Publications of the Ministry of Finance – 2021:8 Board Recommendation on the handling of classified documents Recommendation on the handling of classified documents Information Management Board Ministry of Finance Helsinki 2021 Publications of the Ministry of Finance 2021:8 Ministry of Finance © 2021 Authors and Ministry of Finance ISBN pdf: 978-952-367-512-4 ISSN pdf: 1797-9714 Layout: Government Administration Department, Publications Helsinki 2021 Finland Publication distribution Institutional Repository for the Government of Finland Valto julkaisut.valtioneuvosto.fi Publication sale Online bookstore of the Finnish Government vnjulkaisumyynti.fi https://julkaisut.valtioneuvosto.fi/ https://vnjulkaisumyynti.fi/ Description sheet 11 February 2021 Recommendation on the handling of classified documents Publications of the Ministry of Finance 2021:8 Subject Board Publisher Ministry of Finance Group Author Information Management Board Language English Pages 77 Abstract Under section 18 of the Act on Information Management in Public Administration, authorities operating in ministries, government agencies, public bodies and unincorporated state enterprises, along with courts of law and boards established to handle appeals shall security classify documents and mark them with a security classification to indicate the information security measures to be complied with when handling the documents. A security classification marking shall be applied if the document or information contained within it is secret on the basis of section 24, subsection 1, paragraphs 2, 5 or 7–11 of the Act on the Openness of Government Activities and the unauthorised disclosure or unauthorised use of the information contained in the document could prejudice national defence, preparedness for exceptional circumstances, international relations, combating of crime, public safety or the functioning of government finances and the national economy, or the safety of Finland in some other comparable manner. The purpose of the recommendation is to support the work of authorities which use the security classifications. The Information Management Board approved the recommendation on 11 February 2020, and this second, updated publication on 18 December 2020. Keywords Information Management Unit, Information Management Act, advisory boards, information management, public administration, responsibilities, definitions ISBN PDF 978-952-367-512-4 ISSN PDF 1797-9714 URN address http://urn.fi/URN:ISBN:978-952-367-512-4 http:// Kuvailulehti 11.2.2021 Suositus turvallisuusluokiteltavien asiakirjojen käsittelystä Valtiovarainministeriön julkaisuja 2021:8 Teema Lautakunnat Julkaisija Valtiovarainministeriö Yhteisötekijä Tiedonhallintalautakunta Kieli Englanti Sivumäärä 77 Tiivistelmä Julkisen hallinnon tiedonhallinnasta annetun lain 18 §:n mukaan valtion virastoissa, laitoksissa ja valtion liikelaitoksissa toimivien viranomaisten, tuomioistuimien ja valitusasioita käsittelemään perustettujen lautakuntien on turvallisuusluokiteltava asiakirjat ja tehtävä niihin turvallisuusluokkaa koskeva merkintä sen osoittamiseksi, minkälaisia tietoturvallisuustoimenpiteitä asiakirjaa käsiteltäessä noudatetaan. Turvallisuusluokkaa koskeva merkintä on tehtävä, jos asiakirja tai siihen sisältyvä tieto on salassa pidettävä viranomaisten toiminnan julkisuudesta annetun lain 24 §:n 1 momentin 2, 5 tai 7–11 kohdan perusteella ja asiakirjaan sisältyvän tiedon oikeudeton paljastuminen tai oikeudeton käyttö voi aiheuttaa vahinkoa maanpuolustukselle, poikkeusoloihin varautumiselle, kansainvälisille suhteille, rikosten torjunnalle, yleiselle turvallisuudelle tai valtion- ja kansantalouden toimivuudelle taikka muulla niihin rinnastettavalla tavalla Suomen turvallisuudelle. Suosituksen tavoitteena on tukea turvallisuusluokitusta käyttäviä viranomaisia. Tiedonhallintalautakunta hyväksyi suosituksen 11.2.2020, ja tämän toisen, päivitetyn julkaisun 18.12.2020. Asiasanat tiedonhallintalaki, tiedonhallintalautakunta, lautakunnat, tietoturva, julkinen hallinto, luokitukset, asiakirjat, tieto, suositus ISBN PDF 978-952-367-512-4 ISSN PDF 1797-9714 Julkaisun osoite http://urn.fi/URN:ISBN:978-952-367-512-4 http:// Presentationsblad 11.2.2021 Rekommendation om behandling av säkerhetsklassificerade handlingar Finansministeriets publikationer 2021:8 Tema Nämnder Utgivare Finansministeriet Utarbetad av Informationshanteringsnämden Språk Engelska Sidantal 77 Referat Myndigheter vid statliga ämbetsverk och inrättningar, statliga affärsverk, domstolar och nämnder som har inrättats för att behandla besvärsärden ska enligt 18 § i lagen om informationshantering inom den offentliga förvaltningen säkerhetsklassificera handlingar och förse dem med anteckning om säkerhetsklass som visar vilket slag av informationssäkerhetsåtgärder som ska vidtas vid behandlingen av dem. Anteckning om säkerhetsklass ska göras, om en handling eller informationen i den är sekretessbelagd enligt 24 § 1 mom. 2, 5 eller 7–11 punkten i lagen om offentlighet i myndigheternas verksamhet och om obehörigt avslöjande eller obehörig användning av handlingen kan orsaka skada för försvaret, för förberedelser inför undantagsförhållanden, för internationella relationer, för brottsbekämpningen, för den allmänna säkerheten eller för stats- och samhällsekonomins funktion, eller på något annat jämförbart sätt för Finlands säkerhet. Syftet med rekommendationen är att stödja myndigheter som använder säkerhetsklassificering. Informationshanteringsnämnden godkände rekommendationen den 11 februari 2020 och denna uppdaterade publikation den 18 december 2020. Nyckelord informationshanteringslagen, informationshanteringsnämnden, nämnder, informationssäkerhet, offentlig förvaltning, klassificeringar, handlingar, information, rekommendation ISBN PDF 978-952-367-512-4 ISSN PDF 1797-9714 URN-adress http://urn.fi/URN:ISBN:978-952-367-512-4 Contents 1 Introduction.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2 Points of departure for security classification.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.1 Basis for security classification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2 Assessment of security classification level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.3 International equivalence of security classification levels.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3 Marking the security classification level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.1 Marking methods.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.2 Removal and modification of marking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.3 Earlier classifications and markings.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4 Document handling requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 4.1 Registration and monitoring of document handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 4.1.1 Document registration and monitoring, security classification level IV (TL IV).. . . . . . . . . . . . . . . . . . . 22 4.1.2 Document registration and monitoring, security classification level III (TL III).. . . . . . . . . . . . . . . . . . . 23 4.1.3 Document registration and monitoring, security classification level II (TL II). . . . . . . . . . . . . . . . . . . . . 24 4.1.4 Document registration and monitoring, security classification level I (TL I).. . . . . . . . . . . . . . . . . . . . . . 25 4.2 Access to and receipt of documents.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.2.1 Access to documents.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.2.2 Measures on the part of a recipient (other than central government).. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 4.3 Transfer of a document over a data network .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 4.4 Carriage of documents.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 4.4.1 Carriage of unencrypted documents at security level IV.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 4.4.2 Carriage of unencrypted documents at security levels III–I.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 4.5 Copying of documents.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 4.6 Storage of information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 4.6.1 Storage of information, security classification level IV (TL IV).. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 4.6.2 Storage of information, security classification levels III, II and I (TL III, TL II, TL I).. . . . . . . . . . . . . . . 33 4.7 Destruction of documents.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 4.7.1 Destruction by shredding, security classification level IV (TL IV).. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 4.7.2 Destruction by shredding, security classification level III (TL III).. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 4.7.3 Destruction by shredding, security classification level II (TL II).. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 4.7.4 Destruction by shredding, security classification level I (TL I) .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 4.7.5 Destruction using combined methods.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 4.7.6 Destruction of information in electronic format.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 5 Points of departure for multi-tier protection of documents and data processing. 37 5.1 Information management design and security design.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 5.2 Risk assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 5.3 Catering for aggregation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 6 Using security areas to protect document handling and information systems.. . . . 40 6.1 Protection in administrative areas.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 6.1.1 Goal and tools of physical security measures.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 6.1.2 Choice of physical security measures.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 6.1.3 Minimum requirements for physical security measures in an administrative area.. . . . . . . . . . . . . . . 43 6.2 Secured areas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 6.2.1 Goal and tools of physical security measures.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 6.2.2 Choice of physical security measures.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 6.2.3 Minimum requirements for physical security measures in a secured area.. . . . . . . . . . . . . . . . . . . . . . . . . 49 7 Minimum requirements for the protection of information systems and telecommunications arrangements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 7.1 Protection of information inside and outside premises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 7.1.1 Means of handling, security classification level IV (TL IV).. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 7.1.2 Means of handling, security classification level III (TL III).. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 7.1.3 Means of handling, security classification level II (TL II). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 7.1.4 Means of handling, security classification level I (TL I).. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 7.2 Separation of information systems.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 7.3 Vulnerability management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 7.4 Change management methods that cater for security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 7.5 Backup copy procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 7.6 Principle of least privilege.