TUTCRIS Research Portal

Cyber-attacks have grown in importance to become a matter of national security. A growing number of states and organisations around the world have been developing defensive and offensive capabilities for cyber warfare. Security criteria are important tools for defensive capabilities of critical communications and information systems (CIS). Various criteria have been developed for designing, implementing and auditing CIS. The paper is based on work done from 2008 to 2016 at FICORA, the Finnish Communications Regulatory Authority. FICORA has actively participated in development and usage of three versions of Katakri, the Finnish national security audit criteria. Katakri is a tool for assessing the capability of an organisation to safeguard classified information. While built for governmental security authorities, usefulness for the private sector has been a central design goal of the criteria throughout its development. Experiences were gathered from hundreds of CIS security audits conducted against all versions of Katakri. Feedback has been gathered also from CIS audit target organisations including governmental authorities and the private sector, from other Finnish security authorities, from FICORA's accredited third party Information Security Inspection Bodies, and from public sources. This paper presents key lessons learnt and discusses recommendations for the design and implementation of security criteria. Security criteria have significant direct impacts on CIS design and implementation. Criteria design is always a trade-off between the varying goals of the target users. Katakri has tried to strike a balance between the different needs for security criteria. The paper recommends that criteria design should stem from a small set of strictly defined use cases. Trying to cover the needs of a wide variety of different use cases quickly renders the criteria useless as an assessment tool. In order to provide sufficient information assurance, security criteria should describe requirements on a reasonably concrete level, but also provide support for the security and risk management processes of the target users.