Development of digital and cyber security in public administration
The tasks of the Ministry of Finance include the general development of information security in public administration. In this role, the Ministry of Finance participates in processes such as the development of the national cyber security strategy and the development of information and cyber security legislation (including emergency powers legislation, information system assessment legislation and the national implementation of the EU’s cyber security directive (NIS2)).
In recent years, the development focus areas have included, for example, the development of incident management and contingency planning in the shared ICT services as well as the improvement of information security and data protection in the critical sectors of society (Titukri).
The Ministry of Finance develops, together with other authorities, the establishment of cyber security situation awareness in public administration and supports the development and use of the Digital and Population Data Services Agency’s digital security and information services, such as:
- Digital Security Overview Service
- Digital Security Risk Management Information
- Digital Security Barometer
Finland’s Cyber Security Strategy 2024–2035 will make cyber security a more integral part of Finland’s concept for comprehensive security. The strategic objectives and development proposals described in the strategy cover the key goals and needs for development relating to digital and cyber security in public administration. The strategy’s implementation plan will include significant measures and objectives relating to the improvement of cyber security in public administration. Digital and cyber security in public services are promoted through the measures defined in the implementation plan for Finland’s Digital Compass, specifically under the objective ‘Comprehensively secure public services.’
In 2020–2023, digital security in the public sector was promoted in the Haukka project described in the 2020–2023 implementation plan of the Government Resolution on digital security. The project improved digital security skills and awareness with the aid of exercises, training and digital security events, enhanced strategic work related to digital security and the management of strategic digital risks, created concrete tools for digital security development and carried out pilot projects to improve digital and cyber security, especially in municipalities.
The Haukka project’s final report and its appendix, the Haukka project’s impact assessment report, describe the project results and their impacts in more detail.
International cyber and digital security cooperation in the public sector focuses on cooperation with the EU, NATO and the OECD and interaction with the international research community.
Reports and other publications
International comparison of digital security
The Ministry of Finance commissioned an international comparison report for the development of digital security in public administration. The report examined the steering, duties, structures, risks and resources of digital security in Australia, Estonia, Germany, Israel, the Netherlands, Russia, Sweden and the United Kingdom, comparing them to Finland.
Comparative information was collected from the reference countries’ public documents on the basis of questions drawn up by the Ministry of Finance and the report compiler. The comparison tapped into international assessments of digitalisation progress, cyber security and preparedness for change. The comparison has been used as one source in the preparation of the principles for developing digital security in public administration and, in the future, it will be used in planning and implementing development actions.
Digital security cost effectiveness report
The Ministry of Finance analysed the cost effectiveness in digital security. The report proposes that the assessment of cost effectiveness in digital security would be based on agencies’ annual risk assessments as well as operational indicators. Risk assessments would include the assessment of each significant risk also from the digital security perspective by describing the likelihood and impacts of the risk, the potential losses caused by the realisation of the risks as well as protection measures and their effects on the risk.
The aim is to allocate digital security investments on the basis of the risk analysis in order to prevent material risks. The operational indicators would measure goals, the benefits of which cannot be assessed in euros.
Results of municipalities' digital security risk survey
In autumn 2020, the Ministry of Finance conducted a risk survey about municipalities’ digital security. A total of 73 municipalities responded. On the basis of the answers, municipalities’ most significant digital security risks were associated with the management of extensive information security breaches and the potentially resulting special personal data leaks as well as the responsible management’s failure to carry out risk management measures identified through risk management. The risks assessed as having the most significant impacts were security risks related to data recovery after incidents, to lack of practising for incidents and to the processing and transfer of data in critical information pools. The report proposed measures to mitigate risks.
Report on the current state and development needs of digital security assessment activities
In the Haukka project, the Ministry of Finance analysed the current state and development proposals of digital security assessment. The report describes challenges identified in the digital security assessment in public administration and proposes related corrective development measures. The security of digital services in public administration requires more comprehensive security thinking. The Act on the Assessment of the Information Security of Public Authorities’ Information Systems and Telecommunications Arrangements (1046/2011) focuses on the assessment of technical information security. However, the determination of sufficient level of security requires that minimum requirements are set for all aspects of digital security and they are used as a basis for defining a set of criteria that makes it possible to reliably determine the fulfilment of the minimum requirements or other compliance.
