Instructions on Implementing the Decree on Information Security in Central Government

 


Ministry of Finance
PO BOX 28 (Snellmaninkatu 1 A, Helsinki)
FI-00023 GOVERNMENT, FINLAND
Internet: www.vm.fi
Layout: Taina Ståhl


ISSN 1455-2566 (print)
ISBN 978-952-251-380-9 (print)
ISSN 1798-0860 (PDF)
ISBN 978-952-251-381-6 (PDF)


To the management of government agencies

The purpose of information security in central government is to ensure the continuity and quality of official activities as well as the implementation of due process of law. These instructions provide guidelines for the implementation of the Decree on Information Security in Central Government (Valtioneuvoston asetus tietoturvallisuudesta valtionhallinnossa 681/2010; hereinafter Decree on Information Security).

These instructions are intended for the management of organisations and for those responsible within organisations for security, information services and information management.

The general duty of central government authorities to take care of information security is based on the Act on the Openness of Government Activities (Laki viranomaisten toiminnan julkisuudesta 621/1999; hereinafter the Openness Act). Under the Act, the authorities must ensure that the protection, integrity and quality of documents and information systems, and the information contained in them, are safeguarded by appropriate procedures and information security arrangements, taking into account the significance and purpose of the information as well as the threats directed at documents and information systems and the costs arising from information security measures (section 18(2) (4) of the Act).

The Decree on Information Security, issued by the Government on 1 July 2010 based on the Act on the Openness of Government Activities, is applied to central government authorities. Central government organisations refer to central government administrative authorities and other central government agencies and institutions as well as courts of law and other judicial authorities (section 3(1)). The Decree repealed sections 2 and 3 of the Decree on the Openness of Government Activities and on Good Practice in Information Management (1030/1999; hereinafter the Openness Decree).

The Decree on Information Security came into force on 1 October 2010. It contains provisions relating to a transition period, according to which public authorities must bring their data processing into line with the base-level information security requirements prescribed in section 5 of the Decree within three years of the Decree having come into force, i.e. by 30 September 2013. The Decree lays down provisions on general information security requirements and levels of security classification, including requirements concerning processing of documents at different classification levels. It is worth noting that in the Decree the term "document" also means information material saved in electronic form or otherwise saved as a technical record. In particular, secret documents are subject to regulation (Decree on Information Security, section 8, section 9(2)).

The classification of documents is not compulsory under the Decree. Each authority must decide whether and when to introduce classification. Processing requirements relating to classification must be implemented within 5 years of classification being introduced. Authorities may assign classification to certain documents only or to such stages of document processing where measures are necessary in view of the interest to be protected (Decree on Information Security, section 8(1)).

Planning the introduction of document classification is important. Classification should facilitate the exchange of secret information between authorities. It is particularly recommended therefore that classification be implemented in public authorities that either receive secret documents from other authorities or transfer secret documents to other authorities regularly and in high volume.

Government agencies should ensure that all of the base-level information security requirements prescribed in section 5 of the Decree on Information Security are fulfilled within the three-year transition period prescribed in the Decree. A preparatory survey related to this must be initiated during autumn 2010.

To implement security requirements and, more generally, the good information management practice prescribed in the Openness Act, it is important for each authority to ensure that

  • an inventory of documents in the public authority’s control has been made and the significance of the information contained within the documents has been assessed in the manner prescribed in section 1 of the Openness Decree, an analysis of operational information security risks has been made, and the implementation of information security has been planned (Decree on Information Security, section 4, section 5(1)(1));
  • the authority has at its disposal sufficient expertise to ensure/safeguard information security and that tasks and responsibilities relating to the management of information security are defined;
  • tasks and responsibilities relating to document processing are defined, and that the confidentiality and other protection of documents and the information contained therein are safeguarded by granting access to documents only to those who need secret information or personal data recorded in personal data files in their work;
  • the availability and accessibility of information in different situations is safeguarded and procedures are created to overcome exceptional situations;
  • unauthorised manipulation and other unauthorised or inappropriate processing of information is prevented through appropriate and sufficient security arrangements and other measures concerning access management, access monitoring, information networks, information systems and information services;
  • document data processing and storage facilities are adequately monitored and protected;
  • the reliability of personnel and others engaged in document processing tasks is ensured if necessary through the background check procedure or other available means based on law;
  • guidelines and training on the appropriate processing of documents and the information contained therein are given to personnel and others engaged in document processing tasks;
  • compliance with given instructions is monitored and the need for instructions to be updated is regularly assessed;
  • arrangements are made to ensure that the prescribed information security requirements are also observed when the public authority’s documents are processed based on a contract, for example within data processing service companies (Decree on Information Security, section 6);
  • care is taken to ensure that officials know the significance of classification labelling/markings and that these do not release the public authority from their duty on a case-by-case basis to consider the openness of a document and whether access to a document is in accordance with the Openness Act and its case law when information is requested on the basis of the Openness Act.


The Decree on Information Security and these Instructions are an important part of the implementation of the Government Resolution on Enhancing Information Security in Central Government, dated 26 November 2009.

These Instructions replace earlier VAHTI instructions, namely Information security instructions for the processing of government data VAHTI 2/2000 and Instructions for processing sensitive international data VAHTI 4/2002, and are significantly more comprehensive than the latter.

Introducing the organisation – VAHTI's task

The Ministry of Finance is responsible for steering and reconciling the development of public administration and particularly central government information security in Finland. The Government Information Security Management Board (VAHTI), which has been established by the Ministry of Finance, is responsible for steering, developing and coordinating central government information security. VAHTI handles all significant central government information security policy and information security guidance matters. In its work, VAHTI supports the Government and the Ministry of Finance in decision-making and also in the preparation of decisions relating to central government information security.

VAHTI’s objective is, by developing information security, to improve the reliability, continuity, quality, risk management and contingency planning of central government functions and to promote information security so that it becomes an integral part of central government activity, steering and performance management.

VAHTI promotes the implementation of the Government Programme, the Security Strategy for Society, the Government IT Strategy, the Government Resolution on Security of Supply, the National Information Security Strategy, the Government Resolution on Enhancing Information Security in Central Government and other key policy outlines of the Government. On 26 November 2009, the Government made a Resolution on Enhancing Information Security in Central Government. The resolution emphasises VAHTI’s position and tasks as the key body responsible for the steering, development and coordination of central government information security.

In accordance with the resolution, the administrative branches allocate funds and resources for the development of information security and for cooperation coordinated within VAHTI.

VAHTI acts as the cooperation, preparation and coordination body of central government organisations responsible for developing the central government’s information security and data protection, and promotes the development of networked operating practices in public administration information security work.

VAHTI’s work has improved central government information security, and the effectiveness of its work is evident not only in central government but also in companies and internationally. The result is a very comprehensive set of general information security instructions (www.vm.fi/vahti). Led by the Ministry of Finance and VAHTI, a number of joint information security projects have been implemented with ministries and agencies as well as an extensive central government information security development programme.

For three years in succession, VAHTI has been recognised with an award for its exemplary work in improving Finland’s information security.

Acknowledgements

The following experts were involved in compiling the Instructions on Implementing the Decree on Information Security in Central Government:


  • Ms Tuire Saaripuu, Population Register Office
  • Ms Irma Talonen, Ministry for Foreign Affairs
  • Ms Erja Kinnunen, State Treasury
  • Ms Hanna Aronen, Ministry of Transport and Communications
  • Ms Merja Fleming, Ministry of Finance
  • Mr Aku Hilve, Ministry of Finance
  • Ms Marja-Leena Viitala, Ministry of Finance
