Kibernetinio saugumo reikalavimai apima šiuos elementus: kibernetinio saugumo rizikos analizės, tinklų ir informacinių sistemų kibernetinio saugumo politiką
The organization has an information security policy developed and approved by top management. The policy shall include at least the following:
In addition, the task owner shall ensure that:
The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.
An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The techniques should be suitable for controlling physical, logical and administrative controls.
Organization assesses cyber security risks by responding to situations where security has been mildly or severely compromised. The documentation shall include at least the following:
In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.
Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.
The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.
After risk treatment, the organization assesses the remaining level of residual risk per risk.
Regarding the residual risk, clear decisions are made by the risk owner to either close the risk or return the risk to the processing queue.
The organization has an operating model for continuously improving the functionality and efficiency of the risk management process.
In the improvement, it is possible to use e.g. general standards (e.g. ISO 27005) or feedback from people involved in risk management.