Facility security clearance vetting examines security arrangements
When conducting facility security clearance vetting, Supo examines the reliability of responsible individuals in the enterprise, its ability to discharge its commitments, and its security arrangements.
There are three aspects to facility security clearance vetting. The first stage is a background inspection of the enterprise and its responsible individuals. The second stage is an audit of security arrangements in the enterprise. The third stage follows up on any issues examined at the first and second stages throughout the lifetime of the facility security clearance.
Supo assesses the reliability and capacity of the enterprise and its responsible individuals for discharging their commitments. The assessment reviews:
- general details of business operations
- information concerning the owners of the enterprise
- details of the enterprise’s assets
- details of credit and distraint
- details of tax receivables
- penalties imposed on, and offences targeting the enterprise
- personnel security clearances concerning responsible individuals
Supo assesses whether the security arrangements of the enterprise satisfy the requirements imposed on them. This includes:
- auditing the administrative security of the enterprise
- inspecting the premises of the enterprise
- auditing the information system and communication arrangements (Traficom) where applicable
The Katakri information security audit tool is generally used as the basis for assessing security arrangements.
Facility security clearance vetting may also be conducted in part, for example by inspecting only the premises and background of an enterprise that does not process classified information in its information systems.
Time limits guide the facility security clearance vetting procedure
The facility security clearance vetting process proceeds in stages. Time limits have been set for intermediary stages, which the target company must agree to comply with before the clearance process begins. The target company provides its consent in writing in Appendix 1 of the facility security clearance vetting application.
The initiated facility security clearance vetting procedure may be terminated if the target company fails to complete the process stages within the deadlines specified. The Finnish Security and Intelligence Service will hear the target company before deciding to terminate the facility security clearance vetting procedure.
When the Application Arrives at Supo
0−1 months: A kick-off meeting is held, after which Supo decides whether to initiate the investigation. Supo invoices the customer only after the initiation decision has been made.
2−4 months: The customer submits the background check material and the first version of the self-assessment material to Supo within three months of the kick-off meeting. Supo verifies that the invoice has been paid within three months of the kick-off meeting.
5−7 months: The background check is completed, and the self-assessment is reviewed and corrected if necessary. The self-assessment must reach an acceptable level within six (6) months of the kick-off meeting.
7−8 months: A facility audit is conducted at the customer’s premises.
9−10 months: Any deviations identified during the facility audit are corrected. The audit must reach an acceptable level within nine (9) months of the kick-off meeting.
11−12 months: The customer submits an undertaking to Supo and receives a certificate of corporate security investigation in return.
Clearance may conclude with a security undertaking
To conclude clearance, Supo may require the enterprise to issue an undertaking to maintaining an
approved standard of information security, and to notify the authorities of any changes in this standard.
The facility security clearance certificate is issued when clearance is complete and the enterprise has signed the undertaking. The certificate may be withdrawn if the enterprise no longer satisfies the requirements or if a responsible individual fails to discharge obligations, and the enterprise fails to rectify its shortcomings within a prescribed period.