Security

CSC's operations are based on good and transparent governance, compliance with data protection regulations and compliance with best security practices in service production and internal operations. Since 2013, CSC's information security management system has been awarded the prestigious international ISO/IEC 27001 certificate.

Reliable certification based on external evaluations demonstrates that CSC has the ability to manage and continually improve the information security of its services and operations. The certificate covers CSC's data centers, ICT platforms, digital long-term storage and IaaS cloud services. In addition, certain CSC customers have commissioned external evaluators to perform safety assessments of the services provided to them by CSC in accordance with the terms of the security agreements.

CSC's management system covers, among other things, management, human resources, communications, stakeholder relations, contractual matters, premises, risks and deviations, as well as the management of resources and access rights. Specific CSC internal guidelines related to data protection and transparency are the administrator's instructions, the privacy policy and the e-mail policy.

The instructions, responsibilities, classification and implementation of the availability of services related to CSC's services are monitored on the basis of CSC's internal production catalog. Significant security incidents are discussed in CSC's Management Team.

Responsibilities related to the services are agreed with the customer or supplier in service agreements and related security and data protection agreements. In addition to service quality, development needs and customer experience, feedback on service safety is regularly monitored with the customer.

CSC's data protection measures are integrated into CSC's day-to-day operations.

CSC's data protection measures have been integrated into CSC's day-to-day operations, thus seeking to ensure that the obligation to provide evidence is fulfilled throughout the organization in practice. The organization's contract portfolio has been reviewed and the data protection terms of the contracts have been updated. In order to verify the obligation to provide evidence, metadata describing the processing of personal data has been implemented in the contract register. The Description of processing operations has also been updated and a process has been created to ensure the continuous maintenance of the report.

The co-operation between the data security and data protection organization has been intensified by creating practices for handling data protection incidents. CSC has conducted crisis exercises aimed at training the organization's mutual cooperation and operational capacity in situations where the information security or data protection of the services is compromised. CSC has defined the roles and responsibilities of crisis communication and issued new crisis communication guidelines, which will improve our ability to operate in exceptional circumstances.

CSC's data protection organization actively advises and instructs staff, handles current data protection issues in CSC's management teams and arranges internal training for various target groups. The data protection training for procurement has been carried out by an external trainer.

The implementation of CSC's security and data protection guidelines and operating policy is described in more detail on the company's pages on security, privacy and, for example, data policy.
