Information security and data privacy

Today’s increasingly complex IT landscape sets new demands on security for protecting personal and business-critical information. Cyber security resilience is a fundamental part of Tieto’s business, and vital for maintaining customers’ trust. Tieto is constantly updating its processes and training employees to achieve superior security performance.

As one of the largest IT service providers in Northern Europe, Tieto recognizes that any disturbances in IT infrastructure or IT systems involving customers can have an immediate impact on a large number of users, whether in their professional or private lives. For this reason, information and cyber security must be part of any process, delivery, or work the company does. Tieto's security arrangements aim at predicting, preventing, detecting and responding to different types of attacks and incidents.

Tieto’s Information Security Management System (ISMS) covers the company’s information security rules and organization, and provides the mandatory information regarding security processes. In general, information security deals with confidentiality, integrity, and availability of IT services and data.

To comply with the European data privacy and information security regulations (GDPR) and local laws, Tieto’s solutions, services, and internal processes are continuously monitored. Furthermore, the company strives to increase information security awareness among employees by various means, such as organizing e-learning courses, conferences and training programmes. For example, in 2017 Tieto launched new security e-learning modules, a separate security awareness campaign, continued with the internal GDPR program and related information security activities, and upgraded the Governance, Risk Management and Compliance (GRC) platform.

Cyber capability maturity assessment conducted on an annual basis

During the year, Tieto also conducted a cyber capability maturity assessment and implemented a three-year cyber security plan, which aims to improve Tieto’s overall cyber resilience and is reviewed and updated on an annual basis.

Risk management, business continuity, awareness and well-functioning security services are all important building blocks for establishing good cyber security resilience. At Tieto, the group-level responsibility for security and data privacy arrangements is managed by our Chief Security Officer and Chief Risk Officer, who heads the central risk management function. Internal and external audits are also regularly followed up in the Tieto Leadership Team and the Board of Directors’ Audit and Risk Committee.

Tieto’s Security Policy and Privacy Policy help to manage information security and data privacy throughout all business operations. The company also has an Information Classification Rule to assure that the confidentiality, integrity, and availability of information assets are protected and that the information is handled, stored and disposed of correctly. In addition, the Data Transfer Rule specifies the terms and conditions for transferring any personal data of Tieto’s customers outside the EU and EEA areas. European Commission standard contractual clauses are used as contractual safeguards when transferring personal data from EU to non-EU countries. All policies are reviewed annually.

For unexpected incidents, Tieto has a Major Incident Management (MIM) process in place. It supports the efficient management of incidents and aims at minimizing the impact on customers and end-users by restoring business-critical IT services and maintaining constant communication with affected stakeholders. In addition, Tieto’s Security MIM (sMIM) process is used for security-related incidents, and defines communication and mitigation actions based on the sensitivity and criticality of the incident. This framework will also be used in relation to GDPR requirements for timely breach notification.

Tieto implemented a three-year cyber security plan

Tieto uses different international standards as reference where applicable. For instance, the ISO 27001 standard is used for information security and the ISO 31000 standard for risk management, while the Information Security Forum’s Standard of Good Practice is used for information security, and of course Tieto fully implements the new EU GDPR regulation. Tieto also conducts annual ISAE 3402 audits, which describe and document the adequacy of internal controls for information security and financial reporting. This audit is carried out for data centres and customer-specific infrastructure services.

During 2017, no substantiated complaints regarding breaches of customer privacy and losses of customer data were reported.

In addition to maintaining its active dialogue on cyber security issues with stakeholders on a societal level, Tieto will continue with GRC platform developments and concentrate further on refining business continuity management. The plan for 2018 also includes further improvements to Tieto’s security incident management and audit follow-up.