The purpose of this document is to describe the principles of the technical and organisational data security measures of Tietoevry group companies ("Tietoevry"), which Tietoevry provides for all Customers as a standard in Tietoevry's products and services as required by the Regulation (EU 2016/679), the General Data Protection Regulation ("GDPR").
Tietoevry implements appropriate technical and organisational data security measures which are designed to meet the data protection principles in an effective manner, and ensures that appropriate safeguards are integrated into the personal data processing in order to meet the requirements of the GDPR and to protect the rights of data subjects as described below.
Product level security descriptions are available upon request if not agreed to be part of the agreement governing the processing of personal data. Customer specific security measures are agreed separately.
1 Data protection risk assessment
Tietoevry executes and documents risk assessment for each Tietoevry product or service. Data protection and security risks are registered and monitored in the Tietoevry risk databases.
Tietoevry executes the data protection risk assessment in order to decide which data security measures shall be implemented. The aim is to define the appropriate level of data security measures for each product or service. In all cases, Tietoevry has implemented at least the security measures described in chapter 2 below.
2 Security measures
As a part of the Information Security Management System (ISMS) Tietoevry has public security and privacy policies, which are available for customers on request. The policies are supported with wide range of mandatory rules on different aspects of data protection and information security. Documents are subject to regular internal review process as well as an external third party verification on their appropriateness as well as the review process.
Tietoevry has certified its relevant operations utilizing the following international standards ISO 27001, ISO 9001 and ISO 14001.
With regard to physical and environmental controls in data processing facilities and security management, an external third party audit utilizing ISAE 3402 Type 2 standard is conducted annually. The annual report of the audit can be delivered to Tietoevry customer upon request. If agreed, TietoEVRY can also provide a customer specific infrastructure ISAE 3402 Type 2 assurance report.
2.1 Security of personal data
Tietoevry is implementing the following measures based on requirements set out in "Security of processing" (article 32 of the GDPR):
(a) the pseudonymisation and encryption of personal data
Tietoevry is utilizing encryption and/or pseudonymization in its operations to mitigate data protection risks where it has been deemed appropriate by Tietoevry. Encryption and pseudonymization techniques may vary between services upon the service requirements and data protection risk assessment. Details of the used measures are available upon request.
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Protection of the personal data requires implementation of multiple security controls. Standard operational processes follow good industry practice framework ITIL. Standardized processes help to secure quality of service and safeguards personal data processing.
Tietoevry has a centralized system to manage administrative access to customer environments. To access a customer system, the employee must have a valid reason and access is only approved by utilizing a jointly agreed process with the customer. At minimum all access to customer environments requires an encrypted tunnel within Tietoevry network. Connections to customer environments are logged to provide full audit trail on administrative operations in customer environments. All remote access to Tietoevry services requires an encrypted connection and other possible measures (e.g. strong authentication) as required by the data protection risk assessment.
Unauthorized persons are prevented from gaining physical access to data processing facilities. Personal data is protected against accidental and unlawful destruction utilizing physical and environmental controls. Physical and environmental security controls in data processing facilities are subject to an annual independent third party ISAE 3402 Type 2 audit.
Tietoevry controls, monitors and audits all administrative connections, 3rd party access and file transfers which are deployed within Tietoevry infrastructure.
Tietoevry executes a framework for planning, executing and controlling customer business related operations. The organisational structure assigns roles and responsibilities to provide for adequate staffing and efficiency of operative capabilities. Tietoevry management established authority and appropriate lines of reporting for key personnel. As a part of the hiring processes education verification and background checks are conducted based on employee's position and level of access to Tietoevry processing facilities and systems.
Tietoevry maintains and controls the execution of the Tietoevry security policy, provides security training to employees, and performs application security reviews. These reviews assess the confidentiality, integrity, and availability of data, as well as conformance to the Tietoevry information security policy.
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
To restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Tietoevry has backup and business continuity management processes and strategies which ensure rapid restoration of business critical systems as and when necessary. Tietoevry has defined continuity and disaster recovery plans for Tietoevry infrastructure supporting Tietoevry service delivery to Customers. These plans are regularly updated and tested and are subject to third party auditing. Customer specific continuity plans and procedures are agreed separately between Tietoevry and the Customer.
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Tietoevry emergency processes, plans and systems are regularly tested to assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the personal data processing. Customer specific disaster recovery testing is agreed separately.
Tietoevry operations follow defined processes and are subject to internal and independent third party audits as a part of quality and security management certification (ISO 9001 and 27001). Tietoevry conducts internal security testing and vulnerability scanning. For high risk environments Tietoevry utilize third party security testing services including penetration testing.
|