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 7.7 Identification of users and equipment.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 7.7.1 Inside a physically protected administrative area or secured area. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 7.7.2 Substitute procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 7.7.3 Further information .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 7.8 Necessary functionalities.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 7.9 Traceability.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 7.10 Detection.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 7.11 Encryption solutions.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 7.12 Handling in cloud services.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 8 Statutes .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 9 Guidelines and other materials.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 8 Publications of the Ministry of Finance 2021:8 1 Introduction This Recommendation of the Information Management Board was prepared in the division of security classified documents appointed by the Board for a term running from 1 April 2020 to 31 December 2021. The division is chaired by Senior Ministerial Adviser Tuija Kuusisto of the Ministry of Finance and Chief Senior Specialist Tuula Seppo of the Digital and Population Data Services Agency served as secretary to the division. The Information Management Board appointed the members of the division from among experts in the various information management entities. In addition, at its meetings, workshops and seminars the division also widely consulted outside experts. The draft Recommendation was made available for comments via the Lausuntopalvelu public service for online consultation between 23 November and 4 December 2020. The Act on Information Management in Public Administration (906/2019, Information Management Act) lays down provisions on the responsibilities relating to information security measures of public administration information management entities and authorities as well as private individuals and corporations or corporations subject to public law other than those serving as authorities insofar as they perform public administrative tasks. The Act also lays down provisions on the minimum standard of information security measures. Section 18 of the Information Management Act lays down provisions on the obligation of authorities operating in State agencies and institutions, the courts of law and committees established to handle appeals to security classify certain documents. The Government Decree on Security Classification of Documents in Central Government (1101/2019, hereinafter Security Classification Decree) lays down provisions on the security classification of the documents referred to in section 18 of the Information Management Act, the markings to be made in documents to be classified and the information security measures related to the handling of classified documents in central government authorities. This Recommendation serves as a guide to information management entities and authorities in the implementation of the information security requirements laid down in the Security Classification Decree. The Recommendation is intended to support the authorities using security classifications. It provides advice on how to assess the need for and degree of security classification and the risks relating to the information to be classified as well as how to pay attention to the protection of information at all stages https://finlex.fi/en/laki/kaannokset/2019/en20190906.pdf https://finlex.fi/fi/laki/kaannokset/2019/en20191101.pdf 9 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 of its handling in different areas and throughout the lifecycle of the information. The Recommendation contains relevant practical examples and means of implementation. In addition, it provides advice to recipients of classified information on the appropriate handling of the information. When making use of the Recommendation, it must be noted that the requirements of the Decree may be fulfilled in many different ways and the authority’s risk management plays a key role when choosing among them. Under the Information Management Act, information security measures shall be assessed on a risk basis. When assessing the implementation of information security measures for secret information, utilisation of the recommendations concerning documents at security classification level IV described in this Recommendation is recommended. The aim of this approach is for the requirements on the handling of secret documents to be consistent with those concerning documents at security classification level IV. This approach avoids needing separate information systems for a single purpose so as to handle secret documents and documents at security classification level IV, for example multiple case management systems for use by all personnel at an agency. On the other hand, it also avoids the accidental handling of documents at security classification level IV in information systems that do not fulfil the requirements for such documents. When assessing information security measures in respect of secret information, the recommendations concerning documents at security classification levels I–III may also be utilised on a case-by-case basis. Unless otherwise provided, documents that are secret on the basis of section 24 of the Act on the Openness of Government Activities and the information contained in such documents shall constitute secret official documents. A security classification shall be performed when a document or the information contained therein is secret on the basis of section 24, subsection 1, paragraphs 2, 5 or 7–11 of the Act on the Openness of Government Activities. The additional requirement applies that the unauthorised disclosure or unauthorised use of the information contained in the document can cause prejudice to national defence, preparedness for exceptional circumstances, international relations, combating of crime, public safety or the functioning of government finances and the national economy or to the safety of Finland in another comparable manner. In the application of the Security Classification Decree, the other key statutes relating to security classification and secrecy shall also be taken into account. Provisions on matters including the publicity of official documents, grounds for secrecy and obligations relating to the provision of documents are laid down in section 12 of the Constitution of Finland (731/1999) and in the Act on the Openness of Government Activities (621/1999). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and the Data Protection Act (1050/2018) that supplements it contain provisions on the processing of personal data and on non-disclosure obligations. https://www.finlex.fi/en/laki/kaannokset/1999/en19990731.pdf https://www.finlex.fi/en/laki/kaannokset/1999/en19990621_20150907.pdf https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679&qid=1611742528109 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679&qid=1611742528109 https://www.finlex.fi/en/laki/kaannokset/2018/en20181050.pdf 10 Publications of the Ministry of Finance 2021:8 The Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018) contains provisions on matters including the processing of personal data in the context of preventing, detecting or investigating criminal offences or referring them for consideration of charges and safeguarding against, and preventing threats to, public security. In addition to the recommendations appearing in this Recommendation, a central government authority shall also take into account all other specific regulation relating to its activities and the processing of personal data. The Office of the Data Protection Ombudsman is a national supervisory authority which supervises the compliance with data protection legislation (tietosuoja.fi). Provisions on the secrecy obligation of a document classified in accordance with international information security obligations and on the implementation of international information security obligations are laid down in the Act on International Information Security Obligations (588/2004). The National Security Authority (NSA) has issued guidelines on the processing of international classified information [in Finnish] (Ministry for Foreign Affairs NSA 2020). This current document is the second version of the Recommendation initially issued by the Information Management Board in 2020. https://finlex.fi/en/laki/kaannokset/2018/en20181054.pdf https://finlex.fi/en/laki/kaannokset/2018/en20181054.pdf https://tietosuoja.fi/en/home https://www.finlex.fi/fi/laki/ajantasa/2004/20040588 https://www.finlex.fi/fi/laki/ajantasa/2004/20040588 11 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 2 Points of departure for security classification In this Recommendation, classified document means the documents referred to in section 18, subsection 1 of the Information Management Act. The obligation to security classify documents applies to the authorities operating in State agencies and institutions, the courts of law and committees established to handle appeals.1 2.1 Basis for security classification While a classified document is always secret, a secret document is not always classified. A security classification shall be performed when a document or the information contained therein is secret on the basis of section 24, subsection 1, paragraphs 2, 5 or 7–11 of the Act on the Openness of Government Activities. The additional requirement applies that the unauthorised disclosure or unauthorised use of the information contained in the document can cause prejudice to national defence, preparedness for exceptional circumstances, international relations, combating of crime, public safety or the functioning of government finances and the national economy or to the safety of Finland in another comparable manner.2 A security classification marking may not be used in cases other than those referred to in subsection 1 unless the making of the marking is necessary to implement an international information security obligation or unless the document is otherwise connected to international cooperation. Documents referred to in the Act on International Information Security Obligations (588/2004) shall be marked with a security classification as provided in said Act. 1 See Information Management Act, section 18, subsection 1. 2 Section 3 of the Security Classification Degree describes the kinds of harm that the unauthorised disclosure or unauthorised use of a document or information contained in it may cause at each security classification level. 