Information security of networks and services
This page contains information on the steering and supervision concerning legal obligations imposed on players.
Besides legislation, regulations, recommendations and supervision decisions, cooperation and exchange of information play a key role in the steering of information security.
Information on FICORA's information security services focusing on cooperation and exchange of information can be found in the section Information security.
Requirements for the information security of network and communications services are laid down in law. If necessary, FICORA makes the legislation more specific with binding technical regulations. FICORA supervises network and communications services to ensure that they meet the minimum requirements of acts and regulations. In addition to acts and technical regulations, FICORA issues recommendations, guidelines and working group reports. As part of its technical supervision, FICORA monitors, if necessary, international standardisation groups and other international development.
Examples of electronic communications networks and public communications services provided in them, pertaining to FICORA's supervision responsibilities, are
- fixed and wireless telephone and data networks
- telephone service text and multimedia services
- internet access services, i.e. broadband services based on different technologies (e.g. xDSL, cable modem, ethernet/optical fibre, mobile data, WiMax, WLAN)
- email, VoIP and instant messaging services provided via internet access
- terrestrial television and radio networks
- cable television and IPTV
- transmission and distribution of television and radio programmes in mass communications networks
Obligations related to technical supervision often concern the way a network or a service is implemented. They can concern, for example, information security measures, such as traffic filtering.
Supervision surveys of telecommunications operators
FICORA surveys telecommunications operators in writing. The purpose of the surveys is to examine how the operators meet the requirements laid down in provisions and regulations in their own operations. The surveys are detailed and are usually limited to certain topics. On the basis of the replies, FICORA can
- provide telecommunications operators with information on good practices
- impose obligations on operators to repair defects
- target supervision and guidance
- assess the needs to amend regulations
- produce general, public information on networks and services
The purpose of technical inspections is to ensure that communications networks and services of telecommunications operators are implemented as required by provisions. An inspection can be a general inspection or it can focus on a defined topic.
If necessary, an inspection can also be carried out in order to resolve a single complaint. An agreement on inspections is usually made in advance. Telecommunications operators may have to submit a preliminary clarification before the inspection. FICORA can commission an independent expert of its choice to carry out an information security audit.
Both the actual systems used for service provision and the systems supporting the provision are subject to inspection. A record of the inspection is drawn up and, if necessary, the telecommunications operator subject to the inspection is obliged, by a separate decision, to repair the defects.
FICORA may investigate the operations of telecommunications operators on its own initiative or on the basis of a complaint. Based on its investigation, FICORA may oblige a telecommunications operator to change its operations or procedures.
By its decision, FICORA cannot require that an individual customer's communications service be repaired within a certain time. The decision can only be used for resolving whether the operations of the telecommunications operator have been in accordance with provisions. If necessary, FICORA can prohibit the unlawful operations or, in extreme cases, oblige the telecommunications operator to disconnect from the network a device or subscription that causes information security disturbances. Instead, the customer may be entitled to a standard compensation or some other kind of compensation due to a violation of contract. Disputes concerning compensation are settled by a general court of law. Consumer customers can also contact the Consumer Disputes Board.
FICORA's decisions concerning information security may be appealed to the Administrative Court. The decision must be complied with despite any appeal unless the Administrative Court orders otherwise.
According to law, telecommunications operators are obliged to notify FICORA, on their own initiative, of significant information security violations and threats concerning communications networks and services. The obligation to notify concerns both communications network operators and communications service operators.
In addition to the investigation of information security violations and the situational picture of disturbances, the information provided by telecommunications operators is used for developing provisions and for monitoring systems used by telecommunications operators.
Public authority networks mean communications networks built for the needs of government measures and state security, military defence, public order and security, border control, rescue activities, maritime rescue activities, emergency centre activities, immigration, first aid services, railway security, or civil defence.
Because the set of users using public authority networks is subject to prior restriction, the networks are not public telecommunications.
Public authority networks may be incorporated into telecommunications operators' general communications networks. Thus, according to the Information Society Code, they must not cause information security disturbances in general communications networks and services.
FICORA is responsible for accrediting information systems processing international classified information. Governmental systems that relate to the fulfilment of international information assurance obligations, and the systems of companies participating in international invitations for tender requiring accreditation of a National Communications Security Authority, fall within the scope of the accreditation process. Auditing activities related to the accreditation process are subject to a charge and accreditation is valid for a limited period.
The obligations of players processing international classified information are laid down in the Act on International Information Security Obligations.
In addition, FICORA is responsible for assessing, at an authority's request, whether the information security of the authority's information systems or telecommunications arrangements complies with requirements. Authorities within the public administration must have the information security of their information systems and telecommunications arrangements assessed only by FICORA or an inspection body accredited by it.
The obligations concerning players processing information produced by authorities are laid down in the Act on the Assessment of the Information Security of Public Authorities' Information Systems and Telecommunications Arrangements.
Information Society Code (917/2014) Chapter 29 Quality Requirements for Communications Networks and Communications Services, Chapter 33 Management of Information Security and Interference and Related Notifications, and Chapter 35 Preparedness
Act on International Information Security Obligations (588/2004, in Finnish)