Secure system engineering principles

We use strong encryption during password transmission and storage in all services we develop.

Information included in application services transmitted over public networks must be protected against fraudulent and non-contractual activity and against unauthorized disclosure and alteration.

We use strong encryption and security protocols (eg TLS, IPSEC, SSH) to protect confidential information when it is transmitted over public networks in connection with the IT services we develop.

The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.

The safe development policy may include e.g. the following things:

• safety requirements of the development environment
• instructions for secure coding of the programming languages used
• safety requirements at the design stage of properties or projects
• secure software repositories
• version control security requirements
• the skills required from developers to avoid, discover and fix vulnerabilities
• compliance with secure coding standards

Compliance with the rules of secure development may also be required of key partners.

Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.

The definition of security-critical code for the various services is maintained. New parts of the critical code are constantly being identified and new updates are being checked particularly closely for changes to the critical code. The aim is to keep the likelihood of security vulnerabilities to a minimum.