NCSI FULFILMENT PERCENTAGE
Version 10 Jun 2019
GENERAL CYBER SECURITY INDICATORS
-
1. Cyber security policy development 7/7 100%77 100%
-
1.1. Cyber security policy unit 333
Requirements
CriteriaA central government entity (ministry or equivalent) has a specialised official or unit responsible for national cyber security policy development.
Accepted referencesOfficial website or legal act
Evidence
The Government Information Security Management Board (VAHTI) processes and coordinates the central governments's key information security and cyber security guidelines.
-
1.2. Cyber security policy coordination format 222
Requirements
CriteriaThe central government has a committee, council, working group, etc. for national-level cyber security policy coordination.
Accepted referencesOfficial website or legal act
Evidence
https://turvallisuuskomitea.fi/en/security-committee/the-security-committee-operation/
The Security Committee coordinates the implementation of the Cyber Security Strategy and its Implementation Programme. The Government Information Security Management Board (VAHTI) processes and coordinates the central governments's key information security and cyber security guidelines.
-
1.3. Cyber security strategy 111
Requirements
CriteriaThe central government has established a national-level cyber security strategy or other equivalent document.
Accepted referencesValid official document
Evidence
https://www.defmin.fi/files/2378/Finland_s_Cyber_Security_Strategy.pdf
The Security Committee in its meeting 12th March 2018 decided to update the current national Cyber Security Strategy. The new Strategy is expected to be completed in 2020.
-
1.4. Cyber security strategy implementation plan 111
Requirements
CriteriaThe central government has established an implementation plan to the national-level cyber security strategy or other equivalent document.
Accepted referencesValid official document or its enforcement act
-
-
2. Cyber threat analysis and information 5/5 100%55 100%
-
2.1. Cyber threats analysis unit 333
Requirements
CriteriaA central government entity has a national-level unit that is specialised in national strategic cyber threat situation analysis.
Accepted referencesOfficial website or legal act
Evidence
https://www.kyberturvallisuuskeskus.fi/fi/toimintamme/cert
https://www.finlex.fi/en/laki/kaannokset/2014/en20140917.pdf
Information Security Code, Section 304, points 7, 8, 10, 11
-
2.2. Public cyber threat reports are published annually 111
Requirements
CriteriaThe public part of the national cyber threat situation analysis is published at least once a year.
Accepted referencesOfficial public report
Evidence
Services of CERT-FI (Available only in Finnish). CERT-FI is part of NCSC-FI and Finnish Transport and Communications Agency, Traficom (https://www.finlex.fi/en/laki/kaannokset/2014/en20140917.pdf).
Document in Finnish, translation of this publication into English is in process. Annual public cyber threat reports are published in Finnish, Swedish and English annually.
-
2.3. Cyber safety and security website 111
Requirements
CriteriaPublic authorities provide at least one cyber safety and security website for cyber security and ICT professionals, and regular users.
Accepted referencesWebsite
-
-
3. Education and professional development 9/9 100%99 100%
-
3.1. Cyber safety competencies in primary or secondary education 111
Requirements
CriteriaPrimary or secondary education curricula include cyber safety / computer safety competences.
Accepted referencesOfficial curriculum or official report
Evidence
http://www.oph.fi/saadokset_ja_ohjeet/opetussuunnitelmien_ja_tutkintojen_perusteet/perusopetus
Transversal competences/ ICT competence (T5), general goals of basic education: “The pupils develop their ICT competence in four main areas: […] 2) The pupils are guided in using ICT responsibly, safely and ergonomically.”They learn to perceive its (ICT’s) significance, potential and risks in a global world.”
Special goals of grades 1-2/ ICT competence (T5): Responsible and safe use of ICT: “Together with the teacher, the pupils search for safe ways of using ICT and the related etiquette." Special goals of grades 3-6/ ICT competence (T5): Responsible and safe use of ICT: “The pupils are guided in responsible and safe use of ICT[…]” Special goals of grades 7-9/ ICT competence (T5): Responsible and safe use of ICT: “The pupils are guided to use ICT in way that is safe and ethically sustainable. They learn how to protect themselves from possible information security risks and how to avoid losing data. They are guided towards responsible activities by reflecting on, for example, the meaning of the concepts of information protection and copyrights and the potential repercussions of irresponsible and illegal activities.”
http://www.oph.fi/saadokset_ja_ohjeet/opetussuunnitelmien_ja_tutkintojen_perusteet/lukiokoulutus
-
3.2. Bachelor’s level cyber security programme 222
Requirements
CriteriaThere is at least one cyber security / electronic information security focused programme at Bachelor’s or equivalent level.