Preliminary study for creating a set of assessment criteria for digital security in public administration
The Ministry of Finance’s Haukka project analysed the bases for assessment criteria of digital security in public administration. The set of criteria used in assessing the security of public administration information systems and services should define the minimum criteria for all aspects of digital security, used for assessing the services. In addition, the set of assessment criteria would describe in what situations, in response to what risks, on what bases and in what aspects of digital security criteria that exceed the minimum level would be needed. It should also describe these situations, risks, bases and criteria. The assessment criteria should be equally suitable for assessments during service development, the verification of requirements set for the service in the purchasing phase and in-use assessments. As the use of self-learning and independently developing systems is expanding, assessment criteria for these systems are also required.
Preliminary study for a state-municipality cooperation model for digital security
The Ministry of Finance’s Haukka project analysed a state-municipality cooperation model for digital security. The preliminary study shows that, in the current state, digital security cooperation between the state and municipalities is built in many different ways and a clear cooperation model is missing. One of the Haukka project’s follow-up tasks is to create a state-municipality cooperation and management model for digital security. Related to this, it is also examined how to arrange government officials’ and regional administrative authorities’ support for municipalities in digital security development and incidents. As the provisions related to wellbeing services counties have entered into force, an analysis is also made of a state–wellbeing services county–municipality cooperation model for digital security as well as of support provided to wellbeing services counties in implementing digital security operating models.
Public administration's digital security architecture
The Ministry of Finance’s Haukka project assessed the current state of public administration’s digital security architecture and prepared development proposals. On the basis of the report, both the assessment of digital security maturity and the concept and implementation of the digital security architecture are challenging. The fast development of digitalisation, the varying definitions of “digital security” and “digital security architecture” and the scarcity of experts influence the overview of the state of digital security. It is proposed that the concepts of “digital security” and “digital security architecture” are made clearer. To support the planning of the digital security architecture content, the report proposes using the widely known NIST Cybersecurity Framework, aiming at improving the cyber security of critical infrastructure. Another proposal is that the assessment of public administration’s digital security maturity should be carried out regularly. A key goal is to ensure continuity management and the management of risk and threat identification. All municipalities should achieve at least level 3 in digital security maturity by the end of 2023.
Summary report of public Digiturvakompassi podcasts
The Haukka project, aimed at developing digital security in public administration, created a summary of the key content of the #digiturvakompassi podcasts number 1–21 published in 2020–2021. The podcast guests were asked about various things, such as their views on trust and how it could be maintained and developed with regard to digital security. A key aspect that was highlighted was societal trust towards institutions and organisations, which authorities must build and foster. The podcast guests also had numerous tips for ensuring digital security in one’s own life. The guests especially emphasised having the right kind of attitude towards acting in the digital world and the challenges one faces there as well as increasing understanding at the practical level.
Report on international assessment legislation related to digital security
The Haukka project, aimed at developing digital security in public administration, analysed international assessment legislation related to digital security, audit arrangements and standards used in activities. The reference countries were Denmark, Sweden, Estonia, Germany, the Netherlands and Singapore. On the basis of the report, these countries, including Finland, have no consistent legislation in this area, apart from the EU regulation. Instead, they apply varying practices. The report proposes that, in the future, information systems and services would be assessed regularly during their life cycle and it would be ensured that the assessment criteria would be in line with international standards. It is also proposed that, in addition to assessment institutions, individuals participating in assessment activities would also be certified; however, taking into account that this kind of certificate does not replace experience in assessment activities and technical information security, for example.
Digital security service roadmap for municipalities
One of the tasks of the Haukka project is to maintain a roadmap for the development of digital security in municipalities and monitor the roadmap’s implementation. The Digital and Population Data Services Agency is responsible for creating the roadmap and, to support the roadmap work, the Ministry of Finance has established a coordination group for services that promote digital security and are intended for municipalities. The members of the group come from ministries, agencies, municipalities and communities that are responsible for arranging, developing and producing the services. On 1 February 2022, the first plan of the roadmap was published.
