Central Bank of Iceland policy on the security of employees, buildings, and information
The Central Bank of Iceland aims to guarantee the security of its employees, buildings, and information. Requirements on information security also extend to information that the Bank receives from related entities, supervised entities, and customers.
The Bank complies with statute law, rules, contractual agreements, and guidelines on information security management, which centre on ensuring confidentiality, integrity, and accessibility of information systems and data. The Bank sets quantifiable targets for security matters and ensures that it has appropriate measures in place to meet the targets. The Central Bank promotes active security awareness among employees, service providers, and guests. The Bank's operations and work practices regarding security must be exemplary.
The Central Bank conducts regular risk assessments and internal appraisals to determine whether special action is needed, and identifies opportunities for improvement.
The Bank’s employees and service providers shall comply with the Central Bank’s security policy and procedures in all respects, regardless of whether the work is carried out on the premises of the Bank or elsewhere; i.e., during on-site inspections, during travel, or at a home-based workstation. According to the Act on the Central Bank of Iceland, Bank employees are obliged to observe confidentiality concerning the affairs of the Bank’s customers; transactions and operations of supervised entities, related parties, or others; and the affairs of the Bank itself; as well as other matters of which they may become aware in the course of their work and which should remain secret in accordance with law or the nature of the case. The same applies to experts, independent contractors, and others who work for the Bank or on its behalf.
Bank employees and service providers are obliged to protect information systems and data from unauthorised access, use, alteration, disclosure, destruction, loss, or transfer.
The Bank’s employees, customers, and service providers shall notify the Chief Security Officer of any security incidents and deviations that may occur as soon as they become aware of such incidents, so that appropriate action can be taken without delay.
Each year, the Chief Security Officer compiles a report on the Bank’s implementation of this policy and other approved policies pertaining to the security of employees, buildings, information, and systems.
This policy shall be reviewed as often as is warranted, and at least every two years.
The Central Bank of Iceland complies with the Act on Accommodation, Hygiene, and Safety in the Workplace, no. 46/1980.
The Bank adheres to the ISO/IEC 27001 information security management systems standard, which is the foundation for structure and maintenance aimed at ensuring confidentiality, integrity, and accessibility of information systems and data as described in the ISO/IEC 27001 Handbook.