
Data system listing and owner assignment

The organisation must maintain a list of the data systems in use and their owners. The owner is responsible for completing the related documentation and any other security actions directly related to the data system.

Data system documentation must include at least:

  • the system's purpose and linked responsibilities
  • the system's data location (covered in a separate task)
  • the system's maintenance and development responsibilities and linked partners (covered in a separate task)
  • when necessary, the system's access roles and authentication methods (covered in a separate task)
  • when necessary, the system's interfaces to other systems (covered in a separate task)

Connected other frameworks and requirements:
  • I06: Administration of access rights
  • Chapter 4, Section 13: Information security of data sets and information systems
  • 24. Responsibility of the controller (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)
  • 32. Security of processing (GDPR)

Staff guidance and training procedure in cyber security

Our organization has defined procedures for maintaining staff cyber security awareness. These may include, for example:

  • staff receive instructions describing the general guidelines of digital security related to their job role
  • staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
  • staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the security aspects most relevant to each job role and cover, often enough, the basics that concern all employees:

  • employee's personal security responsibilities (e.g. for devices and processed data)
  • policies relevant for everyone (e.g. security incident reporting)
  • guidelines relevant for everyone (e.g. clean desk)
  • organization's security roles (who to contact with problems)

Connected other frameworks and requirements:
  • T11: Security training and awareness
  • Chapter 2, Section 4: Organising information management in an information management unit
  • 29. Processing under the authority of the controller or processor (GDPR)
  • 32. Security of processing (GDPR)
  • 7.2.1: Management responsibilities (ISO 27001)

Treatment process and documentation of occurred security incidents

All security incidents are addressed in a consistent manner to improve security based on what has happened.

In the incident treatment process:

  • the reported incident is confirmed (or found unnecessary to record)
  • the type and cause of the incident are documented
  • the risks associated with the incident are documented
  • the risks are re-evaluated and, if necessary, treated after the incident
  • risk mitigation measures, or a decision to accept the risks, are documented
  • the people who need to be informed of the results of the incident treatment are identified (including external ones)
  • the possible need for a post-incident analysis is determined

Connected other frameworks and requirements:
  • T06: Management of security incidents
  • 32. Security of processing (GDPR)
  • 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (GDPR)
  • 16.1.5: Response to information security incidents (ISO 27001)
  • DE.AE-2: Analyze detected events (NIST CSF)

Personnel guidelines for safe data system and authentication info usage

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Connected other frameworks and requirements:
  • 32. Security of processing (GDPR)
  • 29. Processing under the authority of the controller or processor (GDPR)
  • 8.1.3: Acceptable use of assets (ISO 27001)
  • 12.1.1: Documented operating procedures (ISO 27001)
  • 9.1.1: Access control policy (ISO 27001)

Regular reviewing of data system access rights

The data system owner determines the access roles to the system according to the users' tasks. Compliance of the actual access rights with the planned ones must be monitored, and the rights must be reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

Connected other frameworks and requirements:
  • I06: Administration of access rights
  • Chapter 4, Section 16: Management of access rights to information systems
  • 24. Responsibility of the controller (GDPR)
  • 32. Security of processing (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)

Designation of data set owners

An owner is assigned to each data set. The owner is responsible for the life cycle of the information asset and for performing the management tasks related to it.

The owner's duties include, for example:

  • ensuring the documentation of the asset
  • ensuring appropriate protection of the asset
  • regularly reviewing access rights
  • ensuring proper handling of the information, including on disposal

The owner can delegate some of the tasks, but the responsibility remains with the owner.

Connected other frameworks and requirements:
  • 32. Security of processing (GDPR)
  • 8.1.2: Ownership of assets (ISO 27001)
  • 18.1.3: Protection of records (ISO 27001)
  • Chapter 4, Section 13: Information security of data sets and information systems
  • Chapter 4, Section 15: Ensuring the security of data sets

General security competence and awareness of personnel

All personnel working under the organization's direction must be aware of:

  • how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
  • the consequences of non-compliance with the requirements of the information security management system
  • which personnel roles affect the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

Connected other frameworks and requirements:
  • 32. Security of processing (GDPR)
  • 29. Processing under the authority of the controller or processor (GDPR)
  • 7.2.2: Information security awareness, education and training (ISO 27001)
  • 7.2.1: Management responsibilities (ISO 27001)
  • PR.AT-1: Awareness (NIST CSF)

