This policy describes Metropolia's responsibilities and objectives for information security and how we manage and approach information security. 

The Metropolia Information Security Policy is a continuously maintained and updated set of policies.

The policy is written only in Finnish, but this page provides a summary of the information security policy that contains its most important aspects.

Information security policy and its objective

Metropolia's activities are guided by existing government legislation that provides guidance on ensuring the appropriate availability, accessibility and integrity of documents and information systems and the data they contain. These policies must be continuously developed, monitored and improved where necessary. These developments are carried out in cooperation with all Metropolia departments.

The growth of digitalisation means that information security is increasingly regulated by legislation.

The aim of the Information Security Policy is to provide Metropolia's staff, students and stakeholders with a clear and up-to-date description of how we manage and approach information security.

Information Security Responsibilities

  • At Metropolia, the overall responsibility for operational security lies with the CEO-Headmaster and the Executive Vice President.
  • The CEO-Headmaster is also responsible for information security, but the practical organisation of this is handled by the IT department.
  • It is the responsibility of management and the IT department to provide staff and students with adequate guidance on data protection and information security.
  • Students, staff, partners and stakeholders are responsible for complying with Metropolia's security guidelines and rules.
  • The roles and responsibilities for information security are set out in the table at the end of the actual information security policy. The purpose of the table is to clarify the roles, functions and responsibilities of the different roles.

The objective of information security competence for students and staff

One of the priorities of the Metropolia IT Strategy is to create a culture of information security at Metropolia.

Our goal is that every member of staff has basic information security skills. Basic level means the level at which a person understands: 

  • password security
  • secure data handling
  • protecting against malware and phishing messages

The basic level of staff information security skills will be maintained through security training on Moodle, as well as through separate training courses, bulletins and guidelines.

Students' security skills will be supported in the same way. The aim is also to create compulsory security training for students to be completed during their studies.

Implementing data protection and information security measures in the context of procurement

  • The EU's General Data Protection Regulation (2016/679, GDPR), the Finnish Data Protection Act (1050/2018), and the Act on Information Management in Public Administration (906/2019), which entered into force on 1 January 2020, require organisations to control the introduction of new digital tools (IT systems, electronic services and software).
  • Digital tools may be introduced only in a controlled manner. Before a digital tool can be introduced, it is mandatory to conduct a risk management process.
  • All purchases of computer software, mobile applications and IT systems must be subject to a procurement process, as decided by the Metropolia Management Team, to enable Metropolia to comply with the above risk management process as required by law.
  • Legislation concerning personal data is listed on the Metropolia.fi website, under Privacy Policy and GDPR.

Maintaining information security and incident response

  • The Chief Information Officer will report to management on information security incidents as part of normal business assessment and planning and whenever appropriate.
  • This policy (i.e. the Information security policy) will be reviewed and updated as necessary once a year in accordance with the contingency plan.
  • In the event of more extensive or long-lasting problems with the operation of networks and/or information systems, action will be taken in accordance with the Metropolia Contingency Plan.
  • Users will be informed of major disruptions as soon as they are detected. After recovery, users will be informed of the success of the recovery and provided with a brief explanation of the cause of the disruption.

Metropolian tietoturvallisuuspolitiikka