Schibsted Security Policy

This is the Schibsted Security Policy, stating the mandatory data security requirements for Schibsted, including its brands.
 

Purpose

Security measures shall be characterized by appropriate security and risk awareness, prevention, preparedness, and the ability to respond to, and recover from, incidents and changes in the environment. The main drivers for data security are:

  • Ensuring that customers’ expectations and business agreements are met 
  • Ensuring that the business strategies and objectives are not jeopardized due to security risks
  • Ensuring that laws and regulatory security-related requirements are complied with (legal compliance)
  • Protection of company reputation

Each Schibsted brand is responsible for complying with the Schibsted Security Governance Framework and associated security policies and guidelines. Each Schibsted brand has legal and compliance obligations to ensure data security and privacy to protect the data and brand reputation.

The document titled “Security in Schibsted – General Description” exists to address all the security how-tos for everyone in Schibsted.

 

Principles 

The following principles shall apply to the activities under this policy:

  • Schibsted shall implement security measures to balance risk exposure, business value, vulnerabilities, and threats. 
  • To protect business and shareholder value, Schibsted shall implement security measures to protect assets such as personnel, customers, information, IT infrastructure, internal and public networks, office buildings, and technical facilities. 
  • Schibsted shall implement security measures to prevent and detect the disclosure of sensitive information to unauthorized parties. Particular attention shall be given to information affecting user privacy. 
  • Products, services, and key strategic and operational processes shall continuously undergo thorough analysis throughout their life cycle to identify risks and threats affecting our business. The analysis aims to guide decision-making and ensure the proper implementation of security measures to meet compliance and balance risk exposure. 
  • Schibsted shall not accept criminal activities or fraud. Appropriate measures, including data preservation, shall be in place to enable detection, prompt response, and forensics to security incidents and fraud. 
  • All Schibsted employees and line managers shall be obligated to report security incidents and fraud according to centrally established routines specified in “Security in Schibsted – General Description”.
  • Schibsted shall ensure that critical business functions will be available to customers and other stakeholders. Business continuity plans shall be in place for all business-critical services to maintain service resilience and recoverability according to business, legal and regulatory demands. 
  • Schibsted shall establish an incident and crisis management organization and corresponding plans and processes to ensure the ability to handle unpredictable events. 
  • Security audits shall continuously be conducted to ensure the implementation of corrective actions and compliance with policies, instructions, and legal/regulatory demands. 
  • These principles apply to the extent that they do not place Schibsted or its brands in violation of domestic laws and regulations. 

 

Roles and responsibilities 

The Schibsted Security Policy applies to Schibsted and its brands as their binding policy for all staff, including Executives, Members of the boards, Managers, Employees, Contractors, and Suppliers. In addition, Schibsted works toward adopting this policy’s principles and objectives in other associated companies where Schibsted does not have control but has significant influence.

Each Executive reporting to the CEO of Schibsted is responsible for ensuring that this policy is duly communicated and that the employees within their area of responsibility are familiar with and follow this policy. 

The objective of the Security Governance Framework is to protect the data and operations security of Schibsted’s brands, operations, and strategic goals. The Security Governance Framework will define the management and controls to safeguard Schibsted’s information and data. Schibsted maintains a  Security Framework through the  & Tech organization, where the Chief and Technology Officer is accountable, and the CISO is responsible. 

The CISO is accountable and responsible for “Security in Schibsted – General Description”. 
 

Breaches against policy 

Any Schibsted employee (including those in Schibsted brands) who suspects violations of the Code of Conduct or this Policy must speak up and raise the issue primarily to their line manager and secondly to the Human Resources department (Group Compliance Officer) or through the Speak-Up Line.

Schibsted expressly forbids any form of retaliation against people who speak up.

Violations against this Policy may lead to disciplinary action. Non-compliance with the Security Policy shall be reported to the Chief Information Security Officer.
 

Target group 

This policy applies to Schibsted and its brands as their binding policy. In addition, Schibsted works towards adopting this policy’s principles and objectives in all other operations in which Schibsted has ownership interests. 

The policy also applies to any third-party provider contracted with the abovementioned entities.