Accepted referencesAccredited study programme
-
3.3. Master’s level cyber security programme 222
Requirements
CriteriaThere is at least one cyber security / electronic information security focused programme at Master’s or equivalent level.
Accepted referencesAccredited study programme
-
3.4. PhD level cyber security programme 222
Requirements
CriteriaThere is at least one cyber security / electronic information security focused programme at PhD or equivalent level.
Accepted referencesAccredited study programme
Evidence
https://www.jyu.fi/it/en/research/doctoral_school
There is no data collected on PhD programs at program level. Also in the Finnish higher education system PhD programs are organized more broadly. For example University’s computer science PhD program may be disciplined-based and within the program it is possible to focus on cyber security on PhD studies and make dissertation on that area. Links include examples of such dissertation and research activities on the field. For example the aim of the University of Jyväskylä is to form nationally significant center of excellence in cybersecurity so cybersecurity is a significant priority also in PhD education.
-
3.5. Cyber security professional association 222
Requirements
CriteriaThere is a professional association of cyber/electronic information security specialists, managers or auditors.
Accepted referencesWebsite
-
-
4. Contribution to global cyber security 2/6 33%26 33%
-
4.1. Convention on Cybercrime 111
Requirements
CriteriaThe country has ratified the Convention on Cybercrime.
Accepted referencesOfficial website of the convention
-
4.2. Representation in international cooperation formats 111
Requirements
CriteriaThe government is regularly represented in a cooperation format that is dedicated to international cyber security (e.g. FIRST).
Accepted referencesOfficial website of the cooperation format
Evidence
http://www.egc-group.org/contact.html
The government is regularly represented in a cooperation format that is dedicated to international cyber security (e.g. FIRST, EGC and Nordic Cyber Cooperation).
-
4.3. International cyber security organisation hosted by the country 003
Requirements
CriteriaA regional or international cyber security organisation is hosted by the country.
Accepted referencesOrganisation’s official website
Evidence
-
4.4. Cyber security capacity building for other countries 001
Requirements
CriteriaThe country has (co-)financed or (co-)organised at least one capacity building project for another country in the last 3 years.
Accepted referencesOfficial website or project document
Evidence
-
BASELINE CYBER SECURITY INDICATORS
-
5. Protection of digital services 4/5 80%45 80%
-
5.1. Cyber security responsibility for digital service providers 111
Requirements
CriteriaAccording to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.
Accepted referencesLegal act
-
5.2. Cyber security standard for the public sector 001
Requirements
CriteriaPublic sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.
Accepted referencesLegal act
Evidence
-
5.3. Competent supervisory authority 333
Requirements
CriteriaThe government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.
Accepted referencesOfficial website or legal act
-
-
6. Protection of essential services 0/6 0%06 0%
-
6.1. Operators of essential services are identified 001
Requirements
CriteriaThere is a legal act that allows to identify operators of essential services.
Accepted referencesLegal act
Evidence
-
6.2. Cyber security requirements for operators of essential services 001
Requirements
CriteriaAccording to the legislation, operators of essential services must manage cyber/ICT risks.
Accepted referencesLegal act
Evidence
-
6.3. Competent supervisory authority 003
Requirements
CriteriaThe government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.
Accepted referencesOfficial website or legal act
Evidence
-
6.4. Regular monitoring of security measures 001
Requirements
CriteriaOperators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).
Accepted referencesLegal act
Evidence
-
-
7. E-identification and trust services 9/9 100%99 100%
-
7.1. Unique persistent identifier 111
Requirements
CriteriaThe government provides a unique persistent identifier to all citizens, residents, and legal entities. For example, the identifier remains the same after document expiration and name change.
