Elisa Trust Center

In terms of individual services and products, Elisa has built information security into its service development and pays careful attention to information security requirements at various stages of the life cycle. Devices put on sale go through a thorough audit process. Also see the above section on development of security.

Elisa’s goal is to ensure business continuity and maintain trust. The process of systematically recognising risks, evaluating them and eliminating them ensures business continuity. At the same time, this protects people, procedures and property, while guaranteeing that we operate in the way required by legislation and regulations. Risk management is an important and essential part of Elisa’s general management system. We regularly analyse significant information security risks that could affect business continuity and develop strategies for detecting, preventing and minimising risks.

Find out more about Elisa’s risk management model on the sustainability risk management webpage.

Elisa continuously monitors general and operator-specific security and vulnerability updates from the authorities. We conduct continuous vulnerability scanning throughout our operating environment. We collect data about vulnerabilities and actively utilise it to identify weaknesses in our systems, services and networks. We analyse any detected weaknesses and manage them based on the risk they represent. Weaknesses that pose significant risks are eliminated or mitigated, and we update systems with vulnerabilities as soon as it is possible. Rectification of the most significant vulnerabilities is managed in a controlled manner following our major incident process. We have established a bug bounty programme to encourage white hat hackers to seek out any vulnerabilities in our network services. 

Based on legislation, regulations governing the sector and obligations imposed by the authorities, Elisa must prepare contingency and continuity plans. The systems, processes and services most critical for business continuity have been identified. Comprehensive continuity management plans have been prepared for possible exceptional circumstances, which take into account recovering services in a range of different conditions. We conduct exercises simulating exceptional circumstances, putting the lessons we learn into practice and updating our plans, as necessary.

Elisa’s own operations are audited in selected areas through security audits in accordance with the ISO 27001 standard. Elisa has four different ISO/IEC 27001 certificates. The information security management system comprises leadership, operating principles, procedures and instructions and the related operations that the organisation manages in order to protect its information assets. The ISO 27001 management system is comprised of various operations that the organisation uses to protect its or customer data. Passing an ISO 27001 audit requires not only qualified employees, but also employees who know and understand the currently valid information security policy. Elisians must follow information security principles and be aware that they should address and report any deviations.

Elisa regularly conducts security audits of external stakeholders, such as suppliers and subcontractors. Audit targets are selected based on risk, and the audits are based on the security requirements and regulations stipulated in the security agreement that has been agreed between Elisa and the supplier. Any necessary rectifications based on the audit findings are monitored regularly, and a specific metric has been established for monitoring supplier compliance.

In its operations, Elisa follows best practices for cloud services and operators. When using cloud services, we ensure that issues relating to security classification are taken into account. More demanding requirements for raised and special security levels are followed when agreed with clients. If necessary, we can implement e.g. the requirements of the Finnish Katakri national security audit criteria or PiTuKri cloud service audit criteria, instructions from the Finnish Public Sector Digital Security Management Board (VAHTI), or operating principles that comply with the ISO 27001 standard. For example, before adopting a cloud service, we audit both the service and the service provider and document the responsibilities and obligations. 

At Elisa, our core values include the confidentiality of personal information and communications and protecting our customers’ privacy in all our operations. We operate with a high level of data security in all our operations, and in developing services and products, we include data protection by default and by design. We pay careful attention to the protection of personal information by using appropriate technologies and information security solutions described on this webpage. This data security page describes the principles and practices that apply to the processing of personal information at Elisa. A description of the policies and practices we follow related to advertising and customer privacy can be found here (in Finnish).

We control access to Elisa’s and Elisa’s customers’ data. The general principle for access control is the principle of least privilege, ensuring that employees and systems only have the rights necessary to carry out procedures in line with their work tasks. We only give users and systems the usage rights that they need for their role.

Elisa employees are bound by confidentiality agreements and can only process information assigned to them in work assignments.

Elisa protects against denial-of-service (DoS) attacks at the application layer. We protect against DoS attacks at the system level with firewalls and load balancers. Packet scrubbing protects against malicious traffic, allowing the traffic load to be reduced to an appropriate level to ensure the service remains functional. 

Elisa’s network is designed flexibly and operates according to the Information Technology Infrastructure Library (ITIL) model. Network monitoring focuses on automation and predictive service management. As a consequence of our long-term work to develop quality and automation, the number of disturbances in Elisa’s network has fallen significantly, even though the use of services and the volume of traffic increase year after year.

As a Finnish producer of telecommunication and digital services, a broad spectrum of national and international regulation applies to Elisa’s operations. These include e.g. the Information Society Code and regulations issued under it by the Finnish Transport and Communications Agency (Traficom) with the goal of ensuring the security and continuity of services both under normal circumstances and in a variety of disturbances. This is visible to customers in the high level of security throughout the entire life cycle of our services.

Elisa completes reliability assessments with a Finnish security clearance for those roles where security clearances can be carried out in accordance with the Finnish Act on Security Clearances. The same security obligations, security clearances and information security training requirements that apply to Elisa employees also apply to employees of our partners who work for Elisa. A variety of identity and access control requirements are used in our systems and physical premises.