Security and Privacy principles in Jyske Bank
Protecting our customers’ information and assets is among our top priorities. We continuously strive to improve our security level, both to protect the data entrusted to us and to secure all communication between us and our customers and stakeholders.
Security as an integral part of our work culture
We integrate security measures into all our processes where customer and personal data are involved. We focus on building and maintaining a strong security culture among all employees so that they stay attentive to keeping data safe. This is achieved through scheduled awareness activities and training targeted at the relevant segments of our organization; for example, developers receive fundamental training that enables them to produce secure products that protect customer and personal information. Our training material spans multiple topics, including e-learning on IT security, handling of personal information, AML and more. These topics are mandatory for all employees to complete within an annual to bi-annual cycle. Further, the Board of Directors and the Executive Board exercise oversight of security compliance via quarterly reporting prepared by the IT security function.
Our management commitments to stay secure
The Board of Directors has mandated the IT security function in the Group to oversee compliance with, and enforce implementation of, the Group’s IT security policy at all organizational levels. This also entails requirements on the Executive Board to provide sufficient resources to develop and maintain a robust, quickly adaptable and effective IT security level. Among other things, the Board of Directors oversees that the Executive Board prioritizes and enables:
- Ambitious objectives for the continued high security level in the group
- Resources and strategies that ensure Jyske Bank remains at the forefront of IT security in the Nordics
- Implementation of best-practice methods, standards and technology for securing data and assets. Such standards include the NIST CSF framework, CIS18, ISO 27001 and ISO 27002, and various other practices.
- Conduct of trustworthy data ethics that respects human rights. This implies that our data processing must never be used in ways that are harmful or that disregard human rights. These principles are defined in our Data Ethics Policy, an extract of which is available on our website. Our processing of personal data is described in our Data Protection Policy, see below. Personal data is treated in confidence, and processing is carried out in accordance with data protection rules and our Data Ethics Policy.
- Proper conduct and attentive management of privacy and security risks in the group, including critical and important third parties.
- Training and education of staff in the management of data privacy and critically important IT assets
Our safeguards
While we regard our personnel as the most critical asset in protecting us against cyber threats and avoiding data breaches, we also maintain safeguards comprising physical, digital and procedural measures.
All employees in the Group attend mandatory security learning sessions every one to two years. Selected staff members may have extended security training requirements. For example, software developers are required to maintain certain certifications and attend training courses on secure application development.
Physical security comprises secure and safe buildings, all featuring access control. Some facilities employ multiple levels of access control for various sections of a building as well as monitoring.
Our overall framework for managing the IT security level and the security measures is depicted below. The framework is anchored at Board of Directors level and enforced by the IT security function, headed by the Group’s CISO. Each “box” within the “arrow” unfolds into multiple rules, procedures and instructions for how security must be managed in the Group. The framework, including its underlying procedures, and compliance with it are subject to annual internal audit objectives.
“Cyber defense” contains objectives, requirements and procedures for electronic and digital safeguards. They consist of elementary security infrastructure and security architecture principles laid out in a defense-in-depth implementation strategy. They include, for instance (non-exhaustive), perimeter firewalls, firewalls surrounding the various network enclaves, and security technologies such as AV, web filters, NAC, intrusion detection, malware detection, vulnerability management and attack surface surveillance systems. Within our cyber defense we also operate a 24/7 security operations centre, which monitors cyber threats and anomalies that indicate compromise. The security operations centre is TF-CSIRT certified and is therefore committed to deploying and following strict and efficient procedures to monitor, detect and respond to cyber incidents, attacks and data breaches. This also includes training of security personnel so that they remain continuously alert and capable of responding to existing and new types of cyber attacks.
“Infosec and IT risk management” contains objectives, requirements and procedures for our IT security management system and IT risk management procedures. Procedural measures to strengthen security comprise a wide palette of best-practice IT operations procedures and development practices that include mandatory test phases and security and risk assessments.
All procedures follow ISO 27002:2022, and controls follow ISO 27001. An ISAE 3402 auditor’s declaration is provided annually on adherence to the ISO 27001 requirements. Suppliers that process personal data are required to provide an annual ISAE 3000 declaration.
“Control and verify efficiency” contains our control framework and control plan, which must ensure that we are always able to manage our control environment. We follow strict processes for selecting the assets and verification methods to be controlled, so that our controls and testing give us a realistic assessment of the adequacy and efficiency of our control and security measures.
Collaborations in the Nordic Sector to enable IT security synergies
Jyske Bank is a member of the Nordic Financial CERT, a security alliance among financial institutions in the Nordics. This membership further boosts our company’s security posture, enabling us to share fraud indicators and threat intelligence and to collaborate in the event of suspicious patterns or cyber attacks.
Data security, privacy policies and organizational enforcement
Subject to financial legislation and data protection legislation, our adoption of regulatory requirements and our frameworks for enforcing them are laid out in a set of internal policies, which are supported by business procedures, guidelines and rules. Two policies set the frame for data security and privacy: the IT Security Policy and the Data Protection Policy.
Read more about our security and privacy related policies:
The policies are enforced and implemented via a three-lines-of-defence structure, as depicted here:
Diagram depicting organizational bodies which are responsible for security and privacy
Further reading about security and data privacy
- Data Protection Officer responsibilities
- Internal and external audit responsibilities
- Process for data breach handling