Information security and data privacy

With more and more digital services, a growing number of users, and increased amount of connected devices to access data, accurate security arrangements are key for protecting the integrity of personal and business-critical information. At Tieto, we see information security and data privacy as a fundamental part of our business, and vital for maintaining our customers’ trust.

Information security in general covers confidentiality and integrity as well as availability of IT services and data. Confidentiality means protecting information from unauthorized access and disclosure. Integrity refers to safeguarding the accuracy and integrity of information and processing methods. Availability means ensuring that information and associated services are available to authorized users when required. 

As one of the largest IT services providers in Northern Europe, we recognize that unauthorized use or access to customer data, or interrupted user-critical IT services, could cause serious damage to our customers as well as Tieto as a company. This is why we have implemented all the requirements described above in our Information Security Management System (ISMS). The ISMS is integrated in our Group-wide business system Tieto Way, and explains the company’s information security rules and organisation. It also provides the mandatory information regarding security processes, which are regularly benchmarked.

Our Security Policy and Data Privacy Policy help to manage information security and data privacy throughout our business operations. We also have an Information Asset Classification Rule to assure that the confidentiality, integrity, and availability of information assets are protected and that the information is handled, stored and disposed of correctly. 

To comply with the European data privacy and information security regulations as well as local laws, our solutions, services and internal processes are continuously monitored. In addition to this, we adhere to industry standards as well as specific quality and integrity requirements set by customers and other stakeholders. At the end of 2014, 35% of our employees were covered by ISO 27001 certifications based on such specific needs. The certificate covers the office sites of our Managed Services and Product and Development Services business, as well as data centres operated by Managed Services.

Despite careful security arrangements and a proactive approach, incidents may occur due to unexpected events. Our Major Incident Management (MIM) process supports efficient management of incidents and aims at minimizing the impact on customers and end-users by restoring business-critical IT services, and keeping the various internal and external stakeholders constantly informed about the situation and progress of restoring activities. Based on our internal measurements for initiation and communication of the MIM process, this process was further improved during 2014.

Our aim is to maintain close dialogue on information security and data privacy issues with different stakeholders in society at large. We actively work towards establishing common regulations, which are necessary to facilitate the cooperation and encourage the exchange of information and communication with the public in the event of an IT-incident. We cooperate continuously with various authorities, for instance, by sharing information on intrusion attempts. Through these means, we also benefit from information that enables us to proactively prevent incidents.

In Tieto, Group-level responsibility for security and data privacy arrangements is managed by our Chief Security Officer and Chief Risk Officer, who heads our central risk management function. Unit-level resources are allocated based on local customer needs. Information security awareness among employees is mainly maintained by means of Intranet articles, e-learning courses and other training programs, as well as through manual feedback questionnaires and conferences. Managers are responsible for creating awareness and implementing the ISMS in their own units.

During 2014, no substantiated complaints regarding breaches of customer privacy and losses of customer data were reported.