Technical and organisational security measures
The purpose of this document is to describe the principles of the technical and organisational data security measures of Tieto group companies ("Tieto"), which Tieto provides for all Customers as a standard in Tieto's products and services as required by the Regulation (EU 2016/679), the General Data Protection Regulation ("GDPR").
Tieto implements appropriate technical and organisational data security measures which are designed to meet the data protection principles in an effective manner, and ensures that appropriate safeguards are integrated into the personal data processing in order to meet the requirements of the GDPR and to protect the rights of data subjects as described below.
Product level security descriptions are available upon request if not agreed to be part of the agreement governing the processing of personal data. Customer specific security measures are agreed separately.
Tieto executes and documents risk assessment for each Tieto product or service. Data protection and security risks are registered and monitored in the Tieto risk databases.
Tieto executes the data protection risk assessment in order to decide which data security measures shall be implemented. The aim is to define the appropriate level of data security measures for each product or service. In all cases, Tieto has implemented at least the security measures described in chapter 3 below.
As a part of the Information Security Management System (ISMS) Tieto has public security and privacy policies, which are available for customers on request. The policies are supported with wide range of mandatory rules on different aspects of data protection and information security. Documents are subject to regular internal review process as well as an external third party verification on their appropriateness as well as the review process.
Tieto has certified its relevant operations utilizing the following international standards ISO 27001, ISO 9001 and ISO 14001.
With regard to physical and environmental controls in data processing facilities and security management, an external third party audit utilizing ISAE 3402 Type 2 standard is conducted annually. The annual report of the audit can be delivered to Tieto customer upon request. If agreed, Tieto can also provide a customer specific infrastructure ISAE 3402 Type 2 assurance report.
2.1 Security of personal data
Tieto is implementing the following measures based on requirements set out in "Security of processing" (article 32 of the GDPR):
(a) the pseudonymisation and encryption of personal data
Tieto is utilizing encryption and/or pseudonymization in its operations to mitigate data protection risks where appropriate. Encryption and pseudonymization techniques may vary between services upon the service requirements and data protection risk assessment. Details of the used measures are available upon request.
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Protection of the personal data requires implementation of multiple security controls. Standard operational processes follow good industry practice framework ITIL. Standardized processes help to secure quality of service and safeguards personal data processing.
Tieto has a centralized system to manage administrative access to customer environments. To access a customer system, the employee must have a valid reason and access is only approved by utilizing a jointly agreed process with the customer. At minimum all access to customer environments requires an encrypted tunnel within Tieto network. Connections to customer environments are logged to provide full audit trail on administrative operations in customer environments. All remote access to Tieto services requires an encrypted connection and other possible measures (e.g. strong authentication) as required by the data protection risk assessment.
Unauthorized persons are prevented from gaining physical access to data processing facilities. Personal data is protected against accidental and unlawful destruction utilizing physical and environmental controls. Physical and environmental security controls in data processing facilities are subject to an annual independent third party ISAE 3402 Type 2 audit.
Tieto controls, monitors and audits all administrative connections, 3rd party access and file transfers which are deployed within Tieto infrastructure.
Tieto executes a framework for planning, executing and controlling customer business related operations. The organisational structure assigns roles and responsibilities to provide for adequate staffing and efficiency of operative capabilities. Tieto management established authority and appropriate lines of reporting for key personnel. As a part of the hiring processes education verification and background checks are conducted based on employee's position and level of access to Tieto processing facilities and systems.
Tieto maintains and controls the execution of the Tieto security policy, provides security training to employees, and performs application security reviews. These reviews assess the confidentiality, integrity, and availability of data, as well as conformance to the Tieto information security policy.
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
To restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Tieto has backup and business continuity management processes and strategies which ensure rapid restoration of business critical systems as and when necessary.
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Tieto emergency processes, plans and systems are regularly tested to assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the personal data processing. Customer specific disaster recovery testing is agreed separately.
Tieto operations follow defined processes and are subject to internal and independent third party audits as a part of quality and security management certification (ISO 9001 and 27001).