INDUSTRIAL SECURITY MANUAL
Finland
Unofficial translation
Draft
1 December 2011
1 Introduction
2 Duties and organisation of the National Security Authority
2.1 Organisation of the National Security Authority in Finland
2.2 National Security Authority
2.3 Designated Security Authorities
3 International information security obligations
3.1 Act on International Information Security Obligations
3.2 General Security Agreements
4 International cooperation
4.1 Cooperation between security authorities
4.2 Cooperation within the EU
4.3 Cooperation with NATO
4.4 Cooperation with MISWG
5 International classified projects
5.1 Bilateral projects
5.2 Multilateral projects
6 Phases of project negotiations
7 Project security
7.1 Project security documentation
7.1.1 Programme Security Instructions (PSI)
7.1.2 Security Aspects Letter (SAL)
7.1.3 Security Classification Guide (SCG)
7.2 Aspects of security
7.2.1 Security management
7.2.2 Personnel security
7.2.3 Physical security
7.2.4 Technical information security
7.3 Request for Visit
8 Transfer of classified information and material
8.1 Diplomatic courier and diplomatic mail
8.2 Hand carriage
8.2.1 Performance of the courier's assignment
8.3 Commercial courier services and postal services
8.4 Freight
9 Security clearances
9.1 Phases of facility security clearance
9.2 Accreditation of information systems
9.3 Phases of personnel security clearance
9.4 Security Clearance Certificates
10 Security responsibilities and obligations of companies
10.1 Responsibilities of the prime contractor
10.1.1 Foreign subcontractors
10.1.2 Foreign employees
10.2 Duties of the project security officer
10.3 Breaches of security and compromise of classified information
ANNEXES
1 Introduction

The manual serves as a tool when preparing for project negotiations and gives practical advice on the various project stages. Companies are well advised to give due consideration to the instructions provided here also in their in-house security planning, which will lower the threshold for participation in classified projects in the future.

Chapters 2 to 4 of the manual discuss the basic concepts of international projects and the activities of the security authorities. Chapters 5 and 6 address the individual types of projects and the various stages of project negotiations. Chapter 7 deals with the different aspects of security, the typical security instructions issued for projects and the Request for Visit procedure. Chapter 8 discusses the transfer of classified information and Chapter 9 security clearances and clearance certificates. Chapter 10 addresses the responsibilities of companies participating in classified projects.
2 Duties and organisation of the National Security Authority

2.1 Organisation of the National Security Authority in Finland

The National Security Authority (NSA) and the organisation operating under its auspices have jointly created the necessary preconditions for Finnish companies to participate in international projects in which classified information or materials are handled. Provisions on the activities of the NSA organisation and its duties are set out in the Act on International Information Security Obligations (Laki kansainvälisistä tietoturvallisuusvelvoitteista 588/2004).
Organisation chart of the Finnish NSA organisation (reproduced from the original figure):

NSA: Ministry for Foreign Affairs
- directs and monitors that international classified information is protected and processed properly
- issues security clearance certificates
- negotiates General Security Agreements
- coordinates inter-agency cooperation
- takes care of international cooperation
- investigates security breaches

DSA: Ministry of Defence
- steers DSA activities in the defence sector
- conducts international cooperation
- issues security guidelines for international projects in the branch of administration involved

DSA: Defence Command
- is responsible for personnel and facility security clearances for domestic defence projects

DSA: Finnish Security Intelligence Service
- is responsible for personnel and facility security clearances

NCSA: Finnish Communications Regulatory Authority
- is responsible for information and communications security and related ...
2.2 National Security Authority

As provided in the Act on International Information Security Obligations, the National Security Authority (NSA) in Finland is the Ministry for Foreign Affairs. The NSA oversees and controls that international classified information is duly protected and processed in the central government and in companies. The NSA coordinates the activities of the Designated Security Authorities, represents Finland on international security committees and working parties, and participates in the preparation of international security regulations. Additionally, the NSA concludes bilateral and multilateral General Security Agreements and grants Personnel Security Clearance Certificates (PSCCs) and Facility Security Clearance Certificates (FSCCs) for the purpose of international cooperation. The NSA is also responsible for investigating breaches of information security.
2.3 Designated Security Authorities

Pursuant to the Act on International Information Security Obligations, the Designated Security Authorities (DSAs) in Finland are: the Ministry of Defence, the Defence Command, the Finnish Security Intelligence Service, and the Finnish Communications Regulatory Authority. The DSAs are responsible for the duties stipulated by law and for international information security obligations.

