Effective Information Security


Effective Information Security

PO Box 28 (Snellmaninkatu 1 A) FI-00023 GOVERNMENT
Tel. +358 9 16001
Internet: www.financeministry.fi
Layout: Pirkko Ala-Marttila

ISSN 1455-2566 (print)
ISBN 978- 951-804-982-4 (print)
ISSN 1798-0860 (pdf)
ISBN 978-951-804-983-1 (pdf)

Edita Prima Plc
Helsinki 2009

Introducing the organisation – VAHTI'S task

The Ministry of Finance is responsible for the steering and development of central government information security in Finland and has set up the Gov­ernment Information Security Management Board (VAHTI) as the body responsible for cooperation, steering and development in the area of central government information security. In its work, VAHTI supports the Govern­ment and the Ministry of Finance in decision-making and in the preparation of decisions relating to central government’s information security.

VAHTI’s objective is, by developing information security, to improve the reliability, continuity, quality, risk management and contingency planning of central government functions and to promote information security so that it becomes an integral part of central government activity, steering and perform­ance management.

VAHTI handles all the significant central government information secu­rity policies and the steering of information security measures. VAHTI also handles central government information security statutes, instructions, rec­ommendations and targets. All areas of information security are subject to VAHTI’s scrutiny.

VAHTI’s work has improved central government information security, and the effectiveness of its work is evident not only in the central government but also in companies and internationally. The result is a very comprehensive set of general information security instructions (www.vm.fi/VAHTI). Led by the Ministry of Finance and VAHTI, a number of joint information security projects have been implemented with ministries and agencies. VAHTI has prepared, managed and implemented the central government information security devel­opment programme, in which significant development work has been achieved at a total of 26 development locations by 300 people appointed to the projects.

VAHTI promotes the development of networked operating practices in pub­lic administration information security work.

In addition to the central government, the results of VAHTI’s work are also widely utilised in local government, the private sector, international cooperation and everyday life. For three years in succession, VAHTI has been recognised with an award for exemplary work in improving Finland’s information security.


Executive summary

The Government Information Security Management Board (VAHTI) has pro­duced for the central government’s use comprehensive instruction and recom­mendation material over the entire field of information security. These sum­marised instructions serve as a manual and as a link to the more extensive instructions and present their main elements in condensed form. Moreover, these instructions emphasise the management perspective, management and supervisor responsibility as well as information security planning. Their pur­pose is to give the management of central government organisations, and par­ticularly their senior information management staff and security and infor­mation security personnel, together with people otherwise working in the said tasks, instructions for managing information security as part of their own work.

These instructions have been written primarily for central government use, but they are for the most part also applicable to other organisations. Informa­tion security has been described as an entity that includes operational processes and people as well as the security and safeguarding of information material and information systems. The main elements are people, processes, informa­tion material, information technology and availability of information. Policy, instructions, training and the consequent common understanding and oper­ating practices that arise are the cornerstones of an organisation’s good infor­mation security culture.

An organisation’s internal data processing, production and customer serv­ice depend on the confidentiality, integrity and availability of the information behind them, namely on information security. A breach of information security can undermine an organisation’s operational reliability and interrupt or prevent the provision of services used by both internal and external services. Without information security measures as well as backup measures created in advance, the electronic services and activities provided by society cannot be guaranteed in a normal situation nor, in particular, in the event of serious disruptions or emergency conditions.

It is the task of the management, as part of their own management work, also to ensure the information security of their organisation’s operations. Part of the management process should be to ensure that the level of information security and risk management corresponds to the targets set for them and that

sufficient maintenance and development resources have been allocated to infor­mation security functions. Attention should also be paid to the wellbeing of employees, because a high level of security can be achieved only by an organi­sation where employees are well motivated in their work.

The management develop and strengthen the principles of their organisa­tion’s information security and risk management. In addition, measures should be taken to ensure that management receive regular reports on the organisa­tion’s information security situation and events as well as on any corrective measures arising from them.

This publication gives an overall picture of what an information security management system created on the basis of an information security and risk management system, and supporting good information management practice, should be like and how it should operate. With the aid of an information secu­rity management system, an organisation can ensure the achievement of both its own and the Government’s targets in accordance with the resolution on cen­tral government information security and other guidelines, general information principles and statutes, as well as instructions given by the Ministry of Finance. The most important objective of VAHTI activity and instructions is to enhance central government information security.

The VAHTI instructions support organisations in the planning, implemen­tation and maintenance of information security as well as in preparing the nec­essary documents.


The introduction to these instructions describes the general principles and jus­tification of information security from a central government perspective.

Chapter 2 deals with the fundamentals of information security as well as the organisation, monitoring and reporting of information security, including risk management.

Chapter 3 examines the organisation of information security, its incorpo­ration into processes as well as its implementation and practical evaluation.

The main details of the elements of information security are discussed from Chapter 4 onwards on the basis of a traditional eight-element subdivision. Chap­ter 11 examines the principles of continuity and emergency conditions planning and Chapter 12 the classifications used in information security.

Appended to these instructions is a set of document models relating to the building of an organisation’s information security management system.

Appendix 1 presents model policies and planning frameworks.

Appendix 2 is a list of information security responsibilities and related roles.