This policy describes the purpose and guidelines of LTS information security policy, as well as the related responsibilities and organization.
Last updated: July 12, 2021
In this policy, “information security” refers to ensuring the confidentiality, integrity and usability of information regardless of its presentation method. This policy determines basic requirements for information security, and lays the foundation for the planning and implementation of operations in line with the policy. In addition, more specific instructions for various areas of information security are prepared to support the implementation of the policy.
Information security is implemented and developed with a risk-based approach, using appropriate and cost-effective solutions. Kesko Group’s IT Management Steering Group assesses annually whether the information security policy is appropriate.
Combined with LTS value and the risk management, security and data protection policies, the information security policy is an integral part of corporate governance at LTS.
The primary purpose of information security is to ensure the continuity of LTS’ operations under all circumstances. Appropriate and effective information security ensures the accessibility of IT solutions and the integrity of the information used in processes and services, as well as confidentiality, with regard to LTS’ operations under all circumstances in all operating countries. This policy lays the foundation for ensuring the security of LTS’ information systems and data processing.
At LTS, protecting customer data, as well as the data generated and processed by other digital functions, is an essential part of responsible operations, which both our customers and partners expect from LTS. The growth of digitalization means that information security is also increasingly regulated by means of legislation. Each LTS employee in all operating countries must comply with the information security policy and its supplementary principles and instructions, as well as applicable laws.
Information security risks are assessed and analyzed regularly based on their business impacts. Risks must also be assessed in the specification phase of new systems and in connection with significant changes affecting the criticality of operations.
LTS has an information classification method in place governing how information shall be classified, as well as determining information security controls for processing information in various classes.
The data protection policy and instructions determine how personal data is processed at LTS.
LTS’ system and application development processes include work phases to analyze the data protection requirements applicable to the purposes of use of personal data. The applicable data protection requirements vary depending on the purpose of use of the personal data and information collected. The technical implementation is designed so that it corresponds to the risk level of the processing. Based on the risk level, management methods and information security practices suitable for the situation are selected to manage risk levels and achieve compliance.
LTS’ information security requirements determine the minimum level of information security required from contractual partners. The required level of information security can be verified through audits, when necessary.
LTS has several regularly implemented measures in place to improve employees’ awareness of information security. These include online training, phishing message simulations and intranet news, for example. In addition, selected groups are provided with targeted information security training.
Improving and maintaining the level of information security require systematic and continuous automatic monitoring of information systems. The persons responsible for control are legally bound by confidentiality in terms of the information they process at work.
The status of information security is reported in connection with normal internal control, as well as internal and external audits. Technical information security is assessed continuously, and separate information security audits are conducted in the most significant environments.
LTS has procedures and services in place for detecting information security incidents. There are determined operating models for processing and reporting any information security incidents.
Non-compliance with the information security policy and instructions is regarded as an information security breach. LTS has determined procedures for situations involving breaches.
The information security policy is approved by LTS’ Board of Directors.
The information security policy covers the operations of LTS companies in all operating countries. LTS personnel must comply with the policy. LTS companies and units are responsible for implementing the policy and for ensuring sufficient resources in their operations.
The President and CEO is responsible for ensuring that LTS has effective information security in place as part of its risk management system. In implementing information security, the President and CEO is supported by the Group’s IT and risk management functions. The Risk Management Steering Group, which also includes division representatives, processes and monitors the Group’s information security risks and the implementation of risk management measures.
Responsibility for the implementation of information security lies with the management of business operations and common operations. IT coordinates and develops information security processes and is responsible for reporting and practical implementation in cooperation with service providers, as well as identifying information security risks and determining management measures together with the business operations and common operations. Each member of LTS’ personnel must recognize risks related to information security and react to such risks.
The information security steering model is part of LTS’ Risk Management steering model. In accordance with its rules of procedure, the Audit Committee of LTS’ Board of Directors monitors and assesses the effectiveness of LTS’ internal control, internal audit and risk management systems, among other aspects. The Audit Committee reviews the Group’s most significant information security risks.