The Ministry of Defence is responsible for the duties of the DSA in its branch of administration and for participation in international cooperation as the expert representing the NSA. Additionally, the Ministry of Defence approves the security instructions for international projects and issues guidelines for their preparation in its branch of administration.

The Defence Command conducts Personnel Security Clearances (PSCs) in the defence administration as well as Facility Security Clearances (FSCs) for domestic defence contracts.
3 International information security obligations

3.1 Act on International Information Security Obligations

3.2 General Security Agreements
Finland has concluded General Security Agreements (GSAs) with several countries and certain international organisations. The purpose of the General Security Agreements is to protect the classified information owned by States and international organisations that the parties exchange directly between themselves or between public or private legal entities or individuals under their jurisdiction. Consequently, business secrets or sensitive corporate documents are not covered by the GSAs.

The General Security Agreements contain provisions on the protection and handling of classified information, classified contracts, visits and breaches of security. They provide the basis for international classified projects and their provisions are also applicable to companies as appropriate. All security documents pertaining to the project must make reference to the General Security Agreement and must be prepared so that they are not incompatible with the provisions of the GSA.

As a rule, a General Security Agreement is required for international projects in which a Finnish company gains access to the classified information of another State. Due consideration, therefore, must be given to this at the project planning stage. In Finland, international General Security Agreements are ratified by Parliament and the obligations contained in them enforced by law. The whole process takes one to three years. Any need for such an agreement may be communicated to the NSA, which will take action at its discretion. A list of the existing General Security Agreements is provided in Annex 1.
4 International cooperation

4.1 Cooperation between security authorities

In Finland, the NSA has access to the contact details of the competent security authorities of all its contracting parties. Additionally, the NSA has the full, up-to-date contact details of the security agencies of all EU Member States and of the Members of the Multinational Industrial Security Working Group (MISWG), including international organisation observers. If necessary, the network of Finnish diplomatic missions can be used as a channel of communication.

In cases where a Finnish company gains access to classified information during the course of a project, contacts with foreign security authorities are handled by the Finnish National Security Authority.
4.2 Cooperation in the EU

The Member States' NSAs participate in the preparation of the rules and guidelines for the protection of EU classified information and the security instructions relating to EU projects.

The Council's security rules[1] provide the basis for the protection of EU classified information. Additionally, the Commission, the European Parliament and the European External Action Service have their own security rules corresponding to those applied by the Council. The Council security rules contain a section on corporate security specifying minimum requirements for EU projects in which EU classified information is processed. Other security rules, such as the Commission's security rules, may be applied to individual projects on a case-by-case basis.

The equivalence of the classification markings used by Finland and by the EU, as well as the general protection requirements associated with the classifications, are presented in the NSA Guide "Instructions for handling international classified information", published in 2010.

[1] Council Decision on the security rules for the protection of EU classified information, Council Security Rules (2011/292/EU).
4.3 Cooperation with NATO

NATO's existing Security Policy[2] is maintained by the NATO Office of Security (NOS). Amendments are adopted by the NATO Military Committee, in which all the member countries are represented.

The equivalence of the classification markings used by Finland and NATO, as well as the general protection requirements associated with the classifications, are presented in the NSA Guide "Instructions for handling international classified information" (Kansainvälisen turvallisuusluokitellun tietoaineiston käsittelyohje), published in 2010.
4.4 Cooperation with MISWG

In 1985, the key NATO countries established the Multinational Industrial Security Working Group (MISWG) to prepare best corporate security practices and to standardise procedures and general concepts in order to facilitate the activities of the international security agencies. MISWG is an unofficial and informal entity. Currently, its membership includes 39 states or organisations. Finland was invited to the Group in 2005.

