RIA has compiled an information security guidebook for the public sector

The Information System Authority (RIA) and its partners have updated the Estonian information security standard (E-ITS), which contains data on information security threats and provides measures for public sector authorities to help maintain security in their systems.

‘The public sector and local governments have numerous databases and information systems full of sensitive data. The aim of the information security standard is to give authorities a basis for handling information security that is updated regularly and suitable for the Estonian legal system. The better we can implement the standard, the better we are able to cope with unexpected circumstances, be more transparent in our activities, and ensure trust for the state information systems and the state as a whole,’ said Ilmar Toom, Head of RIA’s Standards and Supervision Department.

In 2019–2020, RIA carried out supervision proceedings in all local governments and found significant shortcomings in many of them. For example, there were issues in monitoring information security and deficiencies in reporting incidents. In some local governments, information security was assigned to deputy heads or other people in the administrative unit as a side task. Precepts were issued to about a quarter of the local governments to eliminate the deficiencies.

According to Toom, the world of a public institution did not necessarily fall apart 30 years ago if the employees failed to lock their document archive for a moment. ‘However, if the systems are left defenceless today, databases can be leaked within minutes and information systems may be rendered unusable if they are encrypted. In Estonia, 3,000 automatic attempts are made every minute to access the systems of some public institution, which is why the new Estonian information security standard could be considered an information security guidebook for the public sector – abiding by it allows preventing threats and minimising risks,’ Toom noted.

Mihkel Sinisalu, a cybersecurity expert of KPMG Baltics who took part in the development of E-ITS, said that while compiling the standard was a time-consuming and highly challenging project, it was a sorely needed one. ‘By creating this new standard, we took a large and important step closer to a safer digital environment.’ Sinisalu added that this information security guidebook includes modern information security requirements for Estonian companies and organisations. This will make us all feel safer regarding the use and storage of personal data as well as data security and will hopefully help to prevent possible cyber-attacks against both the state and individuals.

The new Estonian information security standard (E-ITS) will replace the voluminous information security system ISKE. Despite the smaller volume, the standard handles sets of measures that have been sorely missed for a while. For example, the standard focuses separately on industrial automation devices and their management. The update will also provide a set of security measures for vehicles as cars have an increasing amount of information technology that can be abused.

Materials related to E-ITS can be found in the portal.

KPMG Baltics OÜ, Cybernetica AS, and the Tallinn University of Technology took part in the development of the standard in addition to RIA’s experts. The updated standard was reviewed by 20 Estonian information security practitioners.

The Estonian information security standard was created with funding from the European Regional Development Fund under the support scheme ‘Raising Public Awareness about the Information Society’.

Seiko Kuik
Press Officer of the Information System Authority

More news on the same subject


Large-scale denial-of-service attacks have ended

29.4.2022 – According to the assessment of the Information System Authority (RIA), the denial-of-service attacks that began on 21 April concluded by the evening of 25 April. The purpose of the denial-of-service attacks was to disrupt the operation of 13 websites, but due to the countermeasures applied, the effect of the attacks was insignificant.


DDoS attacks against state websites had no significant effect

21.4.2022 – From 4 p.m. this evening, the security incident management organisation (CERT-EE) of the Information System Authority (RIA) identified distributed denial-of-service (DDoS) attacks against state websites. The attacks caused short-term interruptions in the accessibility of some websites, but had no significant effects.