Security

Reliability is one of the keys to CSC's success, and a tight grip on security is the cornerstone of reliability. It is important for CSC's customers that they can trust CSC to adequately protect and secure their data in its services. During the year under review, we identified growing cyber security risks and, correspondingly, stricter security requirements were imposed by both customers and the government.

The more stringent security requirements were manifested for CSC as security audits commissioned by customers as well as the central government’s efforts to bolster the security of Finnish society and, in particular, our critical infrastructure. Among other things, CSC participated in audits required under the Act on the Secondary Use of Social and Health Data (FINLEX 552/2019) to ascertain the security of the operating environment. In addition, CSC was issued with an official certificate of compliance with security class IV of the national security audit criteria (Katakri 2020) in the areas of security management and physical security.

Since 2013, CSC's information security management system has been awarded the prestigious international ISO/IEC 27001 certificate. Based on an international information security standard and reliable external evaluations, it proves that the company has the ability to control, manage and continuously improve information security in its services and operations. The certificate already covered CSC’s data centers, ICT platforms, digital long-term preservation, and IaaS cloud services. In 2021, its scope was extended to cover the eDuuni cooperation platform and maintenance of the Tiimeri platform.

CSC's security management system is based on the best international security practices and risk management planning, which takes into account the relationship between security requirements and business needs. The company's Board of Directors reviews the risk management principles annually. Both the Board of Directors and executive management regularly examine the company's risk terrain as part of their daily work. Any significant information security and data protection incidents are discussed in CSC's Management Group. We monitor service availability and service-related guidelines, responsibilities and classifications on the basis of our internal production catalogue. A more detailed description of the management system can be found here.

CSC's data protection measures have been integrated into the company's day-to-day work, and major investments have been made in training to improve the personnel’s data protection competence. Among other things, certification training related to data protection competence was launched for the personnel, and training on assessing data protection risks was provided. In CSC’s user registration portal (myCSC), a functionality was implemented in which an applicant for computing capacity accepts an agreement on the processing of personal data. This reduces the risk of unauthorised processing of personal data in CSC's services.

As part of strengthening the company's information security competencies, extensive technical information security training leading to the prestigious international System Security Certified Practitioner (SSCP) certification was organised for twenty of CSC's key administrators. Tailored information security training focusing on managing vulnerabilities and weak configurations was organised for CSC’s developers and experts in agile development and continuous system integration.

In addition to incident management, managing vulnerabilities and weak configurations is a core process of operational security. CSC collects and processes large volumes of data related to vulnerabilities and always strives to tackle them proactively.

Funet CERT observations

Proactive vulnerability management is a key element of information security. The Funet CERT service collects and communicates information on vulnerabilities and security incidents.

Scanned IP addresses

Funet CERT vulnerability scans scrutinised a large number of IPv4 and IPv6 addresses.

Neither instructions and agreements nor communications alone can guarantee that all stakeholders know what to do when investigating a security incident, which is why CSC regularly participates in information security exercises that also address data protection incidents.

CSC has carried out crisis exercises relating to the organisation's internal cooperation and ability to function in situations where the information security or data protection of the services is at risk.

Ultimately, it is up to CSC's management to ensure that the company's services are adequately secure. CSC’s management conducts regular security reviews, which also cover risk management. Strategic risks are discussed by CSC's Board of Directors.
