Information security and data privacy

The new IT landscape, with data stored in the cloud and increasing number of users and connected devices, sets new requirements on security arrangements for protecting the integrity of personal and business-critical information. At Tieto, we see information security and data privacy as a fundamental part of our business, and vital for maintaining our customers’ trust.

As one of the largest IT services providers in Northern Europe, we recognize that any disturbances in IT infrastructure or IT systems involving our customers can have an immediate impact on a large number of users, whether in their professional or private lives. This is why information and cyber security must be part of any process, delivery or work we do. Our security arrangements aim at predicting, preventing, responding and detecting different type of attacks and incidents.

Information security in general covers confidentiality and integrity as well as availability of IT services and data. Confidentiality means protecting information from unauthorized access and disclosure. Integrity refers to safeguarding the accuracy and integrity of information and processing methods. Availability means ensuring that information and associated services are available to authorized users when required. All these requirements are implemented in our Information Security Management System (ISMS), which explains the company’s information security rules and organisation. It also provides the mandatory information regarding security processes, which are regularly benchmarked. The ISMS is integrated in our Group-wide business system Tieto Way.

At Tieto, we see information security and data privacy as a fundamental part of our business, and vital for maintaining our customers’ trust.

Our Security Policy and Privacy Policy help to manage information security and data privacy throughout our business operations. We also have an Information Classification Rule to assure that the confidentiality, integrity, and availability of information assets are protected and that the information is handled, stored and disposed of correctly.

To comply with the European data privacy and information security regulations as well as local laws, our solutions, services and internal processes are continuously monitored. We also adhere to industry standards as well as specific quality and integrity requirements set by customers and other stakeholders. At the end of 2015, 48% of our employees were covered by ISO 27001 certifications based on such specific needs.The coverage of the ISO27001 certificate is fulfilling the business needs and customer requirements.

Despite careful security arrangements and a proactive approach, incidents may occur due to unexpected events. Our Major Incident Management (MIM) process supports efficient management of incidents and aims at minimizing the impact on customers and end-users by restoring business-critical IT services, and keeping the various internal and external stakeholders constantly informed about the situation and progress of restoring activities. In 2015, a Security MIM process was defined and implemented. 

During 2015, no substantiated complaints regarding breaches of customer privacy and losses of customer data were reported.

Taking active part in developing security and data privacy issues in society

Our aim is to maintain a close dialogue on information security and data privacy issues with different stakeholders in society at large. We actively work towards establishing common regulations, which are necessary to facilitate the cooperation and encourage the exchange of information and communication with the public in the event of an IT-incident. We cooperate continuously with various authorities, for instance, by sharing information on intrusion attempts. Through these means, we also benefit from information that enables us to proactively prevent incidents.

Risk management, business continuity, awareness and well-functioning security services are all important building blocks for establishing good cyber security resilience. At Tieto, Group-level responsibility for security and data privacy arrangements is managed by our Chief Security Officer and Chief Risk Officer, who heads our central risk management function. Unit-level resources are allocated based on local customer needs. Information security awareness among employees is mainly maintained by means of Intranet articles, e-learning courses and other training programs, as well as through manual feedback questionnaires and conferences. Managers are responsible for creating awareness and implementing the ISMS in their own units.