VAHTI 2b/2010 Instructions on Implementing the Decree on Information Security in Central Government
To the management of government agencies
The purpose of information security in central government is to ensure the continuity and quality of official activities as well as the implementation of due process of law. These instructions provide guidelines for the implementation of the Decree on Information Security in Central Government (Valtioneuvoston asetus tietoturvallisuudesta valtionhallinnossa 681/2010; hereinafter the Decree on Information Security).
These instructions are intended for the management of organisations and for those responsible within organisations for security, information services and information management.
The general duty of central government authorities to take care of information security is based on the Act on the Openness of Government Activities (Laki viranomaisten toiminnan julkisuudesta 621/1999; hereinafter the Openness Act). Under the Act, the authorities must ensure that the protection, integrity and quality of documents and information systems, and of the information contained in them, are safeguarded by appropriate procedures and information security arrangements, taking into account the significance and purpose of the information, the threats directed at documents and information systems, and the costs arising from information security measures (section 18(2)(4) of the Act).
The Decree on Information Security, issued by the Government on 1 July 2010 based on the Act on the Openness of Government Activities, is applied to central government authorities. Central government organisations refer to central government administrative authorities and other central government agencies and institutions as well as courts of law and other judicial authorities (section 3(1)). The Decree repealed sections 2 and 3 of the Decree on the Openness of Government Activities and on Good Practice in Information Management (1030/1999; hereinafter the Openness Decree).
The Decree on Information Security came into force on 1 October 2010. It contains provisions on a transition period, according to which public authorities must bring their data processing into line with the base-level information security requirements prescribed in section 5 of the Decree within three years of the Decree having come into force, i.e. by 30 September 2013. The Decree lays down provisions on general information security requirements and on the levels of security classification, including requirements for the processing of documents at each classification level. It is worth noting that in the Decree the term "document" also covers information material saved in electronic form or otherwise saved as a technical record. Secret documents in particular are subject to regulation (Decree on Information Security, section 8 and section 9(2)).
The classification of documents is not compulsory under the Decree. Each authority must decide whether and when to introduce classification. The processing requirements that follow from classification must be implemented within five years of classification being introduced. Authorities may apply classification to certain documents only, or only to those stages of document processing where measures are necessary to protect the interest in question (Decree on Information Security, section 8(1)).
Planning the introduction of document classification is important. Classification should facilitate the exchange of secret information between authorities. It is particularly recommended therefore that classification be implemented in public authorities that either receive secret documents from other authorities or transfer secret documents to other authorities regularly and in high volume.
Government agencies should ensure that all of the base-level information security requirements prescribed in section 5 of the Decree on Information Security are fulfilled within the three-year transition period prescribed in the Decree. A preparatory survey related to this must be initiated during autumn 2010.
To implement security requirements and, more generally, the good information management practice prescribed in the Openness Act, it is important for each authority to ensure that
- an inventory of the documents in the public authority's control has been made, the significance of the information contained in those documents has been assessed in the manner prescribed in section 1 of the Openness Decree, an analysis of operational information security risks has been made, and the implementation of information security has been planned (Decree on Information Security, section 4 and section 5(1)(1));
- the authority has at its disposal sufficient expertise to safeguard information security, and the tasks and responsibilities relating to the management of information security are defined;
- tasks and responsibilities relating to document processing are defined, and that the confidentiality and other protection of documents and the information contained therein are safeguarded by granting access to documents only to those who need secret information or personal data recorded in personal data files in their work;
- the availability and accessibility of information in different situations is safeguarded and procedures are created to overcome exceptional situations; unauthorised manipulation and other unauthorised or inappropriate processing of information is prevented through appropriate and sufficient security arrangements and other measures concerning access management, access monitoring, information networks, information systems and information services;
- document data processing and storage facilities are adequately monitored and protected;
- the reliability of personnel and others engaged in document processing tasks is ensured if necessary through the background check procedure or other available means based on law;
- guidelines and training on the appropriate processing of documents and the information contained therein are given to personnel and others engaged in document processing tasks;
- compliance with given instructions is monitored and the need for instructions to be updated is regularly assessed;
- arrangements are made to ensure that the prescribed information security requirements are also observed when the public authority’s documents are processed based on a contract, for example within data processing service companies (Decree on Information Security, section 6);
- care is taken to ensure that officials understand the significance of classification markings, and that these markings do not release the public authority from its duty to consider, case by case, the openness of a document and whether access to it is in accordance with the Openness Act and its case law whenever information is requested on the basis of the Openness Act.
The Decree on Information Security and these Instructions are an important part of the implementation of the Government Resolution on Enhancing Information Security in Central Government, dated 26 November 2009.
These Instructions replace earlier VAHTI instructions, namely Information security instructions for the processing of government data VAHTI 2/2000 and Instructions for processing sensitive international data VAHTI 4/2002, and are significantly more comprehensive than the latter.