Regular malware inspection of data systems supporting critical business processes

The data systems (and their content) that support critical business processes are regularly reviewed to locate malware. All unauthorized files and changes will be formally investigated.

Connected other frameworks and requirements:
12.2.1: Controls against malware
ISO 27001
12.2: Protection from malware
ISO 27001
PR.DS-6: Integrity checking
NIST CSF
DE.CM-4: Malicious code detection
NIST CSF
8.7: Protection against malware
ISO 27001

Change management procedure for significant changes to data processing services

Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or to other computing services that affect cyber security. The process includes requirements for, for example, the following:

  • Defining and documenting the change
  • Assessing the risks and defining the necessary control measures
  • Other impact assessment of the change
  • Testing and quality assurance
  • Managed implementation of the change
  • Updating a change log

Connected other frameworks and requirements:
14.2.2: System change control procedures
ISO 27001
14.2.4: Restrictions on changes to software packages
ISO 27001
PR.DS-6: Integrity checking
NIST CSF
8.32: Change management
ISO 27001

Security rules for the development and acquisition of data systems

Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to protect the data and the data processing in the system.

Connected other frameworks and requirements:
I13: Access control implementations realised in software
Chapter 4, Section 13: Information security of information materials and information systems
14.1.1: Information security requirements analysis and specification
ISO 27001
14.1.2: Securing application services on public networks
ISO 27001
14.2.5: Secure system engineering principles
ISO 27001