VAHTI 5/2009 Effective Information Security

Executive summary

The Government Information Security Management Board (VAHTI) has produced for the central government’s use comprehensive instruction and recommendation material over the entire field of information security. These summarised instructions serve as a manual and as a link to the more extensive instructions and present their main elements in condensed form. Moreover, these instructions emphasise the management perspective, management and supervisor responsibility as well as information security planning. Their purpose is to give the management of central government organisations, and particularly their senior information management staff and security and information security personnel, together with people otherwise working in the said tasks, instructions for managing information security as part of their own work.

These instructions have been written primarily for central government use, but they are for the most part also applicable to other organisations. Information security has been described as an entity that includes operational processes and people as well as the security and safeguarding of information material and information systems. The main elements are people, processes, information material, information technology and availability of information. Policy, instructions, training and the consequent common understanding and operating practices that arise are the cornerstones of an organisation’s good information security culture.

An organisation’s internal data processing, production and customer service depend on the confidentiality, integrity and availability of the information behind them, namely on information security. A breach of information security can undermine an organisation’s operational reliability and interrupt or prevent the provision of services used both internally and externally. Without information security measures, as well as backup measures created in advance, the electronic services and activities provided by society cannot be guaranteed in a normal situation nor, in particular, in the event of serious disruptions or emergency conditions.

It is the task of the management, as part of their own management work, also to ensure the information security of their organisation’s operations. Part of the management process should be to ensure that the level of information security and risk management corresponds to the targets set for them and that sufficient maintenance and development resources have been allocated to information security functions. Attention should also be paid to the wellbeing of employees, because a high level of security can be achieved only by an organisation where employees are well motivated in their work.

The management develop and strengthen the principles of their organisation’s information security and risk management. In addition, measures should be taken to ensure that management receive regular reports on the organisation’s information security situation and events as well as on any corrective measures arising from them.

This publication gives an overall picture of what an information security management system created on the basis of an information security and risk management system, and supporting good information management practice, should be like and how it should operate. With the aid of an information security management system, an organisation can ensure the achievement of both its own and the Government’s targets in accordance with the resolution on central government information security and other guidelines, general information principles and statutes, as well as instructions given by the Ministry of Finance. The most important objective of VAHTI activity and instructions is to enhance central government information security.

The VAHTI instructions support organisations in the planning, implementation and maintenance of information security as well as in preparing the necessary documents.

Updated: 8.6.2020