Accepted referencesLegal act
Evidence
https://www.finlex.fi/fi/laki/ajantasa/2009/20090661
Population Information Act (Section 11) (in Finnish) includes decrees about citizen personal identification
http://vrk.fi/en/population-information-system
More information is available in the pages of Population Register Center
https://www.finlex.fi/en/laki/kaannokset/2001/en20010244.pdf
Business Information Act includes decrees on legal entity identification:
-
7.2. Requirements for cryptosystems 111
Requirements
CriteriaRequirements for cryptosystems in the field of trust services are regulated.
Accepted referencesLegal act
Evidence
https://www.finlex.fi/data/normit/42947/M72A-2018-EN-v2.pdf
Section 7 Encryption requirements of the identification scheme and interfaces
-
7.3. Electronic identification 111
Requirements
CriteriaElectronic identification is regulated.
Accepted referencesLegal act
Evidence
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN
https://www.finlex.fi/en/laki/kaannokset/2009/en20090617.pdf
Act on Strong Electronic Identification and Electronic Signatures (Amends are not included in translation)
https://www.finlex.fi/fi/laki/ajantasa/2009/20090617
Amended and the current version of the Act
-
7.4. Electronic signature 111
Requirements
CriteriaE-signature is regulated
Accepted referencesLegal act
Evidence
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN
https://www.finlex.fi/en/laki/kaannokset/2003/en20030013.pdf
Act on Electronic Services and Communication in the Public Sector
-
7.5. Timestamping 111
Requirements
CriteriaTimestamping is regulated.
Accepted referencesLegal act
-
7.6. Electronic registered delivery service 111
Requirements
CriteriaElectronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.
Accepted referencesLegal act
-
7.7. Competent supervisory authority 333
Requirements
CriteriaThere is an authority responsible for the supervision of qualified trust service providers.
Accepted referencesOfficial website or legal act
Evidence
https://www.traficom.fi/en/communications/cyber-security
https://www.kyberturvallisuuskeskus.fi/fi/luottamuksellinen-viestinta
"Traficom's Cybersecurity Center monitors that communications intermediaries implement their network and communications services in a secure manner, so that the confidentiality of communications is not compromised. In addition, the Center controls and monitors the compliance of communications brokers with the rights and obligations of the law in the handling of confidential communications."
-
-
8. Protection of personal data 4/4 100%44 100%
-
8.1. Personal data protection legislation 111
Requirements
CriteriaThere is a legal act for personal data protection.
Accepted referencesLegal act
-
8.2. Personal data protection authority 333
Requirements
CriteriaThere is an independent public supervisory authority that is responsible for personal data protection.
Accepted referencesOfficial website or legal act
-
INCIDENT AND CRISIS MANAGEMENT INDICATORS
-
9. Cyber incidents response 5/6 83%56 83%
-
9.1. Cyber incidents response unit 333
Requirements
CriteriaThe government has a unit (CSIRT, CERT, CIRT, etc.) that is specialised in national-level cyber incident detection and response.
Accepted referencesOfficial website or legal act
Evidence
https://www.kyberturvallisuuskeskus.fi/fi/toimintamme/cert
https://www.finlex.fi/en/laki/kaannokset/2014/en20140917.pdf
Information Security Code, Section 304
-
9.2. Reporting responsibility 001
Requirements
CriteriaDigital service providers and operators of essential services have an obligation to notify appointed government authorities of cyber security incidents.
Accepted referencesLegal act
Evidence
-
9.3. Single point of contact for international coordination 222
Requirements
CriteriaThe government has designated a single point of contact for international cyber security coordination.
Accepted referencesOfficial website or legal act
Evidence
https://ec.europa.eu/digital-single-market/en/implementation-nis-directive-finland
Finnish Communications Regulatory Authority (FICORA)
-
-
10. Cyber crisis management 3/5 60%35 60%
-
10.1. Cyber crisis management plan 001
Requirements
CriteriaThe government has established a crisis management plan for large-scale cyber incidents.
Accepted referencesLegal act
Evidence
-
10.2. National-level cyber crisis management exercise 222
Requirements
CriteriaThe government has conducted a national-level cyber crisis management exercise or a crisis management exercise with a cyber component in the last 3 years.
Accepted referencesExercise document/website or press release
Evidence
-
10.3. Participation in international cyber crisis exercises 111
Requirements
CriteriaThe country's team has participated in an international cyber crisis management exercise in the last 3 years.