MISWG has prepared a large number of jointly approved guidelines and forms that facilitate cooperation between security agencies. For example, standardised templates are used when a request is made to the public authority of another State for a Facility or Personnel Security Clearance and when a response is given. The documentation also provides descriptions of the international security instructions applied in international commercial projects.

[2] NATO Security Policy, NSP (C-M(2002)49).
5 International classified projects

An international classified project means a project launched by a foreign government authority, company or international organisation, in which participation may require access to classified information. A company may need access to classified information already at the bidding stage, or at least when performing a classified contract related to the project.

5.1 Bilateral projects

A bilateral project means a project in which the contracting parties are a foreign procurement unit and a Finnish company. As a rule, participation in a bilateral project requires a General Security Agreement (GSA) between Finland and the host country. Under certain circumstances, the procurement unit may accept participation by the Finnish company even without a GSA.

The national security authorities of the countries involved approve the security documentation[3] related to an international project. It is only after such approval that the processing of classified information in the project may start. The national security authorities of both contracting parties control project security in the manner specified in the security documentation until the project is considered to be completed. However, completion of the project does not necessarily mean that the project-related security obligations would automatically lapse, as information processed in the course of the project may continue to remain confidential and thus governed by the provisions of the project security documentation.

5.2 Multilateral projects

Multilateral projects differ from bilateral projects mainly in how the project security documentation is implemented and approved. With multilateral projects, it is often necessary to reconcile the security requirements of several participating countries. Consequently, the resulting security documentation becomes more multidimensional than in bilateral projects.

EU and NATO projects, with their own specific features, are governed by the in-house security regulations of these organisations.

[3] See section 7.1 for more details.
6 Phases of project negotiations

Finally, the company and the foreign procurement unit sign the Classified Contract, which also contains the project-specific security instructions.
7 Project security

7.1 Project security documentation

7.1.1 Programme Security Instructions (PSI)

The Programme Security Instructions (PSI) provide comprehensive security guidelines for the project and are designed to:
- serve as a reference to the key security regulations to be applied to the project;
- provide more detailed instructions for application;
- reconcile national differences;
- allocate responsibilities for the fulfilment of the security requirements; and
- serve as a set of principles and help memorise regulations during project implementation.

A PSI is usually accompanied by a Security Classification Guide specifying the security classifications to be applied for individual project parts or materials.

In bilateral projects, the company participating in the project normally drafts the PSI, after which the PSI is to be submitted for approval to the security authorities of the countries concerned. It is also advisable to keep the security authorities of the participating countries informed of the progress made in the preparation of the PSI. It is a time-consuming process which needs to be initiated at an early phase. An example of the contents of the PSI is provided in Annex 2.
7.1.2 Security Aspects Letter (SAL)

The Security Aspects Letter (SAL) is a more concise security document. The SAL specifies the security requirements for the project or the parts of the contract that need to be protected from disclosure. A SAL may be used if the security requirements related to the project are straightforward, or if it is needed to supplement the PSI with regard to a specific subcontractor.

As a rule, the SAL provides answers to the following questions:
- How can the authorisation to handle the information be obtained?
- What laws and regulations are applied?
- What level of protection does the project information require?
- For what purposes can the classified information be used?
- What technical means must be employed to transfer the information?
- How is the information marked, and how are the markings to be interpreted in practice?
- Who may or may not be given the information, and on what terms (subcontractors)?
- What is the non-disclosure period specified for the information?
- How is the information to be destroyed or returned upon completion of the project?
7.1.3 Security Classification Guide (SCG)

The Security Classification Guide (SCG) is an important part of the PSI or SAL. It provides a description of the elements of the classified project and specifies the applicable security classification levels. The SCG indicates to the individuals involved in the project the security classification level of each process or project component. An example of the contents of the SCG is provided in Annex 3.
7.2 Elements of security

7.2.1 Security management

Security management, or the management of classified information, means all the measures implemented by a company to protect classified information.

