Last updated: July 12, 2021

In this policy, “information security” refers to ensuring the confidentiality, integrity and usability of information regardless of its presentation method. This policy determines basic requirements for information security, and lays the foundation for the planning and implementation of operations in line with the policy. In addition, more specific instructions for various areas of information security are prepared to support the implementation of the policy.

Information security is implemented and developed with a risk-based approach, using appropriate and cost-effective solutions. Kesko Group’s IT Management Steering Group assesses annually whether the information security policy is appropriate.  

Combined with Lotus TS value and the risk management, security and data protection policies, the information security policy is an integral part of corporate governance at Lotus TS.  

Purpose of the information security policy

The primary purpose of information security is to ensure the continuity of Lotus TS’ operations under all circumstances. Appropriate and effective information security ensures the accessibility of IT solutions and the integrity of the information used in processes and services, as well as confidentiality, with regard to Lotus TS’ operations under all circumstances in all operating countries. This policy lays the foundation for ensuring the security of Lotus TS’ information systems and data processing.

At Lotus TS, protecting customer data, as well as the data generated and processed by other digital functions, is an essential part of responsible operations, which both our customers and partners expect from Lotus TS. The growth of digitalization means that information security is also increasingly regulated by means of legislation. Each Lotus TS employee in all operating countries must comply with the information security policy and its supplementary principles and instructions, as well as applicable laws.

Implementation of information security

Risk assessment

Information security risks are assessed and analyzed regularly based on their business impacts. Risks must also be assessed in the specification phase of new systems and in connection with significant changes affecting the criticality of operations.

Data classification and processing

Lotus TS has an information classification method in place governing how information shall be classified, as well as determining information security controls for processing information in various classes.

Processing of personal data

The data protection policy and instructions determine how personal data is processed at Lotus TS.

Lotus TS’ system and application development processes include work phases to analyze the data protection requirements applicable to the purposes of use of personal data. The applicable data protection requirements vary depending on the purpose of use of the personal data and information collected. The technical implementation is designed so that it corresponds to the risk level of the processing. Based on the risk level, management methods and information security practices suitable for the situation are selected to manage risk levels and achieve compliance.

Information security requirements

Lotus TS’ information security requirements determine the minimum level of information security required from contractual partners. The required level of information security can be verified through audits, when necessary.

Information security training

Lotus TS has several regularly implemented measures in place to improve employees’ awareness of information security. These include online training, phishing message simulations and intranet news, for example. In addition, selected groups are provided with targeted information security training.

Control and monitoring

Improving and maintaining the level of information security require systematic and continuous automatic monitoring of information systems. The persons responsible for control are legally bound by confidentiality in terms of the information they process at work.

The status of information security is reported in connection with normal internal control, as well as internal and external audits. Technical information security is assessed continuously, and separate information security audits are conducted in the most significant environments.

Processing of information security incidents

Lotus TS has procedures and services in place for detecting information security incidents. There are determined operating models for processing and reporting any information security incidents.

Information security breaches

Non-compliance with the information security policy and instructions is regarded as an information security breach. Lotus TS has determined procedures for situations involving breaches.

Responsibilities and organization

The information security policy is approved by Lotus TS’ Board of Directors.

The information security policy covers the operations of Lotus TS companies in all operating countries. Lotus TS personnel must comply with the policy. Lotus TS companies and units are responsible for implementing the policy and for ensuring sufficient resources in their operations.

The President and CEO is responsible for ensuring that Lotus TS has effective information security in place as part of its risk management system. In implementing information security, the President and CEO is supported by the Group’s IT and risk management functions. The Risk Management Steering Group, which also includes division representatives, processes and monitors the Group’s information security risks and the implementation of risk management measures.

Responsibility for the implementation of information security lies with the management of business operations and common operations. IT coordinates and develops information security processes and is responsible for reporting and practical implementation in cooperation with service providers, as well as identifying information security risks and determining management measures together with the business operations and common operations. Each member of Lotus TS’ personnel must recognize risks related to information security and react to such risks.

Information security steering model

The information security steering model is part of Lotus TS’ Risk Management steering model. In accordance with its rules of procedure, the Audit Committee of Lotus TS’ Board of Directors monitors and assesses the effectiveness of Lotus TS’ internal control, internal audit and risk management systems, among other aspects. The Audit Committee reviews the Group’s most significant information security risks.