RIA has compiled an information security guidebook for the public sector

The Information System Authority (RIA) and its partners have updated the Estonian information security standard (E-ITS), which contains data on information security threats and provides measures for public sector authorities to help maintain security in their systems.

‘The public sector and local governments have numerous databases and information systems full of sensitive data. The aim of the information security standard is to give authorities a basis for handling information security that is updated regularly and suitable for the Estonian legal system. The better we can implement the standard, the better we are able to cope with unexpected circumstances, be more transparent in our activities, and ensure trust for the state information systems and the state as a whole,’ said Ilmar Toom, Head of RIA’s Standards and Supervision Department.

In 2019–2020, RIA carried out supervision proceedings in all local governments and found that many of them are significantly lacking. For example, there were issues in monitoring information security and deficiencies in reporting incidents. There were local governments where information security was the task of deputy heads or other people in the administrative unit. Precepts were issued to about a quarter of the local governments to eliminate the deficiencies.

According to Toom, the world of a public institution did not necessarily fall apart 30 years ago if the employees failed to lock their document archive for a moment. ‘However, if the systems are left defenceless today, databases can be leaked within minutes and information systems may be rendered unusable if they are encrypted. In Estonia, 3,000 automatic attempts are made every minute to access the systems of some public institution, which is why the new Estonian information security standard could be considered an information security guidebook for the public sector – abiding by it allows preventing threats and minimising risks,’ Toom noted.

Mihkel Sinisalu, a cybersecurity expert of KPMG Baltics who took part in the development of E-ITS, said that while compiling the standard was a time-consuming and highly challenging project, it was a sorely needed one. ‘By creating this new standard, we took a large and important step closer to a safer digital environment.’ Sinisalu added that this information security guidebook includes modern information security requirements for Estonian companies and organisations. This will make us all feel safer regarding the use and storage of personal data as well as data security and will hopefully help to prevent possible cyber-attacks against both the state and individuals.

The new Estonian information security standard (E-ITS) will replace the voluminous information security system ISKE. Despite the smaller volume, the standard handles sets of measures that have been sorely missed for a while. For example, the standard focuses separately on industrial automation devices and their management. The update will also provide a set of security measures for vehicles as cars have an increasing amount of information technology that can be abused.

Materials related to E-ITS can be found in the portal eits.ria.ee.

KPMG Baltics OÜ, Cybernetica AS, and the Tallinn University of Technology took part in the development of the standard in addition to RIA’s experts. The updated standard was reviewed by 20 Estonian information security practitioners.

The Estonian information security standard was created with funding from the European Regional Development Fund under the support scheme ‘Raising Public Awareness about the Information Society’.

Seiko Kuik
Press Officer of the Information System Authority

More news on the same subject

30.07.2021

Further explanation of the Information System Authority (RIA) on data theft

People whose document photo was illegally downloaded do not have to get a new document or a new photo. The incident has no impact on ID-cards, Mobile-ID, Smart-ID or e-services.

28.07.2021

The Police and Border Guard Board and the Information System Authority stopped the illegal downloading of data

28.7.2021 – Experts of the Information System Authority (RIA) have stopped the mass downloading of document photos from the identity documents database. The downloading was made possible via a security vulnerability in the photo transfer service managed by RIA. The police have detained a suspect and initiated criminal proceedings to establish the circumstances of the incident.