CSC is a reliable partner whose data centres have been granted an ISO/IEC 27001 certificate for their information security management systems. Security culture and certification are integrally connected to CSC's business.
The information security management system, certified based on the international ISO/IEC 27001 standard, ensures that the organisation possesses the capacity to manage, govern and continuously develop the information security of its services and operations. The certification was performed by Inspecta Ltd.
Security Policy and Best Practices
CSC has approved a security policy and also follows best security practices. This description is a public summary of those. More detailed security guidelines may exist for CSC's customers, providers and staff. Many items in our security policies and guidelines refer to external compliance requirements. CSC also has procedures for risk and security management.
The objective for our security measures is to secure CSC services, systems and data to be able to successfully complete our corporate mission. We want to protect the services of our customers. By keeping our services available and secure we can earn the trust of our customers and other partners.
CSC security policy is approved by our management and covers all staff and our relations with customers and partners.
Our Security Management is based on catalogues of operational resources to be protected, business continuity and disaster recovery plans, security agreements with customers and partners, a security awareness and skills training program, security guidelines, and an incident response procedure. Security is led by the role Head of Security.
Our HR Security is based on security clauses in the terms of employment, regular security training, mitigating risks related to key roles, and screening, all of this respecting privacy laws and best practices.
Our Physical Security is based on classification of premises, access controls and monitoring.
Our Network Security is based on classification of networks, defense-in-depth, legal controls, vulnerability scans, access controls, encryption, and monitoring.
Our Computer Systems Security is based on security requirements, access controls and monitoring, continuity planning, securing best practices in systems administration, and security guidelines.
Our Systems Development Security is based on an internal security guideline for best practices in systems development.
Our Documentation Security is based on legal requirements by the government and principles for classification, storing and changing data, as described in an internal documentation security guideline.
Our Operational Security is based on a wide array of procedures securing daily operations, such as access controls, use of accounts, controlling privileged use, classification, monitoring, and change, capacity, incident and problem management.
Our Access Controls are based on an internal policy on how to implement best security practices and security principles in CSC environments.
Our Compliance Controls are based on the laws, agreements and regulations which affect CSC and the standards CSC complies with. The major security standards CSC complies with are ISO/IEC 27001:2013 and the Decree on Information Security by the Finnish Government.
For capacity services (ICT platforms) and certain customer services CSC complies with the raised information security level as defined by the Finnish Government.
For specific functions CSC also complies with regulations by FICORA (the Finnish Communications Regulatory Authority) and the OAIS (Open Archival Information System) reference model.
CSC security procedures are regularly reviewed in internal and external audits and in management reviews.
Urpo Kaila, Head of Security, (09) 457 2253