12 Publications of the Ministry of Finance 2021:8 2.2 Assessment of security classification level The security classification level of a document is based on assessment of the harm arising from its unauthorised disclosure. In assessing the harm required for security classification, account shall be taken of factors including the following: y which protected interest mentioned in law is subject to the harm y what is the extent, magnitude and duration of the estimated harm y what are the impacts of the estimated harm y whether risks arise from the aggregation of documents (‘aggregate effect’) y what kinds of threat factors affect the potential materialisation of the harm. Section 3, subsection 1, paragraphs 1–4 of the Security Classification Decree describes how documents that are to be classified are divided into the different classification levels: 1. documents at security classification level I, where the unauthorised disclosure or unauthorised use of the secret information contained in the document can cause exceptionally grave prejudice to the interests to be protected that are referred to in section 18, subsection 1 of the Information Management Act. 2. documents at security classification level II, where the unauthorised disclosure or unauthorised use of the secret information contained in the document can cause significant prejudice to the interests to be protected that are referred to in section 18, subsection 1 of the Information Management Act. 3. documents at security classification level III, where the unauthorised disclosure or unauthorised use of the secret information contained in the document can cause prejudice to the interests to be protected that are referred to in section 18, subsection 1 of the Information Management Act. 4. documents at security classification level IV, where the unauthorised disclosure or unauthorised use of the secret information contained in the document can be disadvantageous to the interests to be protected that are referred to in section 18, subsection 1 of the Information Management Act. It is recommended that authorities assess the requirement of harm in advance on a risk basis so as to accomplish consistency in classification. The risk assessment shall take into account the harm possibly arising to the interests to be protected from the unauthorised disclosure or unauthorised use of the information. Every attempt should be made to estimate the consequences in concrete terms, taking into account the interest to be protected as a whole. 13 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 In individual cases, it may be possible that while the information is secret on the basis of section 24, subsection 1, paragraphs 2, 5 or 7–11 of the Act on the Openness of Government Activities, its unauthorised disclosure or unauthorised use is not capable of harming the safety of Finland in the manner described in section 18 of the Information Management Act or in a comparable manner. In such an event, the marking SALASSA PIDETTÄVÄ shall be used. Although this may apply in individual cases, as a rule, when the requirement of harm clause in section 24, subsection 1, paragraphs 2, 5 or 7–11 concerning secrecy is fulfilled, the requirement of harm under section 18 of the Information Management Act may also be deemed to be fulfilled. In the interests of avoiding over- and under-classification, an organisation shall be familiar with the special regulation related to its particular field and attend to the strengthening of the secrecy and security classification regulation capacities of its personnel. The organisation shall ensure that documents are duly security classified. The management of an information management entity shall attend to the determination of information management responsibilities, guidance and instructions, training, proper tools and supervision (Information Management Act, section 4). The recommendation of the Information Management Board addresses in more detail the implementation of management responsibilities in information management [in Finnish] (Ministry of Finance 2020:18). The information shall be classified by the person who gives the commission relating to the matter or first generates the information, or by the person who in the capacity of decision-maker on the matter decides on the classification of the document. The person who classifies the information assesses the potential secrecy of the information and the provision on which the secrecy is based. When the information is secret on the basis of section 24, subsection 1, paragraphs 2, 5 or 7–11 of the Act on the Openness of Government Activities and the unauthorised disclosure or unauthorised use of the information can cause prejudice to national defence, preparedness for exceptional circumstances, international relations, combating of crime, public safety or the functioning of government finances and the national economy or to the safety of Finland in another comparable manner, the information constitutes information that is to be classified. With regard to a document that contains information that is to be classified, the degree of potential harm shall be assessed and the security classification level marking shall be made according to the degree of harm. Annex 1 describes the secrecy and security classification assessment process relating to this assessment (the Act on International Information Security Obligations is not taken into account in the flow chart). The table appearing as Annex 2 provides examples for assessing the harm required for security classification from the viewpoint of the interest to be protected. http://urn.fi/URN:ISBN:978-952-367-288-8 http://urn.fi/URN:ISBN:978-952-367-288-8 14 Publications of the Ministry of Finance 2021:8 The classification shall always be performed on a case-by-case basis on the basis of the risk assessment. The effect of combining information and the aggregate effect shall be taken into account in risk assessment and in the dimensioning of information security measures in the handling of the information, as these may heighten the risks and necessitate information security measures on the basis of the risk assessment. For example, when two pieces of information at security classification level TL IV are combined, the end result may fall at levels TL I–IV depending on the outcome of the combination. The aggregate effect is discussed in more detail in chapter 5.3. In the performance of a commissioned task, the documents prepared in consequence of the commission shall be considered, as a rule, official documents of the commissioning authority as provided in section 5 of the Act on the Openness of Government Activities. The provisions of the Act on the Openness of Government Activities (or other provisions) shall apply to the secrecy of such documents and, under section 14 of the said Act, the decision on granting access to such documents shall, as a rule, be made by the commissioning authority. With regard to documents that are to be classified, it is recommended that security classification be separately agreed in commissioning situations when the handling of documents that are to be classified is anticipated. For example, when a private enterprise performs a task, such as the design and production of software or a piece of equipment, on commission from a central government authority subject to an obligation to security classify and information and documents that are to be classified arise during the performance of the task, the commission agreement should provide that the commissioned party classifies the documents arising in the commission relationship in the manner agreed with the commissioning party. Security classification in general and the level of security classification in respect of certain types of information should be agreed at least broadly. In such a case, it may also be held that the authority subject to an obligation to security classify made the original decision on classification of information relating to the matter and then instructs the commissioned party to comply with the decision. 2.3 International equivalence of security classification levels The documents referred to in the Act on International Information Security Obligations constitute datasets subject to special protection and shall be classified in the manner determined in the said Act. The information referred to in the Act means classified information of other States or international organisations. Section 4 of the Security Classification Decree lays down provisions on the equivalents of Finnish security classifications in fulfilling international information security obligations. Unless otherwise 15 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 provided in the international information security obligation, the provision shall be complied with. The National Security Authority (NSA) has issued separate guidelines on the processing of international classified information. The national and EU security classification levels and their abbreviations are given side by side in the table below. The rules of handling are different for the different levels and the security rules for protecting EU classified information (EUCI) shall be complied with when handling documents at the EU security classification levels. 3 Table 1.  Security classification levels and their abbreviations and EU equivalents National security classification level EU classification Security classification level I TL I ERITTÄIN SALAINEN (E) TRÈS SECRET UE/ EU TOP SECRET TS-UE/ EU-TS Security classification level II TL II SALAINEN (S) SECRET UE/ EU SECRET S-UE/ EU-S Security classification level III TL III LUOTTAMUKSELLINEN (L) CONFIDENTIEL UE/ EU CONFIDENTIAL C-UE/ EU-C Security classification level IV TL IV KÄYTTÖ RAJOITETTU (R) RESTREINT UE/ EU RESTRICTED R-UE/ EU-R 3 See European Council security rules (2013/488/EU) 16 Publications of the Ministry of Finance 2021:8 3 Marking the security classification level 3.1 Marking methods The security classification level marking indicates the information security measures that are to be complied with in handling the document. When there are no grounds for classifying the document, the security classification marking may not be used. The basis for secrecy shall be recorded on the marking. The provisions on security classification markings are laid down in section 3, subsections 2–5 of the Security Classification Decree. There are four security classification levels and corresponding markings: y documents at security classification level I are marked ERITTÄIN SALAINEN, y documents at security classification level II are marked SALAINEN, y documents at security classification level III are marked LUOTTAMUKSELLINEN, and y documents at security classification level IV are marked KÄYTTÖ RAJOITETTU. In addition to the said markings, the markings TL I; TL II; TL III; and TL IV may be used. Documents at security classification levels I–IV shall be marked according to the model in Figure 1 with the stamp of the relevant security classification level and, when necessary, they shall also be also stamped salassa pidettävä to indicate secrecy. The legislative basis for secrecy shall be recorded on the document and in the metadata. Secrecy markings are based on the Act on the Openness of Government Activities and are therefore beyond this Recommendation’s scope of guidance. 17 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 Figure 1.  