Acceptable use of information and other associated assets

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

• staff receive instructions describing the general guidelines of digital security related to their job role
• staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
• staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

• employee's personal security responsibilities (e.g. for devices and processed data)
• policies relevant for everyone (e.g. security incident reporting)
• guidelines relevant for everyone (e.g. clean desk)
• organization's security roles (who to contact with problems)

Papers containing sensitive information should be disposed of in an agreed manner, for example, using a shredder or by incineration.

Especially when local or unstructured data needs to be handled a lot due to the nature of the activity, it may be necessary to develop training that describes the risks involved for staff.

Common problems with local and unstructured data include e.g.:

• no backups
• no access management
• hard to locate

For data you do not want to lose, that you want to control, or that is important to find in the future, staff should use data systems designed for it.

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.

Things to report as an incident include e.g.:

• unauthorized access to data / premises
• action against security guidelines
• suspected security issue (e.g. phishing, malware infection)
• data system outage
• accidental or intentional destruction / alteration of data
• lost or stolen device
• compromised password
• lost physical identifier (e.g. keychain, smart card, smart sticker)
• suspected security weakness (e.g. on utilized data system or other procedures)

The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe other operations in the event of an incident (e.g. recording seen error messages and other details).

The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.

There are separate instructions for staff to use mobile devices. The instructions cover:

• restrictions on installing software and using various services on your organization's devices
• procedures for the registration of new devices
• requirements for physical protection of equipment and installation of updates
• access control requirements
• protecting your organization’s data with encryption, malware protection, and backup
• the ability of the organization to remotely control the device