Tampere University of Technology

TUTCRIS Research Portal

Experiences from development of security audit criteria

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; Scientific; peer-review


Original language: English
Title of host publication: Proceedings of the 16th European Conference on Cyber Warfare and Security, ECCWS 2017
Publisher: TAPPI Press; Curran Associates, Inc
Number of pages: 8
ISBN (Electronic): 9781911218432
Publication status: Published - 2017
Publication type: A4 Article in a conference publication
Event: European Conference on Information Warfare and Security
Duration: 1 Jan 2000 → …

Publication series

ISSN (Print): 2048-8602


Conference: European Conference on Information Warfare and Security
Period: 1/01/00 → …


Cyber-attacks have grown in importance to become a matter of national security. A growing number of states and organisations around the world have been developing defensive and offensive capabilities for cyber warfare. Security criteria are important tools for defensive capabilities of critical communications and information systems (CIS). Various criteria have been developed for designing, implementing and auditing CIS. The paper is based on work done from 2008 to 2016 at FICORA, the Finnish Communications Regulatory Authority. FICORA has actively participated in development and usage of three versions of Katakri, the Finnish national security audit criteria. Katakri is a tool for assessing the capability of an organisation to safeguard classified information. While built for governmental security authorities, usefulness for the private sector has been a central design goal of the criteria throughout its development. Experiences were gathered from hundreds of CIS security audits conducted against all versions of Katakri. Feedback has been gathered also from CIS audit target organisations including governmental authorities and the private sector, from other Finnish security authorities, from FICORA's accredited third party Information Security Inspection Bodies, and from public sources. This paper presents key lessons learnt and discusses recommendations for the design and implementation of security criteria. Security criteria have significant direct impacts on CIS design and implementation. Criteria design is always a trade-off between the varying goals of the target users. Katakri has tried to strike a balance between the different needs for security criteria. The paper recommends that criteria design should stem from a small set of strictly defined use cases. Trying to cover the needs of a wide variety of different use cases quickly renders the criteria useless as an assessment tool. 
In order to provide sufficient information assurance, security criteria should describe requirements on a reasonably concrete level, but also provide support for the security and risk management processes of the target users.


Keywords: Auditing, Criteria, Cyber security, Information assurance, Katakri
