CSC comments on the risk management of communication networks and information systems in its statement

CSC has issued a statement on the Finnish Government's proposal for amending acts related to the European Union Directive on security of network and information systems.

Network and information system risks should be brought under control, and deviations reported

The Government proposes adding provisions to the Information Society Code that would oblige service providers in a key role for society's functions to manage the risks associated with the communication networks and information systems they use, and to notify the supervisory authority, and in certain cases the public, of significant information security deviations.

These obligations would apply to providers of electronic marketplaces, search engines and cloud services. The acts would not specify how risk management is to be implemented; in this respect, each actor could choose the methods of controlling information security risks best suited to its business, systems and other risk management efforts.

The Government proposal would also contain a provision on the supervisory authorities' right to engage in the cooperation required to supervise compliance with the information security obligations and, if necessary, to exchange secret information. The acts would further oblige the supervisory authorities to notify other EU Member States of an information security deviation where it has significant impacts on the provision of key services in the Member State in question.


CSC stresses risk management

A precondition for promoting digitalisation as required under the Government Programme is that the operational capability of key ICT services is ensured by flexible and effective methods in all circumstances. CSC notes in its statement that there are extremely sound reasons for updating and renewing the list of key services for society. It would also be justified to extend the obligations under the Information Society Code to everyday ICT service providers: major downtime in the daily ICT services provided for citizens, companies and the public administration causes serious disruptions affecting the whole country.

CSC also calls for risk management, and certain minimum risk management criteria, in order to safeguard information security under the Information Society Code.

– The aim of the central government's current security requirements is good, but the statutes and guidelines are fragmented, rigid and difficult to implement. Several hundred overlapping requirements are in place. Risk management is a good starting point for ensuring information security. However, it is important to set certain minimum criteria for risk management, which include sufficiently extensive risk identification and mitigation as well as the assignment of responsibilities for the mitigation measures. Good information security practices (including VAHTI) are a good reference for sufficient risk management. Having their information security management certified is one way in which service providers can prove that they are following good information security practices, says Urpo Kaila, CSC Head of Security.

Safety mechanisms for confidential data, small actors not to be excluded

CSC considers that safety mechanisms to prevent inappropriate disclosure of secret information should be included in the proposed amendments to the Information Society Code.

Kaila also notes that the Information Society Code should lay down the conditions under which secret information may be shared between EU Member States, ensuring that neither confidential information belonging to the Government or companies nor citizens' data protection is put at risk.

According to CSC, security requirements should be applied flexibly so as not to hamper smaller actors' development or market entry. Protection measures should also be proportionate to the importance of the object being protected, that is, to the consequences should a data leak or service downtime occur.

The EU Directive on security of network and information systems (the NIS Directive) entered into force in August 2016, and the Member States must transpose its provisions into their national legislation by May 2018.

CSC actively seeks to participate in societal debate and to influence national and international operating conditions that are highly significant for the company or its stakeholders. Among other things, CSC issues statements on legislative proposals and reports. A key goal of this advocacy is to promote the competitiveness of Finnish research.

– By responding to requests for statements, CSC wishes to share its special expertise for the benefit of research, education and the entire Finnish society, says Irina Kupiainen, Programme Director at CSC.