Model stamps for security classification markings The security classification level shall be marked in Swedish in documents prepared in the Swedish language or translated into Swedish. The marking may also be made in other cases when the authority deems it necessary. In Swedish, documents at security classification level I are marked YTTERST HEMLIG; documents at security classification level II are marked HEMLIG; documents at security classification level III are marked KONFIDENTIELL; and documents at security classification level IV are marked BEGRÄNSAD TILLGÅNG. The security classification level of a document shall also be indicated in the information on the document in the case register referred to in section 25 of the Information Management Act and in another information pool generally used by an authority for information management.4 The marking may be made on a separate document to be attached to the document if it is not technically feasible to make markings on a document or to modify the marking or if the handling requirements corresponding to the security classification level are needed only for a certain short period.5 The document shall clearly indicate the parts of the document which contain classified information. Individual paragraphs, chapters or annexes may be marked e.g. by using the security classification level abbreviations (E), (S), (L) or (R) before the paragraph, chapter or annex. When the same security classification level applies to all parts of the document, these parts may be marked with brackets, in which case the text hakasulkeilla merkitty teksti on salassa pidettävää ja turvallisuusluokan X tietoa shall appear at the beginning of the document to indicate that all text within brackets is secret and at security classification level X. 4 See Security Classification Decree, section 3, subsection 4. 5 See Security Classification Decree, section 3, subsection 5. 18 Publications of the Ministry of Finance 2021:8 The security classification level of information may also be stated orally when classified information is addressed at e.g. meetings. In common international practice, the security classification level, page number and date is clearly recorded on each page. For documents at security classification levels III–I, the number of the copy is also often recorded on each page when the document is to be distributed in more than one copy. These practices are recommended for nationally classified documents as well. 3.2 Removal and modification of marking If there are no longer legal grounds for the security classification of a document or if it is necessary to modify the security classification level, an appropriate marking of the removal or modification of the marking shall be made on the document on which the original marking was made and in the information on the document referred to in section 3, subsection 4 of the Security Classification Decree. The appropriateness of the marking shall be checked at the latest when providing a third party access to the document (Security Classification Decree, section 5, subsection 1). The following steps shall be taken when modifying the classification of a document: y Where the document is in paper format, the stamp indicating security classification level or secrecy shall be crossed out. y The text salassapito päättynyt shall be written below the stamp to indicate that secrecy has expired, and the text shall be accompanied by the date and the signature of a competent public official. y The changed status of the document to public shall also be recorded in the document register. y Where the document is in electronic format, the marking is accomplished by modifying the metadata, and e.g. documents subject to request for information shall be accompanied by a separate cover message indicating the date of expiration of secrecy. y The metadata modification shall be recorded in the document log data. If the document has been received from another authority, the marking related to a security classification level may be removed or modified only by permission of the authority that prepared the document or by permission of the authority in charge of the handling of the matter in its entirety unless it is clear that there are no longer grounds for the use of a security classification level (Security Classification Decree, section 5). The need for a marking related to security classification with regard to filed documents 19 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 or documents stored in a central government authority shall be assessed if the central government authority takes up a document for other handling (Security Classification Decree, section 16). 3.3 Earlier classifications and markings Documents handled in 2010–2019 during the period when the Government Decree on Information Security in Central Government, issued pursuant to the Act on the Openness of Government Activities and preceding the Security Classification Decree, was in force, shall retain their original marking until a need to re-take the document up for handling arises. In such a case, the secrecy and security classification level of the document shall be re-assessed on a case-by-case basis in accordance with the current provisions. In such a case, information classified at protection levels I–IV may be classified as secret and also given a security classification if the conditions for security classification are fulfilled. The table below is provided as an aide to re-assessment. Table 2.  Secrecy and security classification level shall be reconsidered in respect of each document. Classifications in 2010–2019 Classification as of 2020 ERITTÄIN SALAINEN, protection level I (ST I) ERITTÄIN SALAINEN TL I SALAINEN, protection level II (ST II) SALAINEN TL II LUOTTAMUKSELLINEN, protection level III (ST III) LUOTTAMUKSELLINEN TL III KÄYTTÖ RAJOITETTU, Protection level III (ST III), Protection level IV (ST IV) KÄYTTÖ RAJOITETTU TL IV SALASSA PIDETTÄVÄ, Protection level III (ST III), Protection level IV (ST IV) SALASSA PIDETTÄVÄ When re-assessing the classification of information, in respect of information classified earlier at different protection levels and re-assessed to be classified as secret but not as security classified, regard shall be had to the fact that under the Information Management Act, information security measures shall be assessed on a risk basis. When assessing the implementation of information security measures in respect of secret information, 20 Publications of the Ministry of Finance 2021:8 utilisation of the recommendations described in this Recommendation concerning documents at security classification level IV is recommended. When assessing information security measures in respect of secret information, the recommendations concerning documents at security classification levels I–III may also be utilised on a case-by-case basis. 21 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 4 Document handling requirements 4.1 Registration and monitoring of document handling Under section 25 of the Information Management Act, an information management entity shall maintain a case register of matters that are being and have been considered by the authorities, into which information on the matter, its consideration and the documents shall be registered. An authority shall, without delay, register a document it has received or drafted in the case register. The case register is maintained to implement document publicity, to specify requests for information, to structure the details of documents and other corresponding details, to organise the measures relating to document handling, to monitor case processing times, and to guide processes. In addition to the provisions laid down in section 26 of the Information Management Act concerning the mandatory details to be recorded in the case register, the registration of a document shall also indicate the date of its receipt. Provisions on the measures to be implemented for the purpose of monitoring document handling, such as registration for security purposes, are laid down in section 14 of the Security Classification Decree. When granting handling rights, regard shall be had to the requirements under section 8 of the Security Classification Decree concerning handling rights and lists thereof. In registration, for example, the details described in section 26 of the Information Management Act shall be taken into account, subject to the clarifications described in the following. The following shall be registered in respect of handling: y handler (person or organisation – when not an authority) and y date. 22 Publications of the Ministry of Finance 2021:8 The following shall be registered in respect of receipt: y original sender (organisation or person), y recipient, y other handler when the document is received by another (e.g. registry), y date of receipt, y date of registration, and y manner of receipt (analogue/electronic). The following shall be registered in respect of dispatch: y original dispatcher, y other handler when the document is dispatched by another (e.g. registry), y recipient of dispatch, y external recipient of dispatch (organisation or person), y date of dispatch, y date of registration, and y manner of dispatch (analogue/electronic). The action-oriented case management division under the Information Management Board is currently drafting a recommendation on the implementation of case management at information management entities and on document registration. 4.1.1 Document registration and monitoring, security classification level IV (TL IV) Documents at security classification level IV (TL IV) shall be prepared and registered primarily with the case management system in use when this system fulfils the requirements of TL IV. The recipient organisations or persons shall be recorded in the document, cover note or in connection with the document. A document at security classification level IV shall be marked with the stamp for security classification level IV and also with the stamp salassa pidettävä to indicate secrecy when necessary. The legislative basis for secrecy shall be recorded on the document and in the metadata. The case management system for documents at security classification level IV is typically the same as the general case management system. 23 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 4.1.2 Document registration and monitoring, security classification level III (TL III) Documents at security classification level III (TL III) shall be prepared with a case management system or other system that fulfils the requirements of TL III. The dispatch and receipt of a document shall be registered (Security Classification Decree, section 14). In addition, the handling of a document at security classification level III shall be monitored in an electronic log, an information system, a case register or the document itself (Security Classification Decree, section 14). The document shall be registered and its dispatch and receipt shall be monitored in a separate electronic case register that is subject to secrecy and security classification or manually when no case register that fulfils the requirements of TL III is available. Case registers at security classification levels III–I are typically case registers separate from the security classification level IV case register and case management systems. However, case number management may be accomplished in a single case register intended for public, secret and classified case numbers. In such an event, care shall be taken not to record any secret or classified information in the metadata of this public case register or case management system. Documents at security classification level III shall be marked with the stamp for security classification level III and also with the stamp salassa pidettävä to indicate secrecy when necessary. The legislative basis for secrecy shall be recorded on the document and in the metadata. The recipient organisations or persons shall be recorded in the document, cover note or in connection with the document. A list of persons handling documents at security classification levels III shall be maintained (Security Classification Decree, section 14, subsection 1, paragraph 4). This list may, for example, be maintained on a separate cover page on which the names of the recipient of the document and the persons who have gained access to the information are recorded. When the document is returned to the registry (registration point), the details of the persons who have gained access to the information have accrued on the cover page. When a system that fulfils the requirements of security classification level III and allows electronic monitoring of handling is in use, the monitoring of persons who handled a document may be accomplished through logging or other system data. The registration obligation only applies to information in document format. The exchange of an individual piece of information at security classification level III (e.g. conversation or brief note) which may at a later date be verified from those party to the exchange need not be registered separately. For example, the persons who have gained access to information at an event may be verified at a later date from the list of event participants. 