
For the public sector

The security requirements for IT systems are summarised in the Estonian Information Security Standard (E-ITS). It is a cybersecurity guide which, if followed, should protect public sector organisations from most cyber threats. RIA also offers a cyber test that it has developed. The test can be found on the Moodle platform, which is familiar to many. The purpose of the cyber test is to raise and maintain the cybersecurity awareness of employees.

The Estonian Information Security Standard (E-ITS) is a basis for handling information security. The standard is in Estonian and compatible with the Estonian legal framework. It is compliant with the internationally acknowledged ISO/IEC 27001 information security management standard. The purpose of the E-ITS is to develop and improve the level of information security of Estonian public authorities as well as private businesses. It also aims to make information security more manageable for smaller organisations.

All materials related to E-ITS can be found in the portal https://eits.ria.ee/.

Organisations obligated to implement E-ITS

All organisations performing public duties must implement the E-ITS standard. Companies, regardless of their size and technologies in use, can use the E-ITS to achieve their information security goals. The E-ITS, which has been adapted to Estonian circumstances, is in Estonian, and is fully supported by the Information System Authority, is also advisable for institutions that do not have a direct obligation to implement it but need to ensure information security.

What are the key benefits of implementing E-ITS in your organisation?

  • You ascertain the key objectives for your organisation and the processes needed to achieve them.
  • You know the assets associated with your processes and their real protection needs in terms of availability, integrity, and confidentiality, as well as the need to protect against cyber threats.
  • With well-organised information security that is integrated into all processes, you can focus on your core business operations and always be ready to respond adequately to attacks and other information security threats. You will also have the confidence that your organisation is operating in line with agreements and regulations.
  • You can demonstrate the security and sustainability of your organisation to your customers and partners with an auditor’s assessment.
  • A well-designed and sustainable information security process will ensure the continuity of services and a good reputation for your institution, as well as a competitive advantage among similar institutions (I am better than my neighbour).
  • By implementing the E-ITS, you contribute to the secure functioning of e-Estonia (one for all, all for one).

Important recommendations

  • Together with your manager, analyse the information security objectives of your organisation – why is information security important to you?
  • Review the business processes of your organisation, identify people responsible for the processes, identify assets associated with the business processes, find the appropriate security measures in the Estonian Information Security Standard, and implement them in each process.
  • Implement risk management in your organisation.
  • Monitor and improve the performance of the information security management system of your organisation regularly.
  • Plan the resources of your organisation with possible damage in mind, so that any consequences can be remedied or prevented.
  • Inform and train the managers and staff of your organisation regularly.
  • Update your information security management in the event of changes and major incidents within your institution!

Information security and senior manager

  • A senior manager is responsible for information security in the organisation because the senior manager sees the organisation as a whole, knows the objectives of the organisation, and understands what can threaten the achievement of the objectives in the course of business processes.
  • The attitude of the manager determines whether the organisation has sufficient resources for information security and whether information security is understood by everyone in the organisation, self-evident, popular, and inclusive.
  • Expensive security solutions will not make an organisation secure unless all employees contribute to the process. Supervision arranged by the senior manager is essential.
  • In the event of an incident, the role of the senior manager is to provide the public with relevant information, including communication with the media.

Additional information