City’s digital security
The main focus of the assessment was on examining whether the city has prepared for digital security risks in an adequate and appropriate manner. The 2017–2021 City Strategy had the goal of Helsinki being the most digitalised city in the world. Digitalisation increases the dependency on well-functioning data systems considerably, which exposes the overall system to digital security risks.
The city has only partially prepared for digital security risks in an adequate and appropriate manner. For instance, the organisation of digital security still needs improvement. In the future, the organisation of digital security and communications will be supported by the new risk management software and the digital security group which is the object of the reform. The fact that the DigiABC training sessions for the entire personnel take a lot of time, due to the large size of the organisation, creates challenges for training the personnel.
The city’s risk management follows its own instructions which mainly utilise the instructions drafted by the VAHTI group for public administration. Risks are assessed a couple of times a year during the economic planning process. No precise schedule has been set for the implementation of the risk management methods, even though the city’s own instructions require setting a schedule and measuring the effectiveness of the administration methods. In any incident related to digital security, the continuity of the city’s service operations will largely be protected. The plans have been tested in some of the most central systems, but there is no compiled data available. Individual tests have provided information on how to act during an incident. However, no large-scale exercise has been organised because the resources necessary for the participation have not been available.
the City Executive Office must
- develop the organisation, controlling and management of the different sectors of digital security, and ensure that the objectives and actions of the different sectors are uniform.
- set schedules for the risk management methods and ensure that they are implemented on time.
- provide the resources needed for an expansive exercise entity, and participate in digital security exercises on a larger scale than before while also taking into account the dependencies between the service and system entities, or hold the exercises independently.
- ensure that the digital security group acts in accordance with the set objectives.
- monitor the progress of the city personnel’s DigiABC training sessions.