Data system listing and owner assignment

Critical
High
Normal
Low

Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.

Data system documentation must include at least:

  • System purpose and linked responsibilities
  • System's data location (covered in a separate task)
  • System's maintenance and development responsibilities and linked partners (covered in a separate task)
  • When necessary system's access roles and authentication methods (covered in a separate task)
  • When necessary systems interfaces to other systems (covered in a separate task)
Connected other frameworks and requirements:
I06: Pääsyoikeuksien hallinnointi
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
24. Responsibility of the controller
GDPR
5. Principles relating to processing of personal data
GDPR
32. Security of processing
GDPR

Documentation of data sets for data stores

Critical
High
Normal
Low

The organization shall maintain a list of data sets contained in the data stores it manages.

The documentation shall include at least the following information:

  • Data systems and other means used to process the data sets
  • Key categories of data in the data set (and whether it contains personal data)
  • Data retention period (discussed in more detail in a separate task)
  • Information on archiving / disposal of data (discussed in more detail in a separate task)
Connected other frameworks and requirements:
T07: Tietojen luokittelu
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
4 luku, 15 §: Tietoaineistojen turvallisuuden varmistaminen
6. Lawfulness of processing
GDPR
5. Principles relating to processing of personal data
GDPR

Data store listing and owner assignment

Critical
High
Normal
Low

Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.

Data store documentation must include at least:

  • Connected responsibilities
  • Data processing purposes (covered in a separate task)
  • Data sets included in the data store (covered in a separate task)
  • Data disclosures (covered in a separate task)
  • When necessary, data stores connections to action processes
Connected other frameworks and requirements:
2 luku, 5 §: Tiedonhallintamalli ja muutosvaikutuksen arviointi
6. Lawfulness of processing
GDPR
5. Principles relating to processing of personal data
GDPR
8.1.1: Inventory of assets
ISO 27001
ID.GV-4: Processes
NIST CSF

Identifying critical functions and related assets

Critical
High
Normal
Low

The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.

Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.

Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.

Connected other frameworks and requirements:
1.1 (MIL1): Manage IT and OT Asset Inventory
C2M2

Alkuperäisten turvatoimien soveltaminen tietojen kopioihin ja käännöksiin

Critical
High
Normal
Low

Tulostimet ja kopiokoneet tulkitaan tietojärjestelmiksi ja niiden tulee siten täyttää vaatimukset sekä teknisen, fyysisen että hallinnollisen tietoturvallisuuden osalta. Tekniset vaatimukset voi täyttää muun muassa erillislaiteratkaisulla.

Vaatimus voidaan täyttää siten, että toteutetaan alla mainitut toimenpiteet:

  • Kopioita käsitellään kuten alkuperäistä tietoa.
  • Kopion voi luovuttaa edelleen vain henkilölle, jolla on käsittelyoikeus tietoon ja tarve tietosisältöön.
  • Kopion/tulosteen saa ottaa vain ko. turvallisuustason vaatimukset täyttävällä laitteella.



Connected other frameworks and requirements:
1.1 (MIL1): Manage IT and OT Asset Inventory
C2M2

Documentation of other protected assets

Critical
High
Normal
Low

The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.

A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning).

Connected other frameworks and requirements:
8.1.1: Inventory of assets
ISO 27001
8.1.2: Ownership of assets
ISO 27001
ID.AM-1: Physical device inventory
NIST CSF
ID.AM-2: Software and app inventory
NIST CSF
5.9: Inventory of information and other associated assets
ISO 27001
No items found.