Information security and data privacy

Today’s increasingly complex IT landscape places new demands on the information security and data privacy arrangements that protect personal and business-critical information. Cyber security resilience is a fundamental part of Tieto’s business and vital for maintaining our customers’ trust. To stay ahead of developments, we continuously update our processes and train our employees.

As one of the largest IT services providers in Northern Europe, Tieto recognizes that any disturbance in IT infrastructure or IT systems involving customers could have an immediate impact on a large number of users, in both their professional and private lives. This is why information and cyber security must be part of every process, delivery and piece of work we do. Our security arrangements aim at predicting, preventing, detecting and responding to different types of attacks and incidents.

Tieto’s Information Security Management System (ISMS) defines our information security rules and organization and documents the mandatory security processes. In general, information security is concerned with the confidentiality, integrity and availability of IT services and data.

Three-year cyber security plan established.

To comply with the EU General Data Protection Regulation (GDPR) and local data privacy and information security laws, Tieto’s solutions, services and internal processes are continuously monitored. Furthermore, we strive to increase information security awareness among employees by, for example, organizing e-learning courses, conferences and training programmes. For instance, the e-learning modules were updated in 2016 to better prepare employees for the forthcoming GDPR requirements.

During 2016, Tieto also conducted a cyber security maturity model assessment and related benchmarking. The findings served as the basis for a three-year cyber security plan. The aim is to improve Tieto’s overall cyber resilience, and the plan will be reviewed and updated annually. Implementation will start in 2017.

Risk management, business continuity, awareness and well-functioning security services are all important building blocks for establishing good cyber security resilience. At Tieto, Group-level responsibility for security and data privacy arrangements rests with our Chief Security Officer and our Chief Risk Officer, who heads the central risk management function. The results of internal and external audits are also regularly followed up by the Tieto Leadership Team and the Board of Directors’ Audit Risk Committee.

Tieto’s Security Policy and Privacy Policy help to manage information security and data privacy throughout all business operations. Tieto also has an Information Classification Rule to ensure that the confidentiality, integrity and availability of information assets are protected and that information is handled, stored and disposed of correctly. In addition, the Data Transfer Rule specifies the terms and conditions for transferring any personal data of Tieto’s customers outside the EU and EEA. When personal data is transferred from the EU to non-EU countries, the European Commission’s standard contractual clauses are used as the contractual safeguard.

For major incidents, Tieto has a Major Incident Management (MIM) process in place. It supports efficient handling of incidents and aims at minimizing the impact on customers and end-users by restoring business-critical IT services and maintaining constant communication with affected stakeholders. In addition, Tieto’s Security MIM (sMIM) process is used for security-related incidents; it defines communication and mitigation actions based on the sensitivity and criticality of the incident. This model will also be used to meet the GDPR requirement for timely breach notification, under which a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it.

48% of employees covered by ISO 27001 certification.

At the end of 2016, 48 per cent of our employees were covered by certification against the ISO 27001 information security management standard, meeting both business needs and customer requirements. Tieto also undergoes annual ISAE 3402 assurance audits, which describe and document the internal controls for information security relevant to our customers’ financial reporting. This audit is carried out for data centres and infrastructure services.

During 2016, no substantiated complaints regarding breaches of customer privacy or losses of customer data were reported.

In addition to maintaining an active dialogue on cyber security issues with stakeholders at the societal level, Tieto will continue its work on these topics internally. Specific actions include continuing the implementation of the GDPR programme and organizing a dedicated Security Awareness programme as part of our three-year cyber security plan.