A key element of security management is the administration of classified information. International classified projects impose additional requirements on the administrative security processes to be employed by companies. The processes are to include a description of the management of international classified information over its entire life cycle. Such a description must cover at least the following life-cycle stages:

- Creation of the information
  o For many projects, it is necessary to make a distinction between information created before the project (background information) and during it (foreground information). This may determine which party holds the intellectual property rights to the given item of information.
- Information classification and marking
  o Even if the intellectual property rights were deemed to belong to a company, the originator of the information is the State or international organisation under whose auspices or on whose assignment the classified information has been created.
  o The originator determines the security classification level of the information.
  o The security classification level may not be changed without the consent of the originator.
  o The employees involved in the project must understand the equivalence of the security classifications relative to the company's in-house classification system.
- Transfer, movement and reception of information
  o Secure procedures.
- Record of entry (registration according to security classification level)
  o Possibly in a project-specific file.
- Copying rules
- Dissemination rules
  o Special considerations regarding third parties.
- Transfer of information (physical, electronic)
  o Project-specific procedures.
- Requirements concerning storing and saving the information
- Right to process information
- Filing the information
- Procedures for the return or destruction of the information
- Action under exceptional circumstances
7.2.2 Personnel security

Personnel security means the protection of classified information from the security risks posed by staff members.

With international classified projects, the importance of security training and control, and of the vetting of staff, is highlighted. The security instructions applying to an international project define the classification levels at which the people handling classified project information need to be security cleared. Normally, the lowest security level at which a Personnel Security Clearance is required is CONFIDENTIAL. All security clearances are carried out in accordance with national legislation. When steps are taken to ensure the fulfilment of international security obligations, employees are often security cleared as part of the Facility Security Clearance.

According to the project security instructions, access to classified information is only given to people involved in the project on a need-to-know basis. Additionally, the project security documentation may require that those who do not directly handle classified information in their work, but who have access to the premises in which such information is handled, are security cleared.

Staff must know how to handle project-related classified information securely. While basic-level security training must be an integral part of induction, more detailed guidance is always required in connection with international classified projects. Oversight is also required to ensure an adequate level of security.
7.2.3 Physical security

Physical security means the security arrangements in premises, production facilities and business travel. Physical security covers the requirements for the protection of premises as well as the requirements concerning the equipment and devices used for the protection of classified information. Such equipment and devices include safes, shredders, control and alarm systems, and locks. Access control is also part of physical security. Finland applies the National Security Auditing Criteria (KATAKRI), which follow the internationally accepted level of physical security. The physical security requirements are attended to in the FSC procedure.

7.2.4 Technical information security
7.3 Request for Visit

International classified projects often involve reciprocal visits between the project partners. Visitors to secured areas in the premises of a foreign public authority or company need an approval for the visit. Secured areas mean premises in which classified information is handled or stored.

The Request for Visit (RfV) procedure ensures that the visitor holds the required PSC and that there is a reason for the visit.

Often, the RfV procedure is applied even if the visit is to areas other than secured areas. If so, the visitor is not required to hold a valid Personnel Security Clearance (PSC). Not all countries require a PSC for access to RESTRICTED information.

The RfV is submitted using a special form in which the information on the visit and the visitors is entered. The need for a PSC depends on whether the visit is classified or unclassified. The visiting company submits the RfV form to the competent security authority in Finland (the NSA in civil matters and the Defence Command in military matters), which, in turn, forwards the request to the competent security authority of the host country.
8 Transfer of classified information and material

The security instructions for international classified projects include provisions for the transmission of classified information. Internationally, the transmission methods are divided into two categories: electronic transmission and physical transfer. Although electronic transmission is often regarded as the most efficient and secure method of transmitting information, it imposes certain requirements on the IT systems. Physical transfer of classified information usually takes place in one of three ways: military and diplomatic courier, hand carriage, or commercial courier. Classified machinery and equipment, for example, may also have to be transported as freight due to the large size of the consignment. The transmission methods to be applied for each category of classified information are indicated in the project security instructions. A specific plan for the transportation of classified material may be required in the security instructions, specifying the safeguards for the protection of the shipment in detail. The transportation plan is to be approved by the security authorities concerned.
8.1 Diplomatic courier and diplomatic mail

The project security instructions may, depending on the security classification of the consignment, require that a diplomatic courier or government-to-government channels are to be used. Consignments carried by a diplomatic courier or dispatched as diplomatic mail enjoy immunity under the Vienna Convention.

