Information Security and Privacy Policy

Introduction

Edita Prima operates in a business environment where trustworthiness and reliability in processing clients' information are highly business-critical success factors. Accordingly, information is the most valuable asset of the company's business.

In this policy, the Edita Prima Management Team lays the foundation for both information security and data protection (hereafter referred to together as information security) in the company.

Edita Prima maintains its Information Security Management System (ISMS) to ensure that its strategic goals and targets for quality and information protection are achieved. The Management Team is committed to continually improving the ISMS and to supporting the entire organization in meeting the information security requirements.

Detailed policies, rules and instructions are derived from this policy.

This policy is based on the following sources of direction:

  • Requirements defined by the ISO/IEC 27001 standard, especially clauses 5.2 and 5.3.

  • Information Security Management System (ISMS) Scope document.

  • Edita Prima's business environment and the requirements of interested parties, as described in the company Intranet.

  • Information security risk management results.

Scope

This policy is the top-level directing document of the company's ISMS and has the same scope as the ISMS. It applies to all types and forms of information, including personal data.

This policy applies to every employee of Edita Prima, as well as to partners and other interested parties handling information owned or managed by Edita Prima.

This information security and privacy policy is publicly available on Edita Prima's website, www.editaprima.fi/en. Other information security documentation is available through Edita Prima's internal communication channels, in accordance with the access control policy.

Terminology

Edita Prima follows the terminology used in the ISO 27000 standard family. In this policy, only the most essential terms are described, in plain language.

Information Security

All administrative, technical and other means to protect information in any format. Information security in Edita Prima consists of the following characteristics, or 'cornerstones':

  • Confidentiality: Information is available only to authorized persons, systems or services.

  • Integrity: Protecting the completeness and accuracy of information. No unauthorized changes are made to information, whether by human action (intentional or unintentional) or by technical failure.

  • Availability: Information is available (accessible, usable) when an authorized person, system or service requires access.

  • Non-repudiation: Provides undeniable proof that an event or action actually happened, and that it was carried out by a particular entity at a particular time.

Data Protection (Privacy)

A fundamental right that safeguards the rights and freedoms of an individual (data subject) when personal data is processed. The purpose of data protection is to define when and under what conditions personal data may be processed. A detailed description of privacy at Edita Prima is provided in the Privacy Notice published on Edita Prima's website.

Information Security Management System (ISMS)

The management system that describes and demonstrates the company's approach to information security. The ISMS consists of the processes, documentation, organization and other means used to maintain and continually improve the company's information security.

Risk Management

Systematically managed and coordinated activities and methods used to manage the risks and uncertainty affecting Edita Prima's objectives. Risk management processes produce valuable input for the other elements of the ISMS, especially objective setting.

Business Continuity Management

All administrative, technical and other means to ensure that Edita Prima remains capable of delivering its services and products under normal and exceptional circumstances, including when a disruptive incident, failure or error occurs.

Objectives and Measurement

Edita Prima's Management Team is fully committed to continually improving the ISMS and its processes and practices in order to support the entire company in achieving its business and information security objectives. As part of continual improvement, the Management Team has set, and is responsible for regularly reviewing, the following general objectives.

Edita Prima:

  • continually improves its ISMS and information security processes and controls

  • complies with ISO/IEC 27001 and ISO/IEC 27701 within the agreed scope

  • protects all information processed in the company (including customer information and personal data)

  • fulfills customers’ requirements and expectations concerning information security

  • keeps its information security goals in line with its business objectives and strategy

  • ensures that its employees, property and functions are protected and secured

Detailed information security objectives are derived from these general objectives and are described in Edita Prima's internal communication channels.

Compliance with requirements is ensured by monitoring and measuring the appropriate processes and controls.

Implementation

The CISO (Chief Information Security Officer) and DPO (Data Protection Officer) lead the implementation of information security controls within the scope of the ISMS.

Information security is implemented and maintained according to the management practices described in the ISMS, which aim at continual improvement. Essential to this is that the company has the capability to maintain both its ISMS and its security culture, based on the following principles:

  • The Management Team leads information security work in a systematic and active manner.

  • Continual awareness and training practices are in place to maintain the knowledge and motivation of the entire personnel.

  • The business environment is actively monitored, and business and security objectives are updated accordingly.

  • Risks and threats are regularly assessed, and necessary actions taken accordingly.

  • Incidents and disruptions are prepared for and responded to by maintaining, testing and exercising appropriate business continuity and recovery plans and the incident management process.

Organisation

Information security is the responsibility of every individual in Edita Prima. The company demonstrates this by describing the roles, with their responsibilities and mandates, in this chapter. Detailed descriptions are available in Edita Prima's internal communication channels.

The principles for granting responsibilities and mandates are that:

  • they are primarily granted to organisations or roles instead of individuals.

  • opportunities for unauthorized or unintentional modification or misuse of the company's assets are minimized (segregation of duties).

The Management Team ensures that information security meets the set objectives and enables the Edita Prima organisation to participate in and continually improve information security. Additionally, each Management Team member is in charge of information security in their own area of responsibility.

Full- and part-time information security roles together form the Information Security Team. The team assists the Management Team and supports the entire organization in integrating information security into the company's daily operations and in achieving the agreed objectives.

Support functions are in charge of their specialist areas in supporting Edita Prima's business operations, and they are responsible for ensuring that information security objectives and requirements are met within their own function.

Every employee shall follow the guidance and instructions given by the company. Additionally, employees are responsible for reporting actual or potential incidents, risks, weaknesses and requirements to the Information Security Team (information.security@edita.fi).

Acceptable use of information and information systems

Information, information systems, equipment and other assets of the company are provided to the personnel for work purposes. A limited and reasonable amount of personal use is allowed, provided it has no negative effect on one's tasks or on the company. Using these assets for any illegal or unethical purpose or against the company's values, as well as any unauthorized disclosure of confidential information, is strictly prohibited.

Only authorized persons in Edita Prima and Group-IT representatives may make changes to Edita Prima's ICT environment.

Violations of the principles and requirements defined in this policy, or elsewhere in Edita Prima, may lead to disciplinary action, sanctions and/or termination of employment.