24 Publications of the Ministry of Finance 2021:8 Documents at security classification level III should primarily be handled electronically, in which case the logging performed by the case management system is often sufficient. The primary tool for manual registration of handling, dispatch and receipt shall be the case management system in which the matter in question is being considered. Handling may also be registered e.g. on a paper document or in connection with it, in which case every attempt should be made to enter the details in an electronic case register or case management system. Since the dispatch and receipt of documents shall be registered separately for each document, no unnecessary printouts or copies of a document at security classification level III may be made to widen its distribution when the document can be handled electronically in the manner required by the matter. Responsibility for registering any handling resides with the person handling a document at security classification level III. For example, the person who grants access to a document shall, when dispatching or copying the document, manually record the person to whom access to the document has been granted. Responsibility for the dispatch (to an external actor) and receipt (from an external actor) of a document at security classification level III resides with the dispatching party or the party entered as the recipient. 4.1.3 Document registration and monitoring, security classification level II (TL II) Documents at security classification level II (TL II) shall be prepared with a case management system or other system that fulfils the requirements of TL II. The dispatch and receipt of such documents shall also be registered (Security Classification Decree, section 14). In addition, the handling of a document at security classification level II shall be monitored in an electronic log, an information system, a case register or the document itself (Security Classification Decree, section 14). The recipient organisations or persons shall be recorded in the document, cover note or in connection with the document. A document at security classification level II shall be marked with the stamp for security classification level II and also with the stamp salassa pidettävä to indicate secrecy when necessary. The legislative basis for secrecy shall be recorded on the document and in the metadata. The registration shall indicate the persons to whom the document has been distributed. Documents at security classification level II (TL II) shall be prepared with a case management system or other system that fulfils the requirements of TL II. The document shall be registered and its dispatch and receipt shall be monitored in a separate electronic 25 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 case register that is subject to secrecy and security classification or manually when no case register that fulfils the requirements of TL II is available. A list of persons handling documents at security classification levels II shall be maintained (Security Classification Decree, section 14, subsection 1, paragraph 4). This list may, for example, be maintained on a separate cover page on which the names of the recipient of the document and the persons who have gained access to the information are recorded. When the document is returned to the registry (registration point), the details of the persons who have gained access to the information have accrued on the cover page. When a system that fulfils the requirements of security classification level II and allows electronic monitoring of handling is in use, the monitoring of persons who handled a document may be accomplished through logging or other system data. 4.1.4 Document registration and monitoring, security classification level I (TL I) Documents at security classification level I shall be prepared on a separate workstation that fulfils the requirements, or manually. The dispatch and receipt of a document shall be registered (Security Classification Decree, section 14). The handling of a document at security classification level I shall be recorded in an electronic log, an information system, a case register or the document itself (Security Classification Decree, section 14, subsection 1, paragraph 1). The document shall be registered and its dispatch and receipt shall be monitored in a separate electronic case register that is subject to secrecy and security classification and fulfils the requirements of security classification level I, or manually in such a way that the requirements of security classification level I are fulfilled. A document at security classification level I shall be marked with the stamp for security classification level I and also with the stamp salassa pidettävä to indicate secrecy when necessary. The legislative basis for secrecy shall be recorded on the document and in the metadata. A list of persons handling documents at security classification level I shall be maintained (Security Classification Decree, section 14, subsection 1, paragraph 4). This list may, for example, be maintained on a separate classified cover page on which the names of the recipient of the document and the persons who have gained access to the information are recorded. When the document is returned to the registry (registration point), the details of the persons who have gained access to the information have accrued on the cover page. When a system that fulfils the requirements of security classification level II and allows the 26 Publications of the Ministry of Finance 2021:8 electronic monitoring of handling in a way that no information at security classification level I is covered by the monitoring of handling, the monitoring of persons who handled a document may be done through logging or other data in this system. 4.2 Access to and receipt of documents The requirements imposed on the processing of datasets apply throughout the lifecycle of the information. The person handling the information occupies a special role in the implementation of these requirements. Under all situations of working with the information, that person is responsible for the correct personal handling of the information with the tools indicated and approved by the employer and in compliance with the employer’s instructions. Official information is characterised by the fact that a competent authority or a representative of that authority shall be identified or determined for the information. This competent authority has key responsibility for information within its competence. The provisions on the obligation of the authorities to attend to the secrecy and protection of information when disclosing secret information for the performance of a commissioned task are laid down in section 26, subsection 3 of the Act on the Openness of Government Activities. Information may only be disclosed to a party entitled to gain access to the information. Provisions on the obligation of secrecy and non- disclosure and on prohibition of use are laid down in sections 22 and 23 of the Act on the Openness of Government Activities. 4.2.1 Access to documents A central government authority shall ensure in advance that the protection of a classified document is duly organised if the authority grants access to a classified document to a party other than a central government authority. The requirement does not apply to disclosing information on the contents of a document based on a party’s right of access to information (Security Classification Decree, section 6). With regard to granting access to documents, at least the following access situations may be identified: the general grounds for granting access to secret information, granting access to another central government authority, granting access to e.g. an enterprise on the basis of a commission, and granting access to another party on the basis of a request for information. An authority shall maintain secure procedures that allow only persons with right of access to handle classified information. The authority shall employ a verification procedure of sufficient strength, for example by requiring strong identification of persons or parties requesting service, when offering the opportunity to handle classified information. 27 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 The Act on the Openness of Government Activities governs granting access to a document that is in the possession of an authority. The classification marking of a document has no impact on the obligation of an authority to assess the publicity of the document on a case-by-case basis and individually for each document whenever someone requests access to the document on the basis of the Act on the Openness of Government Activities. Unlike classification under the Act on the Openness of Government Activities, classification under the Act on International Information Security Obligations leaves no room for discretion with regard to secrecy. Under section 14 of the Act on the Openness of Government Activities, the decision to grant access to an official document shall be made by the authority in possession of the document unless otherwise provided in law. If access is requested to a document prepared by another authority or pertaining to a matter under consideration by another authority, the request may be forwarded to be dealt with by the authority that has prepared the document and is responsible for the consideration of the matter as a whole (Act on the Openness of Government Activities, section 15, subsection 1). If access is requested to a document which, in accordance with the Information Management Act, is required to bear a security classification marking and which has been drafted by another authority, the request shall be transferred for the consideration of the authority that had drafted the document. (Act on the Openness of Government Activities, section 15, subsection 3). In considering a request for access, it shall be determined whether the grounds for secrecy and security classification remain in existence. The secrecy of a document depends on the point in time from which the matter is examined. A secrecy or security classification marking reflects the situation at the time of the preparation of the dataset. The possible consequences of the disclosure of the information contained in a document may change over time. Under section 5, subsection 1 of the Security Classification Decree: If there are no longer legal grounds for the security classification of a document or if it is necessary to modify the security classification level, an appropriate marking of the removal or modification of the marking referred to in section 3 shall be made on the document on which the original marking was made and in the information on the document referred to in section 3, subsection 4. Typically, the decision to modify the security classification level is made by the official who presents the document or by the person who decides the matter. The appropriateness of the marking shall be checked at the latest when providing a third party access to the document. 