The data security policy of MPS Enterprises


Data security policy

Updated 9.5.2018.

This data security policy applies to all MPS enterprises while taking into account the operating environment and its laws and procedures.

Data security is defined as the safe processing of data regardless of its format. Therefore, data security also includes print-outs and other materials in addition to information systems. Data security ensures the confidentiality, integrity and availability of the data.

MPS Enterprises process highly confidential data that requires absolute confidentiality as well as data processing and storage that is safe and undisturbed. The security of data is actively monitored and incidents are dealt with using agreed methods.

The requirements and risks of business operations are taken into account when implementing data security measures. Data security is developed cost-efficiently and appropriately in regards to the specified requirements and risks. The operations always comply with legal requirements and contracts with customers and partners. When processing confidential personal data, special attention must be paid to the protection of privacy and the legislation concerning the processing of personal data.

This data security policy has been approved by the management team and the information management team of MPS Enterprises.

1 Responsibilities

Enterprises are responsible for specifying data security requirements and ensuring sufficient resource allocation. The management team of the enterprise is responsible for creating continuity plans for critical systems and processes. These plans must also be maintained and tested.

The chief information officer of MPS Enterprises is responsible for the shared systems of all enterprises and their data security. The role of the chief information officer and their organisation is to support and guide the data security of the enterprises. This is done by identifying potential data security risks and assessing whether the enterprise has properly prepared for these risks and whether the continuity plans are up-to-date. The information management team of MPS Enterprises is also responsible for ensuring that the level of data security is adequate through technical monitoring. The availability of the systems and data must always be taken into account when designing and implementing a data security solution so that data security solutions will not impede business operations.

All employees and partners are expected to familiarise themselves with the data security instructions and to follow them. If incidents, threats and new risks are detected, they must be reported to the persons responsible for the data security of the enterprise as well as the information management team of MPS Enterprises.

2 Data security practices

2.1 Risk assessment

The risks are assessed based on their potential impact on business operations. The criticality and confidentiality of data as well as the extent of damage if the risk becomes reality should be taken into account in risk assessment. The assessment must be carried out during the requirements specification phase of new systems and in connection with significant changes.

2.2 Access rights and access control
The owners of the systems specify the access levels and the grounds for granting access rights. The enterprises are responsible for creating user credentials and removing access rights. If possible, identity management will be carried out using a shared solution for all MPS Enterprises.

2.3 Categorisation and processing of information
MPS Enterprises uses a data classification policy. It specifies how data is classified and how the classification affects the processing of the data. Special attention is paid to systems containing confidential personal data and their access rights and they may be subject to separate and more extensive data security checks.

2.4 Use of information networks
Only devices belonging to MPS Enterprises or devices approved by the information management team may be connected to the information networks of MPS Enterprises. Only software approved by the information management team may be installed on the devices. A separate information network is available for outsiders’ devices.

2.5 Data security training
All employees are regularly informed about data security, and the employees must refresh their knowledge of matters concerning data security once a year.

2.6 Monitoring
The security of the data is constantly monitored using the agreed methods. The detected new risks and threats are reported to the persons responsible for data security. Systematic technical monitoring is carried out regularly for the existing systems. Testing is carried out in connection with the deployment of the system according to the criticality level of the system.

2.7 Management of incidents
Reports that include the description of the incident and the measures taken after the detection of the incident are prepared in the event of data security incidents. There are plans in place for dealing with incidents. These plans must be maintained and employees must practice putting them into action.

3 Data security breaches

All actions that infringe the data security policy are considered to be data security breaches. In the event of a data security breach, the extent and impact of the breach is assessed and the necessary measures are taken based on the assessment.