VAHTI 2b/2012 Requirements for ICT Contingency Planning

To Government Ministries and Agencies

INSTRUCTIONS ON REQUIREMENTS FOR ICT CONTINGENCY PLANNING

The objective of the Ministry of Finance’s Instructions on Requirements for ICT Contingency Planning is to enhance and harmonise ICT contingency planning within the ministries and organisations in their administrative branches. According to the Government Resolution on Enhancing Information Security in Central Government (26 November 2009), one of the development priorities is preventive measures and contingency planning. According to the Decree on Information Security in Central Government (681/2010), which came into force on 1 October 2010, every central government organisation must achieve the base level of information security by 30 September 2013. The base level of information security includes procedures in exceptional situations.

These instructions are directed at public sector actors as well as companies in a service agreement relationship with the public sector. The purpose of the requirements is to harmonise key functions with respect to the contingency planning of both the public sector and the private sector. This improves the capacity of services provided and accessed via electronic networks to withstand disruptions and promotes the continuity and recovery of services in exceptional situations. These instructions enhance organisations’ contingency planning for information security and cyber threats.

Central government organisations must take into account the ICT contingency planning requirements outlined in these instructions. The requirements should be extended to the central government’s internal and external service providers. In procurement preparations and calls for tender concerning individual systems, it is essential to take into account contingency planning requirements.

Guided by the ministries, the administrative branches and agencies should specify for each organisation, service and system the level of contingency they require. Organisations should establish a timetable for the implementation of services in accordance with the contingency levels as well as the adequate resourcing of implementation as part of normal operational and financial planning.

Updated: 9.6.2020