Significant violations of information security
- Data and the authentication data related to user IDs are known only by authorised parties.
- Unauthorised alteration of data is not possible. Third parties are not able to tamper with information systems.
- The service and the data contained are available to those who are authorised to access them.
When assessing the significance of an information security violation or another event, the adverse effects of the event or the severity of the information security threat must be examined. The following should always be protected, and any information security incidents in them are to be considered significant:
- services provided by the domain name registrar itself, as well as the information and communication systems employed in providing the services
- information security, protection of personal data and business secrets of the customers of the domain name registrar
- the Finnish fi-root administered by FICORA (following a violation of information security that directly or indirectly affects a domain name registrar).
Repeated, exceptionally lengthy or obviously deliberate action with a negative impact on a domain name registrar's ability to ensure the information security of its operations is also to be considered significant. In addition, an incident is to be considered significant if it is not possible to eliminate it through actions taken by the domain name registrar only.
The list of information security violation types below is not exhaustive. Its purpose is to clarify the severity level of the reporting threshold. Minor information security violations and threats of such violations may also be notified to FICORA if it is considered necessary.
Significant information security incidents that should be notified to FICORA include the following:
Hacking of the information systems of a domain name registrar
- unauthorised access to the system of a domain name registrar
- vulnerability or configuration error in the system of a domain name registrar that compromises information security.
Accidental disclosure of logins to third parties
- logins to FICORA’s systems falling into the hands of third parties.
- an opportunity to make unauthorised changes to domain names administered by a domain name registrar
- unauthorised changes made by the staff of the domain name registrar to FICORA’s domain name register
- unauthorised access to the self-service portal provided by the domain name registrar to its customers, intended for enabling customers to maintain the information related to their domain names.
- if the system of the domain name registrar is paralysed and/or customer access to the system is prevented
- the system failure affects the operation of FICORA’s system.
FICORA recommends that, at their discretion, domain name registrars notify FICORA also about minor violations of information security and threats of such violations. Such knowledge may be relevant in carrying out FICORA's other information security duties.
FICORA has the right, for instance, to undertake the necessary measures in order to detect, prevent, investigate and commit to pre-trial investigation any significant information security violations aimed at public communications networks or services using fi-domain names or their holders. FICORA may undertake these measures without consulting the domain name holder.
The necessary measures carried out by FICORA may be actions targeted at root fi name server data and may include the following:
- preventing and restricting traffic to the domain name
- rerouting traffic to the domain name to another domain name address
- any other comparable technical measures in the meaning of subsections 1–2.
Furthermore, FICORA's duties include:
- promoting the functionality, freedom from interference and security of telecommunications
- collecting information on violations of and threats to information security in respect of network services, communications services and added value services as well as on defects and interference situations in communications networks and services
- disseminating information security matters as well as communications network and service matters
- investigating violations of and threats to information security in respect of network services, communications services and added value services.