Among other things, the purpose of NSD's information security is to secure the data's
- confidentiality – that the data are not accessible to unauthorised persons/systems.
- integrity – that the data are not changed or destroyed by unauthorised means.
- accessibility – that the data or data resources are available for use when required.
In order to achieve this goal, NSD has established procedures for:
Access control – office premises
At all hours, access to NSD's premises requires the use of an access card and code.
Doors to rooms where confidential information is kept are locked with a manual key or keycard lock.
All workstations (PCs) where personal data are processed are automatically locked by means of a screensaver (with a password).
Access control – premises with critical ICT components
Access to computer rooms is based on a 'need-to-use' principle and is granted/approved by the ICT management.
At all hours, access to computer rooms requires the use of an access card and code.
External parties who need to enter the computer room (IT service, upgrading personnel) are at all times accompanied by NSD's personnel with authorised access to the computer room.
Bringing food/drink into the computer room is not permitted.
Access to the relevant ICT systems is granted on the basis of role-based access criteria.
NSD keeps an updated overview of who has access to relevant ICT systems.
NSD has effective procedures that identify and correct access rights to the various systems in connection with the distribution of new roles, changes in the organisation/work tasks and the termination of employment relationships.
NSD requires all employees/users to sign the necessary declarations and to be given an introduction to NSD's security guidelines and the consequences of breaching the guidelines before they are granted access to an activated user ID for NSD's ICT systems.
The responsible manager ensures that users undergo the necessary training and receive documentation on how the relevant ICT systems must be used and how NSD's information assets are to be handled and secured, and that this competence is maintained.
Declaration of secrecy
All employees, consultants, partners etc. who are to have access to personal data and/or IT systems that NSD is responsible for are required to sign the company's declaration of secrecy.
All members of the organisation must sign a new/updated declaration of secrecy every third year (in writing or electronically).
NSD backs up the personal data it processes in accordance with the requirements set for accessibility.
NSD labels the storage media used for the backup so that they can be found quickly in connection with a recovery.
NSD takes backup copies of other information needed to restore normal use (e.g. system data, db configurations, OS, support systems etc.).
NSD keeps the backup copies separate from the operating equipment/computer room in a locked and fireproof cabinet (external location).
To avoid physical wear and tear on tapes/disks/storage media, incremental backups are replaced at expedient intervals. Backup cassettes are used for five weeks.
After each period, a complete backup copy is transferred to a secure external location.
Maintenance of archived data
All new data sets shall, if possible, be documented and stored in Nesstar Publisher to ensure that the data are also available for reuse in future. (Nesstar is owned and developed by NSD.) Data that cannot be saved in Nesstar are stored in the most forward-compatible format available for the data type in question.
Every other year, NSD reviews the data collection to check and, if relevant, update the file formats.