Issued 20 March 2012
Last updated 20 November 2018
This policy outlines high-level principles for the security of Norges Bank Investment Management's (NBIM) assets and personnel. The purpose is to set security objectives appropriate to identified security risks.
This policy applies to employees, temporary personnel and consultants, hereafter referred to as personnel, who have access to Norges Bank Investment Management's premises, internal information or information systems. The key objectives for security are to ensure that NBIM's personnel, premises, financial assets, information including personal data, and information systems are protected, and that a strong security culture is embedded within processes and the behaviour of personnel. It shall further ensure that personnel can securely access the premises and information relevant to their role, and that best-practice security standards, where relevant, are met.
- Security risk management: A framework for managing security risk.
- Access control: Measures to ensure access to NBIM premises, physical assets, information or information systems is limited to authorised users, processes or devices.
- Physical security: Physical measures designed to protect against unauthorised access to premises, equipment and personnel, and to protect personnel and property from damage or harm.
- Personnel control: Measures designed to reduce the risk of personnel exploiting, or intending to exploit, their legitimate access to NBIM’s assets or premises for unauthorised purposes.
- Personal protection: Measures to protect the life and health of personnel exposed to security risks through their role.
- Information security: Measures designed to ensure confidentiality, integrity, and availability (CIA) of information to reduce the risk of unauthorised access, use, disclosure, disruption, modification, or destruction.
- IT security: Logical measures for defending information systems, and the information processed on them, from damage, disruption and misdirection.
Security risk management
- Security risk management and incident handling shall be integrated within NBIM’s framework for operational risk and internal control including the risk tolerance set by the Executive Board.
- Assessment of security risks shall take into consideration the asset, the threat and the vulnerability.
- Security risk shall be allocated to a risk owner who has authority and responsibility to initiate risk treatment actions.
- Security controls shall be proportionate to the risk to be mitigated, effective and measurable.
- Security roles and responsibilities shall be established and understood throughout the organisation and by third-party stakeholders.
- All personnel shall receive regular security training which is appropriate for their role.
Access control
- An individual's role and responsibility and security clearance shall form the basis for access for personnel.
- Access permissions shall be managed, based on the principles of least privilege and segregation of duties.
- Access credentials where applicable shall be unique and identifiable to personnel or a device.
- The identity and access management framework shall provide effective and consistent user administration, identification, authentication and authorisation.
- Access permissions shall be regularly validated to ensure they are correct.
- All access-related events shall be logged and continuously monitored.
Physical security
- Minimum physical security requirements applicable for all NBIM offices shall be established.
- NBIM offices shall be periodically inspected to ensure compliance with the physical security requirements, with deviations corrected or accepted as part of the review.
- Physical security risk assessments shall be performed for new offices, during refurbishment, periodically and when changes to the threat environment are identified.
- Physical access to premises shall be controlled and continuously monitored.
Personnel control
- All new personnel shall be subject to a security approval process.
- Security requirements shall be included in the contracts for all personnel.
- Access rights are to be revoked immediately upon contract termination (after the agreed notice period), and all information and IT equipment returned.
Personal protection
- Specific arrangements for personnel shall be established to mitigate the security risks associated with business travel or other security risks arising from their role.
- The physical work location for personnel together with details of their business travel shall be accurate and continually updated.
- Records of visitors to NBIM offices shall be maintained for emergency purposes.
- Security requirements shall be incorporated within the contractual agreements with third-party providers, and adherence shall be verifiable.
- Providers who process personal data on behalf of NBIM shall only process personal data in the manner agreed in a data processor agreement with NBIM.
- Third party security risks shall be identified and managed in accordance with the operational risk management framework.
Information security
- In general, all information produced or handled as part of work activities is owned by NBIM.
- Information assets shall be inventoried and have an owner.
- Information shall only be shared with individuals who are authorised to receive it.
- The security classification scheme for labelling and handling of information assets shall be used throughout the lifecycle of all assets.
- Information assets, including personal data, shall be protected based on classification (CIA), with classification determining requirements for access, processing, distribution, storage and destruction.
- Information may only be processed or stored using approved devices, systems or services.
- Personal data shall only be processed in accordance with applicable personal data protection laws and regulations.
IT security
- Physical devices, systems and services shall be inventoried and, where relevant, secured according to classification (CIA).
- IT systems and services shall be subject to security assessments during acquisition, during major change and at defined intervals determined by classification (CIA).
- Security considerations shall form an integral part of solution architecture design.
- IT security control baselines shall be in place to measure control coverage and quality.
- IT systems shall have their current design, set-up and operating procedures documented.
- Changes to IT production systems shall be subject to a change management process.
- In-house systems shall be developed in accordance with a documented development lifecycle which considers security best practice.
- Software shall be up to date on devices which process or store information.
- Monitoring and logging of information systems shall take place continually to identify security events and to verify the effectiveness of protective controls.
- NBIM shall establish processes and systems to ensure timely detection and response to incidents.