Get an overview of information security

Information, systems and functions are only available to those entitled to use them and they cannot be used by third parties.

Information, systems and functions are correct and up to date and they have not changed uncontrollably.

The information, systems and functions are available to those entitled to them within pre-agreed limits.

The organisation and its management must ensure that

1. an overview of information security is accessible to everyone and
2. everyone has enough time at work to familiarise themselves with the key areas of information security.

Information security training that concerns the entire organisation

• ensures the perception of information security risks and their realisation
• ensures the roles and responsibilities related to information security risk management
• makes processes run as planned
• reduces the likelihood and impact of the realisation of risks.

Good implementation of information security principles also ensures

• functionality of plans related to residual risk management
• response to information security deviations
• management of deviations and recovery from them.

Information security refers to measures that ensure the appropriate safety of information, that is, its integrity, confidentiality and availability. Information security concerns digital and analogue knowledge and knowledge of persons or employees.

Information is protected against, for example,

• unauthorised and unlawful use
• accidental loss
• destruction or damage.

Various technical or organisational measures, such as data encryption or security classifications, can be used to protect information.

Deviation refers to an event that differs from a desired or usual activity. A deviation can be

• water damage or power cut
• information leakage
• disruption in a digital service.

Cyber environment refers to a digital parallel reality created by people, which globally connects people and devices across national borders through information technology, automated control systems, the internet and social media.

– Ministry for Foreign Affairs

Cybersecurity refers to the target state in which the cyber environment can be trusted and securely operated. Cybersecurity ensures the safety of a digital and networked society and organisations and the impact cybersecurity has on their functions.

Measures related to cybersecurity can manage and tolerate various cyber threats and their impacts. Taking care of information security is part of cybersecurity.

Read more about cybersecurity on the website of the Ministry for Foreign AffairsOpens in a new window..

A potential harmful event or course of development that targets the cyber environment and, if realised, jeopardises a function dependent on it.

– TEPA Term Bank

The most common cyber threats are ransomware attacks, scam messages and denial of service attacks.

Procedures to ensure that users, devices, applications and systems have access to information in data systems according to their role.

– TEPA Term Bank

Non-disclosable information is information that is defined as non-disclosable under the Act on the Openness of Government Activities or other legislation.

• Suositus salassa pidettävien asiakirjojen käsittelystä (Ministry of Finance, in Finnish)Opens in a new window.

• Kyberturvallisuuden sanasto (The Security Committee, PDF, in Finnish)Opens in a new window.
• Glossary of Central Cyber Security Terms (National Cyber Security Centre)Opens in a new window.

For example, deep fake scams using artificial intelligence have developed in recent years.

Previously, online scam messages were easier to identify because they often contained more typos and mistakes than usual. As AI is currently trained with more extensive data, grammatically good language is no longer a guarantee of safety.

Management must commit to active communication, and communication must be regular, clear and multi-channel. Not all staff representatives participate in personnel events or read internal news.

Documentation of communications helps manage the risks that are the responsibility of the organisation’s management. Once the documentation of communications has been taken care of and the documentation has been maintained, the managers and supervisors can demonstrate that information about the responsibilities and roles has been provided regularly.