The diplomatic courier services available in Finland consist of the Ministry for Foreign Affairs' diplomatic mail and freight, and the diplomatic courier. When the diplomatic mail services of the Ministry for Foreign Affairs are used, it should be noted that, as they operate according to a certain predetermined schedule, they may not always be suitable for urgent deliveries. Another point worth mentioning is that the level of security of diplomatic mail is based on the carrier's security policy and that regular commercial channels are used for such carriage.

As a rule, civil servants travelling on a diplomatic or service passport can be assigned as diplomatic couriers. The diplomatic courier must have a sufficiently high PSC status. Training is provided for couriers to ensure that they understand their obligations and know how to act in exceptional circumstances.

Before accepting the assignment, the courier must sign a declaration stating that he or she understands and accepts the obligations associated with the assignment.

- a border certificate

The courier passport serves as proof of the courier's diplomatic status. It is always signed by a head of mission or, in the case of the Ministry for Foreign Affairs, the head of the courier service. The border certificate is a document presented to the foreign authorities, indicating the parcel codes and number of parcels in the courier consignment.
8.2 Hand carriage

Normally, the project security instructions permit the use of hand carriage up to a specified security classification level.

The hand-carriage courier receives a Courier Certificate[4] and other relevant documents from the dispatching party authorising him or her for the mission. When necessary, the courier can present this certificate to the public authorities in the country of destination as proof of the mission. However, hand-carriage consignments do not enjoy immunity at border crossings as defined in the Vienna Convention.

A hand-carriage courier must hold a sufficiently high PSC status and be given adequate training for the task. Additionally, before accepting the assignment, the courier must sign a declaration stating that he or she understands and accepts the obligations associated with the assignment.

8.2.1 Performance of the courier's assignment

The courier is required to:
- Assume personal responsibility for the delivery of the courier mail to the final destination and/or recipient.
- Ensure that the mail is never left unattended.
- Hand over the mail and other documents to a predetermined recipient at the final destination. The recipient's identity must be verified before the courier mail is handed over. The recipient acknowledges receipt of the courier mail. The dispatching party may require the courier to report on the completion of the assignment by phone.
- Return the copy of the receipt with the recipient's signature retained by the courier to the dispatching party.

[4] Courier Certificate. Not to be confused with the courier passport issued by the Ministry for Foreign Affairs.
8.3 Commercial courier services and postal services

Commercial courier services and national postal services may normally be used at least for carrying material of lower security classification. The use of commercial courier services usually requires the approval of the security authorities. Often, the commercial courier services available are listed in the project security instructions.

Countries have different policies on the use of commercial courier services. However, the guiding principle is that if the consignment does not specify that it contains classified information and the commercial courier is unaware of carrying classified documents and material, the commercial courier need not be security cleared. If, on the other hand, the commercial courier is aware of carrying classified documents, they must usually be security cleared.
8.4 Freight
9 Security clearances

9.1 Phases of facility security clearance

In the FSC procedure, the competent authority verifies the security performance of the company concerned in the following respects: security management; personnel security; physical security; and technical information security. The security levels verified by the authority are level II (SECRET), level III (CONFIDENTIAL) and level IV (RESTRICTED). In verifying security, the security authorities apply the National Security Auditing Criteria (KATAKRI).

Security clearance starts with a meeting of the security authorities and company representatives, during which the public authority explains the process and the company representative describes the project at hand. At the meeting, the parties agree on the timetable for the security clearance and appoint the persons who will be responsible for it.