28 Publications of the Ministry of Finance 2021:8 4.2.2 Measures on the part of a recipient (other than central government) The obligation to security classify applies to authorities operating in State agencies and institutions, the courts of law and committees established to handle appeals (Information Management Act, section 18). Classified materials may also be received by parties to which security classification does not apply, such as municipalities, joint municipal authorities and rescue departments, and by private parties in the performance of commissioned tasks. Chapter 2.2 contains recommendations on security classification and making security classification markings when documents that are to be classified are prepared in consequence of a commission given by an authority subject to the obligation to classify. The recipient shall handle the document in the manner agreed (security agreement or equivalent) and in compliance with the instructions given by the authority that has granted access. The recipient shall ensure that third parties do not gain access to a classified document. A classified document is always also secret and the provisions of the Act on the Openness of Government Activities concerning secrecy, non-disclosure and prohibition of use (sections 22 and 23) and the provisions of the Information Management Act therefore naturally apply to classified materials. It is recommended that a party in receipt of information supplement its own handling guidelines with the instructions relating to the classified documents and arrange training relating to these. Also an information management entity other than one subject to the obligation to security classify shall, under section 25 of the Information Management Act, without delay register in the document register any document of which it is in receipt or which it has prepared. The recipient of a document, for example a registry, shall check which official has the right ex officio to handle the document. When dispatching the document to the said official, regard shall be had to the procedures in chapter 4.4 relating to carriage of documents. When an actor other than an information management entity within the meaning of the Information Management Act is in receipt of a classified document, the actor shall check who has the right of access to the classified information and supply the document only to such persons. 4.3 Transfer of a document over a data network Classified documents may be transferred outside the security areas of authorities or via an information system or telecommunications arrangement at a lower security level than the said security classification level only in encrypted form of sufficient reliability. If the transfer of classified documents takes place in a security area in other than a public data network and sufficient protection of the information can be implemented by physical protection measures, unencrypted transfer or encryption at a lower security level may 29 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 be used (Security Classification Decree, section 12). In order for the said section on non- encryption or encryption at a lower security level to be applicable, access to the said information by unauthorised persons must be prevented by means of physical access control. The following aspects shall be taken into consideration in the transfer: 1. When transferring classified information outside physically protected areas, for example via a public network, the material or traffic shall be protected with encryption of sufficient security. y For example the Internet and the MPLS networks provided by operators shall be considered public networks. y In practice, manners of implementation include e.g. VPN solutions between users’ terminal devices and the information systems of the authority, IPSec encryption between the networks of organisations, and secure email and file encryption solutions provided to end users. 2. When transferring classified information within physically protected areas and inside a network protected at an at least equivalent level, lower- level encryption or unencrypted transfer may be used on the basis of the outcomes of the risk management process. 3. The encryption procedure processes and encryption key management processes shall have been designed and implemented. The practices and the processes shall have been described and instructed to users, who shall have been provided with training. 4. Only authorised users and processes have access to the protected data of encryption keys. The processes require at the least: y keys of sufficient cryptographical strength, y secure key distribution, y secure key storage, y regular key rollovers, y changing of outdated or exposed keys, and y prevention of unauthorised key changes. 30 Publications of the Ministry of Finance 2021:8 When choosing protection solutions for the classified information of an authority, it is recommended that the choice be made primarily from among the encryption solutions approved by the Finnish Transport and Communications Agency National Cyber Security Centre (Encryption solutions approved by NCSA-FI [in Finnish] (Finnish Transport and Communications Agency Traficom 2020). It should be noted that encryption solutions must be configured and used in accordance with settings that have been assessed to be secure. 4.4 Carriage of documents The risks relating to carriage shall be assessed and the necessary information security measures designed and implemented on a risk basis on the basis of the identified risks. Under section 13 of the Security Classification Decree, classified documents may be carried outside security areas by protecting the electronic data carriers with adequate encryption. It is up to the authority to assess the adequate encryption solution for the security classification level in question. When the data storage media has been adequately encrypted, it may be dispatched to the recipient e.g. by post. The carriage of classified documents outside the physically protected security areas of an authority shall be executed securely. The security of encryption solutions is discussed in more detail in chapter 7.11. 4.4.1 Carriage of unencrypted documents at security level IV In the carriage of documents at security level IV, attention shall be paid to the requirements of the adequate encryption of electronic data carriers (e.g. flash drive, CD- ROM or DVD) laid down in section 13 of the Security Classification Decree. No specific requirements apply to the carriage of these, any more than to the carriage of paper documents at security classification level IV. Both may therefore e.g. be dispatched by post as ordinary packages. However, the package must bear no outward signs that it contains secret, classified information. 4.4.2 Carriage of unencrypted documents at security levels III–I In the carriage of documents at security levels III-I, attention shall be paid to the requirements of the adequate encryption of electronic data carriers (e.g. flash drive, CD- ROM or DVD) laid down in section 13 of the Security Classification Decree. An unencrypted document at security classification levels III–I (paper or electronic format, e.g. flash drive, CD-ROM or DVD even if encrypted) shall be appropriately packaged for carriage and https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/file/NCSA_salausratkaisut.pdf 31 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 carried to the recipient under continuous control, or the document shall be carried to a recipient in another safe manner approved by a central government authority whereby the confidentiality and integrity are ensured in a manner that is adequate for the said security classification level. Documents, for example, shall be carried to the recipient by a personal courier or a courier service, or be collected by the recipient. The procedure employed and the related actors shall have the approval of an authority for the carriage of documents at the security classification level in question based on a risk-basis assessment conducted by the authority. The delivery of unencrypted documents at security classification levels III–I for carriage may be implemented within an organisation by means of a centralised function. In authorities, this is typically the registry of the authority. The said function shall have in place the necessary policies, guidelines and tools to allow the implementation of secure carriage. The internal function and the handling chain may only consist of security-cleared personnel. For the carriage of documents at security classification levels III–I, the organisation shall have secure envelopes, secrecy envelopes or security pouches. These shall always be sealed inside an ordinary envelope. In packaging, care shall be taken to ensure that the package bears no outwards signs of it containing classified information. The outermost cover of the package shall indicate the address of the recipient authority (typically its registry) and also the return address in case the package cannot be delivered. Any indication that the package contains classified information should first appear only inside the external cover of the package. The envelope or package shall be non-transparent. In internal distribution, a document may be delivered in a sealed pouch or directly to the recipient in person. The date of dispatch and the recipient shall be recorded by the dispatching organisation and the dispatching party shall monitor the delivery to ensure that it reaches its destination. The recipient shall inspect the integrity of the seal on the envelope or package and immediately report any doubt about the integrity. Advice of receipt shall be submitted to the dispatcher by returning the enclosed tracking form or by other means of tracking the delivery. Deliveries containing information at security classification levels III–I shall primarily be made to the registry of an authority or to another party responsible for receiving deliveries and registering documents. It is recommended that the recipients of the document (by name or position) inclusive of organisation details should be recorded on the document itself in as much detail as possible. 