The summary of the policy

Metropolia’s information security policy

This policy describes Metropolia's responsibilities and objectives for information security and how we manage and approach information security. 

The Metropolia Information Security Policy is a continuously maintained and updated set of policies.

The policy is only written in Finnish, but there is a summary on this page of the information security policy, which contains the most important aspects of it.

Information security policy and its objective

Metropolia's activities are guided by existing government legislation that provides guidance on ensuring the appropriate availability, accessibility and integrity of documents and information systems and the data they contain. These policies must be continuously developed, monitored and improved where necessary. These developments are carried out in cooperation with all Metropolia departments.

The growth of digitalisation means that information security is increasingly regulated by legislation.

The aim of the Information Security Policy is to provide Metropolia's staff, students and stakeholders with a clear and up-to-date description of how we manage and approach information security.

Information Security Responsibilities

  • At Metropolia, the overall responsibility for operational security lies with the CEO-Headmaster and the Executive Vice President.
  • The CEO-Headmaster is also responsible for information security, but the practical organisation of this is handled by the IT department.
  • It is the responsibility of management and the IT department to provide staff and students with adequate guidance on data protection and information security.
  • Students, staff, partners and stakeholders are responsible for complying with Metropolia's security guidelines and rules.
  • The roles and responsibilities for information security are set out in the table at the end of the actual information security policy. The purpose of the table is to clarify the roles, functions and responsibilities of the different roles.

The objective of information security competence for staff and students

One of the priorities of the Metropolia IT Strategy is to create a culture of information security at Metropolia.

Our goal is that every member of staff has basic information security skills. Basic level means the level at which a person understands: 

  • password security
  • secure data handling
  • protecting against malware and phishing messages

The basic level of staff information security skills will be maintained through security training on Moodle, as well as through separate training courses, bulletins and guidelines.

Students' security skills will be supported in the same way. The aim is also to create compulsory security training for students to be completed during their studies.

Implementing data protection and information security measures in the context of procurement

  • The EU’s General Data Protection Regulation (2016/679, GDPR), the Finnish Data Protection Act (1050/2018), and the Act on Information Management in Public Administration (906/2019), which entered into force on 1 January 2020, require organisations to control the introduction of new digital tools (IT systems, electronic services and software).
  • Digital tools may be introduced only in a controlled manner. Before a digital tool can be introduced, it is mandatory to conduct a risk management process.
  • All purchases of computer software, mobile applications and IT systems must be subject to a procurement process, as decided by the Metropolia Management Team, to enable Metropolia to comply with the above risk management process as required by law.
  • Legislation concerning personal data is listed on the Metropolia.fi website, in the Privacy Policy and GDPR.

Maintaining information security and incident response

  • The Chief Information Officer will report to management on information security incidents as part of normal business assessment and planning and whenever appropriate.
  • This policy (i.e. the Information security policy) will be reviewed and updated as necessary once a year in accordance with the contingency plan.
  • In the event of more extensive or long-lasting problems with the operation of networks and/or information systems, action will be taken in accordance with the Metropolia Contingency Plan.
  • Users will be informed of major disruptions as soon as they are detected. After recovery, users will be informed of the success of the recovery and provided with a brief explanation of the cause of the disruption.

framework that includes a streamlined policy based on the core needs of the university (as outlined in this document), accompanied by associated guidelines and diagrams. In information security management, the responsibility as well as the commitment of senior management are highlighted. It is crucial for the leadership to have a clear awareness of the role of security for the university’s vital functions, while simultaneously ensuring that the adopted IT strategy is sufficiently business-oriented as per the needs of the university. Students, staff, partners, and stakeholders are accountable for compliance with the security rules. Additionally, every student and staff member must report any observed security risks, deviations, or hazardous situations, such as serious security incidents, to their supervisor or the IT Services. When public communication is needed, it is decided by Metropolia’s Management Group in cooperation with the Communication and Marketing department. Internal communication in respect of information security is managed by the IT Services. An IT violation is considered any action that breaks Metropolia’s rules regarding the use of ICT services, security principles, or any activity that is contrary to Finnish laws. Within the IT Services, the security-related principles and guidelines are reviewed yearly.



Metropolia's information security policy in Finnish: Metropolian tietoturvallisuuspolitiikka