Accepted referencesExercise document/website or press release
Evidence
-
10.4. Operational support of volunteers in cyber crises 001
Requirements
CriteriaThe procedures for using volunteers in the field of cyber security are established by legislation.
Accepted referencesLegal act
Evidence
-
-
11. Fight against cybercrime 9/9 100%99 100%
-
11.1. Cybercrimes are criminalised 111
Requirements
CriteriaCybercrimes are defined by legislation.
Accepted referencesLegal act
Evidence
https://www.finlex.fi/en/laki/kaannokset/1889/en18890039.pdf
Finland has implemented the European instrument on cybercrime and the resulting measures. Council Framework Decision 2005/222/JHA on attacks against information systems has been transposed into Finnish law. Finland has also transposed Directive 2013/40/EU on attacks against information systems. In that context the Criminal Code, especially chapter 38 concerning data and communications offences, was amended. These amendments came into force 4.9.2015. The Criminal Code (CC), especially Chapter 38 concerns data and communications offences. The following acts are criminalised therein: Computer break-in (Chapter 38, Sections 8 to 8(a)) and aggravated computer break-in (Chapter 38, Section 8); Aggravated interference with ommunications, petty interference with communications, interference in an information system and aggravated interference in an information system (Chapter 38, Sections 5 to 7(b)); Damage to data, aggravated damage to data and petty damage to data (Chapter 35, Sections 3(a) to 3(c)); Message interception and aggravated message interception (Chapter 38, Sections 3 and 4); Endangerment of data processing and an offence involving a system for accessing protected services (Chapter 34, Section 9(a) and Chapter 38, Section 8 (b)).
-
11.2. Cybercrime unit 333
Requirements
CriteriaThere is a government entity with a specific function of combatting cybercrime.
Accepted referencesOfficial website or legal act
Evidence
http://www.poliisi.fi/rikokset/kyberrikollisuus
The Cybercrime Centre was established 2015. Functions of the Centre are defined in decision made by National Police Board. This decision is restricted and not available in public.
The Cybercrime Centre in the National Bureau of Investigations (NBI) is established as a organized body to investigate cybercrime, but all police districts are also responsible for investigating cybercrime. The centre is responsible for international, organized, technically challenging and larger cybercrime cases. Police districts are responsible for all cases that have happened in their region. In addition to prevention of cybercrime, the new centre is involved in internet intelligence as well as conducting threat assessments. The Cyber Crime Prevention Centre generates and maintains an analyzed cybercrime situation picture and disseminates it as part of the Finnish combined situation picture.
-
11.3. Digital forensics unit 333
Requirements
CriteriaThere is a government entity with a specific function of digital forensics.
Accepted referencesOfficial website or legal act
Evidence
http://www.poliisi.fi/rikokset/kyberrikollisuus
All police districs have their own IT forensic groups. The ways districts have organised pre-trial investigation of cybercrime vary a lot. In many districts there are no specialised investigators. The Cybercrime Centre supports all police units with investigation of cybercrime, IT forensic examinations, intelligence on internet and international cooperation. The only Forensic laboratory is located in the NBI. The operations of the laboratory are based on a quality system compliant with the ISO 17025 standard. In order to optimise the processes, its operations extensively utilise laboratory automation and various information systems, for instance.
-
11.4. 24/7 contact point for international cybercrime 222
Requirements
CriteriaThe government has designated an international 24/7 contact point for cybercrimes.
Accepted referencesOfficial website or legal act
Evidence
- National Bureau of Investigation
- Ministry of Justice, International Affairs
-
-
12. Military cyber operations 6/6 100%66 100%
-
12.1. Cyber operations unit 333
Requirements
CriteriaMilitary forces have a unit (cyber command, etc.) that is specialised in planning and conducting cyber operations.
Accepted referencesOfficial website or legal act
-
12.2. Cyber operations exercise 222
Requirements
CriteriaMilitary forces have conducted a cyber operations exercise or an exercise with a cyber operations component in the country in the last 3 years.
Accepted referencesExercise document/website or press release
-
12.3. Participation in international cyber exercises 111
Requirements
CriteriaThe country's military team has participated in an international cyber operations exercise in the last 3 years.
Accepted referencesExercise document/website or press release
Evidence
Locked Shields, 8-12 April 2019
-
CONTRIBUTORS
Secretariat of the Security Committee
