2b/2012 Requirements for ICT Contingency Planning


2b/2012 Requirements for ICT Contingency Planning

PO Box 28 (Snellmaninkatu 1 A)
Tel. +358 295 16001
Internet: financeministry.fi
Layout: Pirkko Ala-Marttila
Juvenes Print – Finland University Print Ltd.


To Government Ministries and Agencies



25 September 2012 


The objective of the Ministry of Finance’s Instructions on Requirements for ICT Contingency Planning is to enhance and harmonise ICT contingency planning within the ministries and organisations in their administrative branches. According to the Government Resolution on Enhancing Information Security in Central Government (26 November 2009), one of the development priorities is preventive measures and contingency planning. According to the Decree on Information Security in Central Government (681/2010), which came into force on 1 October 2010, every central government organisation must achieve the base level of information security by 30 September 2013. The base level of information security includes procedures in exceptional situations.
These instructions are directed at public sector actors as well as companies in a service agreement relationship with the public sector. The purpose of the requirements is to harmonise key functions with respect to the contingency planning of both the public sector and the private sector. This improves the capacity of services provided and accessed via electronic networks to withstand disruptions and promotes the continuity and recovery of services in exceptional situations. These instructions enhance organisations’ contingency planning for information security and cyber threats.
Central government organisations must take into account the ICT contingency planning requirements outlined in these instructions. The requirements should be extended to the central government’s internal and external service providers. In procurement preparations and calls for tender concerning individual systems, it is essential to take into account contingency planning requirements.
Guided by the ministries, the administrative branches and agencies should specify for each organisation, service and system the level of contingency they require. Organisations should establish a timetable for the implementation of services in accordance with the contingency levels as well as the adequate resourcing of implementation as part of normal operational and financial planning.
Minister of Public Administration and Local Government                                                                     
Henna Virkkunen
Government IT Director                                                                    
Mikael Kiviniemi VAHTI Chairman
Enclosed: Instructions on Requirements for ICT Contingency Planning (VAHTI 2/2012)
FOR INFORMATION: Municipalities

VAHTI in brief

The Ministry of Finance is responsible for steering and reconciling the development of public sector, and particularly central government, information security in Finland. The Government Information Security Management Board (VAHTI), which has been established by the Ministry of Finance, is responsible for steering, developing and coordinating central government information security. VAHTI handles all significant central government information security policy and information security guidance matters. In its work, VAHTI supports the Government and the Ministry of Finance in decision-making and also in the preparation of decisions relating to central government information security.

VAHTI’s objective is, by developing information security, to improve the reliability, continuity, quality, risk management and contingency planning of central government functions and to promote information security so that it becomes an integral part of central government activity, steering and performance guidance.

VAHTI promotes the implementation of the Government Programme, the Decree on Information Security in Central Government (681/2010), the Security Strategy for Society, the Government IT Strategy, the Government Resolution on Security of Supply, the National Information Security Strategy, the Government Resolution on Enhancing Information Security in Central Government and other key policy outlines of the Government. On 26 November 2009, the Government made a Resolution on Enhancing Information Security in Central Government. The resolution emphasises VAHTI’s position and tasks as the key body responsible for the steering, development and coordination of central government information security. In accordance with the resolution, the administrative branches allocate resources for the development of information security and for cooperation coordinated within VAHTI.

VAHTI acts as the cooperation, preparation and coordination body of central government organisations responsible for the central government's development and steering of information security and data protection, and promotes the development of networked operating practices in public sector information security work.
VAHTI’s work has improved central government information security, and the effectiveness of its work is evident not only in central government but also in the business sector and internationally. The result is a very comprehensive set of general information security instructions (www.vm.fi/vahti and www.vahtiohje.fi). Led by the Ministry of Finance and VAHTI, a number of joint information security projects have been implemented with ministries and agencies as well as an extensive central government information security development programme.
For three years in succession, VAHTI has been recognised with an award for its exemplary work in improving Finland’s information security.