VAHTI 1/2005 Information Security and Management by Results
The Ministry of Finance is responsible for the steering and development of information security in the Finnish Government and has set up the Government Information Security Management Board VAHTI for co-operation on, steering of and development of Government information security.
The results of VAHTI co-operation are widely utilised not only by the Finnish Government but also in local government, the private sector and international co-operation.
Members of VAHTI represent various administrative sectors and levels of public administration as well as broad information security experience. The group is well known for its information security instructions and guidelines as well as other information security publications.
In 2003 VAHTI set up a task force to draw up an information security recommendation on management by results. This document is the translation of that recommendation, which was finalised in 2004.
The Ministry of Finance issued this Information Security Recommendation (hereinafter the Recommendation) drafted by the Government Information Security Management Board VAHTI in April 2004. The Recommendation supplements the existing extensive information security instructions issued by the Ministry of Finance and replaces the earlier information security recommendation of the Ministry “Management by results and Development Tools of Information Security” (The Ministry of Finance, VAHTI 2/1997).
Information security promotes the quality, efficiency and productivity of government services. A sufficient level of information security is a necessary pre-requisite for the continuance of the operations and operating ability of an organisation. Development of the performance management of information security has a high priority in the overall development of Government information security described inter alia in the Government Information Security Development Plan (VAHTI 1/2004).
The Recommendation presents a summary of the central principles of the development of information security as well as their connection to management by results, the management of offices and the evaluation of operations. Information security is an important part of the normal development of services and operations and therefore it has to be included also in management by results. The most central task is the integration of information security to the operational goals of organisations in performance agreements and steering.
The translation of the recommendation will be available in the English Internet pages of the Government Information Security Management Board: www.ministryoffinance.fi/security.
A sufficient level of information security is a necessary pre-requisite for the continuance and credibility of operations. Information security improves the service ability of offices and agencies as well as enhancing the efficiency and quality of operations. The significance of information security has been continuously increasing in the management of organisations and in ensuring their operating ability as well as in maintaining disturbance-free and efficient operations. The Recommendation presents a summary of the central principles of the development of information security and their connection to management by results, the management of offices and the evaluation of operations. The Recommendation examines information security and information management as part of the management of offices and agencies, the provision of services and quality management.
Information security ensures the integrity, availability and confidentiality of the information processed in an organisation. Information security as a concept is very wide. When extensively documented and well managed, its different parts, such as administrative security, personnel security, physical security, data transfer security, equipment security, software security, information material security and usage security, form a strong foundation for the continuity and reliability of the operations of the organisation and for its efficiency and effectiveness.
Information security and its continuous improvement are not an activity carried out for its own sake; instead, security occupies a central position for example in the provision of electronic services. When looked at from the point of view of citizens and users, the task of government is to provide electronic services whose reliability the user can trust and which are provided taking into account the basic rights of citizens.
The Recommendation handles information security according to the following division:
– the definition of information security as a whole;
– a presentation of general principles relating to information security using the Recommendation of the OECD as the basis;
– an examination of the guidelines of national information security as a background factor;
– the placement of information security in the management by results framework between the Ministry and the office;
– a description of the handling of information security as an internal steering process of an office including policy and instructions as well as monitoring and evaluation.
The Appendices of the Recommendation contain an example of the handling of information security issues in a management model based on the Balanced Scorecard (BSC; Appendix 1) as well as in an evaluation based on the quality system (Appendix 2).
The central content of the Recommendation Information Security and Management by Results is summarised in the following eight points:
Recommendation 1. Information security is part of the management by results of government, where the operations of an office or agency are examined as a whole and where several different perspectives are used in setting the performance targets (impacts, effectiveness, quality and human resources). Management by results also aims at strengthening good governance.
Recommendation 2. Information security is an extensive operational entity, and its foundation is formed by the security culture of the organisation and by human actions.
Recommendation 3. State government applies the principles of the security culture recommended by the OECD.
Recommendation 4. A national information security strategy creates a common basis for extensive development work in information security.
Recommendation 5. Information security is part of the ordinary development of operations, risk management and management by results, which can utilise both qualitative and quantitative information and meters based thereon.
Recommendation 6. In the improvement of information security, the offices and agencies must first of all ensure their main functions and define the information security policy guiding all their operations. All those working in the organisation are, for their own part, responsible for information security.
Recommendation 7. Information security is part of the development of public services, where the central issues are the availability of services, the basic rights of citizens and good information management practice.
Recommendation 8. It is the task of the management to launch internal and external evaluations, to strengthen evaluation know-how and to ensure that the evaluation results are handled in an appropriate way as part of leadership and management by results.