32 Publications of the Ministry of Finance 2021:8 4.5 Copying of documents Both electronic and paper format copies may be made of classified documents, taking into account the restrictions relating to copying and the handling rules pertaining to copies as well as all other requirements concerning the handling of classified documents (e.g. information system and telecommunications arrangement requirements). Copies of documents at security classification levels II–I may not be made without the permission of the authority which prepared the document (Security Classification Decree, section 14). The permission given shall be documented in writing and it shall include a mention of the copying permission and the possible wider distribution of the document. This permission shall be attached in connection with the document in an archive into which the details of those who have gained access to the information in the document also accrue. When copies are made of documents at security classification levels II–I, a list shall be made of the copies and of the persons handling the copies (Security Classification Decree, section 14). Each copy made shall be numbered and listed. The copying of documents at security classification levels II–I shall be implemented in a centralised manner within the organisation in compliance with specific instructions issued on the topic. The equipment used to copy paper documents shall have the approval of an authority for the copying of documents at the security classification levels in question. 4.6 Storage of information 4.6.1 Storage of information, security classification level IV (TL IV) Information pools containing documents at security classification level IV (KÄYTTÖ RAJOITETTU; TL IV) and the information systems used to handle such documents shall be located inside a security area and paper documents at security classification level IV shall be stored inside a security area ((Security Classification Decree, section 10). Paper documents at security classification level IV shall be stored in lockable office furniture that has been assessed as appropriate for the purpose and is located inside an administrative or security area. Such documents may temporarily be stored outside a security area or administrative area when the holder of documents commits to compliance with the substitute measures laid down in the security instructions issued by the authority. In situations where information at security classification level IV is handled and stored in a terminal device consistent with the security classification level in question that is located outside security areas, the information in the terminal device shall be protected with an encryption solution of sufficient security for the security classification level in question. In 33 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 particular, the sufficient integrity of the terminal device for the security classification level in question shall be ensured so as not to compromise confidentiality as a result of loss of terminal device integrity. The protection of information systems and telecommunications arrangements is discussed in more detail in chapter 7. 4.6.2 Storage of information, security classification levels III, II and I (TL III, TL II, TL I) Documents at security classification level I (ERITTÄIN SALAINEN; TL I) may only be stored or otherwise handled inside a secured area (Security Classification Decree, section 10). Documents at security classification levels III and II (LUOTTAMUKSELLINEN; TL III and SALAINEN; TL II) may be handled inside and outside security areas, however so that information pools containing documents at security classification level II or III and information systems used in the handling of these documents shall be placed in a secured area, and documents in paper form at security classification levels II and III shall be stored in a secured area (Security Classification Decree, section 10). Paper documents at security classification levels III, II and I (TL III, TL II and TL I) shall be stored inside a secured area in a storage solution that has been assessed as appropriate for the purpose, such as a safe or a vault. Documents at security classification levels II–III may also be handled inside and outside administrative areas by using a terminal device and telecommunications arrangement that fulfils requirements. A terminal device used to handle documents at security classification level II shall be stored inside a secured area, however. When electronic documents at security classification level III are stored in a terminal device outside secured areas, they shall be protected with an encryption solution of sufficient security for the security classification level. The information security of the terminal device shall be ensured. (Security Classification Decree, section 10) The protection of information systems and telecommunications arrangements is discussed in more detail in chapter 7. 4.7 Destruction of documents Under section 15 of the Security Classification Decree, a classified document which is no longer required shall be destroyed in such a way that recreation and reconstruction of the information in whole or in part is prevented in a manner that is sufficiently reliable for the said security classification level. The recipient of a document shall also attend to its appropriate destruction. If the document has been prepared by another authority, 34 Publications of the Ministry of Finance 2021:8 the authority that prepared the document shall be notified of the destruction of the document at security classification levels I and II that is no longer required unless it is returned to the authority that prepared the document (Security Classification Decree, section 15). The dispatching and receiving authority may agree on the practical procedures relating to notification, for example on submitting notifications relating to security classification level II on a semi-annual basis. Documents at security classification levels I and II may be destroyed only by a person assigned to this task by an authority. Any draft versions of a document may be destroyed by the person who prepared them. Technological advances will also have an impact on the reliable destruction of classified information. Available computing capacity, for example, allows the more efficient computer-assisted reconstruction of shredded information in paper format. On the other hand, it is becoming increasingly justified to accomplish the reliable destruction of storage media for information in electronic format (hard drives, USD drives and the like) by means of e.g. melting instead of the traditional shredding. The protection of information shall be ensured until the very end of the lifecycle of the information. This shall be taken into account especially in situations where a third-party service is used for information destruction, for example melting hard drives. In practice, the approach employed is usually a procedure in which the organisation responsible for the information supervises the information destruction process all the way to the end of the lifecycle. The role of personnel should also be taken into account in destruction processes. Organisations shall arrange for their personnel an explicit manner of destruction of classified information. In practice, this may translate into appropriate paper shredders and ensuring the security awareness of personnel, for example. 4.7.1 Destruction by shredding, security classification level IV (TL IV) The shredding of information at security classification level IV may be accomplished, for example, so that y remaining paper particle size is no more than 30 mm2 (DIN 66399 / P5 or DIN 32757 / DIN 4), y remaining magnetic hard drive particle size is no more than 320 mm2 (DIN 66399 / H-5), y remaining SSD drive and USB drive particle size is no more than 10 mm2 (DIN 66399 / E-5), and y remaining optical media particle size is no more than 10 mm2 (DIN 66399 / O-5). 35 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 4.7.2 Destruction by shredding, security classification level III (TL III) The shredding of information at security classification level IV may be accomplished, for example, so that y remaining paper particle size is no more than 30 mm2 (DIN 66399 / P5 or DIN 32757 / DIN 4), y remaining magnetic hard drive particle size is no more than 10 mm2 (DIN 66399 / H-6), y remaining SSD drive and USB drive particle size is no more than 10 mm2 (DIN 66399 / E-5), and y remaining optical media particle size is no more than 5 mm2 (DIN 66399 / O-6). 4.7.3 Destruction by shredding, security classification level II (TL II) The shredding of information at security classification level II may be accomplished so that, for example y remaining paper particle size is no more than 10 mm2 (DIN 66399 / P6). y remaining magnetic hard drive particle size is no more than 10 mm2 (DIN 66399 / H-6), y remaining SSD drive and USB drive particle size is no more than 1 mm2 (DIN 66399 / E-6), and y remaining optical media particle size is no more than 5 mm2 (DIN 66399 / O-6). 4.7.4 Destruction by shredding, security classification level I (TL I) The particle sizes for security classification level II may be employed in the destruction of information at security classification level I when protection is augmented by procedures approved by the authority. Such procedures typically consist of methods such as the controlled further treatment of the shredded particles by means of incineration or melting. 36 Publications of the Ministry of Finance 2021:8 4.7.5 Destruction using combined methods Destruction may be executed instead of or in addition to shredding by using various other methods which are secure enough to prevent the reconstruction of destroyed information (e.g. melting hard drives). The risks to classified information can also be reduced considerably through encryption at the various stages of the lifecycles of information and equipment. The destruction of information in electronic format is described in more detail in the National Cyber Security Centre guideline on overwriting and recycling [in Finnish] (Finnish Communications Regulatory Authority 2016). 4.7.6 Destruction of information in electronic format Especially the reliable destruction of electronic material should cover all devices which have been used to store classified information at some part of their lifecycle. Procedures shall be mutually agreed with service providers. In addition, it must be ensured that personnel are able to comply with the procedures. One has to make it sure that the individual components of devices (hard drives, memory components, solid state disks etc.) containing classified information have to be destroyed in a reliable manner especially when the device will be delivered to service, becomes obsolete, or is taken into use as a part of a recycling process. In case a reliable deletion manner (like an overwriting procedure approved by a competent authority) cannot be used, the component containing classified information cannot be delivered to a third party. In service situations where it is impossible to delete the memory content in a reliable way before the servicing, the service should be carried out under supervision in order to ensure that classified information does not end up in the hands of third parties during the service. A security agreement shall be concluded with the organisation that carries out the servicing. Service personnel shall be designated by the service provider and security clearance shall be obtained for them before any service measures are undertaken so as to ensure the security of the service personnel and service organisation. https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/regulation/ohje-ylikirjoitus.pdf 37 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 5 Points of departure for multi-tier protection of documents and data processing 5.1 Information management design and security design Information management is based on the needs of the activities of the authorities. The Information Management Act creates the framework for the consistent and high-quality management of datasets. The design of