined later, a
record is created. These records may be the result of a person's direct work or
be generated automatically. Records fall within the sphere of the Openness
Act’s concept of an official document; one record may include a number of
documents referred to in the Act or only part of a document. Examples of
records are word processing products, email messages, text messages, audio
recordings, photographs and videos, information register databases, real-time
monitoring information, and information system log data.
Information has a life cycle whose length varies according to the characteristics
of the information, from microseconds to permanent storage. The length of the
life cycle has a direct impact on information management.
Information is produced and transferred to an increasing extent on
information networks. In open networks, everyone who operates there may
be a customer and processor of information. In official networks, a public
authority has the power to specify who is entitled to access a network and
process information.
Information is widely and rapidly available thanks to information networks,
but the networks also involve major threats. These include, for example, blocking
network traffic, producing false information by combining different information,
and taking unauthorised possession of information in a manner that violates
protection of privacy.
Each authority is required to practice information management both to
achieve its own performance targets and to fulfil the needs of customer service.
2 Implementing the Decree
2.1 Steering
A public authority must adhere to good information management and data
processing practice (see Decree on Information Security) when developing and
maintaining systems and services required by information work.
A public authority must issue, to individuals in the service of the authority
and to those working on the orders of the authority, instructions on access to
documents, the procedures to be followed in giving and processing information
and in protecting documents and information systems, and also on security
arrangements and division of responsibilities.
A public authority must ensure that information processing and the associated
risks have been assessed as part of risk management.
A public authority must outline the process and sub-processes of the entire
life cycle of information as well as plans relating to them in preparation for
various disruptions.
A public authority must arrange, with the aid of technical solutions, the
security of operating premises so that external parties cannot gain access to
classified information material.
Case management systems must support monitoring and archiving of the
use of information material.
2.2 Training
A public authority must issue any necessary authority-specific further
instructions and provide training to those involved in the processing of
information material.
Training in the processing of information at all protection levels must be
arranged regularly and as part of staff induction.
A public authority should train staff involved in planning and implementing
information systems, taking into account the requirements presented in these
instructions for implementing good information management practice in
information services offered by the authority.
2.3 Supervision
A public authority should regularly audit the implementation of information
security measures for classified information material and monitor that issued
instructions and technical information security measures are functioning
appropriately.
A public authority should monitor that the correct working methods are in
use and that personnel are working in accordance with the prescribed process
in different processing situations.
Processing of personal data must be monitored using logs. An employer
should ensure that the Act on the Protection of Privacy in Working Life
(759/2004) is adhered to when arranging supervision. Guidelines on supervision
arrangements for information use are outlined in Effective Information Security
(VAHTI 5/2009) and Logging instructions (Lokiohje, VAHTI 3/2009).
When information technology equipment is removed from use or its intended use
changes, a public authority must see to the removal of residual information
using software designed for this purpose, and a record of the measures performed
should be made.
The implementation of the monitoring system for a public authority’s
operating premises should support the protection of information material. The
information security of monitoring systems should be attended to in a similar
way to the information security of other information systems.
2.4 Monitoring
A public authority should ensure that risk monitoring is performed and,
according to an agreed schedule, present to senior management an information
security situation report, containing an assessment of the implementation of
good information management practice, a summary of observed information
security risks, the information security training and instructions provided
to staff, and the present state of the public authority’s information security
culture and any perceived deviations from it. This presentation should include
proposals for corrective measures in respect of any identified problems.
Storage facilities for electronic and other recorded information material
should be audited or inspected regularly and any identified shortcomings
corrected.
Outsourced systems must be approved by the competent authority before
information subject to security requirements can be transferred to them.
2.5 Enforcement of the Decree
Each public authority is responsible for enforcing information security levels
in its operations and when cooperating with other parties. The Decree on
Information Security specifies compulsory requirements for information
security levels. Each central government authority must fulfil at least the
base level of information security, which covers the processing of all of the
authority’s secret documents.
The base level of information security must be implemented throughout
central government by 30 September 2013 (Decree on Information Security,
section 23(3)).
In activities that require an operating environment (operations, information
systems and information networks) on an increased or high information
security level and where the documents processed have been classified by a
public authority, the requirements must be implemented within five years of
the authority introducing the classification system.
3 Good information management and information processing practice
3.1 Information management planning
Implementing good information management practice requires that the public
authorities have made appropriate plans (Openness Act, section 18). Planning
begins with an analysis of the authority’s operating processes. Case-related
workflows, case management processes and related documents, and access
rights to documents and their information must be planned accordingly. The
process description should include information on
• how matters are taken up for consideration
• what measures are included at each processing stage
• how matters are decided
• who participates in which stage of the process
• what documents and information are created, accumulated or acquired
at each stage, how they are saved, registered and stored, and how the
documents and information are processed.
In the electronic management of information material and sensitive personal
data classified at protection levels I and II, a key requirement is an unbroken
processing chain whereby all processing stages are to be registered in the
system.
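The unbroken processing chain required above can be made tamper-evident by linking each registered processing stage to the previous one with a keyed hash, so that a modified or deleted stage is detected when the chain is verified. The following is an added example written for this edition, not code from VAHTI, the Decree or any government system; the key, document identifier, stage names, actors and timestamps are constructed for illustration. A real deployment would keep the key in a key store or HSM rather than in the script, and would record the latest MAC outside the chain (for example in the case management system's register) so that removal of the newest entries is also detectable.

```python
import hashlib
import hmac
import json

# Hypothetical key for the keyed hash; a real deployment keeps it in a key
# store or HSM and never in the script (assumption made for this example).
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # link value of the first entry


def _canonical(entry: dict) -> bytes:
    """Serialise an entry deterministically so the MAC is reproducible."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_stage(chain: list, document_id: str, stage: str, actor: str,
                 protection_level: str, when: str) -> dict:
    """Register one processing stage, linking it to the previous entry's MAC."""
    entry = {
        "seq": len(chain),
        "document_id": document_id,
        "stage": stage,
        "actor": actor,
        "protection_level": protection_level,
        "time": when,
        "prev": chain[-1]["mac"] if chain else GENESIS,
    }
    entry["mac"] = hmac.new(AUDIT_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if every entry is intact and correctly linked,
    otherwise (False, index) for the first entry that fails.

    Modification or deletion of any entry is detected. Removal of the newest
    entries is not, unless the latest MAC is also recorded outside the chain."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != expected_prev:
            return False, i
        mac = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry.get("mac", "")):
            return False, i
        expected_prev = entry["mac"]
    return True, None


def build_sample_chain() -> list:
    """Constructed sample: the processing stages of one hypothetical document."""
    chain = []
    append_stage(chain, "DOC-0001", "registered", "registry", "III", "2012-03-01T08:00:00Z")
    append_stage(chain, "DOC-0001", "classified", "competent-official", "III", "2012-03-01T08:15:00Z")
    append_stage(chain, "DOC-0001", "read", "case-handler", "III", "2012-03-02T10:30:00Z")
    append_stage(chain, "DOC-0001", "archived", "registry", "III", "2012-04-01T09:00:00Z")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))
    tampered = [dict(e) for e in chain]
    tampered[2]["actor"] = "someone-else"  # alter a registered stage afterwards
    print("after modification:", verify_chain(tampered))
    shortened = [dict(e) for e in chain]
    del shortened[1]  # remove a stage from the middle of the chain
    print("after deletion:", verify_chain(shortened))
```

The verifier reports the index of the first entry that breaks the chain, which is what an auditor needs in order to locate the processing stage at which the record was altered; entries recorded after that point cannot be relied on either, because every later link depends on the broken one.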
The handling of official documents requires the existence of a filing plan.
More detailed instructions on the structure and maintenance of the filing plan
are outlined in the National Archive Service publication Filing plan
(http://www.ams-opas.fi/).
The filing plan is a set of instructions on the handling, recording and
storage of official documentary information. The filing plan produces metadata
relating to documentary information management in information systems. Case
management procedures and responsibilities must be recorded in archive rules
or some similar set of instructions.
Processing of personal data must be planned in the manner laid down in
section 6 of the Personal Data Act. Personal data files must be identified and
mapped, their purpose defined and the necessary data file description prepared.
A public authority must review and assess the availability, accessibility and
protection of its documents and the information contained in them as well as
the threats and risks that may prejudice the integrity of the information and
other aspects of quality. The means and costs available to mitigate risks as well
as the impact of any measures undertaken should also be reviewed and assessed
(Openness Act, section 18(1)(4); Decree on Information Security, section 4,
section 5(1)(1)).
The required availability and accessibility of information should be
defined in the manner required by the activities concerned. The accessibility
of information is influenced by, among other things, the characteristics of the
information network and information system. Particular attention should be
paid to application interfaces to ensure that the tasks required by the activity in
question can be performed flexibly. This often requires fast information search
functions as well as implementation that supports the operating process. In
order to ensure the availability of information, directories should be designed
and maintained to facilitate the immediate retrieval of information. These can,
moreover, be used to support the distribution of public information to those
who request it.
A public authority is to specify and issue procedures and rules on how
information about its activities is made public. When
information is communicated via the internet, a public authority should ensure
that it is up to date and well maintained. Particular attention is to be paid to
safeguarding the integrity of information. It must also be remembered that
secret information must not be communicated to the public.
The processing of secret information should be planned and implemented
such that only those authorised to process the information can do so.
In the planning of information systems, a public authority should ensure
that good information management practice can be carried out undisturbed in
different circumstances. In the planning and implementation of information
systems, an effort should be made to ensure that common information required
in different processes is saved in one place and used by the processes in question.
Parallel processes required to safeguard operations should be planned and
implemented such that information assets remain intact.
A public authority should pay particular attention to the quality of the
information it produces, especially in the case of documents and personal data
files that are used in decision-making relating to individuals, corporations and
public bodies. In quality requirements particular emphasis should be placed
on document content, structure, signatures, distribution and schedules, and
attendance to the integrity and non-repudiation of documents. In accordance
with section 9 of the Personal Data Act, the controller must ensure that no
erroneous, incomplete or obsolete personal data are processed.
3.2 Mapping and management of information material
An authority must identify the documents (information assets) in its
possession. These should be based on the filing plan maintained by the
authority and, with respect to personal data, on the planning and the statutory
evaluation of data processing required by the Personal Data Act.
The authority must sufficiently often assess its documents and information
systems as well as the significance of the information saved in them and its
information processing.
In accordance with section 1 of the Openness Decree, particular attention
should be paid to how the following are implemented:
• the right of access to official documents in the public domain
• the obligation to produce and disseminate information and to provide
information on pending matters
• the statutory processing and protection of personal data, in particular
sensitive data
• the protection of information which under law should be kept secret
• restrictions on the purpose for which data can be used (the exclusivity of
purpose requirement of the Personal Data Act, other requirements)
• the protection, availability and accessibility of information as well as the
integrity and quality of information in different circumstances to ensure
undisrupted handling of tasks by the authorities and their cooperation
with other parties
• requirements relating to the quality of the information, particularly when
it is used as the basis for decisions relating to individuals or corporations
and public bodies or as indicators of rights and obligations.
The planning and implementation of personal data processing should be
based on the requirements laid down by the Personal Data Act. The entire
processing chain must be designed to ensure that only those authorised to do
so may access and process data. The Act’s exclusivity of purpose requirement
means that personal data may be used only for the purpose for which it was
collected. The purpose of the processing of personal data should be specified
for each data file. Personal data can be disclosed from the personal data file
of an authority only under certain conditions (Openness Act, section 16(3)).
A data file or data protection description should be prepared and maintained
for each personal data file.
3.3 Cataloguing and recording of information material, and descriptions
The provisions on good information management practice (Openness Act,
section 18(1)(1)) specify for public authorities the obligation to manage
their information assets by maintaining document records and the basic
information included in them to enable case monitoring. Provisions on
document registers are outlined in more detail in Chapter 2 of the Openness
Decree.
A public authority should plan and maintain structures allowing the
recording of documents to facilitate the protection of information and to
safeguard their accessibility, integrity and reliability.
The Openness Decree obliges public authorities to prepare and maintain
publicly available descriptions of the information systems they use. The Personal
Data Act prescribes the obligation to prepare a description of a personal data file.
The cataloguing of information material should be based on an effective and
valid filing plan. Cataloguing needs are specific to each government agency’s own
activities. Cataloguing needs should be identified and their maintenance planned
in connection with case management. The implementation of directories that are
updated automatically as a result of the operating processes should be introduced
as far as possible.
Some directories are records of various events (e.g. log files). These often
contain personal data and form a personal data file, in which case their
processing is governed by requirements in respect of processing rights,
non-repudiation and life cycle.
3.4 Public and secret documents
Official documents, rights of access to them and secrecy obligations are
defined in the Openness Act. As a rule, access should be granted to official
documents. The Act separately specifies those documents that are either
completely or partly secret. There are also provisions on secrecy obligations
in other statutes.
Public documents may be covered by various processing requirements due
to their significance and information content. Documents should be readily
available, taking into consideration a public authority’s own work and its
public services. On the other hand, there are integrity requirements for some
documents. A public authority should ensure that documents fulfil set quality
targets, are up to date and conform to the original documents (information has
not been modified during processing stages).
Only individuals who are authorised to process secret documents are entitled
to do so. This practice is valid for as long as the secrecy obligation is valid.
Section 9 of the Decree on Information Security defines the protection levels
which determine the processing of secret information material, and if necessary,
information material which can be made public on discretion and which is
subject to restricted use. Some of these documents may be given a security
classification on the conditions prescribed in section 11 of the Decree. The use
of a security classification marking is permitted only in information material
where unauthorised disclosure or use of the information contained in it may
prejudice international relations, State security, national defence or other public
interests, as prescribed in the Decree on Information Security.
Figure 3.1 presents an outline of official information and documents. Some
of these information resources fall within the sphere of classification (yellow
area). The processing of these documents and information is subject to certain
restrictions and people must be authorised to process them. Some of this material
is secret, some is based on official discretion and some is subject to the exclusivity
of purpose requirement.
Figure 3.1. Official information and documents
[Figure: official information and documents, i.e. information and documents created, received or under preparation by a public authority. Part of this material falls within the information security classification of official documents (secret, official discretion, exclusivity of purpose; Act 621/1999, section 24(1)(3-6, 11-33) and section 24(1)(2, 7-10); Act 523/1999, section 11; Act 588/2004, section 8; other legislation). These carry a protection level marking (Decree 681/2010, section 9) and, where applicable, a security classification marking (Decree 681/2010, section 11): protection level I corresponds to TOP SECRET, protection level II to SECRET, protection level III to CONFIDENTIAL and protection level IV to RESTRICTED. The remaining material is public information.]
Information material falling within the sphere of application of the Act on
International Information Security Obligations is classified in accordance with
international obligations.
It should be noted that provisions on document secrecy (Openness Act,
section 5(5)) must also be applied to a public servant’s drafts and to documents
relating to internal assignments, even though these would otherwise fall outside
the concept of an official document under the Openness Act.
Personal data do not generally fall within the sphere of classification. Special
requirements, such as exclusivity of purpose, have been prescribed for their
processing, for example in the Personal Data Act.
Public access to information marked in document files, for example in
record registers, should be assessed separately from public access to documents.
Whether the documents to which references are made in records are secret
or public should not influence this assessment. References to a case and/or
document may be public irrespective of whether the documents themselves are
either completely or partly secret. References should be made in such a way that
they do not disclose the secret content of a secret document.
Public authorities must specify who is responsible for decisions on requests,
made pursuant to the Openness Act, to receive information from a classified
or other secret document. The most expedient approach is to assign this task
to a public servant in a supervisory position, unless there are special reasons
for not doing so.
3.5 Availability and accessibility of information material
Requirements relating to the availability and accessibility of official
information depend on the significance of the information for the authority or
those authorised to access it. Many operating processes set high requirements
for the availability of timely and correct information. The Openness Act
specifies the requirements for giving information to those who request it.
Availability depends, for example, on the characteristics of the information
network, the use of certificates, the information system’s user-interface, the
workstation specifications and the user’s expertise.
With respect to public documents, special attention should be paid to the
availability of information and, depending on the case in question, the fulfilment
of requirements set for the integrity of the information.
The information, information system or service must be available and at
the disposal of those entitled to access it at the time they wish and in the time
required to fulfil the accessibility requirement. In addition, safeguards should
be in place to ensure that information remains unaltered and that any document
modification stages are indisputably identified. The secrecy of information
or restrictions on its use should be addressed so that the information is only
available to those entitled to access it, irrespective of the form in which the
information has been saved.
3.6 Requirements relating to personal data
The processing of personal data is guided by, among others, the following
legislative provisions:
• the Personal Data Act
• the secrecy provisions of the Openness Act and by section 16(3) of the
Openness Act, which relates to the disclosure of information from a public
authority’s personal data file
• special statutes for certain administrative branches, which specify rules for
the processing of personal data.
Public access to personal data files is assessed in public administration in
accordance with the Openness Act and any possible special statutes. Public
authorities’ personal data files and the information they contain may be public
in the manner referred to in the Openness Act or they may be secret pursuant
to section 24 of the Act or some other statute.
The provisions of the Personal Data Act must be taken into account in the
processing of personal data and when a personal data file is established. The
Personal Data Act applies to the automatic processing of personal data. It also
applies to other processing when personal data form, or their purpose is to form,
a personal data file or part of such a system.
Whenever a personal data file is created and personal data saved in the files
are processed, the public authority must have proper grounds for these actions.
The processing of personal data should be planned so that the whole life cycle of
the data is taken into account. Personal data files and information in them should
be protected so that they can only be accessed and processed by those authorised
to do so. Saved personal data must be error-free, which imposes demands on the
maintenance of data. Only error-free data necessary for the given purpose should
be collected, saved and otherwise processed. In addition, due consideration
should be paid to fulfilling the rights of data subjects: informing data subjects
and processing requests concerning the right to inspect and correct data.
Under section 7 of the Personal Data Act, personal data must, as a rule,
be used or otherwise processed only in a manner compatible with processing
purposes referred to in section 6 of the Act. Information in a personal data file
can be used only for the purposes specified when the data file was established.
Protection obligations must be assessed for each personal data file case
by case. Under the Personal Data Act, the data controller must carry out the
technical and organisational measures necessary for securing personal data
against unauthorised access, accidental or unlawful destruction, manipulation,
disclosure and transfer, or other unlawful processing. When implementing
measures, the techniques available, the associated costs, the quality, quantity
and age of the data, as well as the significance of the processing to the protection
of privacy should be taken into account.
Sensitive personal data may only be processed under the preconditions and in
the situations referred to in section 12 of the Personal Data Act. Sensitive data are
generally considered to be secret. The Decree on Information Security contains
certain obligations concerning the processing of classified sensitive personal
data saved in a personal data file, and these obligations are not dependent on
whether or not the data are deemed to be secret (see Decree on Information
Security, sections 13(1), 14(4), 16(3), 19(3) and 20(1)).
4 General information security requirements for information processing
This chapter presents the general requirements set for information processing.
These include safeguarding the competence and reliability of the staff and
fulfilling the requirements set for information processing environments.
Information security aims to ensure the continuity and quality of public
authorities’ activities and a due process of law. The implementation of information
security is based on a survey of an organisation’s information resources and their
significance as well as the information security risks.
Public authorities should ensure that staff members have secure equipment,
work space and procedures. Staff members must be made aware of the risks
involved in information work, know the correct procedures and contribute
positively with their own attitudes to the creation of a high information security
culture.
The VAHTI Effective Information Security document (5/2009) examines
the subject of information security management.
4.1 General information security requirements in the Decree on Information Security
Public authorities must implement and maintain an information processing
environment that fulfils at least the base-level requirements of information
security to the extent required by their activities.
Public authorities must ensure that they have sufficient expertise available to
assess the need for information security measures, to implement, develop and
supervise functions, and to provide guidance to staff members.
Under the Decree on Information Security (section 8), public authorities
decide whether classification applies to their documents. If classification
is applied, chapters 3 and 4 of the Decree should be adhered to in the
classification and processing of documents. Where public authorities decide not
to classify documents, they must adhere to the obligations prescribed in section
18 of the Openness Act and in section 2 of the Decree on Information Security.
The provisions require a public authority to identify and assess its documents
and information systems as well as the information security risks associated
with its activities (Openness Act, section 18; Openness Decree, section 1;
Decree on Information Security, sections 4 and 5(1)(1)). For a public authority,
creating the prerequisites for good information management practice means,
in particular, that documents and information resources are made available
and accessible. Good information management practice involves ensuring a
good access and secrecy structure for records, cases and documents as well
as protecting information that should be kept secret. The Personal Data Act
requires the implementation of good data processing practice in the processing
of personal data.
A public authority should define the duties and responsibilities relating to
the processing of documents and information (Decree on Information Security,
section 5(1)(3)). Those who have the power to decide on the disclosure of secret
documents or personal data or who have the right to process such information
should be specified with internal rules, if not otherwise prescribed.
The measures necessary to protect information should be implemented
both in traditional document management and in information systems to
safeguard the base level of information security. Appropriate identity and
access management, access control and adequate security arrangements for
information networks and information systems must be implemented (section
5(1)(6)). System functionality as well as the availability of information should
be safeguarded in different situations (section 5(1)(4)).
The premises in which secret information and personal data are processed
must be appropriately protected, monitored and approved for this use (section
5(1)(7)).
In ensuring the reliability of staff, security clearances and other means
provided for by law must be used, if necessary (section 5(1)(8)).
Staff must be given the necessary information security instructions, and
these must be kept up to date (section 5(1)(9)).
These instructions provide guidelines on the processing of secret documents
in order to determine protection levels, make secrecy and security classification
markings, and specify information security levels.
4.2 Requirements relating to staff
Personal data recorded in secret documents or personal data files can
be processed only by those individuals who have the right to access the
documents in question. Obtaining an access right requires that
• the individual must have a work-related need, specified by a supervisor, to
process the information contained in a document
• the individual must know and have a full understanding of the processing
rules for secret documents
• the individual’s reliability has been ascertained, if necessary, in an
appropriate manner, for example with the aid of the security clearance
procedure. This requirement particularly applies to the processing of
information material requiring protection levels I and II
• an individual must have a valid access right to process information
according to the protection level specified for a document. This requirement
particularly applies to the processing of information material requiring
protection levels I and II as well as to information according to security
classifications I–III.
Access rights must be linked to tasks. People must have access to the
information and documents required by their tasks. If their right to possess
secret material changes, access rights to the said material must be withdrawn
from them via access rights management procedures and they must surrender
the secret information material in their possession or destroy it in a way
specified by the senior management of the public authority. Secret documents
should be processed with care, such that only those who have right of access
can process secret information.
Staff must know and have a full understanding of the security procedures
of the tools required in the processing of information. At regular intervals and
always in connection with changes, staff must be given the necessary training
and advised of perceived risks.
A public authority must maintain a list of tasks of its own staff, namely
information about who can, and in which tasks, process secret documents or
personal data contained in personal data files. Typical information processing
needs associated with a particular task can be described in the job description.
At protection levels III and IV, public servants have the right to process
information according to the needs of their tasks, based on decisions of the
senior management of the public authority (Decree on Information Security,
section 13). The fulfilment of international information security obligations
generally requires a public authority to maintain a list of staff members who
have right of access to information.
Detailed instructions for each protection level are presented in Annex 3,
section 2.
A public authority may require that staff in its service pass, to the extent
necessary, an information security competence test.
4.3 Basic prerequisites of information security culture
A public authority should maintain information security training for all staff
and ensure that they have sufficient expertise and that they understand the
risks associated with information security.
Staff must have sufficient knowledge of the public authority’s information
security policy and its information security instructions.
Staff must be committed to adhering to the issued information security
instructions.
All those who process secret and classified documents should be aware that
most information security problems are caused by an organisation’s own staff.
There are many reasons for this. One common factor is carelessness
when handling information material or equipment; another is
disregard for issued instructions; a third is that staff are not given sufficient
training and instruction.
4.4 Requirements relating to premises security
The purpose of premises security is, as part of physical security, to protect
staff, information and material. Premises security means all structural
and monitoring arrangements by which a public authority ensures that its
premises remain solely in the control and use of authorised staff and in the
condition required for their intended use. Structures include walls, roofs,
windows, doors, fire safety cabinets and safes, and other mechanical solutions.
The term monitoring systems generally means access control systems as well
as penetration detection, camera surveillance and condition alarm systems.
Electrical monitoring systems also include property automation systems,
which are used to monitor and control premises’ operating conditions.
No general standards exist for premises security, but official requirements for
each information security level are outlined in detail in the chapter on physical
security in the National Security Auditing Criteria (KATAKRI).
A public authority should specify security solutions for its premises. The
specification should take into account, among other things, structural solutions,
necessary monitoring systems and possible issues relating to access rights to
premises.
Premises security should be examined as a whole. This includes, for example,
attending to the premises security of information network equipment and
cross-connection facilities as well as ensuring that unauthorised parties do not gain
access to active junction boxes.
Monitoring systems are used to control access to premises and to detect
unauthorised movement in them. Monitoring systems are also information
systems and as such often generate personal data files. Video monitoring must
comply with the provisions of the Act on the Protection of Privacy in Working
Life (759/2004).
The information security of monitoring systems should be attended to in a
similar way to the security of other information systems.
The information security of property automation systems should be
appropriate, with particular attention paid to monitoring the management of
access rights. Property automation systems are used to safeguard engine rooms'
operating conditions; outsiders may cause the collapse of information system
services. Property automation systems can often be controlled remotely, in
which case conditions may be changed from outside a public authority’s control.
Premises security should also take into account the sound insulation of
premises. Sound insulation must be installed in all premises where secret
information is processed. Particular attention should be paid to the insulation
of sound passing through cable ducts and the ventilation system.
In premises security, due consideration should also be given to the threat
arising from electromagnetic radiation in separately specified cases, to the extent
specified by the competent authority (Tempest protection).
An organisation is responsible for ensuring that premises used for
information processing are appropriately protected. Users must know the
premises classification (security zone) of the place in question, particularly
when secret information is being processed.
The National Archives Service of Finland has issued instructions on
requirements for archive premises.
Detailed instructions for each protection level are presented in Annex 3,
section 4.
5 Information security requirements relating to information technology environment
5.1 Requirements relating to information technology environment and information services
The information networks and information systems used in the processing
of information should be implemented in a manner that enables secure
information work in all situations.
The equipment and components of information networks and information
systems should be located in secure premises (Security recommendation
for ICT premises, Tietoteknisten laitetilojen turvallisuussuositus, VAHTI
1/2002). Systems should be built so that the information work required by an
organisation’s activities can be performed in accordance with set availability
requirements.
Information technology environments are classified using information
security levels. A public authority should implement at least a base security
level operating environment.
An information system and information network in which secret information
is processed must fulfil the requirements set for the protection level of the
information in question.
Access to information networks, information assets and office premises
should be monitored.
A public authority should ensure that equipment and systems for processing
information contain the necessary security arrangements, for example malware
protection systems and encryption methods as well as access rights management
procedures.
Use of a workstation that contains classified information should be possible
only through an access rights verification procedure.
Information processing environments should be adequately protected against
electromagnetic radiation.
A public authority must specify who is responsible, under the Openness Act,
for deciding on requests to receive information from a classified document. The
most appropriate course is to assign this task to a public servant in a supervisory
position, unless there are special reasons for doing otherwise.
Detailed instructions are presented in Annex 3, section 5.
5.2 Use of service providers and subcontractors to supply and maintain information technology systems and services
Cooperation with interest groups is regulated by national legislation. The
Constitution, the Openness Act, the Personal Data Act, the Act on the
Protection of Privacy in Electronic Communications and the Decree on
Information Security, for example, set requirements that must be taken
into account when using external organisations in managing official duties.
Such requirements include location restrictions with respect to privacy and
contingency planning.
Many public authorities have duties involving the processing of security
classified information assets that impact on the development and maintenance
of information systems and services. For this reason, assignments should be
planned in advance with care and the capability of suppliers to protect the
classified information resources entrusted to them should be verified.
Cooperation should be conducted with companies that have established
sufficiently strong operations and support in Finland for the assignments in
question.
If an acquisition or service includes the processing of classified information,
security arrangements should be verified with the supplier in advance. If foreign
operators and individuals are involved, the National Security Authority should
be consulted to ascertain the required information with respect to the said
operators and individuals.
The first proposal for National Security Auditing Criteria (KATAKRI) was
completed in 2009 in cooperation with public authorities, business and security
industry organisations. The criteria do not as yet constitute a set of instructions
and their main aim is to help business and other private organisations in their
internal security work. They do, however, contain recommendations that public
authorities are advised to consult when planning information security measures.
In this context, organisations should also take into account the Government
Decision on Safeguarding the Security of Supply (539/2008), according to
which organisations, when planning and constructing information systems
critical for the functioning of society, should ensure that expertise in the
control, maintenance, systems management and technical support of such
systems is maintained in Finland or that it is possible to return such control
and maintenance ability to Finland. The decision requires that the information
assets used by key applications be held in Finland.
5.3 Basis for information security levels
For central government information technology environments and their
management, the following information security levels are defined:
• Base information security level environment (base level)
• Increased information security level environment (increased level)
• High information security level environment (high level).
The Decree on Information Security sets for central government authorities a
requirement to fulfil at least the base level of information security.
The base-level environment allows the processing of information and
documents belonging to protection level IV in clear text form.
The increased information security level environment allows the processing
of information and documents belonging to protection level III in clear text
form (Decree on Information Security, section 16(3)).
The high information security level environment allows the processing of
information and documents belonging to protection level II in clear text form
(Decree on Information Security, section 16(2)).
The clear text processing of information belonging to protection level I
can be implemented only in dedicated network environments, which have no
connections to a lower information security level environment.
Equipment (workstations etc.) used for information processing must fulfil
the requirements set for the information security level in question.
Based on separate official approval, a workstation that itself fulfils the
requirements of a higher information security level can be connected to a lower
information security level environment.
More detailed instructions on the requirements set for different information
security levels are presented in Annex 5.
5.4 Objectives for the setting of information security levels
Information security levels are used to set requirements for implementing
and maintaining both technical security arrangements and administrative
procedures in information processing environments. The higher the
information security level the environment fulfils, the better opportunities
it provides for the handling of information assets belonging to different
protection levels.
The information security level to be implemented in each operating
environment should be determined based on the content and significance of
operating processes and the information processed in them as well as on the
threats and risks directed at them.
When the information security level of the information processing
environment is known, the processing taking place in the said environment
can be implemented based on standardised rules (Annex 4).
Information security levels increase opportunities to exchange secret
information between various public authorities as well as service suppliers and
subcontractors that provide services to public authorities. Information processing
environments and functions must be assessed against set requirements (section
5.6 and Annex 5.1.6).
A public authority should decide on the role that information security has in
the performance of the organisation’s key tasks, the resources required to achieve
this and the nature of the threats against which these resources are primarily
directed. Management can employ such steering mechanisms to ensure that the
investment made in information security is directed to the operationally correct
assets and that the information security level has been set correctly with respect
to operations. Effective steering mechanisms are of assistance in achieving an
adequate level of information security.
A public authority may have procedures, information systems and
information networks at different information security levels. Their classification
must be based on the reconciliation of risk assessments and cost-effectiveness.
5.5 Assets to be protected and technical protection mechanisms
One of the key tasks of information security development is to identify the
assets of an organisation that should be protected. They include, for example,
information materials, workstations, information systems and their premises,
and information networks.
Development work must be based on continuous risk assessment. Risks to
information and information security should be identified, and procedures
suitable for the organisation’s activities created to control these risks. Different
means can be employed, ranging from training, instructions and agreements
to technical software and procedures.
The use of individual increased-level or high-level requirements may be
considered necessary in an organisation even at lower levels. Much information
on possible means of protection can be found in the instructions published by
the Government Information Security Management Board (VAHTI).
5.6 Specification and assessment of information security level
A public authority should assess the information security level of the
environments it uses in the processing of information. This can be done by
using a self-assessment method or through an external assessment. VAHTI
instructions as well as instruments provided by the Government IT Shared
Service Centre can be used to assist in this.
A basic requirement is that each information processing environment
and administrative function fulfils the requirements set for the base level of
information security. This applies both to a public authority’s own arrangements
and to parties who carry out tasks as an assignment on the public authority’s
behalf.
As a rule, central government authorities should fulfil the requirements of
either the increased or high information security level when processing official
documents critical for functions vital to society.
6 Requirements relating to administrative information security
Information security development
A public authority should develop and maintain an information security
management system built to facilitate the implementation of the tasks set for
the authority in compliance with good information management practice.
Information security management must be integrated into the organisation’s
other management and development practice.
In central government, legislation as well as the VAHTI instructions form the
basis of the information security management. A description of an information
security management system is presented in Effective Information Security
(VAHTI 5/2009).
6.1 Requirements for information security management
Information security management is covered in this document based on the
Common Assessment Framework (CAF) quality model structure:
• Leadership
• Strategies and planning
• People
• Partnerships and resources
• Processes
• Measurement.
Leadership includes the following items:
• Strategic control
• Resourcing and organising
• Coordination of cooperation
• Reporting and communicating to stakeholders
• Management in special situations
• Reporting to management.
The following items can be recognised in the specification of information
security strategy and in operational planning:
• Impact of operating environment
• Specification of objectives
• Developing operations through risk assessment
• Operating network management
• Special situations management.
In information security staff management, the following items can be identified:
• Developing expertise and awareness, and sanctions
• Management of human resources and tasks
• Actions in special situations.
Management of partnerships and resources can be divided into the following
items:
• Contract management
• Securing operations in special situations.
The term information security operating processes means, in this context, all
of those processes in which information is processed or an information service
is provided. These are covered in the item
• Information resources management.
Information security measurement and assessment means measures by which
the current level of operations is verified. These are covered in the item
• Assessment and verification of operations.
An information security management system ensures the implementation
of information security in all operating processes. It is used to monitor
the current state of processes and possible problems and to direct the
implementation of corrective measures. It also helps to focus development
work on the information security of information systems and services.
Administrative and technical requirements for the above-mentioned items
should be set for each information security level environment.
Annex 5 presents detailed requirements for the management of information
at the different information security levels. Most of the detailed requirements
are based on the content of VAHTI instructions.
6.3 Assessment of information security management
A public authority should maintain a sufficiently comprehensive monitoring
system to assess the status of the different information security elements.
A public authority should prepare at regular intervals a monitoring report
on the state of information security and present this to senior management in
management reviews.
The monitoring report should contain results according to the diagram below
(figure 6.1), in which a set target and an assessment of the current situation
are presented for each issue.
Figure 6.1. An example of the information security management target state
of an information processing environment under examination and of the current
state based on assessment.
Figure 6.1 (chart, not reproduced): a radar chart titled "Information security management – organisation, Organisation A - dd.mm.yyyy", scale 0–5, plotting the target level of the organisation / unit against the current level for the items 1.1 Strategic control, 1.2 Resourcing and organising, 1.3 Coordination of cooperation, 1.4 Reporting and communicating to stakeholders, 1.5 Management in special situations and 1.6 Reporting to management (1. Leadership); 2.1 Impact of operating environment, 2.2 Specification of objectives, 2.3 Developing operations through risk assessment, 2.4 Operating network management and 2.5 Special situations management (2. Strategies and planning); 3.1 Developing expertise and awareness, and sanctions, 3.2 Management of human resources and tasks and 3.3 Actions in special situations (3. People); 4.1 Contract management and 4.2 Securing operations in special situations (4. Partnerships and resources); 5.1 Information resources management (5. Processes); 6.1 Assessment and verification of operations (6. Measurement).
Senior management should be made aware of existing critical risks and decide
on corrective measures.
6.4 Requirements for the management of information systems and information services
A public authority should ensure that the management of its information
systems and information services meets its requirements and is sufficiently
effective.
Management should include effective procedures in the following fields:
• Reporting to the information security officer
• Asset management
• Introduction and removal of information processing environments
• Updating and change management of information processing environments
• Formation of secure areas and filtering between them
• Access control
• Identity and access management
• Malware protection
• Protection of physical environment
• Back-up management
• Monitoring of information security incidents
• Recovery of information systems from disruptions
• Management of information system development and application
maintenance.
Management of information systems and information services requires the
existence of adequate maintenance resources. This need is underlined in
environments which are subject to continuous development and which are
used to facilitate a public authority’s core functions.
Operations should include traceable processes to verify the functions that
describe the state of information processing environments, information systems
and other aspects of information security, and changes to such functions.
Annex 5 presents detailed requirements for the management of information
systems and services.
6.5 Assessment of information systems management
A public authority should maintain a sufficiently comprehensive monitoring
system to assess the status of the different elements of information systems
management.
A public authority should prepare at regular intervals a monitoring report
on the state of information systems management and present this to senior
management in management reviews.
The monitoring report should contain results according to the diagram below
(figure 6.2), in which a set target and an assessment of the current situation
are presented for each issue.
Figure 6.2. An example of the target state of IT environment management and
of the current state constructed on the basis of an assessment.
Figure 6.2 (chart, not reproduced): a radar chart titled "Information security management - ICT processes, Organisation A - dd.mm.yyyy", scale 0–5, plotting the current level against the target level for the items A: Reporting to the information security officer, B: Asset management, C: Introduction and removal of information processing environments, D: Updating and change management of information processing environments, E: Formation of secure areas and filtering between them, F: Access control, G: Identity and access management, H: Malware protection, I: Protection of physical environment, J: Back-up management, K: Monitoring of information security incidents, L: Recovery of information systems from disruptions and M: Management of information system development and application maintenance.
Senior management should know the existing critical risks and decide on
corrective measures.
7 Classification of information resources
The Openness Act sets obligations for public authorities to manage the
information assets in their possession according to good information
management practice. An archive formation plan and the necessary data file
systems and directories help to manage information assets. The availability
and accessibility of information as well as its integrity and confidentiality
are managed by classifying material into different classes based on its
requirements.
7.1 Documents within the sphere of classification, and classification criteria
The processing of information is managed by means of protection levels
(Decree on Information Security, section 9). Primarily secret documents are
brought within the sphere of classification. An official document is considered
secret if it has been prescribed as secret in the Openness Act or some other
statute or if it contains information covered by a non-disclosure obligation
prescribed in law. Courts of law may also order, based on law, that a document
be secret.
It is not necessary nor, in accordance with the Decree on Information Security,
possible to classify all secret documents in protection levels. Classification is
possible only if the impacts outlined in section 9(1) of the Decree on Information
Security may arise from the unauthorised disclosure of information. The fact
that a document has been prescribed as secret does not yet in itself specify to
which protection level the document should be assigned. Each information
resource should be assessed from the point of view of the potential consequences
of its disclosure. The evaluation process should also examine the interest under
protection as a whole.
Section 9(2) of the Decree on Information Security prescribes other
documents that may be classified as documents requiring protection level IV.
These are documents whose disclosure has been left to the discretion of a public
authority (e.g. discretionary public documents; Openness Act, section 9(2)) or
which may, according to law, be disclosed only for a given purpose (e.g. personal
data files; Openness Act, section 16(3)).
Classification should not be extended to documents or parts of them where
compliance with processing requirements is not necessary for the interest to
be protected. Classification can therefore be done so that information security
requirements are applied only to documents or document processing stages
where special measures are necessary for the interest being protected (Decree
on Information Security, section 8(1)).
Public authorities issue instructions on the classification of documents in
their own operating environments.
The signatory of the document or an individual separately prescribed in rules
of procedure determines the classification marking to be given to a document.
The classification marking reflects the view of the author or signatory on how
the document should be protected.
It should be noted that disclosure to third parties of secret information
contained in a document is not permitted even when a document is not marked
with a protection level. There might be no classification marking when secret
information constitutes only a small part (e.g. a name or a section) of an extensive
document or information package or when an annex of a document is secret but
the document is otherwise public. There might be no classification marking if
the disclosure of a document is not considered to lead to consequences referred
to in section 9(1) of the Decree on Information Security.
Classification markings do not release parties from assessing documents in
accordance with the Openness Act; classification markings do not as such give
rise to a secrecy obligation. A document may be secret only by virtue of the
Openness Act or some other Act.
Security classification markings (Decree on Information Security, section
11) may be made to secret documents, the unauthorised disclosure of whose
information could cause damage to international relations, State security,
national defence or to other public interests in the manner referred to in section
24(1)(2, 7–10) of the Openness Act.
Classified documents, when used in a national context, are marked with a
protection level marking only. A security classification marking must not be
used other than in cases prescribed in section 11(1) of the Decree on Information
Security, unless it is necessary for compliance with international information
security obligations or unless the document is otherwise related to international
cooperation (section 11(3)).
Because the expression LUOTTAMUKSELLINEN (CONFIDENTIAL) is
a security classification referred to in the Decree on Information Security, it is
not legal to make such a marking except when the document really belongs to
the said protection level.
7.2 Secrecy markings
A public authority must make a secrecy marking on a document which it gives
to a party and which is secret because of the public interest or the interest
of a third party (Openness Act, section 25). A marking can also be made on
other secret documents. It is recommended that a marking also be made when
giving a secret document to another public authority or to a party which
processes secret documents as an assignment on a public authority’s behalf.
Secrecy markings can be implemented in information systems, employing
various methods. In accordance with the case management metadata
specification (SÄHKE2), metadata relating to secrecy come by default from the
archive formation plan. Secrecy markings and their life cycle stages, such as the
expiry of secrecy, can be described in the metadata elements. Users should be
able to find information on the nature and level of secrecy from the display at the
different processing stages. Users should know the features of the applications
well enough to be able to distinguish secret and otherwise restricted information
from other information.
The marking should show the extent to which a document is secret and the
grounds for secrecy. A secrecy obligation is expressed either by indicating
the secret parts of the document (e.g. section n.n of an annex) or specifying
what kind of information is secret (e.g. information concerning the state of
health of an applicant).
If secrecy is based on a legal provision that contains a damage condition
clause (minor damage, operational threat, significant damage, threat to certain
key interests), the marking can, however, be made indicating only the provision
on which the secrecy is based.
Damage condition clause refers to a secrecy provision in which secrecy is
dependent on the disclosure of information to an unauthorised party and on
the damage arising to the organisation from such disclosure (e.g. Openness
Act, section 24(1)(1–3, 6–15)). More detailed information is available on the
Ministry of Justice website (www.om.fi; Basic provisions; Openness Act; Letter
of 23 September 2005 sent by the Ministry of Justice to ministries on the
implementation and partial amendment of the openness legislation, including
its annexes).
If secrecy ends at a certain time or due to a certain event, this can be marked
below the secrecy stamp, for example manually with justifications, if this option
has not been taken into account in some technical solution (metadata) in advance.
The secrecy of information ends when the disclosure of the document in
question does not lead to the effects that are the condition for secrecy or when
the secrecy period prescribed in section 31 of the Openness Act has expired.
7.3 Protection levels and associated markings
The processing of public authorities’ classified documents is controlled by
means of protection levels (PL).
The protection levels are:
• protection level I (PL I), if unauthorised disclosure of secret information
could cause particularly grave prejudice to a public interest referred to in a
secrecy provision
• protection level II (PL II), if unauthorised disclosure of secret information
could cause significant prejudice to a public interest referred to in a secrecy
provision
• protection level III (PL III), if unauthorised disclosure of secret information
could cause prejudice to a public or private interest or right referred to in a
secrecy provision
• protection level IV (PL IV), if unauthorised disclosure of secret information
could be disadvantageous to a public or private interest referred to in a
secrecy provision or, in the event of documents referred to in section 9(2)
of the Decree on Information Security being involved, if unauthorised
disclosure of information could be disadvantageous to a public or private
interest or adversely affect the ability of a public authority to perform its
functions.
It is recommended that classification be only used for secret documents.
Therefore personal data information, for example, should be classified only
if the information in the personal data files is either completely or to some
extent secret, or if sensitive information referred to in section 11 of the
Personal Data Act is recorded in the personal data files.
The main principle is that a protection level marking (stamp) be made on a
secret document. If a security classification marking can be made on a document,
it may replace a protection level marking (Decree on Information Security,
section 11(1)). The markings (stamps) to be used are presented in Annex 2.
A classification marking is not necessary if all those processing a document
are aware of the document’s secrecy as well as of the procedures to be adhered
to in its processing. For example, in information systems in which separately
authorised users merely process personal data belonging to personal data
files, the use of the markings mentioned in Annex 1 is not required in normal
handling situations. Those handling the information must recognise, however,
the restrictions concerning the handling of these documents and information.
It is also recommended that no classification marking be made on a document
when a secrecy obligation and the consequent handling requirements are valid
only for a relatively short period or when a document has only some information
falling within the sphere of a secrecy obligation and where all those handling
the document are aware of its nature. In these cases, it is more appropriate for
information relating to secrecy and processing requirements to be marked on
a separate document to be attached to the document (Decree on Information
Security, section 10(2)).
The protection level should be indicated to users with a marking that
expresses the class in question.
An official document must not be considered secret if a secrecy period
enacted in law or prescribed by virtue of a law has expired. In such cases, the
grounds for classification are also terminated.
The secrecy of a document ceases when the period enacted in law or
prescribed by virtue of a law has passed from the preparation of the document.
If the secret information is such that the need for it to remain secret ceases after
a designated period, that designated period should be indicated by the author or
holder of the document on the document or in a separate written or electronic
note. If a document has a classification marking, it is appropriate to indicate the
expiry of secrecy in connection with the classification marking.
A document in the possession of a public authority which includes
information that can be used only for a certain purpose may be classified if
conditions of the Decree on Information Security are fulfilled.
7.4 Grouping of information material into protection levels
Secret information material is placed into a protection level determined based
on the significance of the information and the consequences of its disclosure,
if the conditions prescribed in section 9(1) of the Decree on Information
Security are fulfilled. Determining the correct level must be done with care.
A protection level requirement must not extend to those parts of information
material in which processing requirements are not necessary concerning the
interest to be protected (Decree on Information Security, section 8(1)). It is
also worth noting that it is neither necessary nor permitted to classify all
secret documents.
When a document is prepared, attention should be paid to processing
requirements of the document or its information. Documents should be prepared
so that their processing supports the availability and integrity of information
as well as the implementation of secrecy and restrictions on use.
The default protection level of documents and the need to use security
classification can be specified in the archive formation plan. The classification
need and class of each document should, however, always be assessed separately
and the marking of information corresponding to this should be made in the
document or its metadata specifications.
As a general principle, public and secret information must be kept separate.
Therefore documents should be prepared paying attention to which of them
can be implemented as public document material and which of them requires
the preparation of a document (good openness and secrecy structure) to be
processed separately.
Information belonging to different protection levels should, as a rule,
be placed in different documents, thereby facilitating the accessibility and
management of the documents throughout their life cycle.
When preparing documents, attention should also be paid to the extent to
which the information contained will be needed. Documents which will have a
wide distribution should be written so that they can be processed at protection
level IV or III. In these documents, reference can be made to documents at a
higher protection level. The more sensitive the information is, the higher the
security arrangements required for the entire processing chain.
Official documents that may require extensive processing and whose
disclosure may cause minor harm or loss of trust, should be classified in
protection level IV.
The above-mentioned restrictions on the extent of distribution relate to
controlling human risk. Documents whose secrecy period is, for example, 25
years require controlled processing of information throughout the secrecy period.
The wider the group to which information is distributed, the greater the risk
of secrecy being compromised. It is also necessary to take into consideration
that the processing of documents belonging to protection levels I and II must
be traceable throughout the entire life cycle of a document (processing log etc.).
Even if a document under preparation does not contain secret information,
it may be classified in protection level IV if the unauthorised disclosure of the
information could be disadvantageous to a public or private interest or adversely
affect the ability of a public authority to perform its functions. The ability of
a public authority to perform its functions cannot generally be considered to
be jeopardised when pending matters of general importance are involved, in
which case there is limited scope for the use of classification. In any event,
classification must not influence to any extent the fulfilment of obligations
relating to access to pending matters prescribed for public authorities in the
Openness Act (section 19).
In certain cases there is good reason to highlight which part of a document
contains secret or other classified information. This can be done, for example,
by paragraph or section. A classification marking indicating the protection level
can be made in brackets at the beginning of the paragraph containing classified
information in order to indicate the processing level of the information contained
in the paragraph. This marking method helps those processing the document
later to recognise the parts of the document requiring special handling and to
assess the need to continue classification. This is also helpful in situations where
existing information is used to assist in the preparation of new documents.
Classified material should be marked with protection levels when it is
transferred to another party. At the same time, it is necessary to verify that
such a transfer is possible according to law and that the recipient fulfils the
requirements for the processing of the information material. It is recommended
that classified material should always be marked with the stamps and markings
mentioned in Annex 2 throughout the life cycle of a document for as long as
information is secret.
7.5 Security classification markings
A security classification marking may be made on official documents in
the cases indicated in section 11 of the Decree on Information Security.
The security classification markings indicate four different levels. Security
classified material is processed in accordance with the requirements given for
the corresponding protection levels mentioned in section 7.3.
The security classification markings are:
• protection level I: ERITTÄIN SALAINEN (TOP SECRET), if unauthorised
disclosure of secret information could cause particularly grave prejudice to
international relations, State security, national defence or to other public
interests in the manner referred to in section 24(1)(2, 7–10) of the Openness
Act
• protection level II: SALAINEN (SECRET), if unauthorised disclosure
of secret information could cause significant prejudice to international
relations, State security, national defence or to other public interests in the
manner referred to in section 24(1)(2, 7–10) of the Openness Act
• protection level III: LUOTTAMUKSELLINEN (CONFIDENTIAL), if
unauthorised disclosure of secret information could cause prejudice to
international relations, State security, national defence or to other public
interests in the manner referred to in section 24(1)(2, 7–10) of the Openness
Act
• protection level IV: KÄYTTÖ RAJOITETTU (RESTRICTED), if unauthorised
disclosure of secret information could be disadvantageous to
public interests in the manner referred to in section 24(1)(2, 7–10) of the
Openness Act.
Please note! The term security class is often used in connection with security
classified documents. A public authority may, in its own activities, use suitable
organisation-specific terms and abbreviations. The terms security class I – IV
are also used in connection with international security classified information
material, and material belonging to these security classes is protected in
accordance with protection levels I – IV mentioned in this document.
Stamps associated with security classification markings are presented in
Annex 2.
The equivalence of protection levels and security classification titles is
presented in the table below.
PROTECTION LEVEL       SECURITY CLASSIFICATION TITLE   ABBREVIATION
Protection level I     TOP SECRET                      ERSAL (E)
Protection level II    SECRET                          SAL (S)
Protection level III   CONFIDENTIAL                    LUOT (L)
Protection level IV    RESTRICTED                      RAJ (R)
Abbreviations can be used in information systems and documents where
applicable.
When expressing a security classification by paragraph, the security
classification marking in question is placed at the beginning of the paragraph,
e.g. using brackets. For example (S) at the beginning of a paragraph indicates that
there is SECRET (SALAINEN) information in the paragraph. Correspondingly,
in connection with metadata, the longer abbreviations are recommended, such
as SAL. If the information system sets restrictions on the length of abbreviations,
shorter forms can be used, such as ERS and LUO instead of the abbreviations
ERSAL and LUOT.
Information belonging to protection levels I – III should be presented to
users on displays by a marking expressing the class in question.
The distribution of documents marked with the security classification
marking TOP SECRET (ERITTÄIN SALAINEN) should be carefully considered
on the basis of need to know and taking the secrecy period requirement (right to
process) into account. In any case, the author and signatory must always decide
on the distribution of a document belonging to protection level I. Copies must
not be made of a document furnished with the security classification marking
TOP SECRET (ERITTÄIN SALAINEN), nor should it be distributed further
without the written permission of the document author or signatory.
Distribution of documents in which the security classification marking
SECRET (SALAINEN) is used should be restricted on the basis of need and
taking the secrecy period requirement into account.
7.6 Security classification of international information material
Documents that come from international organisations and other states may
have their own classification markings. Markings of a security classification
system corresponding to Finland’s are made on such a document if an
agreement binding on Finland has been made on the bilateral protection of
security classified information or a document otherwise falls within the sphere
of application of the Act on International Information Security Obligations
(e.g. an EU Commission or Council security classified document).
If there is no binding agreement or document on security classification
arrangements with a foreign state or international organisation, a public
authority must decide on the markings to be made in accordance with Finnish
legislation (Openness Act, section 24(1)(2, 7–10)).
The table below presents the equivalence of certain international
organisations’ and Finland’s security classifications.
Country/organisation   Protection level I               Protection level II     Protection level III                Protection level IV
Finland                ERITTÄIN SALAINEN                SALAINEN                LUOTTAMUKSELLINEN                   KÄYTTÖ RAJOITETTU
EU                     TRÈS SECRET UE / EU TOP SECRET   SECRET UE / EU SECRET   CONFIDENTIEL UE / EU CONFIDENTIAL   RESTREINT UE / EU RESTRICTED
NATO                   COSMIC TOP SECRET                NATO SECRET             NATO CONFIDENTIAL                   NATO RESTRICTED
A “LIMITE” marking on EU internal documents means that their distribution
is restricted. This is not a marking indicating a security classification.
Documents labelled with this marking are not for public distribution. The
same applies to NATO UNCLASSIFIED documents. The classification of both
document groups in Finland should be assessed case-by-case in accordance
with national legislation.
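The paragraph-level markings and abbreviations of section 7.5, the EU and NATO equivalences and the LIMITE / NATO UNCLASSIFIED caveat of section 7.6, and the expiry rule of section 7.3, worked into one added example that is not code from the VAHTI instructions: it maps a marking to a protection level, derives from the paragraph markings the level at which a whole document must be processed, reports distribution-only markings for case-by-case assessment instead of mapping them, and stops deriving a level once the secrecy period has expired. The regular expression, the function names and the sample document are constructed here; only the abbreviations and equivalences come from the text.

```python
"""Protection-level markings per sections 7.3, 7.5 and 7.6 of VAHTI 2b/2010.

Added example, not code from the instructions. Abbreviations and EU/NATO
equivalences are taken from the text; everything else is constructed.
"""
import re
from datetime import date
from typing import Optional

# Protection levels in order of sensitivity: PL I is the highest.
PL_RANK = {"PL I": 1, "PL II": 2, "PL III": 3, "PL IV": 4}

# Security classification titles, abbreviations (ERSAL/SAL/LUOT/RAJ), short
# forms for length-restricted systems (ERS/LUO), the paragraph letters
# (E/S/L/R) and the EU/NATO equivalences. Keys are normalised by
# normalise_marking(): upper case, single spaces, no spaces around the slash.
MARKING_TO_PL = {
    "ERITTÄIN SALAINEN": "PL I", "TOP SECRET": "PL I",
    "ERSAL": "PL I", "ERS": "PL I", "E": "PL I",
    "TRÈS SECRET UE/EU TOP SECRET": "PL I", "COSMIC TOP SECRET": "PL I",
    "SALAINEN": "PL II", "SECRET": "PL II", "SAL": "PL II", "S": "PL II",
    "SECRET UE/EU SECRET": "PL II", "NATO SECRET": "PL II",
    "LUOTTAMUKSELLINEN": "PL III", "CONFIDENTIAL": "PL III",
    "LUOT": "PL III", "LUO": "PL III", "L": "PL III",
    "CONFIDENTIEL UE/EU CONFIDENTIAL": "PL III", "NATO CONFIDENTIAL": "PL III",
    "KÄYTTÖ RAJOITETTU": "PL IV", "RESTRICTED": "PL IV",
    "RAJ": "PL IV", "R": "PL IV",
    "RESTREINT UE/EU RESTRICTED": "PL IV", "NATO RESTRICTED": "PL IV",
}

# Distribution markings that are not security classifications (section 7.6);
# the national classification of such material is assessed case-by-case.
DISTRIBUTION_ONLY = {"LIMITE", "NATO UNCLASSIFIED"}

# A marking in brackets at the start of a paragraph, e.g. "(S) ..." (7.5).
PARAGRAPH_MARKING = re.compile(r"^\s*[\(\[]\s*([^\)\]]+?)\s*[\)\]]")


def normalise_marking(marking: str) -> str:
    """Upper-case, collapse whitespace and drop spaces around the EU slash."""
    collapsed = " ".join(marking.upper().split())
    return re.sub(r"\s*/\s*", "/", collapsed)


def marking_to_level(marking: str) -> Optional[str]:
    """Protection level for a marking, or None for a distribution-only marking.

    An unknown marking is rejected rather than guessed: a wrong level would
    silently weaken (or needlessly raise) the processing requirements.
    """
    key = normalise_marking(marking)
    if key in DISTRIBUTION_ONLY:
        return None
    if key not in MARKING_TO_PL:
        raise ValueError(f"unknown classification marking: {marking!r}")
    return MARKING_TO_PL[key]


def assess_document(text: str, secrecy_ends: Optional[str] = None,
                    today: Optional[str] = None) -> dict:
    """Derive the processing level of a document from its paragraph markings.

    The document is processed at the highest level marked on any paragraph;
    unmarked paragraphs count as public. Once the secrecy period has expired
    (ISO dates, expiry inclusive) the grounds for classification have ended
    (section 7.3) and no level is returned. Distribution-only markings are
    listed under "needs_case_by_case" instead of being mapped to a level.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    ends_d = date.fromisoformat(secrecy_ends) if secrecy_ends else None
    levels, needs_assessment = [], []
    for para in re.split(r"\n\s*\n", text.strip()):
        m = PARAGRAPH_MARKING.match(para)
        if not m:
            continue
        level = marking_to_level(m.group(1))
        if level is None:
            needs_assessment.append(normalise_marking(m.group(1)))
        else:
            levels.append(level)
    expired = ends_d is not None and today_d >= ends_d
    highest = min(levels, key=PL_RANK.__getitem__) if levels else None
    return {
        "level": None if expired else highest,
        "secrecy_expired": expired,
        "needs_case_by_case": sorted(set(needs_assessment)),
    }


# Constructed sample: a mixed document marked paragraph by paragraph.
SAMPLE_DOCUMENT = """\
Public introduction with no marking.

(R) Background whose disclosure would merely be disadvantageous.

(S) A paragraph holding SALAINEN information.

(LIMITE) An extract of an EU internal document with restricted distribution.
"""

if __name__ == "__main__":
    # Expected: level PL II, secrecy not expired, LIMITE flagged for assessment.
    print(assess_document(SAMPLE_DOCUMENT, today="2010-06-01"))
```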
7.7 Classification and markings of personal data
Personal data files and the processing of personal data are governed by the
Personal Data Act, the Openness Act and a number of special Acts on the
processing of personal data, which set special requirements for, among other
things, the processing of sensitive data and the protection of information.
Exclusivity of purpose and disclosure criteria set their own requirements for
the processing of personal data.
Unless otherwise provided by a document, documents containing personal
data may be placed at either PL III or PL IV in accordance with an impact
assessment made on the basis of section 9(1) of the Decree on Information
Security.
Even if, due to the protection of privacy, an absolute secrecy obligation
applies to certain documents, not all secret documents relating to an individual
or their information will necessarily fall under protection level III. When
secrecy provisions relating to the protection of privacy have been enacted,
secrecy has been grounded on an assessment made at a general level of the
risks compromising the protection of privacy in case information is made public
(Government Proposal 30/1998, p. 88). Classification according to protection
levels, on the other hand, is a matter of assessing which information falling
within the sphere of a secrecy obligation could concretely compromise protection
of privacy as an object of legal protection.
Personal data do not need to be marked separately with stamps if they are
processed only by individuals who have received sufficient training and possess
the relevant access authorisations.
Necessity and accuracy requirements as well as the obligation to protect and
duty of care must be fulfilled in the processing of personal data. For this, effective
access management and a monitoring and supervision system must be in place.
The processing of sensitive and biometric data saved in personal data files
should be recorded in a log (Decree on Information Security, section 20(1)).
Sections 9 and 13 of the Personal Data Act should be taken into account when
personal identification numbers are used. Documents containing a personal
identification number must be processed in accordance with protection level
IV, unless the content of the documents necessitates processing according to
the requirements of a higher protection level.
7.8 Recommendations relating to the classification of extensive information assets
In this context, the term extensive information assets means information
saved in one or more places, accessible by the user in one go. Information is
gathered from many different sources and by combining it new information is
formed to serve different purposes.
Even if individual documents included in an information asset are public
or classifiable at a low protection level, the information asset might constitute
an entity whose protection requirement is higher than that of the individual
documents contained within it. For example, the disclosure of information
about the weapons owned by an individual might be disadvantageous to a
private interest, but information about the whole country’s weapons register
could prejudice public safety.
The protection level requirement of each information asset is determined
on the basis of the protection level requirements of the individual documents
included within it. The Decree on Information Security prescribes the minimum
level for the information security requirement of classifiable documents. Section
7(2) of the Decree does not prevent a public authority from applying in its own
activities information security requirements higher than those prescribed in
chapter 4 of the Decree. It is recommended that a public authority assess the
protection requirements of all of its information assets. It is also recommended
that the impact assessment of the protection requirements is broader than when
individual documents are assessed, and that information security procedures
are implemented accordingly.
When granting access rights to different information assets, attention must
always be paid to how access rights are defined and monitored.
When implementing an information system and specifying its functions,
public authorities must consider the protection level arrangements on which
the said documents and information resources may be processed.
Extensive information assets are generally processed by data processing
professionals or by companies providing data processing or security services
under contract. It is important that decisions on protection levels and on the
procedures and security arrangements to be followed are made by different
people than those who process the information assets.
When specifying access rights to information assets, public authorities must
ensure that situations do not arise in which access right holders can access
unauthorised information.
In the implementation of information systems and functions, due
consideration should be given to all information processing stages so that they
can be performed in an environment that offers an adequate protection level.
An access rights review procedure can be applied to all information assets
irrespective of whether the said information assets contain secret information
or not. Public and secret information should be kept separate through technical
(network, disk space, encryption, user identification) and administrative means
(access rights, logs, identification). Information system planning and access
rights management should ensure that those who do information work in a
public authority receive for their use the information they require to perform
their tasks.
7.9
Requirements set for the integrity and
non-repudiation of information
Various requirements relating to the integrity and non-repudiation of
information are set for official documents and the information they contain
because of the significance and use of the information in question. Such
requirements are included, for example, in all financial transactions and in
documents for which an official signature is required. In these situations, a
public authority should put in place procedures to ensure that the information
it generates cannot be changed and that it is accurate, and that the original
documents are verifiable.
When documents are saved and transferred electronically, various hash
functions and electronic signatures are available to ensure integrity and
non-repudiation.
In electronic information transfer, the competent authority must ensure
that information conveyed and maintained by a public authority is transferred
so securely that third parties cannot change the information unintentionally.
A public authority may classify its information resources on the basis of
integrity requirements; for example, (1) information that must be accurate and
(2) other information.
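As an added example, not code from the instructions, the following Go program shows the two mechanisms section 7.9 names for electronically saved and transferred documents: a SHA-256 hash, whose value a recipient can recompute to confirm that the content is unchanged, and an Ed25519 electronic signature, which additionally binds the document to the signatory's key so that the origin cannot later be denied. The sample document text, the key pair generated at run time and the function names are constructed for illustration; a public authority would use the signature algorithms and key management approved for the protection level in question.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample document text; it is not taken from the instructions.
const sampleDocument = "Decision 12/2010: procurement of workstation encryption (PL IV)\n"

// Fingerprint returns the SHA-256 digest of a document as a hex string.
// Recording the digest in the register (or sending it alongside the document)
// lets the recipient recompute it and detect any change to the content.
func Fingerprint(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// Sign produces an Ed25519 signature over the document with the signatory's
// private key. Only the holder of that key can produce a valid signature,
// which is what gives the signed document its non-repudiation property.
func Sign(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// Verify checks a signature against the signatory's public key. It returns
// false if either the document or the signature has been altered in transit.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

func main() {
	// Key pair of the signatory, generated here only for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := []byte(sampleDocument)
	sig := Sign(priv, doc)
	fmt.Println("digest:           ", Fingerprint(doc))
	fmt.Println("original verifies:", Verify(pub, doc, sig))

	// A single changed character in the document invalidates the signature
	// and changes the digest, so the recipient notices the modification.
	tampered := []byte("Decision 12/2010: procurement of workstation encryption (PL I)\n")
	fmt.Println("tampered verifies:", Verify(pub, tampered, sig))
	fmt.Println("digests differ:   ", Fingerprint(doc) != Fingerprint(tampered))
}
```

The hash alone gives integrity only if the digest itself reaches the recipient through a path the sender controls (a register entry, a separate channel); the signature removes that dependency, because the public key, not the digest, is the trusted reference.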
7.10 Requirements set for the availability and
accessibility of information
The accessibility requirements of official information depend on the content
of the information and its purpose. Many operating processes set high
requirements for the availability of timely and correct information. The
Openness Act specifies the requirements for giving information to those who
request it. The information accessibility requirement is also highlighted by
the need to implement good information management practice. Accessibility
consists of several elements. Accessibility depends, for example, on
information network characteristics, assurance, the implementation of the
user interface, workstation specifications and user expertise.
Different documents are generally used for different operational purposes.
When processing involves information and documents requiring a high
protection level and high availability, the high requirements for information
processing are emphasised. These requirements are to be taken into account
when the information systems are planned. Such information is often included
in information produced and processed by various monitoring systems.
In the processing of public documents and information, special attention
should be paid to the accessibility of information and, depending on the case,
also to requirements set for the integrity of information. From the point of view
of accessibility, this means, among other things, that the information in question
is as easy as possible to access by those who need it in their tasks, even to the
extent that the information is an integral part of the work.
The critical nature of information means those requirements that the
implementation of activities demands. When some activity requires the
immediate availability of certain information, this information is considered
to be critical. Examples of critical information:
• a project meeting (information about place and timing and the need to
participate)
• training session (information about trainers, training objectives and
teaching material).
The availability of information can be examined from a process perspective,
for example:
• highly important documents and information for the implementation of
functions
• important documents and information for the implementation of functions
• documents that support functions
• other documents.
Operations often require both public and secret information. Those
responsible for certain activities should be aware of the required information.
When structures required by information work are planned and developed,
particular attention should be paid to safeguarding the availability of
necessary critical information. A public authority should identify in advance
the critical information required by a function.
8 Processing requirements of
classified information materials
The aim of these instructions is to create standardised procedures and
conditions for the processing of information materials in central government.
A further goal is to harmonise procedures with respect to national and
international classified documents in different situations throughout their life
cycle.
The requirements of international obligations differ to some extent from
the measures outlined both in the Decree on Information Security and in these
instructions. Therefore such obligations must be taken into account by a public
authority case by case in activities subject to international obligations.
8.1
Basic requirements
Requirements set for the processing of information apply to its whole life cycle.
A number of critical requirements are set in particular for the secrecy period
of information. In the implementation of these requirements, those who
process information are in a special position. They are responsible for ensuring
that processing of information is done correctly and using the equipment
given by the employer.
The competent authority or its representative must be identified for the
official information in question. This competent authority has key responsibility
for the information over which it exercises authority. A public authority should
specify the parties responsible for all of its information assets. Markings (such
as stamps) can be prepared in advance for electronic documents and form
templates, for example. Protection levels must be set for the entire life cycle of
information material.
The processing of a secret electronic document must be recorded in an
electronic log, information system, case management system, manual register
or in the document itself. The recommended recording location for electronic
processing is a log or corresponding electronic tool.
Information requiring a protection level classification should be saved
according to the requirements set for the class in question. Protection level
III information can be saved as clear text in monitored, increased information
security level networks in which access rights are checked and which incorporate
an effective, document-specific access management procedure.
Secret documents are not public; they are secret in accordance with secrecy
criteria. This means that the parties authorised to process a document are those
mentioned in the said document or group of cases. Information can be given
from a document only to those who have been granted the right to process
documents belonging to the protection level required by the document and who
have a need, based on their tasks, to process that information.
The table below presents the processing rights, distribution, traceability
and IT processing of documents for each protection level. Material requiring
a security classification is processed in accordance with the corresponding
protection level.
Processing right
• PL IV: processing right granted
• PL III: processing right granted
• PL II: processing right granted
• PL I: mentioned in distribution, processing right granted
Distribution
• PL IV: according to tasks
• PL III: according to tasks
• PL II and PL I: author specifies individual distribution
Recording of processing
• PL IV: recording of processing events of documents containing information
in personal data files or biometric data
• PL III: recording of processing events of documents containing sensitive
information in personal data files or biometric data; recommended for other
information
• PL II: specified by author, based on tasks
• PL I: recommended for other information
Traceability
• PL IV: no monitoring
• PL III: no monitoring
• PL II: document copy-specific traceability
• PL I: document copy-specific traceability
Transfer in open networks
• PL IV: encrypted or otherwise protected
• PL III: encrypted or otherwise protected
• PL II: not permitted
• PL I: not permitted
Transfer in official networks
• PL IV: as clear text in base and higher information security level networks
• PL III: as clear text in increased or high information security level networks
• PL II: as clear text in controlled high information security level networks
• PL I: strongly encrypted or otherwise protected in controlled separate
networks
Processing in a workstation connected to an open network
• PL IV: permitted in base and higher information security level environments
• PL III: permitted in increased or high information security level
environments
• PL II: permitted in controlled high information security level environments
• PL I: not permitted
Processing in a workstation connected to an official network
• PL IV: permitted in base and higher information security level environments
• PL III: permitted in increased or high information security level
environments
• PL II: permitted in controlled high information security level environments
• PL I: permitted in a high information security level separate network to
which there is no connection from other information networks
Saving in a data storage medium (hard drive, transferable memory)
• PL IV: protected
• PL III: encrypted or otherwise protected
• PL II: strongly encrypted or otherwise strongly protected
• PL I: strongly encrypted or otherwise strongly protected
Saving on an official network server
• PL IV: protected with user IDs
• PL III: encrypted or otherwise protected in an increased information
security level environment
• PL II: encrypted or otherwise protected in a high information security level
environment
• PL I: strongly encrypted or otherwise strongly protected, if the system
fulfils high information security level requirements
More detailed instructions for each protection level are presented in Annex 4.
The classification (protection level PL) governing the processing of documents
is expressed with the marking allocated for this purpose (Annex 2). A marking
is made by the author or the first recipient of the material or by the individual
who has the right to decide on the processing and use of the said material. A
classification marking is decided by the document signatory with his or her
manual or electronic signature.
Processing requirements corresponding to the classification of documents
depend on the significance of prejudice caused by the disclosure of information
contained in the documents for the public or private interests protected by
secrecy provisions.
The secrecy period of secret official documents is not dependent on whether a
document is classified or whether it has received a secrecy marking. All classified
documents are secret for as long as the grounds for secrecy exist, but not
exceeding 25 years from the signing of the document. In certain special cases,
however, the secrecy period may be longer.
Information in a secret document may be disclosed to a third party only if
the giving of the information or the right to receive it has been separately
and expressly prescribed in law.
In assignments or cooperation projects etc. in which secret information
needs to be processed with external parties, the following conditions must be
fulfilled in advance:
• the security of a foreign party has been verified in accordance with the
procedure described in the Act on International Information Security
Obligations (588/2004)
• in the disclosure of information, the procedures according to these
instructions are observed
• the said organisation has the premises and procedures required by the
protection level in question and for the processing of the information
• those who are authorised to access the information know the public
authority’s processing rules applying to secret documents and information.
The assignment should, if necessary, include an agreement on security
arrangements (e.g. appended to the procurement contract). If an extensive
project or partnership requiring a high protection level has been agreed with
an external party, the following principles should be observed in
addition to the conditions mentioned above:
• a separate security agreement, specifying the security procedures to
be adhered to in assignments, should be prepared between the said
organisation and the public authority. With respect to procurements,
security requirements can be reviewed within the framework of the set
security arrangements.
• the staff of the said organisation may be required to sign a separate
non-disclosure agreement specified by the public authority. The objective of
this is to ensure that staff know the set security obligations.
The appropriate records should be kept of secret documents given to external
parties.
A secret document should be managed in accordance with the requirements
set for the protection level required by the information contained by the
document, throughout the entire life cycle of the document, from preparation
to destruction.
Information systems should take into consideration the protection levels
required by the information contained within them. The working environment
should be protected with sufficient premises security, so that the premises are
sufficiently monitored and allow access only to authorised staff.
If a document contains both public and secret information, the public and
secret parts should be clearly specified.
If an information system has both public and secret information, secret
information should be given a protection level marking. For example, in database
systems this can be specified by table, field or information, depending on the
structure and the information material in question.
A document is classified in the class indicating the protection level required
by the information contained in it. If a document consists of several parts,
for example a main document and annexes, the main document should be
furnished with a stamp that represents the highest confidentiality level of the
whole document. The protection levels of both the main document and annexes
should accordingly be apparent from the main document if they differ from
one another. If a document and its annexes can be processed separately, their
protection level may also be indicated as required by each subdocument.
When a document contains secret information under a number of different
secrecy criteria, these secrecy criteria should be evident from the main document.
The importance of this information is highlighted when, for example, assessing
the distribution of a document and the disclosure of information from public
and secret parts of a document and when reviewing the ending of a document’s
secrecy period.
The diagram below presents the life cycle stages of a typical document.
[Diagram: Stages of document processing; section numbers refer to the
corresponding sections below. A document enters the cycle either through
A. Reception or through B. Creation (drafts).]
• A. Reception
• B. Creation, preparation, updating and maintenance (drafts) (8.2)
• Classification, marking and registration (8.3)
• Copying (8.4)
• Distribution (8.5)
• Transfer (8.6)
• Reception (8.7)
• Saving and storage (8.8)
• Access to information (8.9)
• Archiving (8.10)
• Review and removal of classification (8.11)
• Destruction (8.12)
8.2
Creating and editing of information material
In the preparation of information material, particular attention must be
paid from the start to whether the material will be public or whether it will
contain secret information. Those engaged in the preparation of material are
responsible for it. The party preparing a document decides who will receive
the document in question. A case in preparation is not as a rule intended for
external parties, irrespective of whether the draft document contains public
or secret information. When a document reaches the stage where it becomes
an official document, it is incorporated into the public authority’s information
assets.
A document containing classified information should be processed during
its preparation in the same way as a public authority’s other documents. The
processing of information does not depend on the form in which the information
has been saved.
When classified information is processed in documented form, for example
as text, images, audio or video samples, in electronic form in information systems
or as separate records, the requirements prescribed for a public authority’s
documents should always be followed.
Information material to be used in all training events, meetings and
other special situations should be prepared so that the protection level of the
information and all identifying information (e.g. date, author and document
identifying details) is evident from the material in question. Presentation
material should be processed just like other official documents, applying the
requirements given in these instructions. Such information material includes,
for example, unregistered and unclassified presentation slides.
If it is necessary in these situations to process material belonging to protection
levels II (SECRET) or I (TOP SECRET), information on those who participated
in such processing should be recorded in the document’s processing history.
In addition, it is essential to check in advance that participants have both the
processing right required by the said protection level and a need to know the
presented information.
It is highly recommended that information belonging to the highest
protection levels is presented and saved only as part of a public authority’s
documentation.
Documents may refer to a document in a higher protection level. This also
applies to public documents.
When preparing documents that require actions, the case should be
presented so that the document in question can be classified as low as possible.
This procedure will help achieve the accessibility required by activities. Explicit
information etc. requiring a higher protection level is correspondingly indicated
in the reference data of the main document.
Moreover, the same processing rules set for official documents should be
observed in structural documentation and in metadata. When documents
are managed in case management systems using metadata, the aim should
be to implement information resources containing metadata so that the
information is, as far as possible, public or classified at as low a protection
level as practicable. These actions help promote the implementation of good
information management practice.
When preparing documents, their purpose should be taken into account
and an effort made to achieve a good openness and secrecy structure. This
means that, as far as possible, secret information must be set apart from public
information. In addition, information belonging to different protection levels
should as a rule be presented in different documents. These procedures guarantee
that document accessibility requirements are met.
8.3
Classification, marking and registration
The document author (generally the case presenter) makes a proposal on the
classification of the document. The classification is decided by the person who
is otherwise responsible for the case (first signatory in presentation cases).
A document is furnished with a marking corresponding to the highest
protection level of the information it contains. If a protection level requirement
applies to only part of a document, the marking should indicate which part of
the document it concerns.
A public authority’s document register should reveal the protection levels
required for documents. A register of documents requiring the highest protection
level can, if necessary, be classified and separated from other information by
means of limited access rights.
8.4
Copying
Both electronic and paper copies may also be taken of classified documents
with due regard to the restrictions and processing rules prescribed for the
protection level in question.
Copies should be handled like the original documents.
Copies should be marked like the original documents and steps taken to
ensure that recipients of copies have a right inherent in their tasks to process
secret information material.
8.5
Document distribution
The distribution of documents is implemented as required by the document
in question. The document signatory specifies the distribution and processing.
A document can only be delivered to a recipient who has the necessary rights
to manage the material in question.
In information systems, the distribution is implemented primarily by email
or by granting access rights to the information. Secret information should be
processed using access rights, taking the requirements of each protection level
into account.
When expanding distribution:
• The recipient of a document must follow legislation, agreements and
protection level restrictions
• The distribution of a document must be specified, based on the information
it contains, for the parties to whom the document applies.
A classified document may be distributed to other public authorities and
stakeholders by taking into consideration the requirements set by the
document’s protection level, author and agreements.
8.6
Sending or transferring documents,
and/or access to information
When a document is delivered to a recipient, it is transferred with its
information content to the recipient’s control together with all rights and
obligations relating to it, if not otherwise prescribed by special provisions.
Documents requiring protection level I – III are assigned to an individual, to
a person responsible for the processing of a designated task or to an organisation.
The sender must ensure that a secret document is delivered only to those who
have a right, linked with their tasks, to process the document in question.
The delivery of a document classified at protection level I or II must be
documented and the delivery of a document requiring protection level III must
be traceable.
Information contained in a document classified at protection level IV may
in certain cases be discussed with discretion over the telephone. The sending
of classified documents by telefax must be carried out in accordance with the
requirements of each protection level (Annex 4, table 5).
Classified documents are delivered to the recipient in accordance with
protection level requirements. A classified document should be distributed so
that third parties cannot access protected information.
In information systems, the distribution is implemented primarily by
email or by granting access rights to the information. Information contained
in a classified document should be processed using access rights, taking the
requirements of each protection level into account.
Information contained in a classified document can be processed, transferred
or saved only in the parts of information systems and networks that fulfil the
security requirements set for the processing of information in the said protection
level.
A public authority should maintain procedures ensuring that information is
processed throughout its entire life cycle in accordance with good information
management practice.
A document may include both security classified information and information
that is secret because of another interest. A document must accordingly be
processed in an environment required by the information it contains and in
accordance with set requirements.
When transferring international security classified information (e.g. EU,
NATO) electronically or by other methods, a public authority should make sure
what has been agreed in relevant bilateral security agreements.
8.7
Measures undertaken by the recipient
The recipient of a classified document records the received material in a
register corresponding to the document’s protection level. If a document
comes directly to a recipient, he or she is responsible for registering the
document.
The recipient of a document checks that the individual responsible for
processing it has the right to process classified documents.
The recipient of a document forwards the document to the person responsible
for the case (in a closed envelope, if a classified document is involved), in
other respects observing the procedures relating to the transfer of documents.
On departing working premises, staff must not leave secret information
material in plain view and unsupervised.
The recipient of a document is responsible for all obligations including
processing and access rights.
A public authority should also verify the relevant provisions agreed in
bilateral security agreements when receiving international security classified
information (e.g. EU, NATO) electronically or by other methods. If necessary,
foreign documents should also be marked with domestic protection level/
security classification markings.
8.8
Saving and storage of documents
Public and classified document material should be kept separate.
Documents containing classified information should be stored so that only
staff possessing access rights can process the material.
Electronic systems should use solutions that fulfil the requirements of each
protection level.
Supervision of the storage of classified information must be arranged.
Classified information saved in data storage media should be protected by
using approved encryption solutions in accordance with the protection level
in question.
Classified (protection levels I – III) paper documents, including drafts, should
be stored in at least a Euro II standard data cabinet or safe, in accordance with
documents’ protection level. Documents belonging to protection level IV should
be stored in a locked location.
8.9
Access to information
A public authority should maintain secure procedures to ensure that only
those authorised to do so are allowed to process secret information or
information protected for some other reason.
A public authority should employ a sufficiently strong procedure to
authenticate persons and/or parties requesting a service when providing an
opportunity to process secret information or information protected for some
other reason.
8.10 Archiving of information resources
Archiving must be based on structures and requirements specified in archive
formation plans.
In archiving, conditions set for processing by the protection level and
agreements must be taken into account.
Documents relating to international activities must be archived in the
manner prescribed in agreements.
With respect to permanently archived documents, the regulations of the
National Archive Service should be observed.
8.11 Revising the protection level of documents
A public authority must assess the currency of its documents’ protection levels
when giving information from them to those that request it.
A document’s author and/or competent authority is responsible for
reclassifying the document and discontinuing its protection requirement.
8.12 Destruction of information resources
Unnecessary copies of documents should be disposed of after their purpose
has been served. They should be destroyed by a person authorised to do so by
the organisation. Those who prepare documents are responsible for destroying
draft documents during the preparation stage.
In the destruction of material, steps must be taken to ensure that it does not
come into the possession of unauthorised parties.
Paper documents are destroyed using a procedure fulfilling the requirements
set for the protection level in question.
Electronic files are erased from digital media, workstations and servers as
well as from other equipment in the manner required by the protection level
in question. Temporary files generated while using information systems must
be deleted after their purpose has been served in accordance with information
management instructions.
A public authority must ensure that an information system does not save
information requiring a security classification in the memory of a workstation
or a server environment that could be accessed by unauthorised parties. This
requirement also applies to temporary files and other records.
Secret paper documents should be destroyed by incineration, shredding or
by collecting them in a locked container, whose contents are destroyed in an
audited and controlled environment.
8.13 Deciding on the disclosure of a document
The disclosure of information from a document in the possession of a public
authority is determined in accordance with the Openness Act. A document’s
classification marking does not affect a public authority’s obligation to review,
on a document-by-document basis, access to a document when a party
requests information from it by virtue of the Openness Act. Markings made
in accordance with the Act on International Information Security Obligations
do not allow scope for discretion in terms of secrecy, unlike markings in
accordance with the Openness Act.
The disclosure of a document is, as a rule, decided by the public authority
which possesses the document. A public authority may, however, forward a
request to receive information to the authority that prepared the document or to
the authority responsible for processing the case. Under the Act on International
Information Security Obligations, a request relating to the receipt of a security
classified document must always be forwarded to the public authority to which
the party to the agreement has supplied the document. Forwarding is also
obligatory when a request concerns documents requiring a security classification
marking in accordance with provisions separately issued by the Government.
No such provisions have been issued to date.
The secrecy provisions of the Openness Act prevent the disclosure of
information to a third party. A staff member whose task it is in the authority to
handle the issue in question is not considered to be a third party as referred to in
the Act. In accordance with section 26(3) of the Openness Act, information may
also be disclosed, under the conditions prescribed therein, to a party working on
an assignment on the authority’s behalf. It is worth noting that those working
on assignments on behalf of public authorities are governed by a non-disclosure
obligation in accordance with section 23(2) of the Openness Act, so a secrecy
obligation exists without a separate non-disclosure agreement. A party given an
assignment on a public authority’s behalf and those employed by such parties
should always be informed of any secrecy obligation.
If it is essential to disclose classified information material to those working
on an assignment on a public authority’s behalf, steps should be taken in advance
to ensure that they have at their disposal the necessary premises required for
processing such information as well as appropriate procedures and knowledge
of the public authority’s processing requirements. Specific provisions should
be included in contracts to verify that information is processed appropriately.
Tasks involving the processing of personal data can be commissioned to be
carried out abroad only under the conditions prescribed in the Personal Data
Act. Provisions on corporate security reviews are under preparation; their use
is always worth considering when extensive tasks that are significant to the
functioning of society are commissioned to be performed outside the public
administration.
A document's secrecy obligation is dependent on the time at which an issue
is examined. A secrecy marking stating a security or protection level indicates
the situation when the information material was prepared. A secrecy obligation
and information security requirements can change over the course of time.
Accordingly, when deciding on a request for information, it is necessary to
review whether the grounds for a secrecy classification and secrecy still exist.
If documents falling within the sphere of international information security
obligations are involved, the party that prepared the document must be contacted.
8.14 Impact of encryption on the processing of information material
Encryption methods are used to change the information into an
incomprehensible form. Information is restored to clear text form using the
correct additional information (encryption key). Encryption methods can also
be used to safeguard and verify the integrity of information.
External memories used for saving information, hard drives of portable
workstations, network services and email are entities in which encryption is
typically employed. Protecting the information contained in the memories of
equipment as well as telecommunications using encryption techniques ensures
that the information they contain is not disclosed to third parties even in the
event of equipment being stolen or lost.
Information belonging to protection level I must always be strongly
encrypted or otherwise strongly protected and it is stored or processed only
in controlled separate networks. Information belonging to protection level II
must be strongly encrypted when it is transferred or processed in a base- or
increased-level information processing environment. Information belonging to
protection level III can be saved in clear text form in the servers of a controlled
increased or high information security level network. In other network
environments, protection level III information can be transferred or saved
only when appropriately encrypted. Information belonging to protection level
IV should also be encrypted when it is transferred or saved in a public network
and its servers, unless some other security arrangement has been agreed between
the sender and recipient.
The encryption of information may be strong or weak; different levels of
protection are obtained with different encryption methods. When a strong
encryption method is used, recovering the information without the key can be
assumed to take sufficiently long in relation to the period for which the
information must be protected.
Secret information can be transferred and stored only when protected by
encryption methods etc. approved by the public authority. Special care should
be taken with the security of passwords and tools used in encryption.
A document that is sufficiently strongly encrypted can be processed like a
public document.
ANNEXES
Annex 1: Obligations set by legislation
A review of legislation with respect to information security can be found in
the publication Effective Information Security (VAHTI 5/2009).
In terms of these instructions, the key items related to normative guidance are:
In Finnish legislation
• Act on the Openness of Government Activities (621/1999):
- Good information management practice, fundamentals of information
security work, secrecy and confidentiality obligation, secrecy markings,
classification criteria
• Decree on the Openness of Government Activities and on Good
Practice in Information Management (1030/1999):
- Reports and assessments for the implementation of good information
management practice
- Registers and other document records
• Decree on Information Security in Central Government (681/2010)
- General fundamentals of information security, requirements for the
classification and handling of documents
• The Act on International Information Security Obligations (588/2004):
- Handling of international material
• Personal Data Act (523/1999)
- Good information processing practice, exclusivity of purpose,
protection obligation
• Special statutes relating to the processing of personal data
• Archives Act
- Document management and archiving
• Special legislation
More on normative guidance from FINLEX (www.finlex.fi).
In international information security obligations binding on Finland
• PFP Document Security Agreement between Finland and NATO,
22 September 1994
• Security Agreement between Finland and the WEU, 22 April 1997
(SopS 42/1998)
• EU Council Decision on adopting the Council’s security regulations
(2001/264/EC)
• Agreement between the European Space Agency and the European Union
on the security and exchange of classified information (SosO 95/2004)
• Bilateral information security agreements binding on Finland: e.g. with
Germany, France, Slovakia, Estonia, Italy and Poland
Further information on international agreements is available at the address:
www.formin.fi
Annex 2: Stamps for secret documents and information
Secrecy stamp and protection level marking
SALASSA PIDETTÄVÄ
Suojaustaso __
JulkL (621/1999) 24.1 §:n _______k
Lain (___/______) ___ §:n ______k
A protection level (suojaustaso) may, if necessary, be stated on the SALASSA
PIDETTÄVÄ (SECRET) stamp. A number indicating the protection level is
written manually or mechanically on the stamp. The salassa pidettävä (secret)
stamp is used in documents that contain secret information as defined in
either subparagraphs 1, 3–6, 11–32 of section 24(1) of the Openness Act or
in other statutes. In addition, the stamp can be used on protection level IV
documents that contain classified information subject to official discretion or
exclusivity of purpose.
Security classification marking stamps
Each security classification stamp carries the class name, the protection
level and the legal basis of secrecy:

KÄYTTÖ RAJOITETTU
Suojaustaso IV
JulkL (621/1999) 24.1 §:n _______k
L (____/_____) ____ §:n ____k

LUOTTAMUKSELLINEN
Suojaustaso III
JulkL (621/1999) 24.1 §:n _______k
L (____/_____) ____ §:n ____k

SALAINEN
Suojaustaso II
JulkL (621/1999) 24.1 §:n _______k
L (____/_____) ____ §:n ____k

ERITTÄIN SALAINEN
Suojaustaso I
JulkL (621/1999) 24.1 §:n _______k
L (____/_____) ____ §:n ____k
A special security classification marking may be made in connection with,
or instead of, a secret document’s protection level marking. A security
classification marking can only be used with secret documents that are
deemed secret on the basis of subparagraphs 2, 7-10 of section 24(1) of the
Openness Act or the Act on International Information Security Obligations. A
security classification marking must always be made on international security
classified material (588/2004, section 8).
Annex 3: Detailed instructions to public authorities to facilitate the secure processing of documents
This Annex presents detailed instructions to public authorities on the
measures necessary to create a secure environment for the processing of all
secret information, both domestic and foreign. Requirements are given in the
order presented in the main document (chapter 4).
1. General requirements at all protection levels
(1) A public authority must maintain procedures that ensure the controlled
processing of documents and information throughout their entire life
cycle. These procedures must meet the requirements of good information
management practice.
(2) The procedures must be based on a process-based archive formation plan
maintained by the public authority.
(3) Processing rules are set up to ensure that secret information can only be
used by those who have the right to access such information (confidentiality).
At the same time, the aim is to ensure that information is available
(availability) and accurate (integrity).
(4) Documents must be protected for as long as they are subject to security
measures in accordance with the law and agreements and statutes binding on
Finland and any notification made by the author of the material.
(5) A public authority must ensure that staff in the service of the public
authority have the necessary knowledge concerning: whether the documents
being processed are secret or public; the procedures to be followed in giving
and processing information; and the procedures, security arrangements and
division of responsibilities to be followed in the protection of documents and
information systems.
(6) A public authority must provide necessary additional guidance and
training. The competence of staff should be monitored.
(7) A public authority must regularly audit the implementation of information
security measures concerning sensitive information material and monitor
the effectiveness of issued instructions and technical information security
measures.
2. Requirements relating to staff
(1) Staff members must know and have a good understanding of the operation
and instructions of the work equipment they use.
(2) They must master the processing rules for secret documents.
(3) Processing rights must be linked to their tasks and based on the decision
of a supervisor.
The following requirements are given by protection level (levels IV, III, II and I).

(4) When a person's right to possess material changes, the material must be
destroyed or removed in a manner determined by the organisation's management.
    Levels IV, III, II and I: yes

(5) The granting of a processing right requires that a basic background check
(security clearance) be performed.
    Level IV: no | Level III: yes * | Level II: yes | Level I: yes

(6) A public authority must maintain a list of processing rights to classified
information:
    - domestic information material:
      Level IV: no | Level III: no | Level II: yes | Level I: yes
    - international information material:
      Level IV: in accordance with agreements | Level III: yes | Level II: yes | Level I: yes

(7) A processing right requires the individual to pass an information security
competence test.
    Level IV: recommended
    Level III: yes, when processing information in a network environment
    Level II: yes
    Level I: yes

* The organisation decides separately which staff groups should be subject to a basic background check (security clearance).
International agreements also set obligations with respect to background checks for those processing classified information.
3. Requirements relating to information security culture
(1) A public authority must arrange information security training for all
staff and ensure that they have sufficient expertise and understand the risks
associated with information security.
(2) For more detailed information see section 4.3 of these instructions.
4. Requirements relating to premises security
(1) The purpose of premises security is, as part of physical security, to protect
staff, information and material.
(2) A public authority must specify security solutions for offices and computer
rooms. Instructions should specify the required structural solutions and
monitoring systems, and possibly access rights to premises.
(3) A public authority is responsible for the security of premises used in
information work.
For an outline of premises security, see section 4.4 of the main document.
5. Requirements set for IT environment and information services
5.1. IT environment implementation and maintenance
(1) A public authority should plan and maintain its information systems
and services so that the information processing required by the authority’s
procedures can be performed in all of its premises in accordance with good
information management practice. Information processing environments
are classified into base, increased and high information security level
environments according to how they fulfil the technical and administrative
requirements set for the different security levels (see Annex 5).
(2) Premises are classified into 4 different classes (security zones). Premises in
which information of protection levels I - III is held must have, for example,
continuous access control, an intrusion detection system and a documented
locking system. The above-mentioned IT environments must take into account
the risks of electromagnetic radiation.
See the IT environment description in chapter 5 of the main document.
5.2. Implementing information services
A public authority should plan and maintain an infrastructure, which
enables the recording of documents and facilitates the protection of
information and safeguards their accessibility, integrity and reliability. Even
if the implementation of these objectives is achieved in electronic operating
environments partly by developing information security and IT solutions, it
is ultimately a question of good planning and of developing an organisation’s
practices that support them.
The table below presents, by protection level, certain essential requirements
for implementing information services. A more detailed list of requirements is
presented in Annex 4.
(1) Secret information material must be stored throughout its secrecy period
so that it is accessible only to those authorised to do so. Use of premises
must be monitored using access control and other measures.
    Level IV: yes | Level III: yes | Level II: yes * | Level I: yes *

(2) Back-ups taken of information systems must be processed like the original
documents. The protection level of back-ups is determined according to the
highest protection level of the information contained in them.
    Levels IV, III, II and I: yes

(3) Premises that contain secret information must be locked on departing
and/or the possibility of the information being processed by third parties
must be otherwise prevented.
    Level IV: yes
    Level III: yes, and it is recommended that documents be transferred to a safe. International documents must be stored in a safe.
    Level II: yes, and documents must be transferred to a safe.
    Level I: yes, and documents must be transferred to a safe (computer or data storage medium).

(4) The processing of secret electronic information material must be recorded
in an electronic log, information system, case management system, manual
register or in the document itself.
    Level IV: recommended; yes with respect to personal data (Personal Data Act, section 11)
    Level III: recommended; yes with respect to sensitive personal data
    Level II: yes
    Level I: yes

(5) Processing of secret information material in open information networks.
    Level IV: encrypted or protected in open information networks
    Level III: encrypted or protected in open information networks
    Level II: encrypted or protected in open information networks
    Level I: processing not permitted in open information networks

(6) Processing of secret information material in public authorities'
information network.
    Level IV: as clear text in a base information security level information network, checking access authorisations
    Level III: as clear text in increased or high information security level information networks
    Level II: as clear text in controlled information networks fulfilling high information security level requirements
    Level I: permitted in a strongly protected separate network fulfilling high information security level requirements and to which there is no connection from other information networks

(7) Saving of secret information material in public authorities' information
network.
    Level IV: can be saved on base information security level servers as clear text protected by user IDs; encryption is recommended
    Level III: encrypted or protected on base information security level servers; permitted as clear text on increased and high information security level servers
    Level II: strongly encrypted or otherwise strongly protected if the system fulfils high information security level requirements
    Level I: permitted in a strongly protected controlled separate network fulfilling high information security level requirements

(8) Processing of secret information material in electronic form outside the
workplace. Processing requires an official decision in all classes (cf. Decree
on Information Security, section 16).
    Level IV: permitted; information must be protected e.g. using encryption
    Level III: permitted; information must be saved in encrypted form
    Level II: special approval; information must be saved using strong encryption
    Level I: not permitted without a case-by-case official decision

* Information can be stored only in premises covered by monitored and documented access control and locking arrangements
and belonging to classified security areas.
5.3 Deciding on the disclosure of a document
(1) The disclosure of information from a document in the possession of a
public authority is determined in accordance with the Openness Act.
(2) A public authority must specify who is responsible for deciding on
requests, made under the Openness Act, to receive information from a
classified document. The most appropriate course is to assign this task to a
public servant in a supervisory position, unless there are special reasons for
doing otherwise.
(3) To perform an assignment requiring transfer of classified information, the
assignee must know the processing rules for classified information and the
requirements set by agreements.
When a public authority has a need to transfer classified information, it must
in advance ensure that concerning the assignment
(a) the authority has a valid security agreement with the information
recipient covering security arrangements corresponding to the documents'
security classification;
(b) the information recipient and those in its service have given a
non-disclosure agreement, where an international agreement or statute so
requires;
(c) those who receive and process the information know the authority's
processing rules in respect of such information.
(4) It is appropriate that a request to receive information from a document
that contains classified information be forwarded to the public authority
responsible for considering the matter as a whole (Openness Act, section 15).
(5) When handling requests for documents that contain classified information,
a check should be made to ensure that the grounds for the classification and
secrecy of the information still exist.
Annex 4: Processing requirements for secret documents
and information
This annex presents detailed processing instructions for documents containing
secret information. Processing requirements are presented in table form by
protection level.
Requirements have been grouped into different life cycle stages.
The diagram below presents the typical processing of a document and its
stages. The item “Access to information” is particularly relevant to information
users.
The diagram does not present all of the different situations that information
users may encounter in different tasks.
Revision and removal of a classification is initiated by making a proposal
for its reassessment.
Public access to documents in archives is directed by secrecy legislation.
Stages of document processing (numbers refer to the corresponding sections below):
    1. Creation and reception: A. reception; B. creation, preparation,
       updating and maintenance (drafts)
    2. Classification and marking
    3. Registration
    4. Copying
    5. Distribution
    6. Transfer
    7. Reception
    8. Saving and storage
    9. Access to information
    10. Archiving
    11. Review and removal of classification
    12. Destruction
Requirements relating to entire life cycle
The following table presents general processing instructions for documents
that require processing in accordance with a protection level. These
instructions relate to the entire life cycle of information. In the sections that
follow, requirements are more detailed and concern the processing stages in
question.
(1) Protection level-specific requirements for documents must be taken into
account during their entire life cycle.
    Levels IV, III, II and I: yes

(2) An official document must display sufficient information to identify it.
    Levels IV, III, II and I: yes

(3) Documents must be processed with care so that only those who have the
right to do so can access information. Protection of documents must be
safeguarded particularly in situations where in the same premises there are
staff who have no right to process the information in question.
    Levels IV, III, II and I: yes

(4) With respect to international documents, international agreements should
be observed, if they have been enacted. In other situations, Finnish law
should be followed.
    Levels IV, III, II and I: yes

(5) Document processing requirements apply irrespective of the form in which
the information is stored or presented.
    Levels IV, III, II and I: yes

(6) Documents must be processed in accordance with the archive formation plan.
    Levels IV, III, II and I: yes

(7) Documents must not be left in clear view or unsupervised on departing
working premises. Protection level IV documents may be left temporarily in
clear view, taking into account premises and locking arrangements.
    Levels IV, III, II and I: yes

(8) In document processing, the class-specific requirements set for the
processing environment should be taken into account.
    Levels IV, III, II and I: yes

(9) In document processing, the requirements set for staff security
(processing right conditions and knowledge of processing rules) should be
taken into account.
    Levels IV, III, II and I: yes

(10) Document processing outside the workplace should be avoided. If tasks
so require, however, documents should be processed in accordance with the
principles and requirements given in these instructions.
    Levels IV, III, II and I: yes

(11) A record should remain of the processing of a document to facilitate
its monitoring and any copies made of it during the period for which
protection is required.
    Level IV: not required except for personal data
    Level III: recommended; obligatory for sensitive personal data
    Level II: log data or processing acknowledgement list
    Level I: complete, copy-specific record of those who have viewed the document
1. Document creation and reception
Reception of information means (1a) those situations in which an organisation
receives documents produced elsewhere.
The document creation stage (1b) means those processing stages when
new information is introduced to the information material or updates are
made. Often the producer of the information is a person, but various processes
of information systems may produce information automatically for certain
information assets.
(1) When collecting and transferring information material and preparing and
creating a document, due consideration must be given to secrecy legislation,
archive formation plan requirements and instructions issued by public
authorities.
    Levels IV, III, II and I: yes

(2) While preparing documents, due consideration should always be given to
the fact that, during the entire process, material is processed in an
environment in which only those who are authorised to process the material
can do so.
    Levels IV, III, II and I: yes

(3) When preparing information material, information belonging to different
security classes should be presented as far as possible in different
documents.
    Levels IV, III, II and I: yes

(4) An official document must be registered, or managed in some other way.
    Levels IV, III, II and I: yes

(5) International security classified documents are stamped with the
corresponding domestic security class stamps if so prescribed in an agreement
binding on Finland or if otherwise required by Finnish law. A security
classification marking must always be made on international security
classified material (588/2004, section 8).
    Levels IV, III, II and I: yes

(6) In information systems that automatically produce information such as
monitoring and log data or other secret information, those who process the
information should make sure that they have the right to access the
information in question.
    Levels IV, III, II and I: yes
2. Document classification and marking
Document classification means the measures required when specifying the
correct protection level for a document or information. Marking means
the stamping of a document to indicate its protection level or security class
(Annex 2).
(1) Secret documents must be classified in accordance with laws and decrees.
    Levels IV, III, II and I: yes

(2) Information is classified by the person who issues an assignment
relating to the case or creates the information for the first time or who
decides on the classification of documents. The Act on International
Information Security Obligations must be taken into account.
    Levels IV, III, II and I: yes

(3) A protection level marking is made by the author or the first recipient
of the material or by the person who has the right to decide on the
processing and use of the material.
    Levels IV, III, II and I: yes

(4) The classification is confirmed by the signatory of the document with
his/her manual or electronic signature. Not all information necessarily has
a signatory.
    Levels IV, III, II and I: yes

(5) Documents are marked with a stamp corresponding to the highest protection
level of the document's parts. It is recommended that documents be prepared
so that information belonging to different protection levels is presented in
separate documents.
    Levels IV, III, II and I: yes

(6) Secret documents should be furnished with the appropriate stamps and
corresponding markings when an organisation has decided on their use.
    Levels IV, III, II and I: yes

(7) The stamp is positioned in the upper right corner of the first page.
    Levels IV, III, II and I: yes

(8) The stamp is also placed on the document's other pages.
    Level IV: not required | Level III: not required | Level II: yes | Level I: yes

(9) The colour of the stamp is red.
    Level IV: not required | Level III: not required | Level II: yes | Level I: yes

(10) Paper marked with a red diagonal line, or a printing method that makes
a corresponding marking, is used.
    Level IV: no | Level III: no | Level II: yes | Level I: yes

(11) Document pages are numbered and the number of pages is marked.
    Level IV: not required | Level III: yes | Level II: yes | Level I: yes

(12) In documents that have a metadata structure, the security class is
marked with the corresponding abbreviation.
    Level IV: not required; RAJ (R)
    Level III: yes; LUOT (L)
    Level II: yes; SAL (S)
    Level I: yes; ERSAL (E)

(13) When information is processed electronically, screens should display
the classification of the information being processed with the markings
presented in Annex 2.
    Level IV: recommended * | Level III: recommended * | Level II: yes | Level I: yes

(14) A domestic stamp is added to a document by the organisation that
receives the document from a foreign party.
    Level IV: not required | Level III: yes | Level II: recommended | Level I: yes

* Not required in information systems in which access rights are restricted only to those processing the information,
nor in monitoring and security sector and corresponding information systems in which secret information is processed
as a rule and where access rights are restricted only to those authorised to access the information.
3. Registration
Document registration means in this context the measures by which a
document is marked in the register or corresponding record that is used to
monitor a public authority’s information resources.
(1) Documents are entered according to protection level in a register or
other record specified for this purpose. *
    Level IV: recommended | Level III: recommended | Level II: yes | Level I: yes **

(2) It is recommended that protection level abbreviations be used in the
register or other record.
    Level IV: ST IV | Level III: ST III | Level II: ST II | Level I: ST I

(3) It is recommended that security classification abbreviations be used in
the register or other record.
    Level IV: RAJ (R) | Level III: LUOT (L) | Level II: SAL (S) | Level I: ERSAL (E)

* In case management systems, register information (record information) includes information on document protection
levels. Such a register can be used, if necessary, to present lists of documents belonging to different protection levels
in different views. Information recorded in the public part of the register should be public. Secret registers should be
implemented so that only those who possess access rights can process the registers in question.
** A separate register or other record should be maintained for documents belonging to protection level I.
4. Copying
Copying of information material means the measures by which copies are
made of the original document. These include, for example, photocopying and
copying of files to various data storage media as well as extracts taken from
documents and information material.
(1) Copies are processed in the same way as the original document.
    Levels IV, III, II and I: yes

(2) In the case of electronic document copies, the document identity should
be verified (integrity verification).
    Levels IV, III, II and I: yes

(3) Both electronic and paper copies may be made of the original document.
    Level IV: yes
    Level III: yes
    Level II: yes; traceability must be secured
    Level I: not without the author's permission; traceability must be secured

(4) Copies must be stamped with the stamp corresponding to the original
document (a copied stamp is sufficient, as is a black and white stamp).
    Level IV: original is sufficient
    Level III: original is sufficient
    Level II: should be stamped with a red stamp
    Level I: should be stamped with a red stamp
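Section 8.14 notes that encryption methods can also be used to safeguard and verify the integrity of information, and item (2) above requires that the identity of an electronic copy be verified. The following is an added example, not part of the VAHTI instructions, of how such a check can be implemented with a keyed hash (HMAC-SHA256): the originator seals the document together with its protection level marking, and the recipient of a copy recomputes the tag, so that a copy whose content or marking has been altered is rejected. An unkeyed hash alone would not do, because whoever alters the copy can recompute it. The key, the marking string "ST II" and the sample document text are constructed for this example; which methods are approved for a given protection level remains a decision of the public authority.

```python
"""Integrity verification of an electronic document copy (added example).

A keyed hash (HMAC-SHA256) binds a document's content to its protection
level marking. The recipient of a copy recomputes the tag and accepts the
copy only if it matches. The key, marking and sample text below are
assumptions constructed for this example, not values from the instructions.
"""
import hashlib
import hmac
import os


def seal_copy(key: bytes, marking: str, content: bytes) -> str:
    """Return a hex HMAC-SHA256 tag over the marking and the content.

    Each field is length-prefixed before hashing, so bytes cannot be moved
    between the marking and the content to obtain the same tag.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (marking.encode("utf-8"), content):
        mac.update(len(field).to_bytes(4, "big"))
        mac.update(field)
    return mac.hexdigest()


def verify_copy(key: bytes, marking: str, content: bytes, tag: str) -> bool:
    """Recompute the tag for a received copy and compare in constant time."""
    expected = seal_copy(key, marking, content)
    return hmac.compare_digest(expected, tag)


# Constructed sample: a protection level II memo and a demo-only key.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_MARKING = "ST II"
SAMPLE_CONTENT = b"Muistio 12.3.2010 (constructed sample text for the example)"


def demo() -> dict:
    """Seal the original, then verify four copies.

    Returns, per case, whether the copy was accepted: an intact copy,
    a copy with edited content, a copy whose marking was downgraded to
    ST IV, and an intact copy checked with the wrong key.
    """
    tag = seal_copy(SAMPLE_KEY, SAMPLE_MARKING, SAMPLE_CONTENT)
    wrong_key = os.urandom(32)
    return {
        "intact": verify_copy(SAMPLE_KEY, SAMPLE_MARKING, SAMPLE_CONTENT, tag),
        "edited": verify_copy(SAMPLE_KEY, SAMPLE_MARKING, SAMPLE_CONTENT + b" x", tag),
        "downgraded": verify_copy(SAMPLE_KEY, "ST IV", SAMPLE_CONTENT, tag),
        "wrong_key": verify_copy(wrong_key, SAMPLE_MARKING, SAMPLE_CONTENT, tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>10}: {'accepted' if accepted else 'rejected'}")
```

The tag only proves that the copy is unchanged since it was sealed by someone holding the key; it does not by itself keep the content secret, so for the protection levels where the table above requires encryption the tag is a complement to, not a substitute for, an approved encryption method.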
5. Distribution
Document distribution covers the decision of the document’s recipients and
verification of the recipients’ need for, access rights to and ability to process
the document (secret information material).
(1) The document signatory decides the distribution and processing.
    Levels IV, III, II and I: yes

(2) The document should show to whom the document or its parts are
distributed. Metadata and database information should show the protection
level and distribution of the information.
    Levels IV, III, II and I: yes

(3) The distribution of a document is specified, based on the information
contained in the document, for the parties to whom it applies.
    Levels IV, III, II and I: yes

(4) Distribution should be addressed to an organisation, which confirms
registration of the document. A person's name or task can also be used in
distribution information.
    Levels IV, III, II and I: yes

(5) Disclosure of a secret document must be documented.
    Level IV: not required | Level III: yes | Level II: yes | Level I: yes

(6) A prerequisite of document disclosure is that a right to disclose the
information has been prescribed in law and that the recipient has the
necessary rights to handle the material as well as the competence to process
it in accordance with requirements. *
    Levels IV, III, II and I: yes

(7) The distribution of international documents is implemented in accordance
with international agreements and/or the requirements prescribed for each
document in question.
    Levels IV, III, II and I: yes

* Documents are generally delivered to an organisation. When transferring documents between public authorities, it is
recommended that both the recipient's need for the information and the correct address of the receiving party be verified.
This is underlined particularly with respect to documents requiring processing at protection levels I and II. The competence
to process secret information requires that staff know the processing rules and possess the right to process the information
in question, and the organisation has premises and information systems that fulfil the requirements. In assignments given
to partners, contracts must include security requirements in which detailed procedures are agreed. Disclosure of secret
information must be traceable and in accordance with procedures specified in the contract.
6. Transfer of information material
Transfer of information material means in this context the measures by
which copies taken of documents are transferred to the parties specified in
distribution. Transfer can take place, for example, via post, email, electronic
storage media or by granting processing rights.
(1) A secret document should be distributed so that unauthorised parties
cannot gain access to secret information.
    Levels IV, III, II and I: yes

(2) In information systems, the distribution of information is implemented
either via email or by granting access rights. Processing of secret
information should be based on access rights.
    Level IV: yes | Level III: yes | Level II: yes | Level I: on a limited basis *

(3) The sender must ensure that a secret document is transferred only to
those who have a right to it based on their tasks.
    Level IV: not required | Level III: recommended | Level II: yes | Level I: yes

(4) When transferring a document by email, the sender should verify the
recipient's address.
    Level IV: yes | Level III: yes | Level II: yes | Level I: use of email not permitted

(5) Document transfer by a transportation company (e.g. postal service).
    Level IV: in a closed non-transparent envelope
    Level III: based on a risk analysis, by registered mail or in some other secure way
    Level II: not permitted; transfer only by courier or internally by own staff
    Level I: not permitted; transfer only by courier

* In the case of international documents, the security classification procedures specified in contracts between parties
should also be observed.
99
Position
Issue
PROTECTION
LEVEL IV
PROTECTION
LEVEL III
PROTECTION
LEVEL II
PROTECTION
LEVEL I
(6)
Processing of secret security classified
information by telephone
(without encryption device)
yes, with due
care
not permitted
not permitted
not
permitted
(7)
Discussing secret information on the
telephone (without encryption device)
yes, with due
care
yes, with due
care
not permitted
not
permitted
(8)
Discussing secret information on a
telephone equipped with an encryption
device (telephone connection with
end-to-end encryption; official approval
required for encryption device for the
processing of information belonging to
the protection level in question)
as clear text
as clear text
as clear text
not
permitted
(9)
Transfer of secret information as text
(SMS) message
not permitted not permitted
without
without
encryption
encryption
not permitted not
without strong permitted
encryption
(10)
Telefax: unencrypted line transfer
(point-to-point)
not permitted
yes, but
recipient’s
presence should
be ensured
not permitted
not
permitted
(11)
Telefax: encrypted line transfer
(point-to-point). Encryption device
requires official approval.
yes
yes
yes
not permitted, except
with special
permission
of competent
authority
(12)
Transfer of electronic document in open
information network
encrypted
or protected
in a manner
decided by
the authority
encrypted
or otherwise
protected
not permitted
not
permitted
(13)
Transfer of electronic document in
public authority’s internal network.
Secret information material and
information can be transferred only
in the parts of information systems
and information networks that fulfil
the requirements for the transfer of
information resources prescribed for the
protection level in question.
as clear text
in base
information
security level
environment
encryption
recommended,
as clear text
in increased
information
security level
environment
strongly
encrypted
as clear text
in high
information
security level
environment
on a limited
basis *
(14)
Transfer of electronic document using
storage medium
Storage media used outside a
permanent office should be equipped
with methods that encrypt the entire
information resource. In addition, there
are class-specific requirements:
(See also table 8, item 5)
When they contain information, storage
media (hard drive, memory sticks etc.)
should be processed according to the
highest protection level required by
the information they contain.
yes
yes
yes
yes
All transfers of
information
between work
equipment must
be recorded
in a log. The
same applies
to destruction
of information.
Storage of
information is
permitted only
in separately
controlled
storage media.
Permitted
only in
named
workstations.
Copying of
information
only with
the written
consent of
the author.
* Information and documents belonging to protection level I may be transferred only in specified and approved high information security level systems, strongly encrypted or otherwise protected. In these systems, the requirement is that information
is encrypted on servers/workstations and that only those entitled to receive a document can gain access to it.
100
7. Measures undertaken by the recipient
Measures undertaken by the recipient mean the measures that the recipient should perform when receiving secret information material.
Position; Issue; Protection level IV; Protection level III; Protection level II; Protection level I.

(1) The recipient of a document records the received material in a register or other record.
    PL IV: recommended; PL III: recommended; PL II: yes; PL I: yes.

(2) Acknowledgment of receipt.
    PL IV: not required; PL III: as required; PL II: yes; PL I: yes.

(3) Record of receipt.
    PL IV: not required; PL III: recommended; PL II: yes; PL I: yes.

(4) Having received a document, the recipient is responsible for all obligations and has the right to access and process information.
    PL IV: yes; PL III: yes; PL II: yes, but no right to expand distribution; PL I: yes, in relation to handling of tasks.

8. Storage and saving of information material
Storage and saving of information material means the measures employed to store information during the stages when it is prepared and used.
Position; Issue; Protection level IV; Protection level III; Protection level II; Protection level I.

(1) Public and secret document material (information) must be managed throughout its entire life cycle.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(2) Users must process and attend to secret information for which they are responsible so that only authorised staff can gain access to it.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(3) Information saved on information network servers must be protected by access rights.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes *.

(4) Encryption or other strong protection of information assets saved on information servers.
    PL IV: in base information security level environment, can be saved as clear text, encryption recommended; PL III: encrypted on base information security level servers, permitted as clear text on increased and high information security level servers; PL II: encrypted on high and increased information security level servers; PL I: on a limited basis *.

(5) Data storage media must be processed according to the highest protection level required by the information they contain. Equipment should incorporate methods that encrypt the entire information asset.
    PL IV: encryption recommended; PL III: yes; PL II: yes, using strong encryption; PL I: on a limited basis *.

(6) Users should make sure that the documents they process are stored in the environment intended for them. More detailed instructions are available in application-specific instructions or those issued by the organisation. This applies to all documents.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(7) Draft documents are stored and saved like corresponding completed documents.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(8) Paper documents, external data storage media containing secret information and corresponding equipment must be stored in the safes and vaults intended for them or in corresponding locked and monitored premises.
    PL IV: recommended, measures should be taken to ensure that external parties cannot access the information; PL III: yes; PL II: yes; PL I: yes.

* Information and documents belonging to protection level I may be stored only in separately specified and approved high information security level environments, strongly protected. In these environments, the requirement therefore is that information is encrypted on servers/workstations and that only those entitled to receive the document can gain access to it.
9. Access to information (use of information)
Access to information means in this context the situations and procedures by which users receive secret information for processing. In information systems, these are implemented by means of access management and user authentication.
Position; Issue; Protection level IV; Protection level III; Protection level II; Protection level I.

(1) Reading of information on network servers.
    PL IV: as clear text starting from base information security level networks; PL III: as clear text starting from increased information security level networks; PL II: as clear text in high information security level networks; PL I: on a limited basis *.

(2) Remote access using equipment and a connection given by the employer for this use, provided that the operating environment fulfils the requirements set for the protection of information.
    PL IV: permitted using protected connection; PL III: permitted using protected connection, strong authentication of users; PL II: permitted using strongly encrypted or protected connection in controlled high information security level network, strong authentication of users; PL I: not permitted.

(3) Minimum requirements for user’s workstation connected to information network.
    PL IV: base information security level workstation; PL III: increased information security level workstation; PL II: high information security level workstation; PL I: not permitted.

* Information and documents belonging to protection level I may be processed only in separately specified and approved high information security level environments, strongly protected. In these systems, the requirement therefore is that information is encrypted on servers/workstations and that only those entitled to receive the document can gain access to it.
10. Archiving of information material
Archiving of information material means the procedures by which the storage of information is ensured during a set life cycle. Generally, archives are located outside the operating environment.
Position; Issue; Protection level IV; Protection level III; Protection level II; Protection level I.

(1) Archiving must be based on structures and requirements specified in an archive formation plan.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(2) In archiving, attention must be paid to the conditions set by the protection level and agreements.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(3) International documents are archived in the manner specified in legislation and agreements.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

11. Revision and removal of classification
Revision of classification means assessing a document’s level of secrecy taking into account the grounds for secrecy at the time of assessment. If there are no legal grounds for secrecy, the protection level obligation should be removed or amended correspondingly.
Position; Issue; Protection level IV; Protection level III; Protection level II; Protection level I.

(1) A re-assessment of classification is performed by the organisation that prepared the document.
    PL IV: recommended; PL III: yes; PL II: yes; PL I: yes.

(2) A document becomes public when the longest secrecy period mentioned in law has passed from the preparation or receipt of the document or when there are no longer any legal grounds for secrecy. A marking on this is made on the document, for example by striking through the secrecy marking.
    PL IV: yes; PL III: yes; PL II: yes, each case should be confirmed with the authority that prepared the document; PL I: yes, each case should be confirmed with the authority that prepared the document.

(3) If a document’s protection level is changed in an assessment, a marking, signature and justification for the change should be recorded.
    PL IV: recommended; PL III: yes; PL II: yes; PL I: yes.

(4) The parties entitled to receive a document and any copies taken of it should be informed of the change.
    PL IV: recommended; PL III: recommended; PL II: yes; PL I: yes.

12. Destruction of information material
Destruction of information material means the measures intended to destroy information material, such as documents. Shred sizes are in accordance with DIN 32757/DIN 4.
Position; Issue; Protection level IV; Protection level III; Protection level II; Protection level I.

(1) Original documents must be destroyed in accordance with the archive formation plan after their purpose has been served.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(2) Unnecessary copies of documents must be destroyed after their purpose has been served.
    PL IV: yes; PL III: yes; PL II: immediately!; PL I: immediately!

(3) Draft documents must be destroyed after their purpose has been served.
    PL IV: yes; PL III: yes; PL II: immediately!; PL I: immediately!

(4) Destruction must be performed so that secret information and information containing personal data does not fall into the hands of unauthorised parties.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(5) The author of information is responsible in the preparation stage for the destruction of information not transferred to an organisation for use.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(6) Staff authorised by an organisation are responsible for the destruction of completed documents contained in the organisation’s case management system.
    PL IV: yes; PL III: yes; PL II: yes; PL I: the document signatory is responsible *.

(7) Those who possess information are responsible for the destruction of information (copies, corresponding information).
    PL IV: yes; PL III: yes; PL II: no, see (6); PL I: no, see (6).

(8) Documents included in PL I and PL II classes are destroyed by authorised responsible persons assigned by the organisation. When documents are destroyed, a list of those who have viewed them is retained. In electronic systems, log files etc. that contain processing information are saved.
    PL IV: -; PL III: -; PL II: yes; PL I: responsible person *.

(9) The archive manager is responsible for destroying the original document. In situations where a document is not transferred to the archive manager (e.g. documents stored for a fixed term, electronic documents), the holder of the document is responsible for destruction in the manner required by the protection level.
    PL IV: yes; PL III: yes; PL II: yes; PL I: responsible person *.

(10) Electronic files are destroyed from workstations and servers and from other storage media in accordance with more detailed instructions issued by the authority in question. The DELETE function alone does not destroy information.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes (documents are not saved on information network servers).

(11) Temporary files created while using information should be removed sufficiently often.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(12) Storage media containing information should be destroyed in accordance with more detailed instructions issued by the authority in question. Storage media include all equipment that store information.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes.

(13) Information in information systems and assets should be destroyed in accordance with requirements specified for them.
    PL IV: yes; PL III: yes; PL II: yes; PL I: yes (documents not on servers).

(14) The following procedures are used in the destruction of paper documents: 1. supervised incineration; 2. in a shredder whose shred size is, by class, at most the size given below; 3. transferred to an incineration plant etc. in a closed container.
    1. Supervised incineration: PL IV: yes; PL III: yes; PL II: yes; PL I: yes.
    2. Maximum shred size: PL IV: 3.9 x 30 mm; PL III: 1.9 x 15 mm; PL II: 1.9 x 15 mm; PL I: 0.78 x 11 mm.
    3. Closed container to incineration plant: PL IV: yes; PL III: permitted, when closed container is located in locked and monitored premises; PL II: not permitted; PL I: not permitted.
* Destruction of documents belonging to protection level I may also be specified as belonging to a certain position within an organisation. This procedure helps ensure the practical implementation of measures. The signatory must give permission for this procedure when preparing/distributing the document.
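Item (10) of the destruction table states that the DELETE function alone does not destroy information: an ordinary delete only unlinks the directory entry and leaves the data blocks in place until the filesystem happens to reuse them. The following example is added here and is not part of the VAHTI instructions or of any tool they name; it shows the overwrite-then-unlink step for one file on a local filesystem and returns a destruction record of the kind item (8) expects to be kept in electronic systems. The comments record where in-place overwriting is insufficient (flash media with wear levelling, copy-on-write or journaling filesystems, snapshots, backups), which is why the authority’s own more detailed instructions and media-level destruction still govern. The file name, sample content and pass count are constructed for the example.

```python
"""Overwrite-then-delete for a single electronic file (added example, not VAHTI code).

Assumptions: a local filesystem that writes file data in place. On SSDs with wear
levelling, on copy-on-write or journaling filesystems, and wherever snapshots or
backups exist, old blocks can survive an overwrite; those cases need the media-level
procedures the authority prescribes, not this function.
"""
import datetime
import os
import secrets
import tempfile


def overwrite_and_delete(path: str, passes: int = 1, chunk_size: int = 1 << 20) -> dict:
    """Overwrite the file's data blocks with random bytes, flush to the device, unlink it,
    and return a destruction record suitable for the organisation's processing log.

    Only the data blocks of the current file extent are overwritten; the file name and
    metadata are not wiped, and blocks freed earlier (e.g. by truncation) are unreached.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))   # random pattern, not a fixed one
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())                   # push the overwrite to the device
    os.remove(path)                                 # the DELETE step comes last, not alone
    return {
        "path": path,
        "bytes_overwritten": size,
        "passes": passes,
        "completed_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }


def demo(passes: int = 2) -> dict:
    """Create a constructed sample 'secret document' in a temporary file, destroy it,
    and report the record together with whether the file still exists."""
    fd, path = tempfile.mkstemp(suffix=".txt")      # constructed sample location
    sample = b"SECRET - protection level II - constructed sample content\n" * 100
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)
    record = overwrite_and_delete(path, passes=passes)
    record["sample_size"] = len(sample)
    record["file_exists"] = os.path.exists(path)
    return record


if __name__ == "__main__":
    print(demo())
```

The returned record (path, size, passes, timestamp) is what a destruction log entry needs; a real deployment would append it to the organisation’s processing log alongside the identity of the responsible person named in items (8) and (9).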
Annex 5: Detailed requirements for information security levels
1 Requirements for information security management
1.1 Leadership requirements
Subarea name: 1.1.1 Strategic control
Objectives: The organisation has recognised the factors and obligations linked with its core functions that steer the management of continuity and special situations as well as the protection of information. Continuity management and information security measures support the objectives of the organisation’s core functions.
Base-level requirements:
1. The requirements set by legislation in respect of the organisation’s activities have been recognised and communication of these to staff has been organised and responsibilities assigned.
2. The organisation’s core functions and processes have been recognised and organised, and responsibilities assigned.
3. The organisation has a written information security policy approved by its management.
Increased-level additional requirements:
4. The organisation has a written strategy-level plan, which expresses how information security work is organised and responsibilities assigned to achieve the core objectives.
High-level additional requirements:
5. The organisation has an annual information security development plan.
6. Information security elements are also used in performance guidance.
Examples of good practices:
• For requirements 3 and 4: An organisation has an information security policy and an information security strategy based on it, which describes how the policy goals will be achieved.
Tools and models:
Effective Information Security (VAHTI 5/2009)
• particularly Annex 1: Model policies and planning frameworks
Setting and measuring information security objectives (Tietoturvatavoitteiden asettaminen ja mittaaminen, VAHTI 6/2006)
Information Security and Management by Results (VAHTI 1/2005)
Government Resolution on Information Security in Central Government 2009, and background material
CAF assessment model www.vm.fi/caf
Observations:
Everything is based on the organisation management’s commitment to information security and its ability to apply the requirements of core functions in information security management.
Subarea name: 1.1.2 Resourcing and organising
Objectives: Sufficient resources for the objectives have been allocated to continuity management and information security.
Base-level requirements:
1. The organisation has a nominated information security officer, whose information security responsibilities are outlined in his/her job description.
2. The information security officer has time to carry out his/her information security responsibilities.
Increased-level additional requirements:
3. The responsibilities have been mentioned in the job descriptions of all those who have information security responsibilities.
4. The organisation has sufficient information security staff for its size and objectives.
5. Resourcing of information security has been taken into account in the organisation’s operational and financial planning or budget and implementation is monitored.
High-level additional requirements:
6. The position of information security officer is a full-time job.
Examples of good practices:
• For requirement 1: The administration manager who processes information security matters alongside his/her main occupation acts as the organisation’s information security officer.
• For requirement 3: An organisation does not use personal job descriptions, but role descriptions. The role description of the case management system administrator includes responsibility for removing access rights as requested.
• For requirements 4 and 5: An organisation will be assigned new tasks that will require moving to the high information security level in 2012. As a result, more should be invested in information security work and this should be entered in the budget.
Tools and models:
Effective Information Security (VAHTI 5/2009)
• Information security example donut dial for annual planning, p. 25
• Annex 2: Information security responsibilities by role
Observations:
Even a small organisation can reach the base level with modest resources. If a higher information security level is needed, resources should be increased.
Subarea name: 1.1.3 Coordination of cooperation
Objectives: Planning of continuity management and information security is implemented as a joint effort between core and support functions.
Base-level requirements:
1. Organisation management and the staff responsible for different subareas of information security engage in regular discussions.
2. The organisation has a task force for information security which meets regularly.
Increased-level additional requirements:
3. Management and information security officer meet at least once per year.
4. The task force meets at least twice per year.
High-level additional requirements:
5. Perceived risks, set information security objectives and their achievement, and changes arising from future needs are among the topics discussed at the meetings.
6. Minutes are kept of the meetings and implementation of agreed measures is monitored.
Examples of good practices:
• For requirements 1, 3, 5: An organisation following an information security management model in accordance with the ISO27001 standard arranges management review events every six months.
• For requirement 1: An agency’s information security officer meets the senior management of the agency once per month. The information security officer of an agency’s local office also meets the management of the office regularly in a monthly meeting.
• For requirements 2 and 4: An organisation has a group that meets monthly and discusses all security issues.
• For requirement 2: The management group of a small organisation discusses information security issues at least once per year and the information security officer participates in the discussion.
Tools and models:
General instructions on ICT contingency planning (ICT-toiminnan varautuminen häiriö- ja erityistilanteisiin, VAHTI 2/2009)
• Chapter 2
Observations:
The objective is for information security officers and the organisation’s senior management to engage in regular discussions with each other. Cooperating with other levels of the organisation hierarchy and with those responsible for other areas of security is recommended, but these instructions focus on providing senior management with tools to direct information security work.
Subarea name: 1.1.4 Reporting and communicating to stakeholders
Objectives: Communication and reporting responsibilities and the procedures with stakeholders are specified so that the parties have the information necessary for cooperation, its development and decision-making.
Base-level requirements:
1. The organisation identifies stakeholders and their liaison points to whom it is responsible for information security.
2. Management has organised and assigned responsibilities for the reporting of information security issues affecting stakeholders as well as the communication of information security incidents.
Increased-level additional requirements:
3. Information security issues are reported to stakeholders annually or in a manner determined by management.
4. There must be a model template of the stakeholder report.
High-level additional requirements:
5. If not otherwise agreed, the report includes indicators on conformance with requirements, the achievement of information security objectives, incidents, measures undertaken as a result of incidents, and other major information security changes.
6. Reporting is developed on the basis of stakeholder feedback.
Examples of good practices:
• For requirements 1 and 3: A service centre is responsible for the information security of services to those who order services, and part of the service is a quarterly report which has a section on information security.
• For requirement 2: An organisation that processes personal data of citizens has a model for how any leaking of these data is to be communicated to stakeholders, including citizens.
Tools and models:
Setting and measuring information security objectives (Tietoturvatavoitteiden asettaminen ja mittaaminen, VAHTI 6/2006)
• Section 5.6: Example of reporting procedures and report contents
Management of information security incidents (Tietoturvapoikkeamatilanteiden hallinta, VAHTI 3/2005)
• Section 2.2.6: Creating an incident communications plan
Observations:
The purpose of this section is to encourage organisations to identify the parties to whom information security issues should be reported, even if the party itself has not yet independently requested this information. This promotes the information security of central government as a whole.
Subarea name: 1.1.5 Management in special situations
Objectives: Management of special situations is organised and taken into account in procedures.
Base-level requirements:
1. Processing of information security incidents is organised and responsibilities assigned.
2. Serious information security incidents are reported without delay to management and a record is kept of them.
Increased-level additional requirements:
3. The organisation has a written model for processing information security incidents. The instruction has specified on a role level who will investigate what has happened on whose orders and who will decide on official contacts (e.g. making a preliminary investigation request) and on communication.
4. A follow-up analysis is made of information security incidents and the necessary corrective measures initiated to prevent a repetition of the incident.
High-level additional requirements:
5. An annual summary is made of perceived information security incidents.
6. Information on the incidents is exchanged with partners and partners’ experiences used.
Examples of good practices:
• For requirement 5: An annual trend analysis of information security incidents is made, with the causes of problems itemised.
• For requirement 6: Cooperation is implemented in connection with benchmark evaluations.
Tools and models:
Management of information security incidents (Tietoturvapoikkeamatilanteiden hallinta, VAHTI 3/2005)
• Section 2.2.4: Incident response organisation and powers
General instructions on ICT contingency planning (ICT-toiminnan varautuminen häiriö- ja erityistilanteisiin, VAHTI 2/2009)
Observations:
An information security incident is, according to VAHTI’s definition, an intentional or unintentional state that has compromised or may compromise the integrity, confidentiality or availability of an organisation’s information or services.
Subarea name: 1.1.6 Reporting to management
Objectives: Information on the implementation and costs of development activities is communicated to the organisation’s management.
Base-level requirements:
1. Reporting of information security is organised and responsibilities assigned.
2. Information security issues are reported regularly to the organisation’s management.
Increased-level additional requirements:
3. The reporting procedure has been outlined in writing.
4. Information security issues are reported to the organisation’s management at least annually.
High-level additional requirements:
5. Continuous reporting is based on specified operational indicators.
6. The report includes measurement data on use of resources, achievement of information security objectives, incidents, measures undertaken as a result of incidents, and other major information security changes.
Examples of good practices:
• For requirements 1 and 3: An organisation has a management-approved template for an annual information security report. The information security officer is responsible for creating the report.
Tools and models:
Setting and measuring information security objectives (Tietoturvatavoitteiden asettaminen ja mittaaminen, VAHTI 6/2006)
• Section 5.6: Example of reporting procedures and report contents
Observations:
Management is responsible for an organisation’s activities. For management to make well-grounded decisions on necessary risk management measures, it must receive information about the adequacy and impact of measures already undertaken as well as possible problem areas.
1.2 Requirements set for strategies and planning
Subarea name: 1.2.1 Impact of operating environment
Objectives: The operating environment and its impact on activities are recognised.
Base-level requirements:
1. Separate operating environments for the processing of information and the associated systems and processes have been recognised.
2. The special requirements of each operating environment and the information security objectives have been recognised.
Increased-level additional requirements:
3. Operating environments and associated systems have been documented.
4. Environment and system listings are reviewed and if necessary updated at least annually.
High-level additional requirements:
5. The life-cycle stages of environments have been documented and the document contains criteria on when and how an environment moves from one stage to another.
6. The special information security requirements of each life-cycle stage have been specified and documented.
Examples of good practices:
• For requirement 1: An organisation has a head office and regional unit. The regional unit handles permit issues; other functions take place at the head office. Information systems relating to permit issues have also been located in the regional unit’s premises.
• For requirements 1 and 2: An organisation has three separate environments for the same information system, which is critical for the organisation’s activities: development, testing and production environments, each of which has a separate user IAM policy.
• For requirement 5: An organisation changes its email system to another and in the transition stage there are two email systems, the old one and the new one. The old system is in the withdrawal stage of its life cycle, the new one is in production.
• For requirement 6: An organisation has made the decision that personal data contained in test material in the testing stage of an information system should be scrambled.
Tools and models:
General instructions on ICT contingency planning (ICT-toiminnan varautuminen häiriö- ja erityistilanteisiin, VAHTI 2/2009)
• Section 1.3
ITIL and ISO/IEC20000.
Observations:
It is important to recognise the degree of integration or fragmentation of one’s own operating environment, be it operating premises, remote operating locations or information resources. An organisation’s operating environment influences, via risk analysis, elements of information security and it is particularly important also in terms of continuity and recovery planning. When listing environments it is important to understand not only that they are physically separate but also that they are at a different life cycle stage.
Subarea name
1.2.2 Specification of objectives
Objectives
Requirements for service continuity management, special situations and the protection
of information are based on the requirements of the organisation’s core functions.
Base-level requirements
1. The assets to be protected in respect of the information security of each core function
and process have been recognised and classified according to the required information
security level.
2. Information security objectives have also been incorporated into core functions and
processes.
Increased-level
additional
requirements
3. Confidentiality, integrity and availability have been taken into account in
the specification of information security objectives.
4. There are high-level descriptions of core functions and processes.
High-level
additional
requirements
5. Essential information security processes or measures have been incorporated into
function or process descriptions or they have been documented separately.
6. Performance indicators have been linked to operational information security objectives.
Examples of good
practices
• For requirement 1: In handling of benefit applications, personal data files consisting of
applicant information, the decision database and the information system facilitating
public electronic services have been specified as protected assets and they have been
classified according to the confidentiality of the information they contain.
• For requirement 2: Operational information security objectives have been specified in
each function’s own scorecards.
• For requirements 3 and 6: An individual security objective is that public electronic
services are accessible to citizens during 99.9% of official opening hours and that the
number of information security incidents in which citizens are able to see or change
each others’ information when using the service is zero on an annual level.
• For requirement 5: One of an organisation’s core functions is the transaction process.
The process describes how customer identities are checked, how transaction data are
stored and how information is protected if it is transferred to another public authority.
Tools and models
Setting and measurement of information security objectives (Tietoturvatavoitteiden
asettaminen ja mittaaminen, VAHTI 6/2006)
• Section 3: Information security performance management
• Section 4.4: Information security activity indicators
Description of processes (JHS 152)
• Annex 1: Process basic information form
• Annex 2: Table of functions
Observations
Information security targets are specified from the perspective of core functions.
The specification of the core function assets to be protected (i.e. information resources,
information systems, register etc.) and these assets’ information security requirements
constitute a significant background factor in the setting of information security objectives.
Some of the protected assets are common to the whole organisation (e.g. workstations,
telecommunications), but their importance varies for the operation of different key
processes.
When objectives are identified, a risk assessment is made in order to ascertain what risks
there are to the fulfilment of the objectives in the operating environment.
Subarea name
1.2.3 Developing operations through risk assessment
Objectives
The organisation ensures that the level of information security corresponds with the
organisation’s strategic objectives. Information security development takes into account
the information security threats and risks confronting the organisation. A regular risk
management procedure is in use.
Base-level requirements
1. The organisation regularly makes information security risk assessments.
2. Based on the risk assessment, information security is improved in terms of excessive
risks through measures decided by management.
Increased-level additional requirements
3. The organisation makes an assessment of core function information security risks
at least annually.
4. The organisation has a risk assessment procedure and instructions.
5. The organisation has a written information security plan, which specifies which
technical and administrative measures and processes are used in the organisation
to manage perceived information security risks.
High-level additional requirements
6. The organisation makes an assessment of information security risks also in connection
with major changes.
7. The organisation has a risk management policy.
8. A record is kept of the biggest risks on an organisational level and the implementation
of risk management measures is monitored.
Examples of good practices
• For requirements 1 and 4: An organisation has agreed that the assessment of
information security risks is done in two parts. Firstly, individuals in positions of
responsibility in core functions make their own information security risk assessment
within their own function and thereafter the organisation holds a joint information
security assessment event at which common issues and risks highlighted at the
assessment event are discussed.
• For requirements 2 and 5: In a risk assessment, an accidental disclosure of non-public
information via portable data storage media was identified to carry a very high risk
to an organisation. The organisation decided to invest in user-friendly encryption
software and in staff training in order to reduce the risk to the desired level. The
information security plan was updated accordingly.
Tools and models
Instructions on risk assessment to promote information security in central government
(Ohje riskien arvioinnista tietoturvallisuuden edistämiseksi valtionhallinnossa, VAHTI
7/2003)
• Section 3.2: Model process for risk assessment
• Table 5, p. 47 – example of risk management plan
• Annex 2: Check lists for the recognition of information risks
Effective Information Security (VAHTI 5/2009)
• Information security plan framework, p. 88
General instructions on ICT contingency planning (ICT-toiminnan varautuminen
häiriö- ja erityistilanteisiin, VAHTI 2/2009)
• Chapter 6
ENISA, risk management procedures information portal
Observations
A risk analysis is made only when the operating environment and the objectives set for
operations by the core functions are known. Based on a risk analysis, the necessary
technical measures and information security management processes are planned to
ensure that the objectives set for information security are achieved and that risks remain
at an acceptable level in the operating environment. Selected measures and principles are
described or updated in the information security plan or other corresponding document.
Subarea name
1.2.4 Operating network management
Objectives
Continuity of services and protection of information in the partner network has been
planned and agreed.
Base-level requirements
1. The organisation is aware of the operating networks in which it is involved and knows
which subcontractors and partners are working with its information and in which roles.
Increased-level additional requirements
2. The organisation has a written document which outlines its participation and role
in various subcontractor and cooperation networks as well as the general information
security requirements for participation.
High-level additional requirements
3. Operating networks are classified according to information security level and each class
has its own information security requirements.
4. Only service providers which have the capacity to protect the confidentiality of
documents and, if necessary, investigate violations of confidentiality in the manner
referred to in sections 13a-13k of the Act on the Protection of Privacy in Electronic
Communications (516/2004) may be selected as service providers.
Examples of good practices
• For requirement 1: In connection with the specification of job descriptions, those
responsible for purchases maintain situation awareness of the operating network with
respect to subcontractors.
• For requirement 2: The information management strategy mentions that, when ICT
support functions are outsourced, subcontractors and partners must have at least the
same information security level as the organisation itself.
• For requirement 2: A service centre maintains a record of services ordered by each
customer organisation and of the information security levels they require.
Tools and models
Change and information security, from regionalisation to outsourcing – A controlled
process (Muutos ja tietoturvallisuus, alueellistamisesta ulkoistamiseen – hallittu
prosessi, VAHTI 7/2006)
General instructions on ICT contingency planning (ICT-toiminnan varautuminen
häiriö- ja erityistilanteisiin, VAHTI 2/2009)
• Chapter 5
Observations
In this field, it is essential that an organisation recognises the subcontractor chains and
other cooperation networks in which it is involved and what this means for the information
processed in the networks. Operating networks can be reviewed in either a centralised or
decentralised manner according to whether decision-making on acquisitions and
cooperation is centralised or decentralised.
Subarea name
1.2.5 Special situations management
Objectives
Special situations management procedures have been planned, training given and exercises
held.
Special demands for Finland
1. The organisation’s management is aware of the organisation’s responsibilities relating
to securing the functions vital to society (YTS).
Base-level requirements
2. The organisation has a continuity plan or plans.
Increased-level additional requirements
3. The updating and review of continuity plans has been organised and responsibilities
assigned.
4. The functioning of continuity plans is tested and assessed regularly.
High-level additional requirements
5. Exercises are held with key partners on the functioning of continuity plans.
Examples of good practices
• For requirement 2: Different continuity plans are tested in alternate years as table tests
or checklist tests.
• For requirement 4: An organisation arranges the testing of plans annually, simulating
a situation that poses a threat to continuity.
Tools and models
Effective Information Security (VAHTI 5/2009)
• Continuity plan framework, p. 76
General instructions on ICT contingency planning (ICT-toiminnan varautuminen
häiriö- ja erityistilanteisiin, VAHTI 2/2009)
Recommendations of the National Emergency Supply Agency
The Strategy for Securing the Functions Vital to Society, Government Resolution 2006
• Section 3.3: Strategic tasks of the ministries in securing the vital functions
• Annex 2: Preparedness for special situations
Observations
Continuity means the continuation of an organisation’s functions in the event of incidents.
Plans for the technical recovery of ICT systems from various incidents are discussed in
item 2.12 “Recovery of information systems from incidents” below.
Work on requirements relating to securing functions vital to society as well as security
of supply is under way (VARE, HUOVI) and they will be specified separately.
1.3 Requirements set for people
Subarea name
1.3.1 Developing expertise and awareness, and sanctions
Objectives
Role- and task-specific requirements have been set for continuity management and
information protection expertise, its level is known, and it is developed.
The organisation encourages staff to observe and develop good continuity management
and information protection procedures.
The organisation has an agreed way of acting in the event of security incidents and cases
of misuse.
Special demands for Finland
1. Technical supervision of employees is processed in accordance with the statutory
cooperation procedure (Act on the Protection of Privacy in Working Life, section 21).
Base-level requirements
2. The organisation regularly arranges information security training for staff and other
interest groups. The expertise of information security staff is developed and maintained.
3. Information security issues are also discussed in the induction of staff.
4. All who work in the organisation are informed about amended information security
instructions and practices.
5. Compliance with rules is monitored and any failures to observe them are addressed.
Increased-level additional requirements
6. The organisation has a written information security training plan.
7. Inductors have a written list of information security issues to be discussed.
8. The participation of staff in training is monitored.
9. The consequences of violating information security rules and instructions have been
described in the organisation and communicated to all employees.
High-level additional requirements
10. Supervisor and subordinate have an annual discussion on the information security
responsibilities and on the need to develop expertise.
11. The information security expertise of staff is ascertained.
12. Information security training takes into consideration changes and information security
incidents that have taken place in the organisation and its environment.
13. Positive attention is given to good information security work.
Examples of good practices
• For requirement 2: An organisation arranges annually information security training
for staff as well as separate information security training for subcontractors. The
information security officer attends relevant seminars.
• For requirements 2 and 9: The information security policy outlines the consequences
of failure to comply with information security rules and instructions. Practical training
also mentions which issues must not be discussed outside the organisation.
• For requirement 8: The names of participants in information security training are listed
and the number of trained staff is monitored annually.
• For requirement 8: An organisation uses in its information security training a
computer-assisted training package that maintains a record of those who have completed
training and reminds those who have not yet attended a training course to register.
• For requirement 11: A regular information security survey of staff is conducted to
ascertain whether training has increased understanding and awareness.
• For requirement 13: Management or the information security manager praises individuals
and groups publicly for good work in taking information security into account.
Tools and models
Information Security Instructions for Personnel (VAHTI 4/2009)
• Training Material (PowerPoint) (in Finnish)
Guide for information security trainers (Tietoturvakouluttajan opas, VAHTI 11/2006)
General instructions on ICT contingency planning (ICT-toiminnan varautuminen
häiriö- ja erityistilanteisiin, VAHTI 2/2009)
• Chapter 4
ENISA Information Security Awareness Guide
• Annexes 1–4, Information security awareness planning templates
• Annex 5: Citizens’ information security awareness survey sample
Online Safety School
Observations
The information security awareness of staff and a positive attitude towards information
security play a key role in preventing information security incidents arising from staff’s lack
of knowledge. Because information security can be perceived as a negative and complicating
issue, the influence of positive feedback should not be underestimated.
Subarea name
1.3.2 Management of human resources and tasks
Objectives
Staff and their roles have been planned and scaled in the manner required by the continuity
management and protection of information in an organisation’s core functions. Key roles and
key individuals have been specified and back-up arrangements planned.
Base-level requirements
1. Information security measures and processes selected for implementation have been
organised and responsibilities assigned.
2. Key roles in information security have been specified and a deputy or deputies named
for them.
Increased-level additional requirements
3. There is a list of information security processes or measures selected for implementation
and of the individuals responsible for them.
4. The deputies to key information security staff have been trained in their tasks.
High-level additional requirements
5. The organisation has specified tasks or roles for which applicants must undergo
background checks, and the background check process is documented.
6. The organisation has carried out a survey of information security expertise.
Examples of good practices
• For requirement 1: Firewall maintenance is perceived as a necessary information security
process, and an owner and implementers are specified for it. An outsourcing partner is
selected as an implementer.
• For requirement 2: The information security manager has been confirmed in the
organisation as a key role and he or she has a named deputy. The information security
manager can be contacted by email via the role address [email protected]
([email protected]), and his or her deputy has access to this email
box to be able to review pending issues.
Tools and models
Personnel security as part of information security (Tärkein tekijä on ihminen
– henkilöstöturvallisuus osana tietoturvallisuutta, VAHTI 2/2008)
• Section 4.6.2: Background checks
• Annex 4: Agencies’ use of background check process
General instructions on ICT contingency planning (ICT-toiminnan varautuminen
häiriö- ja erityistilanteisiin, VAHTI 2/2009)
• Chapter 4
Observations
Information security measures and processes selected for implementation can arise in a
number of ways. Typically, new information security measures or processes to be
implemented arise as the result of the item “Developing operations through risk assessment”,
discussed above, and the item “Assessment and verification of operations” discussed below.
It is recommended that these items be documented in an information security plan.
Information security processes relating to information systems are discussed in section 2
below.
Subarea name
1.3.3 Actions in special situations
Objectives
Instructions for managing disruptions to critical functions have been prepared, training
given and exercises held.
Special demands for Finland
1. The confidentiality and correct processing of electronic messages, email, identification
information and geographic information are also addressed when information security
incidents are investigated (Act on the Protection of Privacy in Electronic Communications,
sections 4 and 5; Act on the Protection of Privacy in Working Life, chapter 6).
Base-level requirements
2. Staff know where to report information security incidents and events or threats.
Increased-level additional requirements
3. Staff who investigate information security incidents have been trained in their task.
High-level additional requirements
4. The organisation has a group trained in investigating information security incidents,
which holds regular exercises.
Examples of good practices
• For requirement 1: An organisation has a written email policy, which takes into account
chapter 6 of the Act on the Protection of Privacy in Working Life.
Tools and models
CERT-FI instructions of the Finnish Communications Regulatory Authority
Management of information security incidents (Tietoturvapoikkeamatilanteiden
hallinta, VAHTI 3/2005)
Electronic Mail-handling Instruction for State Government, VAHTI 2/2006
• Annex 2: Email handling rules
• Annex 5: Model for email box opening form
Observations
Assignment of responsibilities and organisation of tasks in special situations belong to the
item “Management in special situations”, discussed in the management section above. Log
management of ICT systems is discussed in item 2.11 “Monitoring of information security
incidents” below.
Ensuring an organisation’s operational continuity is discussed in item 1.2.5 “Special
situations management” above. ICT systems recovery planning is discussed in item 2.12
“Recovery of information systems from incidents” below.
1.4 Requirements set for partnerships and resources
Subarea name
1.4.1 Contract management
Objectives
Contracts include requirements for operational continuity management, special situations
management and the protection of information as well as their implementation.
The management obligation concerning the continuity of critical operations and the
protection of information covers the entire supplier network.
Base-level requirements
1. Partnership and procurement activity is organised and responsibilities are assigned.
2. A written contract is concluded with each partner, specifying the information security
requirements of the cooperation or acquisition as well as how supervision, monitoring,
auditing and reporting of information security will take place.
Increased-level additional requirements
3. The necessary information security requirements are set for partners at the invitation to
tender or partnership negotiation stage.
4. The partnership contract specifies the information security level that the partner and any
possible subcontracting network should observe, taking the nature of the cooperation
into account.
High-level additional requirements
5. Before entering into a contract, the organisation audits the partner’s information security
procedures relating to the object of cooperation or asks for a written report on them.
6. The contract specifies the sanctions for information security incidents and violations.
Examples of good practices
• For requirement 2: When contracts are prepared, a standard security annex, which also
covers information security issues, is used.
• For requirement 2: Selected partners have a framework agreement with the entire
administrative branch. If the framework agreement already has sufficient information
security requirements applying to the procurement object, a new information security
agreement does not need to be prepared.
• For requirement 3: The information security needs of the procurement object are taken
into account at the invitation to tender stage by making a risk analysis concerning the
procurement object and, based on this, information security requirements are specified
in the invitation to tender.
• For requirement 4: A base-level agency outsources information system maintenance to
an external organisation. The information system processes personal data, so the service
provider maintaining the information system must fulfil the high-level requirements
of this publication.
Tools and models
Personnel security as part of information security (Tärkein tekijä on ihminen
– henkilöstöturvallisuus osana tietoturvallisuutta, VAHTI 2/2008)
• Section 4.7: International personal security clearance
• Section 4.10: Security of purchased services
General Terms and Conditions of Government IT Procurement JIT 2007 (JHS 166)
• General Terms and Conditions, Chapter 27
• Model Contract for Application Procurement, Chapter 10
• Model Contract for Services, Chapters 7 and 11
• Model Contract for Consulting, Chapter 8
Change and information security, from regionalisation to outsourcing
– A controlled process (Muutos ja tietoturvallisuus, alueellistamisesta
ulkoistamiseen - hallittu prosessi, VAHTI 7/2006)
• Annexes 1A and 1B: Security contract models
• Annex 5: Personal data processing checklist
• Annex 6: Partner information security procedures checklist
National Emergency Supply Agency’s Sopiva project, Contract-based continuity and
preparedness requirements
Observations
The closer the object of a contract is to an organisation’s core activity, the better that
information security requirements included in invitations to tender or contracts can be based
on the results of the “Specification of objectives” and “Developing operations through risk
assessment” items, discussed above.
In the JIT 2007 model contract, information security has been taken into account on a fairly
general level. When using this, it is recommended that a separate information security annex
is prepared for each procurement object and that an opportunity to audit is required.
Subarea name
1.4.2 Securing operations in special situations
Objectives
Partners’ capability to manage disruptions and special situations has been specified and
verified.
Base-level requirements
1. Monitoring of information security as well as recording and reporting of incidents
has been organised and responsibilities assigned concerning the cooperation.
2. Perceived information security incidents relating to partners are reported to them
immediately and corrective measures initiated as agreed.
Increased-level additional requirements
3. Written guidelines are available on the handling of information security incidents
with partners.
4. A written report is prepared on incidents and their causes.
5. Organisation-specific continuity exercises are held regularly.
High-level additional requirements
6. Exercises on cooperation in special situations are held with partners.
7. Information on the causes of incidents is used to improve contracts and operations.
Examples of good practices
• For requirement 2: A service level agreement is concluded with a subcontractor, specifying
that incidents are communicated by telephone to a contact person and corrective
measures are initiated within an agreed time.
• For requirement 7: A subcontractor mistakenly connected a test service to the internet.
The confidentiality of the test system and material was not originally taken into account
in the contract, and so this was added to the contract.
Tools and models
Management of information security incidents (Tietoturvapoikkeamatilanteiden
hallinta, VAHTI 3/2005)
• Section 2.2.5: Incident exercises
General instructions on ICT contingency planning (ICT-toiminnan varautuminen
häiriö- ja erityistilanteisiin, VAHTI 2/2009)
Observations
The responsibilities of each party in a joint information security incident should be agreed,
because they may differ from the organisations’ internal operating models. It is worth
noting that a major disruption in service may also be an incident.
1.5 Requirements set for processes
Subarea name
1.5.1 Information resources management
Objectives
The security of documentary and other information material is maintained throughout its
life cycle. Information resources are handled in the organisation in accordance with the law
and good administrative practice.
Special demands for Finland
1. The organisation has an archive formation plan (Archives Act, section 8), which is often
also called an information management plan.
2. The organisation keeps an index of any matters submitted and taken up for consideration
and any matters considered and decided (Openness Act, section 18).
Base-level requirements
3. Employees know how information is processed in the organisation.
4. Every written document produced by the organisation contains an indication of
who has prepared it, when it was prepared and what its status of approval is.
5. Documents intended for destruction are destroyed so that confidentiality and data
protection are ensured.
Increased-level additional requirements
6. The organisation has written instructions on the processing of information, describing
how documents are approved and reviewed and which material is secret or subject to
some other non-disclosure obligation.
High-level additional requirements
7. The information management tools used by the organisation support the classification
and archiving of information.
Examples of good practices
• For requirement 3: Induction highlights the basic issues in the processing of documents.
• For requirement 4: The organisation’s document template has designated places for the
names of the author and the approver, dates, and an explanation of any changes made.
Tools and models
Instructions for information security in case management
(Asianhallinnan tietoturvallisuutta koskeva ohje, VAHTI 5/2006)
• Section 9: Case management information security checklist
National Archives Service, Archive Formation Plan Guide
Instructions and models of the National Archives Service
Logging instructions (Lokiohje, VAHTI 3/2009)
Observations
The requirements of the item “Special demands for Finland” do not need to be implemented
in private sector organisations.
1.6 Requirements set for the measurement
Subarea name
1.6.1 Assessment and verification of operations
Objectives
The state of information security management in the organisation is monitored to ensure
that it serves the organisation’s core functions.
Base-level requirements
1. Regular information security audits or assessments are carried out in the organisation.
2. Audits or assessments are planned and then approved by management.
3. The results of audits or assessments are reported to the owner of the function or asset.
4. A record of audit or assessment recommendations is kept on an organisation level and
implementation of improvement measures monitored.
Increased-level additional requirements
5. Information security audits or assessments are carried out every year.
6. The organisation has a written audit or assessment process approved by management,
which specifies, for example, the qualifications for the auditors or assessors.
7. Based on the report, the owner of the function or asset specifies and assigns responsibility
for the improvement measures by which perceived risks are reduced to an acceptable level.
High-level additional requirements
8. Audits or assessments thoroughly review the organisation’s core functions over a
five-year period.
9. External resources are also used in information security audits or assessments.
Examples of good practices
• For requirement 1: An organisation may follow its own donut dial.
• For requirement 1: A party (e.g. internal auditing) decided by an organisation makes an
overall assessment of information security using, for example, the VAHTI 8/2006 instruction.
• For requirements 1–2: The management of an organisation has approved principles
according to which units assess the information security of their own activities every
other year and report on the results.
• For requirement 7: An organisation has created an audit plan according to which IAM
processes are audited in 2010, information security requirements for all outsourcing
and service level agreements are audited in 2011, and public electronic services processes
and information systems are audited in 2012.
Tools and models
See all VAHTI instructions www.vm.fi/vahti and particularly
Assessment of information security in central government
(Tietoturvallisuuden arviointi valtionhallinnossa, VAHTI 8/2006)
• Administrative security RTF assessment template
• Personnel security RTF assessment template
• Physical security RTF assessment template
• Telecommunications security RTF assessment template
• Software security RTF assessment template
• Hardware security RTF assessment template
• Information resources security RTF assessment template
• Operational security RTF assessment template
• Continuity planning RTF assessment template
• Contingency planning RTF assessment template
• Outsourcing RTF assessment template
CAF assessment model www.vm.fi/caf/
The State Treasury’s VIP audit experts are available for assessments www.statetreasury.fi/ttt
Observations
In audits and assessments, information security and its management should be considered
as an entity that serves the requirements of core functions. This can be done, for
example, by performing various technical information security audits and self-assessments.
A public authority can verify the information security level of its systems by using auditing
services in which the level of the authority’s information security measures is assessed
in relation to the Decree on Information Security and these instructions or, if the processing
of EU documents is involved, with reference to EU security rules.
It is essential for information security that the results of assessments and audits are
discussed and operations improved based on them.
2 Requirements for the management of information systems
2.1 Reporting to the information security officer
Subarea name
2.1 Reporting to the information security officer
Objectives
The information security officer receives information about the state of information security
for reporting to management and for assessing the sufficiency and effectiveness of
information security mechanisms and processes.
Base-level requirements
1. Regular reporting to the information security officer on the state of IT systems’
information security and their management has been organised and responsibilities
assigned.
2. Serious information security incidents are reported to the information security officer
without delay.
Increased-level additional requirements
3. Reporting is in writing.
High-level additional requirements
4. Reporting is based on agreed information security objectives and their indicators.
Practical examples
• For requirement 1: The information security manager attends each month a meeting with
information management staff at which any information security measures and updates
made as well as new perceived threats and risks are discussed.
• For requirement 1: An organisation has outsourced IT systems maintenance to two
different subcontractors. Service level agreements outline how a subcontractor reports
on the information security situation to the person responsible for the service. The person
responsible for the service then reports to the information security manager.
Tools and models
Setting and measuring information security objectives
(Tietoturvatavoitteiden asettaminen ja mittaaminen, VAHTI 6/2006)
• Section 5.6: Example of reporting procedures and report contents
Observations
Information must travel from the practical level upwards. On the base level, oral reporting
is sufficient, but email or other written means are better.
2.2 Asset management
Subarea name
2.2 Asset management
Objectives
The equipment, software and data files for which the organisation is responsible, as well
as the information systems consisting of them, have been recognised so that their security
can be ensured.
Special demands for Finland
1. In respect of personal data files owned by the organisation, there is a data file system
description in accordance with section 10 of the Personal Data Act, and it is available for
data subjects to view.
2. There is an information system description in accordance with section 18 of the Openness
Act for each information system.
Base-level requirements
3. The organisation has directories of the physical or virtual equipment, information systems,
services, software and licences owned or used by the organisation.
4. Ownership of equipment, data files and information systems has been organised and
responsibilities assigned.
5. The updating of equipment, information system, service and software directories
and their statutory descriptions has been organised and responsibilities assigned.
Increased-level additional requirements
6. The owner has documented the information content of equipment, information systems
and data files.
7. The owner has classified assets in accordance with the required information security levels.
8. Owners regularly review the content of equipment, information system, service and
software directories and their statutory descriptions.
High-level additional requirements
-
Practical examples
• For requirement 1: The user data file description of an organisation’s electronic public
service is available for viewing on the internet.
• For requirement 3: An organisation has acquired for its use virtual servers from a service
provider. Accounting for the virtual servers is accordingly obtained from the service
provider.
• For requirement 4: An organisation’s case management system is owned by the
administration unit and network infrastructure by the information management unit.
Units appoint the individuals to whom an ownership role belongs.
• For requirement 5: When a new workstation is taken into use, the workstation support is
to record the device and its information in an Excel table that serves as the workstation
device directory.
• For requirement 7: An organisation has two information systems: a travel management
system with an increased information security level and an electronic public services
system with a high information security level. Behind both systems are databases
operating on the same physical server due to appropriate use of resources.
The information security level of the database server must accordingly be high.
• For requirement 7: Information systems have been classified both according to information
security level and according to how essential they are for the organisation’s activities.
Tools and models
Personal data file system description RTF form template, www.tietosuoja.fi
Information system description RTF form template, www.tietosuoja.fi
Observations
It is essential to recognise the technical assets to be protected. The items “Specification of
objectives” and “Impact of operating environment”, in section 1 of Annex 5 above, discussed
the same issue from the perspective of an organisation’s main functions. This item goes
deeper into ICT aspects, because the perspective of main functions alone is not sufficiently
specific in terms of overall information security.
In addition to the recognition of assets to be protected, they must have an owner who has
the right to make practical decisions relating to them (e.g. risk level, introduction, removal
and installation changes). The owner may be an organisational unit; within the unit the
holders of the ownership roles should also be specified.
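The following is an added illustration, not part of VAHTI 2b/2010 or any agency's tooling, of how a small asset register can carry the ownership and classification data that requirements 4 and 7 call for, and how the practical example above (a database server shared by an increased-level and a high-level system) is resolved: the shared host must carry the highest level of anything it hosts. The asset names, units and levels are constructed.

```python
"""Asset register sketch: owners, classification and inherited security level.

Added illustration, not part of VAHTI 2b/2010. Levels and assets are constructed."""
from dataclasses import dataclass, field

# Ordered as in the instructions: base < increased < high.
LEVELS = {"base": 0, "increased": 1, "high": 2}


@dataclass
class Asset:
    name: str
    kind: str                    # "system", "server", "data file", ...
    owner_unit: str              # organisational unit that owns the asset (req. 4)
    owner_person: str            # individual holding the ownership role
    level: str = "base"          # information security level set by the owner (req. 7)
    hosts: list = field(default_factory=list)   # names of assets that run on this one


def required_level(register: dict, name: str) -> str:
    """Required level = max of the asset's own level and of everything it hosts.

    Recursive, so a server hosting a database that hosts a high-level system is high."""
    asset = register[name]
    best = asset.level
    for hosted in asset.hosts:
        candidate = required_level(register, hosted)
        if LEVELS[candidate] > LEVELS[best]:
            best = candidate
    return best


def under_classified(register: dict) -> list:
    """Assets whose documented level is lower than the level they must carry."""
    return sorted(n for n in register
                  if LEVELS[required_level(register, n)] > LEVELS[register[n].level])


def unowned(register: dict) -> list:
    """Assets with no owning unit or no named holder of the ownership role."""
    return sorted(n for n, a in register.items()
                  if not a.owner_unit or not a.owner_person)


# Constructed register mirroring the practical example for requirement 7.
REGISTER = {a.name: a for a in [
    Asset("travel-mgmt", "system", "administration", "A. Owner", "increased"),
    Asset("e-services", "system", "administration", "B. Owner", "high"),
    Asset("db-server-01", "server", "information management", "C. Admin", "base",
          hosts=["travel-mgmt", "e-services"]),
    Asset("case-mgmt", "system", "administration", "", "base"),
]}

if __name__ == "__main__":
    print("db-server-01 must be:", required_level(REGISTER, "db-server-01"))
    print("under-classified:", under_classified(REGISTER))
    print("without a named owner:", unowned(REGISTER))
```

Running the register review regularly (requirement 8) is what turns the list into a control: the two review functions report the database server, whose documented level is still "base", and the case management system, whose unit has not named an individual for the ownership role.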
2.3 Introduction and removal of information processing environments
Subarea name
2.3 Introduction and removal of information processing environments
Objectives
Information processing environments, mainly information systems and workstations, are
taken into and removed from use securely in accordance with their life-cycle management
process.
Base-level requirements
1. The information security requirements of a system’s information content are taken into
account in the installation of information systems and workstations and in their removal
from use.
2. Measures relating to the introduction of information systems and workstations and their
removal from use have been organised and responsibilities assigned.
Increased-level additional requirements
3. There are written guidelines for the first installation of information systems and workstations and their removal from use. They specify, for example, the information security
settings to be used at different security levels as well as the procedures for the handling
of equipment and the erasure of mass storage media when they are transferred from one
environment to another or when they are removed from the organisation’s control.
4. The updating of instructions has been organised and responsibilities assigned.
High-level additional requirements
5. High information security level information systems and workstations are hardened.
6. Information systems and workstations are maintained so that the information on mass
storage media is not disclosed to external parties.
Practical examples
• For requirements 1 and 3: An organisation has acquired workstations from an external
service provider, which is responsible for first installations and removal from use in
accordance with technical instructions specified in the information security annex of
the contract.
• For requirements 2-3: An organisation which has outsourced operating services has
prepared information system installation instructions with the subcontractor. They
outline how different information system platforms are installed by default and which
information security features are used in different information security level systems,
for example concerning logs, passwords and available services.
• For requirement 5: An organisation has agreed that the information security settings
of the Solaris operating system will be hardened using the Solaris security toolkit,
and Windows Server 2003 systems by using a Group Policy prepared on the basis of
CIS instructions.
Tools and models
Securing the central government’s key information systems (Valtionhallinnon keskeisten
tietojärjestelmien turvaaminen, VAHTI 5/2004)
• Chapter 12: Operational security
General instructions on protection against malware (Haittaohjelmilta suojautumisen
yleisohje, VAHTI 3/2004)
• Section 5.1: Workstation security settings
NIST maintenance and configuration instructions for technical systems
NIST information security checklists for technical systems
Center for Internet Security: hardening guidelines for different systems
• The guidelines are free but require registration.
Darik’s Boot and Nuke, free hard disk erasure program.
Observations
A careful basic installation which takes information security into account is a cornerstone
of the systems’ technical information security. Maintenance is facilitated by the systems
being as similar as possible. Hardening is recommended in high information security level
systems, which means that default settings affecting information security are tightened.
Hardening guidelines are available for various operating systems, databases and routers
from the USA’s NIST and CIS.
To prevent information leaks, measures should also be put in place to ensure that hard disks
of equipment removed from use are overwritten or reliably destroyed before their removal
from an organisation’s possession.
2.4 Updating of information processing environments and change management
Subarea name
2.4 Updating and change management of information processing
environments
Objectives
Information processing environments are updated in an orderly manner to prevent
information security problems and the exploitation of vulnerabilities.
Base-level requirements
1. Monitoring the need for equipment and information system updates, making update
decisions and installing updates has been organised and responsibilities assigned,
particularly for information security updates.
2. Assessing whether equipment and information systems need to be updated, deciding
about them and implementing the updates have been organised and responsibilities
assigned.
3. The organisation has principles that outline which updates or changes are installed
immediately and which updates and changes require assessment that takes the risk
level into account.
Increased-level additional requirements
4. Non-urgent updates or changes are only made at a time agreed in advance
(‘maintenance window’) based on the update or change management principles.
5. Only programs and equipment approved by the system owner can be installed in or
connected to an information system.
6. The organisation’s update and change principles are in writing.
High-level additional requirements
7. The currency and success of updates are measured and monitored.
8. Updates and changes are tested before they are taken into production.
9. Organisation staff participate in information security cooperation groups.
Practical examples
• For requirements 1-3: An organisation has taken into use ITIL Change Management
process.
• For requirement 1: Workstation support has been assigned responsibility for monitoring
the information security situation of the Windows XP and Office environments.
Responsibility for monitoring the updates of an organisation’s Linux and Apache
environments has been assigned to a server maintenance group. Server update decisions
are made by the operations manager, and workstations are updated automatically.
• For requirement 2: An organisation has a standard installation for workstations.
In addition, it has been agreed that, with the supervisor’s permission, certain additional
applications can be installed on workstations.
• For requirement 4: An ICT service organisation has a maintenance window each Thursday
evening from 7–9 p.m. when necessary updates can be installed and changes made
without disrupting production too much.
• For requirement 7: Workstation support uses software that can be used to monitor in
what percentage of an organisation’s workstations a certain update has been made.
• For requirement 9: An organisation monitors the CERT-FI mailing list and participates
in joint meetings of central government’s information security staff.
Tools and models
Securing the central government’s key information systems (Valtionhallinnon keskeisten
tietojärjestelmien turvaaminen, VAHTI 5/2004)
• Section 12.4: Change management
Management of information security incidents (Tietoturvapoikkeamatilanteiden hallinta,
VAHTI 3/2005)
• Section 2.1.8. Secure maintenance of information systems
General instructions on protection against malware (Haittaohjelmilta suojautumisen
yleisohje, VAHTI 3/2004)
• Section 5.2: Software vulnerabilities and corrective updates
Observations
According to item 2.3 above, technical information security is based on a standard
installation that takes information security into account. The level of information
security deteriorates rapidly, however, if changes are made to an operating system or
software in a disorderly manner or if information security updates are not installed at all.
Organisations have various kinds of information systems. Some systems are more susceptible
to attacks than others, due to their location, for example. In some systems the updating
is very simple, and in others rather challenging, due to accessibility requirements or lack
of software supplier support, for example. It is essential that challenging systems have
been recognised and consideration given to the way in which updates, particularly critical
information security updates, are made. If updating is not possible, the owner should
consider what other measures can be employed to reduce risk.
Development of information systems and applications is discussed in the item “Management
of information system development and application maintenance” below.
2.5 Formation of secure areas and filtering between them
Subarea name
2.5 Formation of secure areas and filtering between them
Objectives
Transferring information from one network to another requires authorisation.
Base-level requirements
1. The organisation has recognised and separated the parts of an information network that
require different protection levels, and restricts and filters traffic between networks of
different protection levels.
2. Adding, changing and removing rules on firewalls and other telecommunications devices
is organised and responsibilities assigned.
3. Rules of firewalls or other filtering devices have been documented.
4. Incoming traffic from a public network is restricted and filtered on the principle “all traffic
is prohibited unless separately permitted”. Outgoing traffic is also filtered.
5. The organisation has a remote access policy.
Increased-level additional requirements
6. The organisation has a written firewall and traffic filtering policy and the updating
of rules process is documented.
7. The currency of firewall and other filtering device rules is regularly reviewed.
8. Only equipment approved by the network owner can be connected to information networks.
9. The remote access policy is in writing. The policy specifies which equipment and networks
are approved for remote access, and which systems can be used and maintained remotely.
High-level additional requirements
10. Networks are monitored for information security incidents and breaches, and perceived
incidents are addressed.
Practical examples
• For requirement 1: An organisation has differentiated three logically separate information
network segments: a semi-trusted network (DMZ) containing public services, a workstation network containing workstations and a server network containing storage and
servers, which have been isolated with a firewall.
• For requirement 2: An organisation has agreed that only the information security manager
can request a telecommunications service provider to change the public network firewall.
• For requirement 3: In the firewall management user interface, every opening rule contains
a comment field in which the maker of the opening request, the reason for the request and
its validity period are entered.
• For requirement 8: The permission of the network owner must always be requested
to connect a new server. The owner of a WLAN visitor network has given permission to
visitors to connect their computers to the network.
• For requirement 10: An IDS/IPS system is used in a high protection level information
network to detect and prevent information security breaches.
Tools and models
Instructions on internet information security in government information management
(Valtion tietohallinnon internet-tietoturvallisuusohje, VAHTI 1/2003)
• Section 3.2: Connection to internet
Secure remote access from insecure networks (Turvallinen etäkäyttö turvattomista
verkoista, VAHTI 2/2003)
General instructions on protection against malware (Haittaohjelmilta suojautumisen
yleisohje, VAHTI 3/2004)
• Section 5.4: Protecting an organisation network
• Section 5.5: Work outside the organisation
Observations
After the introduction of the central government’s shared telecommunications network,
most of the requirements relating to external connections are automatically fulfilled in the
network’s user organisations.
Operational separation of networks and traffic filtering are essential in preventing threats
coming from networks. Technically this is fairly simple, but the management of firewalls
and their filtering rules is a very common problem. Particularly when outsourcing, it must
be agreed very clearly who can make changes, on the basis of what information changes
can be made, and who has responsibility for different parts of the maintenance process.
For example, the service provider cannot approve a change, but can perform a technical
check and implementation.
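As an added illustration (not code from VAHTI 2b/2010 or from any agency), the following models a default-deny rule set of the kind requirements 3, 4 and 7 describe: every opening carries the requester, the reason and a validity period, traffic with no matching valid rule is denied, and expired rules can be listed for the regular review. Rule order matters, which the constructed rules show: an explicit deny placed before a broad "workstations to internet" opening keeps that opening from also reaching the server network. Network ranges, ports and requesters are constructed.

```python
"""Default-deny rule set with documented, time-limited openings.

Added illustration, not from VAHTI 2b/2010; networks and rules are constructed."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str            # source network (CIDR)
    dst: str            # destination network (CIDR)
    port: int           # destination TCP port, 0 = any port
    action: str         # "allow" or "deny"
    requester: str      # who asked for the opening (req. 3)
    reason: str         # why the opening exists (req. 3)
    valid_until: date   # validity period, checked at the regular review (req. 7)


def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.port in (0, port))


def evaluate(rules: list, src: str, dst: str, port: int, today: date) -> str:
    """First matching, still-valid rule wins; no match means deny (req. 4)."""
    for r in rules:
        if r.valid_until >= today and matches(r, src, dst, port):
            return r.action
    return "deny"


def expired_rules(rules: list, today: date) -> list:
    """Openings whose validity period has passed; candidates for removal."""
    return [r for r in rules if r.valid_until < today]


# Constructed network segments (RFC 5737 / private ranges used as placeholders).
INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
WORKSTATIONS = "10.10.0.0/16"
SERVERS = "10.20.0.0/16"
FAR_FUTURE = date(2099, 1, 1)   # constructed stand-in for an open-ended opening

RULES = [
    Rule(INTERNET, DMZ, 443, "allow", "web-team", "public e-service", FAR_FUTURE),
    Rule(WORKSTATIONS, SERVERS, 445, "allow", "file-service owner", "file shares", FAR_FUTURE),
    # Explicit deny before the broad outgoing rule: INTERNET matches every address,
    # so without this line workstations could reach servers on port 443 as well.
    Rule(WORKSTATIONS, SERVERS, 0, "deny", "security manager", "segment boundary", FAR_FUTURE),
    Rule(WORKSTATIONS, INTERNET, 443, "allow", "security manager", "browsing via proxy", FAR_FUTURE),
    Rule(DMZ, SERVERS, 5432, "allow", "e-service owner", "database access, temporary",
         date(2010, 6, 30)),
]

if __name__ == "__main__":
    today = date(2010, 7, 1)
    print(evaluate(RULES, "203.0.113.5", "192.0.2.10", 443, today))   # allow
    print(evaluate(RULES, "192.0.2.10", "10.20.0.5", 5432, today))    # deny: expired
    for r in expired_rules(RULES, today):
        print("review:", r.requester, r.reason, r.valid_until)
```

The review function is the part that addresses the management problem named above: when the service provider performs the technical implementation, the organisation still owns the list of who requested each opening and until when, and can ask for expired entries to be removed.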
2.6 Access control
Subarea name
2.6 Access control
Objectives
Access to information only by authorised users.
Base-level requirements
1. The information system owner approves the reliability of the identity and the strength
of the identification required to access information contained in the system.
2. Both successful and unsuccessful log-ins are recorded in a log file, so that the system
log-ins of an individual user can be ascertained and reliably linked to his or her identity.
3. Use of weak passwords is prevented.
Increased-level additional requirements
4. The organisation has a written access control policy, which specifies, among other things,
the technical identification methods acceptable at different security levels,
user ID locking and opening principles, and quality requirements and change principles
for passwords and other identifiers.
5. Access control logs are stored so that they cannot be modified later.
6. Too many unsuccessful authentications in succession to the most important systems
or services lock the user ID in question.
High-level additional requirements
7. There are written instructions on the granting, use and renewal of certificates and
an up-to-date list of the certificates in use.
8. In high-level systems, access control logs and audit trails are also produced for actions
within a system in accordance with operational requirements.
9. Statistics are maintained on instances of unsuccessful authentication as well as
attempted actions that fail due to lack of authorisation.
Practical examples
• For requirement 1: Based on risk analysis, an organisation has found that authentication
is not needed for use of a WLAN visitor network, because no access to protected
information on the organisation’s internal network is technically possible; a user ID/
password combination is sufficient for use of workstations; authentication with a smart
card is needed to access the organisation’s human resources and payroll system.
• For requirement 1: An organisation has a systems priority classification approved by
systems owners determining the strength of authentication required.
• For requirement 1: Different authentication methods have been specified for an
organisation’s network services in accordance with VAHTI 12/2006 instructions. Systems’
owners approve proposals presented by information management if they are in line with
the requirements of the information contained in the systems.
• For requirement 3: The organisation has issued written instructions on good password
practice, including the minimum length of passwords. Quality checking of passwords has
been introduced in systems where it is possible.
• For requirement 8: A health information system logs any viewing of a patient record;
if necessary, the viewer’s need for information and access to it can be traced.
Tools and models
Principles and good practices of identity and access management (Käyttövaltuushallinnon
periaatteet ja hyvät käytännöt, VAHTI 9/2006).
Identification in public administration network services (Tunnistaminen julkishallinnon
verkkopalveluissa, VAHTI 12/2006)
• Sections 4.2–4.3: Reliability of user identification and Reliability of user identification
required by service types.
Personnel security as part of information security (Tärkein tekijä on ihminen – henkilöstöturvallisuus osana tietoturvallisuutta, VAHTI 2/2008)
• Section 4.12: Access management and identification
Observations
Access control is one of the most important practical information security measures. It is
an advantage for an organisation to have standardised principles for authentication and the
logging of access control data, but system-specific principles are also acceptable when, for
example, a jointly agreed way cannot be implemented for technical reasons. It is probable
that a unit that serves as a system owner does not have the necessary expertise to make
concrete technical procedure decisions. Accordingly, IT experts present options and their
risk levels and the owner approves the most suitable option. A user’s first registration as
a user of an organisation’s systems and the granting of access authorisations is discussed
in item 2.7 below.
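The following is an added example, not code from VAHTI 2b/2010 or from any agency, showing requirements 2, 3, 5, 6 and 9 in one small authentication component: every log-in attempt is recorded with the user ID and source, weak passwords are rejected, too many consecutive failures lock the user ID, the log is hash-chained so that later modification is detectable, and failure statistics are derived from the log. The threshold, minimum length, user and password are constructed; PBKDF2 is used for credential storage as a reasonable choice, not as something the instructions prescribe.

```python
"""Access-control illustration: password quality check, lockout after repeated
failures, and a hash-chained log of every log-in attempt.

Added example, not from VAHTI 2b/2010; thresholds, users and passwords are constructed."""
import hashlib
import hmac
import json
import secrets

MIN_LENGTH = 12    # constructed policy value (requirement 3)
MAX_FAILURES = 5   # consecutive failures before the user ID is locked (requirement 6)


def weak_password(pw: str) -> bool:
    """Reject short passwords and those using fewer than three character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) < MIN_LENGTH or sum(classes) < 3


def make_credential(pw: str) -> tuple:
    """Salted PBKDF2 hash; the verifier never stores the password itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def check_credential(cred: tuple, pw: str) -> bool:
    salt, digest = cred
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))


class AccessLog:
    """Append-only log where each entry commits to the previous one (requirement 5).

    Editing or deleting an earlier entry breaks the chain, which verify() reports."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user: str, success: bool, source: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "user": user, "success": success,
                 "source": source, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Authenticator:
    def __init__(self, credentials: dict, log: AccessLog):
        self.credentials = credentials   # user ID -> (salt, hash)
        self.log = log
        self.failures = {}               # consecutive failures per user ID
        self.locked = set()

    def login(self, user: str, password: str, source: str) -> str:
        """Every attempt, successful or not, is logged with user ID and source (req. 2)."""
        if user in self.locked:
            self.log.append(user, False, source)
            return "locked"
        cred = self.credentials.get(user)
        ok = cred is not None and check_credential(cred, password)
        self.log.append(user, ok, source)
        if ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            return "locked"
        return "failed"

    def failure_stats(self) -> dict:
        """Unsuccessful authentications per user ID, derived from the log (req. 9)."""
        stats = {}
        for e in self.log.entries:
            if not e["success"]:
                stats[e["user"]] = stats.get(e["user"], 0) + 1
        return stats
```

Two points worth noticing when adapting this: the statistics are computed from the log rather than kept as separate counters, so they cannot disagree with the audit trail; and the chain only detects modification, it does not prevent it, so the log still has to be shipped to a store the system's own administrators cannot rewrite, as the increased-level requirement intends.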
2.7 Identity and access management
Subarea name
2.7 Identity and access management
Objectives
User IDs and access rights can be connected to the individuals that use them.
Base-level requirements
1. The organisation has agreed identity and access management (IAM) principles.
The granting, changing and removal of user IDs and authorisations has been organised
and responsibilities assigned in accordance with these principles.
2. Access rights are personal or role-specific.
3. Access rights are based on an employment relationship or other written contract, and use
of systems is prevented technically without undue delay after the justification for access
expires.
4. The access rights of individual users can be ascertained.
5. When a new staff member joins the organisation, the first identification is made from
photographic proof of identity or, for an electronic service, using a similar level of
authentication.
Increased-level additional requirements
6. The organisation has a written IAM policy and management process.
7. Every access right has an owner.
8. System access rights are reviewed at least once per year, and unnecessary user IDs,
roles and authorisations are closed or removed.
9. The granting process leaves a record of the grounds on which a user was granted an
access right.
10. Prohibited task and role combinations have been documented, and when authorisations
are granted or changed the creation of prohibited combinations is monitored and
prevented.
High-level additional requirements
11. The number of maintenance and administrator authorisations is monitored and statistics
are kept.
12. Time devoted to the removal of access authorisations is monitored and statistics are kept.
13. The organisation has a documented procedure for the immediate removal or suspension
of user IDs or access rights.
Practical examples
• For requirement 1: An organisation has agreed that all individuals in a public service or
employment relationship automatically receive a user ID for a workstation; user IDs for
applications or servers are given only when a supervisor considers this necessary for their tasks.
• For requirement 2: Workstation user IDs connected to the Virtu trust network are personal.
• For requirement 3: A large organisation operates an automated identity management
system, which is used, among other things, to delete an individual’s user IDs immediately
when the individual’s employment or public service relationship ends.
• For requirement 5: The identity of a potential employee is checked at the interview stage
from photographic proof of identity. In electronic public services, users can register with
bank identity codes.
• For requirement 7: An organisation has agreed that a system owner also owns the
authorisations made for that system, whether they are personal or role-specific or
between technical systems.
Tools and models
Principles and good practices of identity and access management (Käyttövaltuushallinnon
periaatteet ja hyvät käytännöt, VAHTI 9/2006).
• Section 2.2: Access authorisation register planning requirement.
• Chapter 3: Creating preconditions for good access authorisation management.
Personnel security as part of information security (Tärkein tekijä on ihminen – henkilöstöturvallisuus osana tietoturvallisuutta, VAHTI 2/2008)
• Section 4.5: Authorisation
Observations
In an organisation, it would be advantageous for all systems to be covered by the IAM
policy and process, but if this is not possible then principles and processes should be made
specific to each information security level. System-specific implementations should be
avoided, because their maintenance and deployment consume more resources than standard
principles. Most of the measures mentioned here are not in the operating area of the
IT department; they should be part of the processes of staff administration.
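As an added example (not code from VAHTI 2b/2010 or from any agency's IAM system), the following shows the checks an IAM process has to make at grant time and at review time: each grant records who granted it and on what grounds (requirement 9) and which unit owns the right (requirement 7), prohibited role combinations are refused (requirement 10), rights tied to an ended contract are found by the review (requirements 3 and 8), and administrator authorisations are counted (requirement 11). The roles, the prohibited pairs, the owning units and the people are constructed.

```python
"""Identity and access management illustration: grants recorded with grounds,
prohibited role combinations blocked, and rights found when the contract ends.

Added example, not from VAHTI 2b/2010; roles, users and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed segregation-of-duties table (requirement 10): no one may hold both.
PROHIBITED = {frozenset({"payment-approver", "payment-entry"}),
              frozenset({"system-admin", "auditor"})}

ADMIN_ROLES = {"system-admin"}

# Constructed: the unit that owns each access right (requirement 7).
ROLE_OWNERS = {"payment-approver": "finance", "payment-entry": "finance",
               "system-admin": "it-operations", "auditor": "internal-audit"}


class PermissionDenied(Exception):
    pass


@dataclass
class Person:
    user_id: str
    contract_end: Optional[date]                 # None = open-ended employment
    roles: dict = field(default_factory=dict)    # role -> grant record (req. 9)


def grant(person: Person, role: str, granted_by: str, grounds: str, today: date) -> None:
    """Add a role after checking the contract is valid and no prohibited pair results."""
    if person.contract_end is not None and person.contract_end < today:
        raise PermissionDenied(f"{person.user_id}: justification for access has expired")
    for combo in PROHIBITED:
        if role in combo and (combo - {role}) <= set(person.roles):
            raise PermissionDenied(f"{role} conflicts with {sorted(combo - {role})}")
    person.roles[role] = {"granted_by": granted_by, "grounds": grounds,
                          "date": today, "owner": ROLE_OWNERS.get(role, "unknown")}


def expired_access(people: list, today: date) -> list:
    """Requirements 3 and 8: users still holding rights after their contract ended."""
    return sorted(p.user_id for p in people
                  if p.contract_end is not None and p.contract_end < today and p.roles)


def revoke_all(person: Person) -> None:
    """Requirement 13: immediate removal of every right of a user ID."""
    person.roles.clear()


def admin_count(people: list) -> int:
    """Requirement 11: number of administrator authorisations in force."""
    return sum(1 for p in people for r in p.roles if r in ADMIN_ROLES)


if __name__ == "__main__":
    today = date(2010, 7, 15)
    alice = Person("alice", None)
    grant(alice, "payment-entry", "supervisor", "cashier duties", today)
    try:
        grant(alice, "payment-approver", "supervisor", "cover for colleague", today)
    except PermissionDenied as exc:
        print("refused:", exc)
    bob = Person("bob", date(2010, 6, 30))
    grant(bob, "system-admin", "it-manager", "server maintenance", date(2010, 1, 10))
    print("rights to remove:", expired_access([alice, bob], today))
```

The contract end date is the link to staff administration mentioned above: the review function only works if the personnel process feeds that date into the IAM system, which is why the observation places most of these measures outside the IT department.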
2.8 Malware protection
Subarea name
2.8 Malware protection
Objectives
The organisation’s information assets are protected from damage caused by malware
(viruses, spyware, back doors etc.).
Base-level requirements
1. The organisation filters malware both at the workstation level and at all email and WWW
traffic entry and exit points.
2. Malware descriptions are updated regularly and automatically.
Increased-level additional requirements
3. Users are advised how to identify email that disseminates malware and what to do when
they suspect malware is present.
4. The currency of malware descriptions is monitored.
High-level additional requirements
5. A workstation must not be connected to high information security level networks, unless
it has been ascertained that it is free of malware.
6. The coverage of malware filtering is measured and monitored.
Practical examples
• For requirement 1: Based on risk analysis, an organisation has found that at the
workstation level malware protection is needed only in Windows-based workstations
and in smartphones in which the organisation’s email and calendar services are in use. In
addition, a malware filter is installed in the email server and in the WWW proxy server.
Tools and models
General instructions on protection against malware (Haittaohjelmilta suojautumisen
yleisohje, VAHTI 3/2004)
• Chapter 5: How to avoid infection
• Annex 3: User’s quick guide
ISO/IEC 27002 standard
• Sections 10.4 and 10.6
Observations
Malware spreads in a number of different ways; email and WWW pages are the most typical
but certainly not the only channels. Increasing malware filtering to WWW connection points
may require additional financial investment, but will probably reduce the amount of work
arising from malware removal.
Recognition and blocking of tailored malware attacks is technically difficult. For this reason,
raising user awareness of the problem is very important.
2.9 Protection of physical environment
Subarea name
2.9 Protection of physical environment
Objectives
Realisation of information security risks is also prevented by using suitable physical security
procedures.
Base-level requirements
1. The organisation has recognised the protection class required for its own premises and
differentiated the parts requiring a different protection class by restricting movement
between premises.
2. The organisation has agreed on a personal and role level who can access IT equipment
premises, and access control has been organised accordingly.
Increased-level additional requirements
3. The differentiation of premises into protection classes has been documented.
4. The locations of telecommunications equipment, connections and connection points
have been taken into account in protection classification.
High-level additional requirements
5. Premises and movement in them are monitored, and the monitoring procedure is
documented.
6. Outsiders’ activity in computer rooms is monitored.
Practical examples
• For requirements 1 and 4: An internal network telecommunications socket was removed
from sauna facilities used by an organisation, because they were also hired to outsiders.
Tools and models
Recommendation on premises security in central government (VM 1/01/1999)
Effective Information Security (VAHTI 5/2009)
• Section 12.2: Classification of facilities.
Security recommendation for ICT premises (Tietoteknisten laitetilojen turvallisuussuositus,
VAHTI 1/2002)
• Chapter 3: Information security measures for IT equipment premises by subarea.
Personnel security as part of information security (Tärkein tekijä on ihminen – henkilöstöturvallisuus osana tietoturvallisuutta, VAHTI 2/2008)
• Annex 5: Implementation of access management in accordance with EU regulations
Protective construction requirements
• S1-S3, Internal Security Programme STOII
Observations
The differentiation of premises into protection classes is, in physical security, the
counterpart of the differentiation of information networks in item 2.5 above.
2.10 Back-up management
Subarea name
2.10 Back-up management
Objectives
Uncontrolled loss of information from the organisation is prevented, and the impact of
various disruptions on the organisation’s activities is reduced.
Base-level requirements
1. The making of back-up copies in the organisation has been organised and responsibilities
assigned.
2. The organisation has recognised the essential assets to be protected by back-up copying,
which is made according to a plan. The restoration of back-up copies has also been planned.
Increased-level additional requirements
3. The organisation has a back-up policy and process, which have been prepared taking
operational requirements into account and which provide instructions on the handling
of back-up and safe copies during transfer and storage.
4. The organisation makes safe copies of the most important systems and they and the
original back-up copies are stored in different premises.
High-level additional requirements
5. The restoration of different systems’ back-up copies is tested regularly.
6. Statistics are kept on the amount of information restored from back-up copies and
the reasons for restoration.
Practical examples
• For requirement 2: An organisation for which telecommunications infrastructure is
a critical protected item also makes back-up copies of the configurations of routers
and other active network devices.
• For requirement 3: A full back-up of a high-level information system is made every
week, and a back-up of altered information is made every night, because a system
requirement is the capability to return to the previous day’s situation after a malfunction.
An unencrypted safe copy of a system can be transferred to another building only when
accompanied by an organisation employee.
• For requirement 5: Every six months, a test is made of the restoration of some back-up
volume to a test system.
Tools and models
The Finnish Pension Alliance (TELA) insurance industry recommendation
• Making safe copies
Observations
Back-up copying policies may be system-specific.
A safe copy means a full back-up of a system and is intended for long-term storage.
When planning back-up copying, it is important to decide what will be back-up copied and
how often (database, software with settings, operating system). In addition, time limits
of continuity and recovery plans should be taken into account.
Ensuring an organisation’s operational continuity is discussed in the item 1.2.5 “Special
situations management” above. ICT systems recovery planning is discussed in the item 2.12
“Recovery of information systems from disruptions” below.
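The practical example for requirement 3 above (a weekly full back-up plus a nightly copy of changed data, so that the previous day's situation can be restored) is worked through below as an added illustration; it is not code from VAHTI 2b/2010 or from any agency. It plans which copies a restoration needs, reports the age of the recovery point, and flags an overdue restoration test (requirement 5). The schedule, dates and the six-month test interval are constructed, and the nightly copy is modelled as an incremental (changes since the previous copy), which is one reading of "a back-up of altered information".

```python
"""Back-up chain planning: which copies are needed to restore to a given day,
and whether the schedule meets the recovery-point and test requirements.

Added example, not from VAHTI 2b/2010; dates and copy names are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str     # "full" or "incremental" (changed data since the previous copy)
    label: str


def restore_chain(backups: list, target: date) -> list:
    """Copies to apply, in order, to recover the state as of `target`.

    Returns [] if no full back-up exists on or before the target: incrementals
    without the full copy they build on cannot be restored."""
    usable = sorted((b for b in backups if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        return []
    last_full = fulls[-1]
    return [last_full] + [b for b in usable
                          if b.kind == "incremental" and b.taken > last_full.taken]


def recovery_point_age(backups: list, target: date):
    """Days between the target day and the newest copy that can be restored."""
    chain = restore_chain(backups, target)
    return (target - chain[-1].taken).days if chain else None


def weekly_schedule(start: date, weeks: int, full_weekday: int = 6) -> list:
    """Constructed schedule: full copy every Sunday, incremental every other night."""
    out = []
    for i in range(weeks * 7):
        d = start + timedelta(days=i)
        kind = "full" if d.weekday() == full_weekday else "incremental"
        out.append(Backup(d, kind, f"{kind}-{d.isoformat()}"))
    return out


def restore_test_overdue(last_test: date, today: date, max_months: int = 6) -> bool:
    """Requirement 5: restoration is tested regularly (here: at least every six months)."""
    return (today - last_test).days > max_months * 30


if __name__ == "__main__":
    sched = weekly_schedule(date(2010, 3, 1), weeks=2)   # 2010-03-01 is a Monday
    for b in restore_chain(sched, date(2010, 3, 10)):
        print(b.label)
    print("recovery point age (days):", recovery_point_age(sched, date(2010, 3, 10)))
    print("before the first full copy:", restore_chain(sched, date(2010, 3, 3)))
```

The empty chain for a target before the first full copy is the case a restoration test (requirement 5) is meant to surface before an incident does: a week of nightly copies is worthless if the full copy they depend on was never made or cannot be read.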
2.11 Monitoring of information security incidents
Subarea name
2.11 Monitoring of information security incidents
Objectives
Information security incidents can be detected and investigated.
Special demands for Finland
1. The confidentiality and correct processing of electronic messages, identification data
and location data are also addressed in the processing of log data (Act on the Protection
of Privacy in Electronic Communications, sections 4 and 5).
Base-level requirements
2. Equipment, software and information systems make sufficient logs and audit trails
of their activities.
Increased-level additional requirements
3. The organisation has a written log collection, alert and monitoring policy, which has
been prepared taking operational requirements into account.
High-level additional requirements
4. On the basis of log monitoring, a situation picture is formulated, information security
incidents detected and operations developed.
Practical examples
• For requirements 2 and 3: In an organisation, all equipment and information
systems write their logs into a centralised log server, which maintenance staff
can use, if necessary, to investigate the causes of malfunctions and information
security incidents.
Tools and models
Instructions for information security in case management
(Asianhallinnan tietoturvallisuutta koskeva ohje, VAHTI 5/2006)
• Chapter 5: Log and change history data.
Logging instructions (Lokiohje, VAHTI 3/2009)
ISO/IEC 27002
• Section 10.10: Monitoring
Observations
The item 2.2 “Asset management” above covers the equipment, software and systems
that an organisation has. Concrete log instructions may be system- or platform-specific,
but the organisation should have general principles on what is logged, where and for how
long; the kinds of signals that trigger an immediate alert to maintenance staff should also
be specified. The automation of log monitoring saves staff costs.
Requirements relating to the handling of information security incidents have also been
outlined in the items 1.1.5 “Management in special situations” and 1.3.3 “Actions in special
situations” above.
2.12 Recovery of information systems from disruptions
Subarea name
2.12 Recovery of information systems from disruptions
Objectives
Contingency plans are prepared for disruptions encountered by ICT systems,
to ensure that the systems recover sufficiently quickly from such disruptions.
Special demands for Finland
1. ICT system owners know their responsibilities in respect of ICT contingency planning,
and operations have been organised and responsibilities assigned accordingly.
Base-level requirements
2. The investigation of ICT system disruptions and recovery from them has been organised
and responsibilities assigned.
3. The organisation has a general recovery strategy and plan for disruptions to its own
most important systems, including a management-approved order of importance
for ICT services.
Increased-level additional requirements
4. The organisation has written recovery plans for its most important systems.
High-level additional requirements
5. A record is kept of system disruptions and their causes. This information is used in risk
analyses and service level agreements.
Practical examples
• For requirement 2: In an organisation, the information management operations
manager is responsible for the smooth operation of ICT services. The operations manager
has appointed for each ICT service a technical officer to initiate measures in accordance
with the recovery plan if necessary.
• For requirement 3: As a general recovery strategy, an organisation has selected the
outsourcing of services and sufficient service level agreements. Recovery plan
preparation is thus the responsibility of the service provider.
• For requirement 4: An organisation has selected the use of back-up equipment as a
general ICT services recovery strategy. As a result the organisation has plans concerning
the transfer of the most important services to the back-up equipment if the situation
so demands.
Tools and models
Effective Information Security (VAHTI 5/2009)
• Recovery plan framework p. 77
Securing the central government’s key information systems
(Valtionhallinnon keskeisten tietojärjestelmien turvaaminen, VAHTI 5/2004)
• Sections 4.3, 5.7 and 10.6: Special characteristics of the recovery of different systems
Preliminary study of ICT contingency planning in central government
Tools for continuity management prepared by the National Emergency Supply Agency
Observations
Securing the continuity of organisations’ core processes and operations is discussed in
the item 1.2.5 “Special situations management” above. Here, only the recovery of ICT
systems from various disruptions and problems is addressed.
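Requirement 5 above asks for a record of system disruptions and their causes that feeds risk analyses and service level agreements, and requirement 3 for a management-approved order of importance for ICT services. The following Python block is an added illustration, not part of the VAHTI text: a constructed disruption record is summarised per service into incident count, total and mean recovery time, achieved availability against an SLA target and the dominant cause, listed in the approved priority order. The services, priorities, SLA targets and incidents are assumptions made for the example.

```python
"""Added example (not from the VAHTI text): a disruption record of the kind
requirement 5 of subarea 2.12 asks for, summarised into the figures that feed
risk analyses and service level agreements. All data below is constructed."""
from collections import Counter
from datetime import datetime

# Management-approved order of importance and SLA availability target per
# service (assumption: recorded as data next to the recovery plan).
SERVICES = {
    "case-management": {"priority": 1, "sla_availability": 0.999},
    "email": {"priority": 2, "sla_availability": 0.995},
    "intranet": {"priority": 3, "sla_availability": 0.995},
}

# Constructed record: (service, start, end, cause category, note).
DISRUPTIONS = [
    ("case-management", "2012-03-04T09:10:00", "2012-03-04T11:40:00", "hardware", "storage controller failure"),
    ("case-management", "2012-05-20T22:00:00", "2012-05-21T01:00:00", "change", "failed patch, rolled back"),
    ("email", "2012-02-11T07:30:00", "2012-02-11T08:00:00", "software", "mail queue filled up"),
    ("intranet", "2012-06-15T12:00:00", "2012-06-16T12:00:00", "hardware", "disk failure, no spare on site"),
]

def _hours(start_iso, end_iso):
    """Outage length in hours from two ISO timestamps."""
    return (datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)).total_seconds() / 3600

def summarise(period_hours, disruptions=DISRUPTIONS, services=SERVICES):
    """Per service: incident count, downtime, mean time to recover, availability,
    SLA breach flag and dominant cause, ordered by management priority."""
    out = {}
    for name, meta in services.items():
        own = [d for d in disruptions if d[0] == name]
        downtime = sum(_hours(d[1], d[2]) for d in own)
        causes = Counter(d[3] for d in own)
        availability = 1 - downtime / period_hours
        out[name] = {
            "priority": meta["priority"],
            "incidents": len(own),
            "downtime_h": round(downtime, 2),
            "mttr_h": round(downtime / len(own), 2) if own else 0.0,
            "availability": round(availability, 5),
            "sla_breached": availability < meta["sla_availability"],
            "top_cause": causes.most_common(1)[0][0] if causes else None,
        }
    return dict(sorted(out.items(), key=lambda kv: kv[1]["priority"]))

if __name__ == "__main__":
    # January to June 2012 (leap year): 182 days
    for name, row in summarise(182 * 24).items():
        print(name, row)
```

The "top_cause" column is the link to the risk analysis: a service whose breaches are dominated by one cause category (here hardware without spares) points at the control that the recovery plan should strengthen first.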
2.13 Management of information system development and application maintenance
Subarea name
2.13 Management of information system development and
application maintenance
Objectives
It is ensured that developed and maintained information systems correspond to the
desired information security level, irrespective of the system development method
(e.g. commercial off-the-shelf, customised or the result of own development).
Base-level requirements
1. The system owner approves the information security level which the system will follow
when ready or after changes.
2. A risk analysis is carried out to identify the system’s information security requirements
for an invitation to tender, requirement specification or project plan for the installation
of a new version.
3. Functionality tests are performed before the system is taken into production.
Increased-level additional requirements
4. The procuring organisation has an information system architecture policy containing
information security requirements which procured and developed systems must fulfil.
5. If the organisation procures customised information systems or develops them itself,
it has a documented development process, and information security has been taken into
account in its various stages.
6. As part of a procurement or development project, a written security plan and users’
manual is prepared for each system, specifying how the system is protected in production
and the nature of the information security measures required of users.
7. The information security of system specifications and implementations has been audited.
High-level additional requirements
8. The information security officer checks each system’s information security description
or plan(s).
9. During development or customisation work, information security reviews of critical
elements are arranged and minutes kept of these reviews.
Practical examples
• For requirement 1: An organisation has a systems priority classification approved
by systems owners, on the basis of which the required information security level is
determined.
• For requirement 2: In addition to a risk analysis, the contents of section 10.3 of VAHTI
instructions 5/2004 are used as a checklist in preparing information security requirements
for acquired software.
• For requirement 9: Reviews are arranged, for example, as peer reviews, in project group
or programming team meetings, or using an external auditor.
Tools and models
Information security recommendation for central government information system
development (Tietojärjestelmäkehityksen tietoturvallisuussuositus, VAHTI 3/2000)
Securing the central government’s key information systems
(Valtionhallinnon keskeisten tietojärjestelmien turvaaminen, VAHTI 5/2004)
• Chapter 10: Software security
• For application maintenance also section 12.4: Change management
Change and information security, from regionalisation to outsourcing – A controlled
process (Muutos ja tietoturvallisuus, alueellistamisesta ulkoistamiseen – hallittu
prosessi, VAHTI 7/2006)
• An information security assessment model for outsourced information systems, p. 61
Observations
Good operating practices concerning the procurement and development of information
systems, taking information security into account, help an organisation in safeguarding
its overall information security. The earlier the information security requirements set for
software are known, the better the quality of the result and the lower the costs. A risk analysis
is an excellent tool in the preparation of information security requirements, provided that
it focuses on the system itself and not on the project’s scheduling or staff risks. Particularly
at the invitation to tender stage, detailed requirements for information security are
recommended, to ensure that information security is taken into account at as early a stage as
possible.
One of the best means of positively impacting the quality of programming is to arrange
reviews and make developers aware of the reviews.
Annex 6: Substitute procedures
Owing to the special characteristics of an organisation’s functions, there may be
a good reason why it cannot implement individual requirements set by the
information security levels. It is therefore possible to take into use substitute
procedures to fulfil the original objective of the requirements and to ensure
an adequate level of information security. Substitute procedures can be used
temporarily, for example, when the implementation of an original requirement
has been budgeted for the end of an organisation’s operating and financial planning
period. A technical restriction relating to a single system is not, however,
sufficient justification to deviate from a requirement in all systems.
It should be noted that substitute procedures may not be used for statutory
requirements.
A substitute procedure can only be approved if the organisation has
documented sufficient justifications to deviate from the original requirement,
assessed the risks arising from deviation, and specified and implemented adequate
controls to reduce risk to the level demanded by the original requirement. The
management of the organisation must approve these justifications.
In information processing environments shared by a number of organisations, the
internal approval of one organisation alone is not sufficient: the use of a
substitute procedure must always be approved by an external auditor approved by the
Ministry of Finance. The use of substitute procedures should be avoided; they
are always individual cases and their number should be minimised.
The following description must be completed for each substitute procedure:
Description of substitute procedure
Requirement being replaced
State here the original requirement to which the substitute procedure relates.
Justification for why the requirement cannot be fulfilled
Describe why it is not possible for the organisation to implement the original requirement.
The objective of the requirement, and risk assessment
Describe the objective of the original requirement or the risk that the original requirement
controls, and the risk caused by deviation from the requirement.
Description of substitute procedure
Describe the alternative way or ways by which the objective of the original requirement is
fulfilled in the organisation or the risk caused by deviation from the requirement is reduced
to a level which corresponds to the required level of implementation or is higher than that.
Validity of the substitute procedure
Substitute procedures are mainly meant to be temporary solutions. Give the timetable
within which the organisation intends to fulfil the original requirement.
Approvals
A prerequisite for the use of substitute procedures is that at least the organisation’s
management has reviewed them and approved that they are necessary and adequate.
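The description table above lists the fields every substitute procedure must carry, and the annex text states the conditions under which one can be accepted: no substitute for statutory requirements, documented justification, risk assessment and controls, management approval, external auditor approval in multi-organisation environments, and a timetable since the arrangement is meant to be temporary. The following Python block is an added illustration, not part of the annex: a record type with those fields and a check that returns the reasons a record cannot be accepted. The two records, their dates and the wording of the reasons are constructed for the example.

```python
"""Added example (not part of the VAHTI annex): a substitute-procedure record
carrying the fields of the description table, and a check encoding the annex's
conditions for approval. The records and dates below are constructed."""
from dataclasses import dataclass
from datetime import date

@dataclass
class SubstituteProcedure:
    requirement: str                    # requirement being replaced
    statutory: bool                     # statutory requirements admit no substitute
    justification: str                  # why the requirement cannot be fulfilled
    objective_and_risk: str             # objective of the requirement, risk of deviating
    description: str                    # alternative controls that reduce the risk
    valid_until: str                    # ISO date by which the original requirement is met
    management_approved: bool
    multi_organisation: bool = False    # environment shared by several organisations
    external_auditor_approved: bool = False

def check(proc, today_iso):
    """Return the list of reasons the record cannot be accepted; empty means acceptable."""
    problems = []
    if proc.statutory:
        problems.append("statutory requirement: no substitute procedure allowed")
    for field_name in ("justification", "objective_and_risk", "description"):
        if not getattr(proc, field_name).strip():
            problems.append(f"{field_name} not documented")
    if not proc.management_approved:
        problems.append("management approval missing")
    if proc.multi_organisation and not proc.external_auditor_approved:
        problems.append("external auditor approval required in a multi-organisation environment")
    if date.fromisoformat(proc.valid_until) < date.fromisoformat(today_iso):
        problems.append("validity period expired; the original requirement should now be fulfilled")
    return problems

# Constructed record that meets the annex's conditions.
ACCEPTABLE = SubstituteProcedure(
    requirement="2.11 requirement 3: written log collection, alert and monitoring policy",
    statutory=False,
    justification="The policy depends on the central log server budgeted for next year.",
    objective_and_risk="Incidents may go undetected while logs remain on individual systems.",
    description="Weekly manual review of authentication logs by the security officer "
                "until the central server and the written policy are in place.",
    valid_until="2013-06-30",
    management_approved=True,
)

# Constructed record that fails on several conditions at once.
REJECTED = SubstituteProcedure(
    requirement="(placeholder) a statutory requirement",
    statutory=True,
    justification="",
    objective_and_risk="(placeholder)",
    description="(placeholder)",
    valid_until="2012-01-31",
    management_approved=False,
    multi_organisation=True,
)

if __name__ == "__main__":
    for label, rec in (("acceptable", ACCEPTABLE), ("rejected", REJECTED)):
        print(label, check(rec, "2012-09-01") or "OK")
```

Running the check again with a later date is how the temporary nature of the arrangement is enforced: a record that was acceptable when approved turns into a finding once its timetable has passed without the original requirement being fulfilled.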
Annex 7: Valid VAHTI publications
• VAHTI Annual Report 2011 (VAHTIn toimintakertomus 2011, VAHTI
1/2012)
• Instructions on government ICT procurement
(Valtion ICT-hankintojen tietoturvaohje, VAHTI 3/2011) *
• Information security instructions for management
(Johdon tietoturvaopas, VAHTI 2/2011) *
• Information Security Instructions for Social Media, VAHTI 4b/2010
• Information security instructions on internal networks
(Sisäverkko-ohje, VAHTI 3/2010) *
• Instructions on Implementing the Decree on Information Security
in Central Government, VAHTI 2/2010
• Government Resolution on Enhancing Information Security
in Central Government, VAHTI 7/2009
• Targeted cyber attacks
(Kohdistetut hyökkäykset, VAHTI 6/2009) *
• Effective Information Security, VAHTI 5/2009
• Information Security Instructions for Personnel, VAHTI 4/2009
• Logging instructions
(Lokiohje, VAHTI 3/2009) *
• General instructions on ICT contingency planning
(ICT-toiminnan varautuminen häiriö- ja erityistilanteisiin,
VAHTI 2/2009) *
• General instructions for projects’ information security
(Hankkeen tietoturvaohje, VAHTI 9/2008) *
• Central government information security glossary
(Valtionhallinnon tietoturvasanasto, VAHTI 8/2008)
• Informationssäkerhetsanvisning för personalen, VAHTI 7/2008
• Information security is an attitude
– A report of public administration information security training needs
(Tietoturvallisuus on asenne! Selvitys julkishallinnon
tietoturvakoulutustarpeista, VAHTI 6/2008) *
• Preliminary study on government 24/7 information security monitoring
(Valtionhallinnon 24/7-tietoturvavalvonnan hanke-ehdotus,
VAHTI 5/2008) *
• Information security instructions on central government encryption
practices (Valtionhallinnon salauskäytäntöjen tietoturvaohje,
VAHTI 3/2008) *
• Personnel security as part of information security
(Tärkein tekijä on ihminen - henkilöstöturvallisuus osana
tietoturvallisuutta, VAHTI 2/2008) *
• Smartphone information security – Good practices
(Älypuhelimien tietoturvallisuus - hyvät käytännöt, VAHTI 2/2007) *
• From participation to influence – Central government challenges in
international information security work
(Osallistumisesta vaikuttamiseen - Valtionhallinnon haasteet
kansainvälisessä tietoturvatyössä, VAHTI 1/2007) *
• Identification in public administration network services
(Tunnistaminen julkishallinnon verkkopalveluissa, VAHTI 12/2006) *
• Guide for information security trainers
(Tietoturvakouluttajan opas, VAHTI 11/2006) *
• Principles and good practices of identity and access management
(Käyttövaltuushallinnon periaatteet ja hyvät käytännöt, VAHTI 9/2006) *
• Information security assessment in central government
(Tietoturvallisuuden arviointi valtionhallinnossa, VAHTI 8/2006) *
• Change and information security, from regionalisation to outsourcing
– a controlled process
(Muutos ja tietoturvallisuus, alueellistamisesta ulkoistamiseen
- hallittu prosessi, VAHTI 7/2006) *
• Setting and measuring information security objectives
(Tietoturvatavoitteiden asettaminen ja mittaaminen, VAHTI 6/2006) *
• Instructions for information security in case management
(Asianhallinnan tietoturvallisuutta koskeva ohje, VAHTI 5/2006) *
• A survey of information security resources in central government
(Selvitys valtionhallinnon tietoturvaresurssien jakamisesta,
VAHTI 3/2006) *
• Electronic Mail-handling Instruction for State Government,
VAHTI 2/2006
• Management of information security incidents
(Tietoturvapoikkeamatilanteiden hallinta, VAHTI 3/2005) *
• Information Security and Management by Results, VAHTI 1/2005
• Securing the state administration’s key information systems
(Valtionhallinnon keskeisten tietojärjestelmien turvaaminen,
VAHTI 5/2004) *
• Datasäkerhet och resultatstyrning, VAHTI 4/2004
• General instructions on protection against malware
(Haittaohjelmilta suojautumisen yleisohje, VAHTI 3/2004) *
• Instructions on risk assessment to promote information security
in central government
(Ohje riskien arvioinnista tietoturvallisuuden edistämiseksi
valtionhallinnossa, VAHTI 7/2003) *
• Recommendation on the assessment of the information security
management system
(Tietoturvallisuuden hallintajärjestelmän arviointisuositus,
VAHTI 3/2003) *
• Secure remote access from insecure networks
(Turvallinen etäkäyttö turvattomista verkoista, VAHTI 2/2003) *
• Central government internet information security instructions
(Valtionhallinnon tietohallinnon internet-tietoturvallisuusohje,
VAHTI 1/2003) *
• Central government remote working information security instructions
(Valtionhallinnon etätyön tietoturvallisuusohje, VAHTI 3/2002) *
• Information security recommendation for ICT premises
(Tietoteknisten laitetilojen turvallisuussuositus, VAHTI 1/2002) *
• General instructions on the information security of e-services
(Sähköisten palveluiden ja asioinnin tietoturvallisuuden yleisohje,
VAHTI 4/2001) *
• Information security recommendation on central government
information system development
(Tietojärjestelmäkehityksen tietoturvallisuussuositus, VAHTI 3/2000) *
* Only available in Finnish
MINISTRY OF FINANCE
Snellmaninkatu 1 A, Helsinki
PO BOX 28, 00023 Government
Tel. +358 2955 30009
Fax +358 9 160 33123
www.financeministry.fi
August 2012