Schibsted protects its assets, such as personnel, information, IT infrastructure, internal and public networks, as well as office buildings and technical facilities.
Special attention is given to information affecting user privacy. Information security is vital for Schibsted in ensuring the appropriate protection of information during its whole lifecycle. Schibsted has measures to set appropriate levels of protection for its assets and to prevent and detect disclosure of sensitive information to unauthorized parties.
Information classification is the basis for security-related work. Knowing the criticality of information and its security class makes it possible to define the protection level needed for the information and design appropriate protection mechanisms efficiently.
Information assets are to be classified based on legal, contractual, and business requirements by using Schibsted’s security classification model and protected accordingly, taking into account threats and risks.
Three security characteristics (security triad) described below are to be considered when classifying the information and when defining the protection level for the corresponding IT solution:
- Confidentiality: Protecting the information in such a way that it is not available for or disclosed to unauthorized or unintended users/parties.
- Integrity: Defining necessary protection against unauthorized modification, deletion, repetition, or loss of information. It also provides functionality to verify or trace modifications.
- Availability: Defining the necessary protection for making Information and Services accessible and usable upon demand by an authorized entity within an agreed maximum duration of unavailability.
Schibsted uses four confidentiality levels: Public, Internal, Confidential, and Secret, in order to increase security levels and provide the required security objectives for the corresponding classes.