The actual security clearance begins when the company presents its security documentation, or prepares it to an agreed timetable, for review by the security authority. The authority reviews the documentation and reports any non-conformances to the company, which takes the necessary measures to correct the deficiencies identified by the authority. When the corrections have been made, the next step is the actual security auditing phase. During this phase, the NSA/DSA security auditors verify the practical implementation of the measures necessary to achieve the required level of security. Any information security deficiencies detected in the course of security auditing are reported to the company, which will then take the necessary action.

If the company fails to remedy the indicated information security deficiencies and to achieve the required level of security within the agreed period of time, or the company withdraws from the project, the public authority will discontinue the security audit.

Additionally, all persons taking part in the project undergo a Personnel Security Clearance (PSC), which is always included in the FSC process.

When the public authority deems that the overall security level of the company meets at least the minimum requirements, the company signs a written commitment to maintain the level achieved. Based on this commitment, the NSA grants the Facility Security Clearance (FSC) to the company which, in turn, forwards it to the foreign authority requesting such clearance.

As long as the commitment remains in force, the company is required to report any changes in the company's ownership base, project personnel or security arrangements to the competent authority. Normally, the undertaking is valid for five years. Under the Act on International Information Security Obligations, any breach of the undertaking is punishable (Laki kansainvälisistä tietoturvallisuusvelvoitteista 588/2004, chapter 3, section 20).
9.2 Accreditation of information systems

If classified project information is handled in the company's information system, the system must be accredited. Accreditation means the approval of the technical information security solution, which indicates that it satisfies the level of security required for the project. Accreditation is a process during which the competent authority defines, in consultation with the owner of the information system, the level of risk the system is exposed to and approves the protective measures commensurate with the risks, including the instructions for the secure use of the system. Usually, the accreditation process includes a specific audit of the information system, which will not be carried out until all the security features of the system have been deployed.
9.3 Phases of Personnel Security Clearance
The Facility Security Clearance process always includes the Personnel Security Clearance of all the company employees participating in the project. Under certain circumstances, a Personnel Security Clearance alone is enough for participation.
When conducting a PSC, the competent authority [5] checks the background of the person in question by using the procedure stipulated by law. A PSC requires the person's written consent, which is given using a standardised form. [6] The person's job description and role in the project are also specified in the form.
A foreigner employed by a Finnish company may also be security cleared; however, it should be borne in mind that the Finnish authorities have limited resources to investigate the background of foreigners. The Act on Background Checks (177/2002) contains an exhaustive list of the registers to be used for security clearance; however, conducting a security clearance does not, as such, provide any basis for investigating the data held by foreign authorities on the person in question.

