We ensure continuity of operations

Sustainability goal: We ensure the continuity of Valtori’s operations in all security conditions

Meeting safety requirements and ensuring the continuity of operations are permanent principles of Valtori’s operations both in disruptions to normal conditions and in emergency conditions. 

Changes in the operating environment in the security situation due to the Russian invasion of Ukraine in particular had an impact on Valtori’s priorities in developing comprehensive security. Among other things, Finland’s NATO membership, securing the adequacy of energy and electricity supply, and the tightened cyber threat situation have had a change in the activities. 

New security services for customers

We continued the productisation of information security services and the development of monitoring and observation capabilities as part of the joint services security development programme PATO.

The aim of the programme is to expand surveillance and response capabilities to the national top level and to create comprehensive situational awareness reporting. The programme also improves cyber security capabilities and reduces the surface of threat vectors and cyberattacks. Information security products strengthen, for example, monitoring solutions and observation capabilities. Comprehensive information security is being developed for terminal device and server protection services, cloud information security services and network information security services. In security-related productisation, the activities are developed and verified in accordance with ISO 27001 standardisation.

The most significant outputs of the PATO programme in 2023 include several up-to-date information security services, which can be used to strengthen monitoring solutions and observation capabilities. New services were productised, for example, in network security services (WAAP network protection), cloud security services (ZTNA cloud security) and terminal device and server protection services (Pilvi mobile protection). 

Read more in Finnish about the new services on our website at Turvaa pilvestä – uusilla tietoturvapalveluilla sujuvuutta päätetyöskentelyyn 

Investment in uninterrupted services

Uninterrupted services are one of Valtori’s key objectives. While the number of extensive incidents was increasing slightly in 2023, the number of incidents was at a good level and the target was not exceeded. Investments were made in disruption management and related communications and cooperation between different teams, and the work will continue. 

One of the key development areas is the development of measuring the impacts of widespread disturbances (including lost working hours). Management of and recovery from disturbances and recovery to normal conditions are implemented in a systematic and controlled manner at Valtori, using pre-established continuity and recovery plans and the operating methods specified in them.

Ensuring the continuity of Valtori operations

In 2023, a preparedness audit was carried out in the administrative branch of the Ministry of Finance. At the same time, the state of preparedness at Valtori was examined. A security-classified report was prepared for the audit, which provides good grounds for further development of preparedness.

Valtori’s preparedness policy was updated and adopted at the end of 2023. In connection with the update, the responsibilities, arrangements and concepts of preparedness were specified. Similarly, instructions were issued for planning preparedness and storing material in order to achieve more uniform and easily reported output. At the same time, a situational picture of preparedness was drawn up, on the basis of which basic information on preparedness is known. The situational picture and instructions will be developed in 2024. 

Valtori participated in several exercises, planning events and working groups during the year (including the national cyber defence exercise) with other security authorities and central government actors. In addition, we organised nine safety training courses in 2023 (Security clinics) for all Valtori employees. The variable themes of the training events included Valtori’s preparedness policy, verification of Valtori’s services and data protection in procurements. 

During the previous year, Valtori’s premises were classified into different categories based on their use. The purpose of the classification is to ensure the appropriate availability of facilities in all security situations. During 2023, physical safety reviews were carried out in two facilities at Valtori. The reviews did not reveal any serious shortcomings.

Ensuring service compliance 

A formal operating model for verifying information security as part of the service deployment process was continued in 2023. The verification rate for services in the Tori service area was 68%, while the rate for the Tuve service area was 84%. In the case of non-conformities identified in the verifications, necessary risk mitigation measures were taken and/or compensatory security mechanisms were implemented. 

Data protection activities supported the compliance of services by carrying out assessments of services containing personal data and by participating in national projects promoting the use of cloud services, for instance. 

A follow-up evaluation of the certification of the comprehensive safety management system was carried out in November 2023 by KPMG IT Sertifiointi Oy. The monitoring assessment is part of the annual assessment required for the certification of the overall safety management system in accordance with the ISO27001 standard. The certification covers the communications technology and terminal equipment services of the security network services provided by Valtori and Valtori’s information security services with essential support functions, such as management and financial and HR administration. Five minor deviations were observed in the assessment. Valtori has submitted corrective actions to the deviations, which KPMG has found sufficient. 

Experts from Valtori Akatemia to information security services

Organised for the fifth time in 2023, the Valtori Akatemia trainee programme this time focused on the safety and security network. 

38 people selected for the programme familiarised themselves with tasks related to information security, cyber surveillance, telecommunications, and data centres and servers.  

Progress metrics

Support request SLA (%)

2023 actual: 95.6
2022 actual: 96.0
2021 actual: 93.1

Number of extensive incidents (qty/month)

2023 actual: 3.0
2022 actual: 4.1
2021 actual: 3.9

Compliance of produced services verified by external assessment bodies (%)

The availability of audit resources has challenged the achievement of the objectives of the verification of the information security requirements of services.

2023 actual: 76 
2022 actual: 63
2021 actual: 53.5 

Case studies

Implementation of the Tori management model. The purpose of the management model is to ensure the participation of customers in the development of shared services and the quality and information security of the Tori operating environment. The operators in the Tori management model established their operations after the start-up phase, and Valtori supports and prepares the operators’ operations in accordance with the management model. The transfer of the functions of the management model at Valtori to the so-called production phase has mostly taken place. 

EU-R approval for the Tuve service environment. We continued the assessment of the compliance of the Tuve services launched in the previous year with the aim of obtaining the EU-R approval for key Tuve services.