Johdon vastuut

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

• staff receive instructions describing the general guidelines of digital security related to their job role
• staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
• staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

• employee's personal security responsibilities (e.g. for devices and processed data)
• policies relevant for everyone (e.g. security incident reporting)
• guidelines relevant for everyone (e.g. clean desk)
• organization's security roles (who to contact with problems)

The organisation regularly evaluates the level of cyber security and the effectiveness of the information security management system.

Organisation has defined:

• monitored metrics to provide comparable results on the development of cyber security level
• persons responsible for the metering
• methods, timetable and responsible persons for metrics reviewing and evaluation
• methods to document metric-related evaluations and results

Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing organisation's success / failure related to cyber security.

Personnel under the direction of the entire organization must be aware:

• how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
• the consequences of non-compliance with the requirements of the information security management systemwhich roles in the personnel have effects to the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

Management shall define responsibilities and establish procedures to ensure an effective and consistent response to security incidents.

Management must ensure e.g.:

• interference management has clear responsibilities
• there is a documented process for responding, handling and reporting incidents

The process must ensure e.g.:

• staff have a clear contact point / tool and instructions for reporting incidents
• the reported security breaches will be addressed by qualified personnel in a sufficiently comprehensive manner

The organization's top management must demonstrate a commitment to cyber security work and the management system. Management commits to:

• defining the frameworks or other requirements that form the basis for work (e.g. customer promises, regulations or certificates)
• determining the resources needed to manage security
• communicating the importance of cyber security
• ensuring that the work achieves the desired results
• promoting the continuous improvement of cyber security

Top management also decides the scope of the information security management system and records the decision in the description of the system. This means, for example, whether some parts of the organisation's activities or information are excluded from the scope of the management system, or whether it applies to all information / activities of the organization.