[5] Limited security clearance: local police; standard or extensive security clearance: Finnish Security Intelligence Service. In case of defence projects, the authority is always Defence Command.
[6] http://www.poliisi.fi/poliisi/supo60/home.nsf/files/Perusmuotoinen_turvallisuusselvitys_060801b/$file/Perusmuotoinen_turvallisuusselvitys_060801b.pdf
When a security clearance is made of a foreigner or a Finn who lives or has lived abroad, the period of time from which the data is available to the public authorities is to be indicated in the security clearance report.
A precondition applied by the National Security Authority for the granting of a PSC is that the person has lived in Finland for the five years preceding the issuance of the clearance.
When conducting a PSC, the Finnish Security Intelligence Service takes no position on the eligibility of the person; instead, it gives an evaluation of the information that may be relevant to the clearance based on the data contained in the registers. This information will be reported in writing to both the employer and the National Security Authority, who will then determine whether the preconditions for the granting of the PSC are met.
According to the Act on Background Checks (Laki turvallisuusselvityksistä, 177/2002), the subject is entitled to know whether any security investigation has been conducted in respect of him or her and to access the information provided in the PSC report. To exercise such right of access, an appointment is made with the Finnish Security Intelligence Service or Defence Command. It should be noted, however, that such right of access does not exist if the item of information originates from a register to which the person has no right of access (e.g. the Finnish Security Intelligence Service's operative information system). If so, he or she may ask the Data Protection Ombudsman to check his or her data contained in the Finnish Security Intelligence Service's operative information system.
9.4 Security Clearance Certificates
The NSA evaluates the reliability of the company or individual based on the statement issued by the authority conducting the security investigation and, if no impediment exists, grants the requested security certificates (PSC, FSC). The NSA informs the requesting foreign authority of the issuance of the PSC or FSC certificate. With domestic defence contracts, the competent security authority is the Defence Command.
Both PSC and FSC certificates may be granted for a maximum period of five years. The security authorities regularly audit the security procedures applied by the company during the validity of the Facility Security Clearance certificate.
Should any incident occur during the validity of the Facility Security Clearance certificate affecting the company's capacity to maintain the required level of security, the clearance level granted under the certificate may be downgraded. An FSC certificate is cancelled if its basis ceases to exist or if such a change takes place in the company's circumstances that the authority is no longer satisfied that the security and reliability criteria continue to be met. Any financial costs incurred due to a cancellation are to be paid by the company concerned. The National Security Authority informs the party requesting the certificate of any changes in the security level. Before an FSC certificate can be restored to the previous level, a proper audit is to be carried out by the competent authority.
10 Security responsibilities and obligations of companies
10.1 Responsibilities of the prime contractor
Companies participating in international classified projects are advised to engage in cooperation with the national security authorities at the outset of the project in order to be able to identify their responsibilities and obligations.
Once project participation is certain and the company has recognised that the project involves security requirements pertaining to it, the company should initiate a preliminary risk management process. A risk analysis helps identify the areas in which the company's security performance should be improved. A useful tool in this process is the National Security Auditing Criteria (KATAKRI) [7], which specifies the detailed security requirements applied by the Finnish authorities in respect of projects with different security categories.
The subcontractors used by the prime contractor are normally mentioned in the contract and are thus automatically bound by the obligations imposed in the project security instructions. If the use of other subcontractors becomes necessary during the course of the project, their security level must be verified as specified in the Classified Contract. Usually, at least a minimum update of the project security instructions and of the undertaking given to the authority is required. The prime contractor is responsible for ensuring that any subcontractors not approved by the procurement unit are not hired in the project.
The procurement unit may specify certain restrictions as to the use of foreigners or subcontractor companies owned by foreigners. The prime contractor must give due consideration to any such restrictions in the selection of subcontractors.
Usually, subcontractors are subject to the same security requirements as the prime contractors. The prime contractor is responsible for the security requirements applicable to their subcontractors.