Process for initiating data breach treatment

Our organization has pre-defined procedures through which a detected security breach is addressed. The process may include, for example:

  • who is part of the team that is ready to respond to breaches
  • how, and through which channel, the entire team is immediately notified of a breach
  • how the team determines the severity (low, medium, high) of the breach based on predefined criteria
  • how breach management continues with a larger group according to the severity level

Connected other frameworks and requirements:
  • 24. Responsibility of the controller (GDPR)
  • 32. Security of processing (GDPR)
  • 16.1.5: Response to information security incidents (ISO 27001)
  • 16.1.7: Collection of evidence
  • 5.26: Response to information security incidents (ISO 27001)

Amount, competence and adequacy of key cyber security personnel

The organization shall have a sufficient number of trained, supervised and, where necessary, properly security-cleared personnel in key information security roles, performing the management tasks related to the information security management system.

The organization has defined:

  • what qualifications this staff should have
  • how qualifications are acquired and ensured (e.g. through appropriate training and training monitoring)
  • how qualifications can be demonstrated through documentation

The owner of the task regularly reviews the number and level of competence of the security personnel.

Connected other frameworks and requirements:
  • T03: Resources for security work
  • 32. Security of processing (GDPR)
  • 37. Designation of the data protection officer (GDPR)
  • 6.1.1: Information security roles and responsibilities (ISO 27001)
  • ID.GV-2: Cybersecurity role coordination (NIST CSF)

Monitoring suppliers' compliance with security requirements

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

  • monitoring the promised service level
  • reviewing supplier reports and arranging follow-up meetings
  • regularly arranging independent audits
  • following up on problems identified in audits
  • investigating security incidents in more detail and reviewing the related documentation
  • reviewing the supplier's future plans (related to maintaining the service level)

Connected other frameworks and requirements:
  • 32. Security of processing (GDPR)
  • 15.1.1: Information security policy for supplier relationships (ISO 27001)
  • 15.2.1: Monitoring and review of supplier services (ISO 27001)
  • ID.GV-2: Cybersecurity role coordination (NIST CSF)
  • ID.SC-1: Cyber supply chain (NIST CSF)

Avoiding and documenting shared user accounts

Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.

If shared accounts are used for admin purposes, passwords must be changed as soon as possible after any user with admin rights leaves their job.

Connected other frameworks and requirements:
  • I07: Identification of actors in the data processing environment
  • 32. Security of processing (GDPR)
  • 9.2.4: Management of secret authentication information of users (ISO 27001)
  • 5.16: Identity management (ISO 27001)
  • 4.1 (MIL1): Establish Identities and Manage Authentication (C2M2)

Privacy-related codes of conduct and certification

GDPR encourages the introduction of general codes of conduct and certification mechanisms, data protection seals and marks, especially at the European Union level.

The idea behind all of these is to demonstrate that processing complies with good data processing practice and data protection requirements. The European Data Protection Board will collect all available certification mechanisms into a publicly available register.

Connected other frameworks and requirements:
  • 32. Security of processing (GDPR)

Pseudonymisation of personal data

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.

Connected other frameworks and requirements:
  • 32. Security of processing (GDPR)
  • 8.11: Data masking (ISO 27001)

Anonymization of personal data

Anonymisation means modifying personal data so that the person can no longer be identified from it. For example, data can be coarsened to a more general level, or data about an individual can be deleted. In anonymisation, identification is irreversibly prevented, in contrast to pseudonymisation, where the data can be restored to its original form using additional information.

Connected other frameworks and requirements:
  • 32. Security of processing (GDPR)
  • 8.11: Data masking (ISO 27001)

Minimization of information outside data systems

In many organizations, a large amount of valuable information has accumulated over time as unstructured data that is hard to find and hard to manage: Excel spreadsheets, text documents, intranet pages, or emails.

Once this information has been identified, a determined effort can be made to minimize its amount. For each important piece of data held outside data systems, one of the following decisions is made:

  • it is moved into a data system
  • it is disposed of (when the information is old, no longer necessary or otherwise irrelevant)
  • it is kept in use, and a responsible person is appointed to manage the related risks

Connected other frameworks and requirements:
  • 32. Security of processing (GDPR)
  • 8.1.3: Acceptable use of assets (ISO 27001)
  • 8.3.1: Management of removable media (ISO 27001)
  • 9.4.4: Use of privileged utility programs (ISO 27001)
  • A.11.2: Restriction of the creation of hardcopy material (ISO 27018)