information management shall take into account the different formats of datasets, the different stages of handling, the management of the information contained in the datasets, and the changes taking place in the information management entity. Provisions on an information management model and assessment of transformative impact are laid down in section 5 of the Information Management Act. When essential administrative reforms with an effect on the contents of the information management model take place or are planned or new information systems are introduced within an information management entity, it shall assess the impacts of these changes in relation to information security requirements and information security measures as well. The changed requirements shall be taken into account in the information management model. The Information Management Board’s recommendation for an information management model [in Finnish] (Ministry of Finance 2020:29) provides guidance on preparing the information management model and the recommendation on the assessment of the transformative impact of information Management [in Finnish] (Ministry of Finance 2020:53) provides recommendations for performing the assessment of the transformative impact. The central aspect of arranging information management is to design the key actions and information security measures. This design should be based on risk management and the requirements imposed on the activities of the authority. Information security arises from a combination of different measures. Provisions on multi-tier protection are laid down in section 7 of the Security Classification Decree. Multi-tier protection helps ensure that in the event of the failure of one layer of protection, the remaining security measures will prevent, preclude and contain any damage. In addition, measures shall be designed to detect and trace any actions and events that compromise protection. Security measures shall also be designed to restore activities, as quickly as possible, to the pre-compromise security level. Implementation http://urn.fi/URN:ISBN:978-952-367-328-1 http://urn.fi/URN:ISBN:978-952-367-328-1 http://urn.fi/URN:ISBN:978-952-367-318-2 http://urn.fi/URN:ISBN:978-952-367-318-2 38 Publications of the Ministry of Finance 2021:8 5.2 Risk assessment The protection of classified information is based on risk management. Security measures shall be designed on the basis of an assessment of risks. Risk management is supported by assessments and audits of various kinds. In designing security measures, attention shall be paid in particular to: y the activities or sector of the authority, y the security classification level, meaning and intended use of the classified information, y personnel security, for example the risk of undue influence on public officials, y the volume and aggregation of information,6 y the manner of handling of classified information, y the environment of the place where classified information is handled and stored (building setting, placement within building, premises or part thereof ), y the environment of handling and storing classified information in electronic format, for example the location of the information in various cloud computing services that may be situated in different States and thus be subject to different legislation, y any threat factors to the information, such as the assessed risk to the information arising from intelligence services, criminal activity and the organisation’s own personnel, and y the costs incurred from the information security measures. 5.3 Catering for aggregation The aggregate effect involves a phenomenon where a large quantity of data may constitute a whole of greater significance than its individual components. In such a case, classification and protection needs may differ from those applicable to individual data elements. An aggregate of classified information at a given security classification level in information systems may warrant a level of protection corresponding to a higher classification than that of its individual components – for example, a large quantity of information at security classification level IV in a compiled form creates an information pool at security classification level III. Quantity is not the only determining factor; in some 39 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 cases, the combination of two data sources, for example, may result in an upgrade of the information pool’s security classification level. No method of calculation generally applicable in all circumstances is available for assessing the aggregate effect. When assessing the aggregate effect, the requirements of the Information Management Act on the performance of security classification shall be taken into account. Even a large quantity of non-classified secret information will not always result in an aggregate effect and fulfilment of the grounds for classification; instead, the end result is often only a non-classified aggregate subject to secrecy. Correspondingly, even a large quantity of classified information will not always result in an aggregate effect. The assessment of the aggregate effect on a case-by-case basis always calls for determination of the current and estimated substantive content of the information pool in question and an assessment of whether the aggregate shall be classified at a higher level. Aggregation to security classification level IV, even up to level III, may under some circumstances occur in respect of non-classified data elements subject to secrecy. Data collected on enterprises which are central to security of supply or which maintain Finland’s critical infrastructure, for example, might as individual data elements be interpreted to constitute business secrets and, as such, non-classified information subject to secrecy. However, a given group of data elements could, when combined, constitute an aggregate which, falling into the hands of third parties, could cause harm to e.g. national defence, security of supply or preparedness for emergency conditions. The substantive content of such an aggregate might also warrant protection from the viewpoint of national safety (the public interest) and thus fulfil the grounds for security classification. When the security classification level of an information system or other key information pool is interpreted to stand at a higher level than that of individual data elements due to the aggregate effect, the protection measures for this information pool should be implemented according to the requirements for the higher security classification level. According to this procedure, access to the information should be limited, following the need-to-know principle, to give access only to the necessary parts of the information. The procedure should also detect unauthorised access attempts to the part of the classified information where no need-to-know can be recognised. 40 Publications of the Ministry of Finance 2021:8 6 Using security areas to protect document handling and information systems Under section 9 of the Security Classification Decree, the information management entity shall determine the physically protected security areas to protect the handling of classified documents and the information systems. Security areas consist of physically protected administrative areas and secured areas. 6.1 Protection in administrative areas Administrative area refers to the areas and spaces used for the authority’s ordinary work, such as office space or entities made up of multiple office premises. These may include e.g. server rooms, data centres or business premises, for example. The actor which controls the premises ensures that only persons pre-authorised by the authority have independent access to the premises. No particular requirements apply to the structures defining an administrative area. In addition to the minimum requirements for an administrative area presented in this Recommendation, the choice of physical security measures shall be influenced by the outcome of the authority’s risk assessment. Risk assessment is discussed in chapter 5.2. The effectiveness of individual security measures and of the overall security system in the area shall be re-evaluated at regular intervals. The process of vision achievement and regular evaluation is illustrated in the Figure below. 41 Publications of the Ministry of Finance 2021:8 Publications of the Ministry of Finance 2021:8 Figure 2.  Vision process and regular evaluation Implementation of minimum administrative area requirements Choice of security (multi-tier protection) Administrative area under Decree (1101/2019) Risk assessment Achievement of security measure goals for the area 6.1.1 Goal and tools of physical security measures The goal of physical security measures is to prevent unauthorised access to classified information: a) by ensuring that classified information is handled and stored in an appropriate manner, b) by allowing for segregation of personnel in terms of access to classified information on the basis of their need-to-know and, where appropriate, their security clearance, c) by deterring, impeding and detecting unauthorised actions, and d) by denying or delaying surreptitious or forced entry by intruders. 6.1.2 Choice of physical security measures Based on the risk assessment and in keeping with the principle of multi-tier protection, the authority shall determine the appropriate combination of security measures that is sufficient relative to the risk assessment. This combination shall consist of administrative, functional and physical tools including: 42 Publications of the Ministry of Finance 2021:8 y structural barriers: a physical barrier with which the area or space to be protected is defined and unauthorised intrusion is impeded and slowed down. y access control: access to the area or space is restricted through controls. The goal is to detect unauthorised access attempts, to prevent the access of unauthorised persons and to monitor those persons moving within the area. Access control may be exercised over an area, one or more building in an area, or areas or rooms within a building. Control may be exercised by mechanical, electronic or electro-mechanical means, by security personnel and/or a receptionist, or by any other physical means. y intrusion detection system (IDS): an IDS (burglar alarm system) may be used to enhance the level of security offered by the structural barrier. The system may also be used in place of, or to assist, security staff. y security personnel: trained, supervised and, where necessary, appropriately security-cleared security personnel may be employed for, among other things, in support of access and control and in order to detect and deter from action individuals planning covert intrusion. y closed circuit television (CCTV): CCTV may be used by security personnel in order to impede and investigate incidents and to verify alarms in the area or space. Security personnel may use CCTV for active real-time surveillance or for passive footage analysis after the fact. y procedures to maintain security: determination of responsibilities and duties, various processes and operating models including access control and key management, instructions to and training of personnel, and servicing and maintenance of systems. y lighting: potential intruders may be deterred by using lighting that permits the effective surveillance of the area by security personnel either directly or indirectly through a CCTV system. y any other appropriate p