Henkilöstöturvallisuus ja tietoturvakoulutus

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

• staff receive instructions describing the general guidelines of digital security related to their job role
• staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
• staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

• employee's personal security responsibilities (e.g. for devices and processed data)
• policies relevant for everyone (e.g. security incident reporting)
• guidelines relevant for everyone (e.g. clean desk)
• organization's security roles (who to contact with problems)

All employees handling confidential information should sign a confidentiality or non-disclosure agreement before processing confidential information.

The confidentiality commitment should include, among other things:

• a clear definition of confidential information
• the expected duration of the commitment
• required actions when the commitment is terminated
• the responsibilities and actions of signatories to prevent unauthorized disclosure of information
• ownership of information, trade secrets, and intellectual property and how this relates to the protection of confidential information
• permissible use of confidential information and the signatory's rights to use the information
• the right to audit and monitor activities involving confidential information

The requirements and needs for confidentiality agreements are reviewed and updated at regular intervals.

The employment contracts specify the responsibilities of the employee and the organization for cyber security.

Contracts should include e.g.:

• the employee's legal responsibilities and rights, such as those related to copyright or data protection law
• the employee's responsibility for following the instructions, e.g. related to the use of hardware and data and the classification of information
• the employee's or temporary employee's responsibility for processing information received from other companies or other parties
• measures if the employee or temporary worker violates the safety requirements of the organization
• continuing obligations after termination of employment

Our organization has defined procedures for coordinating, at the time of termination of employment, e.g..:

• Hardware recovery
• Removal of access rights
• Restoration of other information assets

Our organization has defined the actions to be taken in the event of a breach of confidentiality. These may include e.g. the following steps:

• investigating what data was breached and how harmful this was
• investigating the intentionality of the act
• investigating what was set as conseguence on the confidentiality agreement
• deciding whether and how to proceed (e.g. legal actions)
• deciding whether outside assistance is needed

At the very least, job applicants applying for key cyber security roles should be subject to background checks, taking into account relevant laws and regulations.

The check may include:

• review of recommendations
• verification of CV accuracy
• verification of educational qualifications
• verification of identity from an independent source
• other more detailed checks (e.g. credit information, review of previous claims or criminal record)

The background check may also be extended to, for example, teleworkers, contractors or other third parties. The depth of the background check can be related to the category of the accessed data.