Tietoturvasuunnitelma (THL 3/2024)
6.9: Physical security as part of the security of the operating environment of information systems

How to fill the requirement

Tasks (task name, priority, status, theme, policy, other requirements):
Task: Encryption of laptops
Theme: Technical cyber security
Policy: Encryption
Other requirements: 13

This task also fulfils these other security requirements:

  • 10.1.1: Policy on the use of cryptographic controls (ISO27 Full)
  • 6.6.4: Security of physical premises, equipment and printouts (Self-monitoring)
  • TEK-18.1: Remote access - encryption of data and communications (Julkri)
  • 8.24: Use of cryptography (ISO27k1 Full)
  • CC6.7: Restriction and protection of information in transmission, movement or removal (SOC 2)
1. Task description

Laptops are protected by full-disk encryption.

Task: Physical access control to building, offices and other premises
Theme: Physical security
Policy: Property security
Other requirements: 30

This task also fulfils these other security requirements:

  • F04: Management of access rights (Katakri)
  • 11.1.2: Physical entry controls (ISO27 Full)
  • 11.1.1: Physical security perimeter (ISO27 Full)
  • 6.6.4: Security of physical premises, equipment and printouts (Self-monitoring)
  • PR.AC-2: Physical access control (NIST)
1. Task description

Secure areas of the organization cannot be accessed unnoticed. The premises are protected by appropriate access control. Only authorized persons have access to the secure areas.

Task: Defining the types of removable media used
Theme: Management of data sets
Policy: Removable media
Other requirements: 16

This task also fulfils these other security requirements:

  • 8.3.1: Management of removable media (ISO27 Full)
  • 8.3.3: Physical media transfer (ISO27 Full)
  • A.11.4: Protecting data on storage media leaving the premises (ISO 27018)
  • 13.2.1: Information transfer policies and procedures (ISO27 Full)
  • 13: Communications security (ISO 27018)
1. Task description

Removable media includes, for example, flash memory, SD cards, removable storage drives, USB sticks and DVDs.

The organization has defined which removable media are allowed to be used.

Task: Personnel guidelines for safe disposal of paper data
Theme: Physical security
Policy: Non-electronic data and copies
Other requirements: 15

This task also fulfils these other security requirements:

  • I17: Reproduction of classified information - printing and copying (Katakri)
  • 8.3.2: Disposal of media (ISO27 Full)
  • 6.6.4: Security of physical premises, equipment and printouts (Self-monitoring)
  • A.11.7: Secure disposal of hardcopy materials (ISO 27018)
  • PR.DS-3: Asset management (NIST)
1. Task description

Papers containing sensitive information should be disposed of in an agreed manner, for example, using a shredder or by incineration.

Task: Guidelines for operating in processing areas for confidential information
Theme: Physical security
Policy: Property security
Other requirements: 8

This task also fulfils these other security requirements:

  • 7.6: Working in secure areas (ISO27k1 Full)
  • 42: Definition of security areas (Sec overview)
  • 11.1.5: Working in secure areas (ISO27 Full)
  • SEC-05: Remote access user authentication (Cyber Essentials)
  • 6.9: Physical security as part of the security of the operating environment of information systems (Tietoturvasuunnitelma)
1. Task description

The organization has defined the areas for handling confidential information and the operating rules that are followed in all activities taking place in those areas.

In the rules, consideration should be given to the following points:

  • the rules and the related areas are communicated only to personnel for whom the information is relevant
  • unsupervised work in these areas is minimized
  • the areas are physically locked and checked regularly
  • prohibition of unauthorized recording devices (e.g. phones, video cameras)
  • monitoring the transport of end-user devices
  • publishing emergency instructions in an easily accessible way

Task: Safe placement of equipment
Theme: Physical security
Policy: Equipment maintenance and safety
Other requirements: 19

This task also fulfils these other security requirements:

  • Management of business continuity (Katakri)
  • F08: Ensuring business continuity (Katakri)
  • 11.1.3: Securing offices, rooms and facilities (ISO27 Full)
  • 11.2.1: Equipment siting and protection (ISO27 Full)
  • 11.1.4: Protecting against external and environmental threats (ISO27 Full)
1. Task description

Data processing equipment, as well as other important equipment, should be placed within the premises safely and with due consideration. Placement should restrict unauthorized access to the devices.

Task: Preventing unauthorized viewing of personal data
Theme: Physical security
Policy: Property security
Other requirements: 9

This task also fulfils these other security requirements:

  • F06: Protection against unauthorized viewing (Katakri)
  • 11.1.3: Securing offices, rooms and facilities (ISO27 Full)
  • 6.6.4: Security of physical premises, equipment and printouts (Self-monitoring)
  • FYY-05.2: Security area - prevention of covert viewing (Julkri)
  • 7.3: Securing offices, rooms and facilities (ISO27k1 Full)
1. Task description

Irrespective of the form in which the information is presented, personal data and other confidential information shall be processed in such a way that the information is not disclosed to outsiders.

Task: Preventing eavesdropping
Theme: Physical security
Policy: Property security
Other requirements: 8

This task also fulfils these other security requirements:

  • F07: Protection against eavesdropping (Katakri)
  • 11.1.3: Securing offices, rooms and facilities (ISO27 Full)
  • 6.6.4: Security of physical premises, equipment and printouts (Self-monitoring)
  • FYY-05.1: Security area - sound insulation (Julkri)
  • 7.3: Securing offices, rooms and facilities (ISO27k1 Full)
1. Task description

Conversations concerning personal data or other confidential information shall not carry into adjacent premises where they could be heard by persons who do not have a right to the information.
