VAHTI 5/2009 Effective Information Security
The Government Information Security Management Board (VAHTI) has produced for the central government’s use comprehensive instruction and recommendation material over the entire field of information security. These summarised instructions serve as a manual and as a link to the more extensive instructions and present their main elements in condensed form. Moreover, these instructions emphasise the management perspective, management and supervisor responsibility as well as information security planning. Their purpose is to give the management of central government organisations, and particularly their senior information management staff and security and information security personnel, together with people otherwise working in the said tasks, instructions for managing information security as part of their own work.
These instructions have been written primarily for central government use, but they are for the most part also applicable to other organisations. Information security has been described as an entity that includes operational processes and people as well as the security and safeguarding of information material and information systems. The main elements are people, processes, information material, information technology and availability of information. Policy, instructions, training and the consequent common understanding and operating practices that arise are the cornerstones of an organisation’s good information security culture.
An organisation’s internal data processing, production and customer service depend on the confidentiality, integrity and availability of the information behind them, namely on information security. A breach of information security can undermine an organisation’s operational reliability and interrupt or prevent the provision of services used by both internal and external services. Without information security measures as well as backup measures created in advance, the electronic services and activities provided by society cannot be guaranteed in a normal situation nor, in particular, in the event of serious disruptions or emergency conditions.
It is the task of the management, as part of their own management work, also to ensure the information security of their organisation’s operations. Part of the management process should be to ensure that the level of information security and risk management corresponds to the targets set for them and that sufficient maintenance and development resources have been allocated to information security functions. Attention should also be paid to the wellbeing of employees, because a high level of security can be achieved only by an organisation where employees are well motivated in their work.
The management develop and strengthen the principles of their organisation’s information security and risk management. In addition, measures should be taken to ensure that management receive regular reports on the organisation’s information security situation and events as well as on any corrective measures arising from them.
This publication gives an overall picture of what an information security management system created on the basis of an information security and risk management system, and supporting good information management practice, should be like and how it should operate. With the aid of an information security management system, an organisation can ensure the achievement of both its own and the Government’s targets in accordance with the resolution on central government information security and other guidelines, general information principles and statutes, as well as instructions given by the Ministry of Finance. The most important objective of VAHTI activity and instructions is to enhance central government information security.
The VAHTI instructions support organisations in the planning, implementation and maintenance of information security as well as in preparing the necessary documents.