Shield against threats

Many information security threats may be related to the organisation’s operational culture or habitual practices. As the digital operating environment is constantly changing and old habits require updating, “we have always done it like this” type of thinking may pose information security threats.

You can protect yourself from information security threats by developing your organisation’s ability to shield against threats and by using the latest technology to improve detection capability and set protection mechanisms. Reserve sufficient resources for these technical solutions and their maintenance.

Access control is managed by using

• Individual user names
• a different password in every service
• sufficiently long and versatile passwords
• multi-factor authentication
• bocking login from specific locations, networks, and devices.

When granting access to systems and services, follow these two principles:

1. Limit access rights to the narrowest possible rights that allow the user or process to perform the tasks assigned to it.
2. Limit access rights to the shortest possible period of time.

By doing so, you effectively minimise the risk of access rights ending up in the hands of cyber criminals.

High-quality, well-maintained, systematic and actively developed access management provides protection against the most common information security threats.

All members of staff should be actively informed about the organisation’s

• principles of identity management
• processes related to their maintenance, and
• mechanisms for reporting deviations.

In order to minimise risks, each representative of staff must be familiar with the up-to-date deviation reporting process.

For example, if a representative of an organisation’s staff accidentally enters their user name and password on a scam site, the extent of the damage can be reduced by notifying the appropriate parties as soon as possible. This way, leaked IDs can be removed from use as soon as possible.

• Suomi.fi guide: Data has been stolen or leaked from my organisation (Digital and Population Data Services Agency)Opens in a new window.
• Guide: How to protect yourself against online scams (National Cyber Security Centre)Opens in a new window.

Identity and access management must also be taken into account in the specification of procurement requirements. Identity and access management involve a lot of legislative requirements, which must be taken into account in procurement. This prevents your organisation from purchasing systems or services that endanger its ICT environment.

Examples of dangerous work combinations, or risk roles, in information security tasks:

1. A role in which one person both grants access rights and monitors their use.
2. A role in which the same person is both the data protection officer supervising the implementation of information security and the person who decides on the principles, processes and practices related to information security.

Dangerous work combinations should be avoided when working with information security, as they result in an unnecessary risk to the organisation. Smaller organisations have a higher risk of dangerous work combinations.

Try to identify and avoid gaps between roles and responsibilities where possible.

It is important to notify all employees of the information security roles. There must be substitute arrangements for critical roles, and both parties must have sufficient competence to manage their responsibilities.

The management must decide on the processes related to competence development and monitoring. The entire organisation must follow the planned processes and develop them as the operating environment changes.

Developing the organisation’s information security expertise may require, for example,

• changes in the information security environment
• technological developments, or
• staff turnover.

You can reduce information security risks by taking change factors into account as part of the competence development plan.

Ensuring sufficient competence applies not only to the organisation’s staff but also to key stakeholders. The organisation must also ensure that the parties involved in the supply chains have sufficient information security competence. It can use the agreements to achieve this, for example.

When backing up data, ensure that the backups are protected and available also if the organisation’s environment is compromised and during exception conditions. The operating environment must be recoverable by reasonable measures.

The backup principles determine the length of the period the organisation can afford to lose its data so that it can restore its operations.

For example, if an organisation cannot withstand losing data from the current week, a backup must be made and protected, for example, once a day.

Dividing environments into parts is a good way to limit the potential impacts of the risks caused by deviations.

Document your organisation’s information systems, environments and equipment in a register. Update the register when the information changes to keep the registry up to date.

• Suositus tietoturvallisuudesta hankinnoissa (Ministry of Finance Finland, in Finnish)Opens in a new window.

• Julkisen hallinnon tietoturvallisuuden arviointikriteeristö (Julkri) (Ministry of Finance, PDF, in Finnish)Opens in a new window.
• Course: Julkri – Assess And Develop Information Security (eOppiva)Opens in a new window.

It is the management’s responsibility to commit to protecting and leading the physical operating environment and to show an example and create a good safety culture also in the physical operating environment.

• No devices outside the organisation are connected to the IT environment (such as USB sticks found in the car park).
• Outsiders are not allowed to enter the organisation’s premises without supervision.
• Keep the electronic ID card visible.

• The Digitally Secure Life training module (Digital and population data services agency)Opens in a new window.

When it comes to the physical operating environment, you should also take into account the risks of loss so that the safety and operational culture of the organisation cannot be compromised by accident or negligence.