Tietoturvavaatimusten analysointi ja määrittely

Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.

Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

• ISO 27001 (information security management system)
• SOC2 (general security, also called SSAE 16)
• ISO 27701 (data protection management system)
• ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
• other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Determined system portfolio management means a clear picture of the organization's system as a whole, the benefits of different systems and future needs.

The aim of system portfolio management is to achieve e.g.:

• efficiency benefits by understanding the whole and e.g. the possibilities of integrations
• eliminate duplication
• save on unnecessary licensing costs
• control the number of suppliers
• facilitate staff guidance

The processing agreement binds the actions of the data processor (such as the system vendor).

It can be important for us to ensure an important partner takes responsibility of e.g. access control (logging) and data recovery at the end of the contract according to our preferred policies.