Report on an organisation’s information security tasks and how to organise them
The Haukka project, aimed at developing digital security in public administration, analysed organisations’ digital security tasks and how to organise them. The report is intended especially for wellbeing services counties and municipalities to support them in meeting their security obligations. On the basis of the report, in spring 2021, Kunta–valtio-jalostamo (Municipality-state idea refinery) started the more detailed description of the tasks covered by the report, as part of the implementation of the public governance strategy.
International comparison of digital security cooperation and management models
The Haukka project, aimed at developing digital security in public administration, prepared an international comparison of digital security cooperation and management models. It assessed the organisation and centralised tasks of digital security in Australia, Estonia, Germany, Israel, the Netherlands, Russia, Sweden and the United Kingdom, comparing them to Finland. Each reference country has established a centralised cyber security organisation responsible for digital security and cyber security tasks that serve the entire society. In Australia, the Netherlands and the United Kingdom, the cyber security organisation is part of a centralised security agency. In Israel, the centralised organisation operates directly under the Prime Minister. In Germany, it operates under the Federal Ministry of the Interior. In Estonia, it operates under the Ministry of Economic Affairs and Communications. The tasks of the centralised organisation include, for example, managing cyber security incidents (CERT and CIRT activities), overseeing information networks, operating a 24/7 situation centre as well as creating and sharing a cyber security threat assessment. They also provide guidance, create digital operating environment security guidelines for administration, companies and private individuals and support other authorities in resolving and investigating cyber security incidents.
Pilot project for the impact assessment of digital security guidelines/recommendations
The Haukka project, aimed at developing digital security in public administration, piloted the impact assessment of digital security guidelines and recommendations. For the pilot project, an impact assessment framework was created for guidelines/recommendations. It was found to be very suitable for the impact assessment in question. It was observed that the four recommendations/guidelines assessed in the pilot project had impacts on digital security in public administration.
Interview report on digital security services targeted at municipalities
One of the goals of the Haukka project, aimed at developing digital security in public administration, was to develop digital security services targeted at municipalities. To develop the services, interviews were conducted among municipal representatives of the coordination group of municipalities’ shared digital security services, set up by the Ministry of Finance, and also some municipality-owned ICT companies. The interviews analysed the needs for digital security services, the needs associated with their purchasing and deployment as well as the roles of different parties in the provision of the services. The linked report was written on the basis of the interviews.
Preliminary study for an information pool in a digital operating environment
The Ministry of Finance’s Haukka project analysed the management of description data related to a digital operating environment. Pursuant to the Act on Information Management in Public Administration, information management entities must maintain an information management model which describes information management needed in taking care of the tasks of the authorities operating in the information management entity. The information management model forms a part of the information basis used in describing the activities. The activities use and contribute to developing information systems, data networks, software and their connections. These form a digital asset entity. Describing this entity makes it possible to carry out profitable operations and promotes efficient recovery from incidents, for example. In this preliminary study, this entity is called an information pool in a digital operating environment.
Report on cooperation and management models for digital security in public administration
The Ministry of Finance’s Haukka project analysed the current state, desired state and key proposals and development needs of digital security cooperation in public administration. In the current state, cooperation is limited by the culture of cooperation, limited resources and skills, the availability, adoptability and usability of secure services, and the legislative and technical restrictions on sharing and using information. In the future, cooperation in digital security will require stronger skills and more uniform modes of operation, as well as stronger strategic, normative, resource and information guidance. The key obligations and joint modes of operations related to digital security must be mandatory. The definition and development of digital security services must be implemented jointly. The permanent URL address of the publication is http://urn.fi/URN:ISBN:978-952-367-201-7.
Use of machine learning in technical monitoring of digital security
The Ministry of Finance’s Haukka project prepared a report on the use of machine learning in technical monitoring of digital security. The report provides a general overview of what machine learning is about and how such technology can be used for technical monitoring of digital security. The report also describes the legislation affecting the utilisation of machine learning, the opportunities and risks of technology, the direction in which machine learning is going and what matters should be taken into account especially when purchasing machine learning systems.
More information:
Tuija Kuusisto, Information Management Counsellor
Ministry of Finance, Public Administration Information and Communications Technology Department, Unit for the Steering of Services and Security, Telephone: 0295530065, Email address: [email protected]