The purpose of this policy is to set the high-level principles for security risk management in Norges Bank Investment Management (NBIM). The Policy covers management of security related to NBIM personnel, processes, assets and facilities.
Issued 20 March 2012
Last updated 13 December 2022
The key objective for managing security risk is to ensure that personnel and physical and digital assets are protected and secure, and that a strong security culture is embedded within processes and the behaviour of personnel.
Security risk shall be managed in conformity with applicable laws and regulations, and best practice. Security risk management shall include physical, administrative, technical, and organisational measures to ensure that security objectives are met. Security initiatives shall be anchored in the organisation and conducted using a systematic, continuous, and risk-based approach.
2.1 General requirements
- Security risk management and incident handling shall be integrated within NBIMs framework for operational risk and internal control and managed to ensure an appropriate security level within the acceptable risk tolerance limits set by the Executive Board.
- Metrics for monitoring of security risks and vulnerabilities shall be implemented and identified risks shall be documented and communicated to relevant stakeholders.
- Security controls and measures shall be an integrated part of internal control activities and be proportionate to the risk to be mitigated.
- Security roles and responsibilities shall be maintained and clearly communicated throughout the organisation.
- Only personnel with authorisation relevant for their role shall obtain access to NBIM assets and premises. Access permissions and user administration shall be revoked upon contract termination or when access is no longer required.
- Personnel with access to NBIM’s assets shall undergo security training relevant for their role.
- Relevant assets shall be inventoried, and subject to security assessments during sourcing and when subject to significant changes.
2.2 Physical security
- A minimum set of physical security requirements shall be maintained and implemented for all NBIM offices abroad and be subject to periodic controls.
- Physical security risk assessment shall be performed for all global offices when significant changes to location are made or if changes to the threat environment are identified.
2.3 Personnel security
- Personnel shall be subject to security approval process.
- Security approval may be waived if the security risk is deemed acceptable and the need for compensating measures have been considered.
2.4 Travel security
- Measures shall be established to protect the life and health of personnel who are exposed to safety and security risks on travel.
2.5 Information security
- NBIM information assets and IT solutions shall be classified in accordance with security classification framework, with requirements for access, processing, distribution, storage and destruction.
- Security considerations shall be embedded in development of IT solutions and technical procurements.
- Identity and access management framework shall provide effective and consistent user management, including identification, authentication, and authorisation.
- Security requirements shall be incorporated within the contractual agreements for personnel and third-party vendors.