Content library
Information security plan (Tietoturvasuunnitelma, THL 3/2024)
6.10: Management of workstations, mobile devices and operating environment support services (Työasemien, mobiililaitteiden ja käyttöympäristön tukipalveluiden hallinta)

How to fill the requirement

Task: Selection and use of malware detection software on all devices
Theme: Technical cyber security
Policy: Malware protection
Other requirements this task also fulfils (22 in total):

  • I09: Malware protection (Haittaohjelmasuojaus) (Katakri)
  • 12.2.1: Controls against malware (ISO27 Full)
  • 12.2: Protection from malware (ISO27 Full)
  • 6.5: Installation, maintenance and updating of data systems (Tietojärjestelmien asennus, ylläpito ja päivitys) (Self-monitoring)
  • DE.CM-4: Malicious code detection (NIST)

1. Task description

Centrally select and install malware detection and remediation software, and update it regularly, for preventive and scheduled scanning of computers and storage media.

The scanning should cover at least the following:

  • files received over the network or on storage media are scanned for malware before use
  • email attachments and downloaded files are scanned for malware before use
  • websites are scanned for malware before content from them is used

Task: Describing the data system's user instructions and support services (Tietojärjestelmän käyttöohjeiden ja tukipalvelujen kuvaaminen)
Theme: Social and health services security plan
Policy: System's user instructions and support
Other requirements this task also fulfils (4 in total):

  • 6.2: User instructions necessary for the appropriate use of data systems (Tietojärjestelmien asianmukaisen käytön kannalta tarpeelliset käyttöohjeet) (Self-monitoring)
  • 6.4: Procedures for error and problem situations (Menettelytavat virhe- ja ongelmatilanteissa) (Self-monitoring)
  • 6.4: User instructions for data systems and use according to the instructions (Tietojärjestelmien käyttöohjeet ja ohjeiden mukainen käyttö) (Information security plan)
  • 6.10: Management of workstations, mobile devices and operating environment support services (Työasemien, mobiililaitteiden ja käyttöympäristön tukipalveluiden hallinta) (Information security plan)

1. Task description

The self-monitoring plan must explain how it has been ensured that users of the data system have access to the necessary user instructions, at least in the language whose command is the minimum requirement for performing the job.

In addition, the self-monitoring plan describes what support services are available to support the use of the systems and how users reach those support services.

Task: Personnel guidelines for safe usage of mobile devices
Theme: Remote work and mobile devices
Policy: Mobile device management
Other requirements this task also fulfils (20 in total):

  • 11.2.6: Security of equipment and assets off-premises (ISO27 Full)
  • 6.2.1: Mobile device policy (ISO27 Full)
  • 10.1.1: Policy on the use of cryptographic controls (ISO27 Full)
  • 11.2.8: Unattended user equipment (ISO27 Full)
  • 12.6.2: Restrictions on software installation (ISO27 Full)

1. Task description

There are separate instructions for staff on the use of mobile devices. The instructions cover:

  • restrictions on installing software and using various services on the organization's devices
  • procedures for registering new devices
  • requirements for the physical protection of devices and for installing updates
  • access control requirements
  • protecting the organization's data with encryption, malware protection and backups
  • the organization's ability to remotely manage the device (for example to lock or wipe it)

Task: Personnel guidelines for safe processing of personal and confidential data
Theme: Privacy
Policy: Processing principles and accountability
Other requirements this task also fulfils (27 in total):

  • 29. Processing under the authority of the controller or processor (GDPR)
  • 7.2.2: Information security awareness, education and training (ISO27 Full)
  • 18.1.4: Privacy and protection of personally identifiable information (ISO27 Full)
  • 12.1.1: Documented operating procedures (ISO27 Full)
  • 11.2.8: Unattended user equipment (ISO27 Full)

1. Task description

The Data Protection Officer (or another responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is available to advise the controller, its personal data processing partners and its own staff on compliance with the GDPR and other data protection requirements.

Task: Personnel guidelines for safe data system and authentication info usage
Theme: System management
Policy: Data system management
Other requirements this task also fulfils (26 in total):

  • 32. Security of processing (GDPR)
  • 29. Processing under the authority of the controller or processor (GDPR)
  • 8.1.3: Acceptable use of assets (ISO27 Full)
  • 12.1.1: Documented operating procedures (ISO27 Full)
  • 9.1.1: Access control policy (ISO27 Full)

1. Task description

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Task: Automatically updating and running malware prevention software
Theme: System management
Policy: Update and patch management
Other requirements this task also fulfils (19 in total):

  • I09: Malware protection (Haittaohjelmasuojaus) (Katakri)
  • 12.2.1: Controls against malware (ISO27 Full)
  • 12.2: Protection from malware (ISO27 Full)
  • 6.5: Installation, maintenance and updating of data systems (Tietojärjestelmien asennus, ylläpito ja päivitys) (Self-monitoring)
  • MWP-01: Keeping anti-malware software up to date (Cyber Essentials)

1. Task description

Malware protection systems automatically check for and install updates (both engine and signature updates) at the chosen interval, and also run the required scans at the chosen frequency without requiring any user action.

Task: Maintenance and updating of data systems according to manufacturer guidelines
Theme: System management
Policy: Update and patch management
Other requirements this task also fulfils (5 in total):

  • 6.5: Installation, maintenance and updating of data systems (Tietojärjestelmien asennus, ylläpito ja päivitys) (Self-monitoring)
  • 6.10: Management of workstations, mobile devices and operating environment support services (Työasemien, mobiililaitteiden ja käyttöympäristön tukipalveluiden hallinta) (Information security plan)
  • 6.6: Installation, maintenance and updating of data systems (Tietojärjestelmien asennus, ylläpito ja päivitys) (Information security plan)
  • Article 7: ICT systems, protocols and tools (DORA)
  • 4.1: Information security of data systems (Tietojärjestelmien tietoturvallisuus) (TiHL: Information security)

1. Task description

The organization must make sure that data systems are maintained and updated according to the manufacturer's guidelines, including applying security updates within the timeframe the manufacturer recommends.

Task: Mobile device security policies and their monitoring
Theme: Remote work and mobile devices
Policy: Mobile device management
Other requirements this task also fulfils (7 in total):

  • 6.2.1: Mobile device policy (ISO27 Full)
  • 8.1: User endpoint devices (ISO27k1 Full)
  • CC6.7: Restriction and protection of information in transmission, movement or removal (SOC 2)
  • 6.10: Management of workstations, mobile devices and operating environment support services (Työasemien, mobiililaitteiden ja käyttöympäristön tukipalveluiden hallinta) (Information security plan)
  • 3.1.4: Management of IT and mobile data storage devices (TISAX)

1. Task description

The security policies defined in the mobile device management (MDM) system protect the organization's data on devices that leave its premises. For example, to limit the damage from a lost or stolen device, you can require that the device lock after 5 minutes of inactivity and that it be wiped completely after 3 failed unlock attempts.

It is sensible to test new policies first with a small pilot group of users. Policies also require oversight: a policy that exists only in the MDM console but is never checked against actual device state gives no assurance. You can initially run a policy in report-only mode, where settings that violate the policy are reported to the administrator but access is not blocked, and move to enforcement once the pilot shows the policy does not break legitimate use.
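The staged rollout described above (report-only first, enforcement later), as an added example that is not part of the original page or of any MDM product: the policy thresholds (lock after 5 minutes, wipe after 3 failed attempts) come from the task description, while the device-report format, the extra storage-encryption check and all device records are constructed for this example.

```python
"""Added example: evaluate constructed MDM device reports against the mobile
device policy from the task description, first in report-only mode and then
in enforce mode. The report schema and device records are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List

# Policy thresholds. Each value is the most lenient setting that is still
# compliant: 300 s comes from "lock after 5 minutes", 3 from "wipe after
# 3 failed login attempts". The encryption check is an assumed extra.
POLICY: Dict[str, object] = {
    "max_inactivity_lock_seconds": 300,
    "max_failed_unlock_attempts": 3,
    "require_storage_encryption": True,
}


@dataclass(frozen=True)
class DeviceReport:
    """One device's current settings as reported by a hypothetical MDM agent."""
    device_id: str
    user: str
    inactivity_lock_seconds: int     # 0 means the device never auto-locks
    wipe_after_failed_attempts: int  # 0 means automatic wipe is disabled
    storage_encrypted: bool


@dataclass(frozen=True)
class Decision:
    device_id: str
    violations: List[str]
    action: str  # "allow", "report" (audit mode) or "block" (enforce mode)


def check_device(report: DeviceReport, policy: Dict[str, object]) -> List[str]:
    """Return the policy violations for one device (empty list if compliant).

    A disabled setting (0) is treated as a violation rather than as
    "0 seconds" / "0 attempts", so a device that never locks or never
    wipes cannot pass the numeric comparison by accident.
    """
    violations: List[str] = []
    max_lock = int(policy["max_inactivity_lock_seconds"])
    if report.inactivity_lock_seconds == 0 or report.inactivity_lock_seconds > max_lock:
        violations.append(
            f"inactivity lock is {report.inactivity_lock_seconds or 'disabled'}, "
            f"policy requires <= {max_lock} s")
    max_attempts = int(policy["max_failed_unlock_attempts"])
    if report.wipe_after_failed_attempts == 0 or report.wipe_after_failed_attempts > max_attempts:
        violations.append(
            f"wipe after failed attempts is {report.wipe_after_failed_attempts or 'disabled'}, "
            f"policy requires <= {max_attempts}")
    if policy["require_storage_encryption"] and not report.storage_encrypted:
        violations.append("storage encryption is off")
    return violations


def evaluate(reports: List[DeviceReport], policy: Dict[str, object],
             enforce: bool = False) -> List[Decision]:
    """Apply the policy to every report.

    enforce=False is the report-only rollout stage: violations are recorded
    for the administrator but no device is blocked. enforce=True blocks
    access for every non-compliant device.
    """
    decisions: List[Decision] = []
    for report in reports:
        violations = check_device(report, policy)
        if not violations:
            action = "allow"
        elif enforce:
            action = "block"
        else:
            action = "report"
        decisions.append(Decision(report.device_id, violations, action))
    return decisions


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count decisions per action, e.g. {'allow': 1, 'report': 3}."""
    counts: Dict[str, int] = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed pilot-group inventory (not real data).
PILOT_REPORTS = [
    DeviceReport("dev-001", "alice", 120, 3, True),   # compliant
    DeviceReport("dev-002", "bob", 0, 3, True),       # never auto-locks
    DeviceReport("dev-003", "carol", 300, 10, True),  # wipe threshold too lenient
    DeviceReport("dev-004", "dave", 60, 0, False),    # wipe disabled, unencrypted
]

if __name__ == "__main__":
    for stage, enforce in (("report-only", False), ("enforce", True)):
        decisions = evaluate(PILOT_REPORTS, POLICY, enforce=enforce)
        print(f"[{stage}] {summarize(decisions)}")
        for d in decisions:
            if d.violations:
                print(f"  {d.device_id} ({d.action}): " + "; ".join(d.violations))
```

Running the block prints the same four devices twice: in report-only mode the three non-compliant devices are listed for the administrator but still allowed, and in enforce mode the same three are blocked. The point of the two-stage run is that the list of violations produced in the first stage is exactly what a pilot group reviews before enforcement is switched on.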
