Issued 20 March 2012
Last updated 3 August 2020
This policy outlines high-level principles for the information security management in Norges Bank Investment Management (NBIM). The purpose is to set information security objectives appropriate to identified information security risks.
This policy relates to employees, temporary personnel and consultants, hereby referred to as personnel, who have access to Norges Bank Investment Management's premises, internal information or information solutions. The key objectives for information security are to ensure that NBIM's financial assets, information including personal data, and information solutions are protected, and that a strong information security culture is embedded within processes and the behaviour of personnel. It shall further ensure that personnel can securely access information relevant for their role, and that best practise information security standards, where relevant, are met.
- Information security: Measures designed to ensure confidentiality, integrity, and availability (CIA) of information to reduce the risk of unauthorised access, use, disclosure, disruption, modification, or destruction.
- IT security: Logical measures for defending information solutions and the information processed on them, from damage, disruption and misdirection. These are a subset of information security.
- Access control: Measures to ensure access to NBIM physical assets, information or information solutions is limited to authorised users, solutions or devices.
Information security risk management
- Information security risk management and incident handling shall be integrated within NBIM's framework for operational risk and internal control including the risk tolerance set by the Executive Board.
- Information security risks shall take into consideration an assessment of the asset, threat and vulnerability.
- Information security risk shall be allocated to a risk owner who has authority and responsibility to initiate risk treatment actions.
- Information security controls shall be proportionate to the risk to be mitigated, effective and measurable.
- Information security roles and responsibilities shall be established and understood throughout the organisation and by third-party stakeholders.
- All personnel shall receive regular information security training appropriate for their role.
- Information produced or handled as part of work is owned by NBIM unless otherwise explicitly agreed.
- Information assets shall be inventoried and have an owner.
- Information shall only be shared with individuals who are authorised to receive it.
- A security classification scheme for labelling and handling of information assets shall be used throughout the lifecycle of all assets.
- Information assets, including personal data, shall be protected based on classification (CIA) determining requirements for access, processing, distribution, storage and destruction.
- Information security control coverage and maturity shall be measured against a baseline.
- Information may only be processed or stored using security-approved devices or solutions.
- Personal data shall only be processed in accordance with applicable personal data protection laws and regulations.
- Information shall be protected for personnel on travel.
- Physical devices and solutions shall be inventoried and where relevant secured according to classification (CIA).
- IT solutions shall be subject to security risk assessments during acquisition, major change and significant changes in threat landscape.
- Information security considerations shall form an integral part of solution architecture and design.
- IT solutions shall have their current design, setup and operating procedures documented.
- Changes to IT production solutions shall follow a defined change management process.
- In-house solutions shall be developed in accordance with a documented development lifecycle, which considers information security best practise.
- There shall be processes in place to detect and remediate IT security vulnerabilities.
- Monitoring and logging of information solutions shall take place continually to identify security events and to verify the effectiveness of protective controls.
- Processes and solutions shall be in place to ensure timely detection and response to security incidents.
- Infrastructure hardware shall be physically protected.
- Information security requirements shall be incorporated within the contractual agreements with third-party providers, and adherence with the requirements shall be verifiable.
- Providers who process personal data on behalf of NBIM shall only process personal data in the way which is agreed in a data processor agreement with NBIM.
- Third party information security risks shall be identified and managed in accordance with the operational risk management framework.
- Providers processing sensitive and critical information on behalf of NBIM shall be subject to continuous monitoring of their security posture.
- An individual's role and responsibility and security clearance shall form the basis for access to information and information solutions.
- Access permissions shall be managed, based on the principles of least privilege and segregation of duties.
- Access credentials where applicable shall be unique and identifiable to personnel, a solution or a device.
- Identity and access management framework shall provide effective and consistent user administration, identification, authentication and authorisation.
- Access permissions shall be regularly validated to ensure they are correct.
- All access related events shall be logged and continuously monitored.
- Access rights are to be revoked immediately upon contract termination, after the agreed notice period, and all information and IT equipment returned.