[7] www.defmin.fi
10.1.1 Foreign subcontractors
If the subcontractor is a foreign company, the prime contractor may ask the NSA of Finland to obtain an FSC certificate for the company. The Finnish NSA will then forward the request to the subcontractor's NSA. As a rule, a General Security Agreement should exist between Finland and the country concerned.
For the request, the NSA needs at least the following:
- Information on the subcontractor company (name, business registration number and street address) and contact person.
- As accurate reasons for the FSC request as possible. Such reasons may, for example, be participation in a project in which classified information of some State is handled and in which the foreign company is to serve as a subcontractor of a Finnish company. Reference is also to be made to the project security standard requiring an FSC certificate of the subcontractor. Additionally, the reasons should indicate the type of classified information to be protected (classified information of national importance to Finland; EU classified information; NATO classified information; classified information of national importance to other State). The request should be accompanied by the relevant sections of the security instructions in which the reasons are specified.
10.1.2 Foreign employees
To obtain a PSC certificate for foreign employees, the Finnish company must contact the NSA. The NSA may request security certificates from countries with which Finland has a General Security Agreement. Certificates may also be requested from EU and MISWG countries on a case-by-case basis. The security clearance procedure varies from one country to another.
The following information must be submitted to the NSA for the request:
- As accurate reasons for the PSC request as possible. The reason may, for example, be participation in an international classified project in which the persons have access to classified information or premises where they may gain access to classified information. Additionally, the reasons should indicate the type of classified information to be handled in the project (classified information of national importance to Finland; EU classified information; NATO classified information; classified information of national importance to other State).
10.2 Duties of the project security officer
A Facility Security Officer (FSO) is always to be appointed for the project in the security instructions. Often, the officer is the company's security manager. While the company may also have others responsible for security, such as the data security officer, responsibility in respect of the foreign procurement unit and authorities will always rest with the designated Facility Security Officer.
The Facility Security Officer plays a key role in the assurance of project security. He or she is responsible for the practical implementation of the requirements specified in the security instructions, including staff training and supervising activities. Additionally, the Facility Security Officer or his/her alternate is required to report all incidents detected. The Facility Security Officers are required to keep in contact with one another, for example in connection with requests for visits.
10.3 Breaches of security and compromise of classified information
Further damage must be prevented where possible and steps taken to ensure that those directly involved in the breach of security are not assigned to investigate it.
The NSA will inform the national security authority of the other country concerned of any breach of security and/or compromise of classified information that may come to its attention. The NSA will take prompt action to resolve the matter and bring to justice those guilty of a punishable act or omission.
ANNEX 1
EFFECTIVE DATE OF THE AGREEMENT
TREATY 22 SEPTEMBER 1994
GERMANY
ESA (EUROPEAN SPACE AGENCY)
FRANCE
SLOVAKIA
POLAND
ESTONIA
LATVIA
ITALY
OCCAR (ORGANISATION FOR ARMAMENT COOPERATION)
BULGARIA
SLOVENIA
CZECH REPUBLIC
SPAIN
NORDIC COUNTRIES
Industrial security manual
ANNEX 2
1. Presentation of the document
   a. Purpose of document
   b. Definition of security responsibilities
   c. Terminology
2. General security instructions
   a. General principles
   b. Access to classified information
   c. Cross-border transfer of information and material
   d. Marking project information
   e. Procedures to protect unclassified but restricted information
   f. Procedures to protect classified information
   g. Security classification
   h. Information security incidents
3. Disclosure of information
   a. Unilateral disclosure
   b. Disclosure of information and material to non-participants or third parties
   c. Disclosure of project information at public events
   d. General disclosure of project information
   e. Authorisations regarding exhibitions
4. International visits
   a. General
   b. General Request for Visit procedures (or)
   c. Simplified Request for Visit procedures
5. Subcontractors
   a. Finnish subcontractors
   b. International subcontractors
6. Security cleared premises
   a. General
   b. List of security cleared premises
   c. Distribution of the list
   d. Updating the list
   e. Use of the FIS and PSCI/RfV forms
7. Security plan in the event the contract expires or the principal contracting party is not elected to continue
   a. General
   b. Information owned by the public authorities
   c. Information owned by the principal contracting party
8. Security training
   a. General principles
   b. Induction to security issues
   c. Security awareness
   d. Induction to travel security
   e. Security instructions related to the completion of the task
9. List of annexes
   a. Annex A
      i. Particulars of the project parties and principal commercial contracting parties
   b. Annex B
      i. Security Classification Guide
      ii. Contents
      iii. General
         1. Purpose
         2. Authorisation
         3. Security classifications
         4. List of terms used in the Guide
         5. Recommended classifications
         6. Instructions for downgrading the security level
         7. Other instructions
         8. Marking classified information
         9. Update plan
   c. Annex C
      i. Request for Visit procedure
   d. Annex D
      i. Protection of information in data and data transmission systems
         1. Introduction
         2. Non-technical security measures
         3. Technical security measures
         4. Accreditation
         5. Computer hardware
         6. Annex A: Definitions
   e. Annex K
      i. Abbreviations and acronyms
ANNEX 3
1. General observations
   a. Purpose of the Guide
   b. Authorisation
   c. Security classification
   d. Applicability
   e. Concepts
   f. Detailed recommendations and instructions for classification
   g. Instructions for downgrading the security classification
   h. Other instructions
   i. Marking instructions
   j. Updating the schedule
2. Other issues (e.g. identification and protection of project elements/components requiring classification)