ICT risk management

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

• Description of the risk
• Evaluated impact and likelihood of the risk
• Tasks for managing the risk or other treatment options
• Acceptability of the risk

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

• Risk identification methods
• Methods for risk analysis
• Criteria for risk evaluation (impact and likelihood)
• Risk priorisation, treatment options and defining control tasks
• Risk acceptance criteria
• Process implementation cycle, resourcing and responsibilities
• The results should be included into the organization risk management process

The task owner regularly checks that the procedure is clear and produces consistent results.

All security incidents are addressed in a consistent manner to improve security based on what has happened.

In the incident treatment process:

• the reported incident is confirmed (or found unnecessary to record)
• the type and cause of incident is documented
• the risks associated with the incident are documented
• the risks are re-evaluated and treated if that is necessary after the incident
• risk mitigation measures or a decision their acceptance is documented
• people who need to be informed of the results of the incident treatment are identified (including external ones)
• possible need for a post-incident analysis is determined

The organization has defined a process for addressing identified technical vulnerabilities.

Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:

• risks related to the vulnerability and the necessary actions are identified (e.g. patching the system or other management tasks)
• necessary actions are scheduled
• all actions taken are documented

Organization carries out threat intelligence by gathering information about information security threats related to its operations and how to protect against them. The goal is to increase awareness of the threat environment, so that own security level can be better evaluated and adequate control measures implemented.

When collecting threat intelligence, all three levels must be taken into account:

• strategic threat intelligence (e.g. information on the growing types of attackers and attacks)
• tactical threat intelligence (e.g. information about tools and technologies used in attacks)
• operational threat intelligence (e.g. details of specific attacks)

Principles related to threat intelligence should include:

• setting targets for threat intelligence
• identification, verification and selection of information sources used in threat intelligence
• gathering threat intelligence
• data processing for analysis (e.g. translation, formatting, compression)

The organization should create and maintain incident response plans. The response plans should include at least:

• Incident or the type of incident for which the plan has been made
• Goal for plan
• Responsible persons and related stakeholders and contact information
• Planned immediate actions
• Planned next steps

Organisation must develop a clear, comprehensive definition of what constitutes a reportable security event or observation, ensuring it covers the following categories:

• Personnel misconduct or misbehavior.
• Intrusion, theft, unauthorized access to security zones, and vulnerabilities in security zones.
• Cybersecurity incidents such as vulnerabilities in IT systems, and detected successful or unsuccessful cyber-attacks.
• Supplier and partner incidents that could negatively impact the security of the organization.

Organisation must have a defined procedure for reporting of incidents and it should be communicated to the personnel:

• Design and implement effective reporting mechanisms tailored to perceived risks.
• Ensure these mechanisms are well communicated and accessible to all employees, stakeholders, and relevant parties to facilitate timely and accurate reporting of security events.
• Conduct training sessions and awareness programs to ensure that all relevant employees and stakeholders understand the definition of reportable security events and are familiar with the reporting mechanisms.

The organization must enable asset based risk management from the ISMS settings.

Asset-based risk management should be set to cover all needed asset types with high enough criticality. The asset based risk management should be used at least for:

• System providers
• Data systems
• Data stores
• Other stakeholders
• Other assets

Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:

• Defining and documenting the change
• Assessing the risks and defining the necessary control measures
• Other impact assessment of the change
• Testing and quality assurance
• Managed implementation of the change
• Updating a change log

As part of the security risk assessment, the organization shall make assessments of the severity and probability of the risk materializing.

The organization shall have a clearly instructed risk scale that allows each participant in the risk assessment to decide on the appropriate level of severity and probability.

The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.

When implementing information security risk management, the organisation must identify the risks that require treatment and define treatment plans for them, which often consist of new information security measures.

The organisation has defined how regularly the treatment plans defined as a whole are evaluated and their proportionality to the risk assessment (risk severity and probability).

Implemented risk management measures and the overall situation of risk management are checked regularly.

The operating model for monitoring the status of risk management is clearly described.

Organization must consider the threat intelligence process findings in the information security risk management process. Threat intelligence can detect, for example, the proliferation of certain types of attacks or the development of new technologies, based on which assessments of certain information security risks must be updated, which may lead to the need to reduce risks through treatment plans.

The organization has an operating model for continuously improving the functionality and efficiency of the risk management process.

In the improvement, it is possible to use e.g. general standards (e.g. ISO 27005) or feedback from people involved in risk management.