Kibernetinio saugumo politika ir rizikos analizės

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

• the basis for setting the organization’s security objectives
• commitment to meeting information security requirements
• commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

• the is appropriate for the organization's business idea
• the policy is communicated to the entire organization
• the policy is available to stakeholders as appropriate

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

• Description of the risk
• Evaluated impact and likelihood of the risk
• Tasks for managing the risk or other treatment options
• Acceptability of the risk

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

• Risk identification methods
• Methods for risk analysis
• Criteria for risk evaluation (impact and likelihood)
• Risk priorisation, treatment options and defining control tasks
• Risk acceptance criteria
• Process implementation cycle, resourcing and responsibilities
• The results should be included into the organization risk management process

The task owner regularly checks that the procedure is clear and produces consistent results.

Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.

An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The techniques should be suitable for controlling physical, logical and administrative controls.

Organization assesses cyber security risks by responding to situations where security has been mildly or severely compromised. The documentation shall include at least the following:

• Description of the incident
• Risks associated with the incident
• New tasks introduced as a result of the incident
• Other measures taken due to the incident

In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.

The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.

After risk treatment, the organization assesses the remaining level of residual risk per risk.

Regarding the residual risk, clear decisions are made by the risk owner to either close the risk or return the risk to the processing queue.

The organization has an operating model for continuously improving the functionality and efficiency of the risk management process.

In the improvement, it is possible to use e.g. general standards (e.g. ISO 27005) or feedback from people involved in risk management.