Lånekassen therefore works in several ways to protect your rights and your data:
- Employees – we are working systematically to develop knowledge, attitudes and awareness in order to reduce human vulnerabilities.
- Technology – we are working to ensure that our systems are robust enough to withstand external cyber threats and reduce vulnerabilities that occur when interacting with third parties and when employees use the systems.
- Organisation – we are working to ensure that there are clear lines of responsibility, that risk management is an integral part of what we do and that procedures and guidelines are drawn up to ensure secure information management.
Our commitment to security also means that we regularly review factors such as risk exposure, available technologies, business needs and regulatory requirements. Overall, this contributes to ensuring that we have up-to-date and effective security measures in place to eliminate threats to your data and rights.
Below you can find a more detailed description of how we work and the measures we have established to protect your data.
When your data is transmitted over the internet by our services, it is protected by encryption, be it between your browser and Lånekassen’s services or between Lånekassen’s physical locations. This prevents unauthorised access to the data during transmission.
When we manage information about you (e.g. processing and storage), this is done in a dedicated separate network zone in our data centre, known as a secure zone. This is in line with the Norwegian Data Protection Authority’s guidelines on security architecture. In the secure zone, your personal data is isolated from the internet and from other administrative systems used by Lånekassen. Below you can find a description of some of the main security mechanisms that support this isolation.
Employees, consultants and external partners are legally obliged to observe confidentiality. Additionally, access will be granted only when there is a professional need. This involves creating different roles with different levels of access. Professional need will be assessed ahead of allocation in connection with a request for access. If the requested access provides access to sensitive data, two independent persons will verify that there is a legitimate professional need.
Lånekassen also performs an annual review of authorisations, in order to identify and, if necessary, correct any non-conformities.
Lånekassen’s IT infrastructure is divided into three security zones: secure, internal and external. The external zone contains all services that are exposed over the internet. The internal zone contains all administrative services, networks and PCs, while all customer data and Lånekassen’s core systems are in the secure zone. The secure zone is protected by layers of different security levels:
- The secure zone is not exposed directly to or directly from the internet
- Only authorised PCs are able to connect to Lånekassen’s network
- Only authorised users can access the secure zone
- A number of different network barriers and technologies are in place to prevent accidental or uncontrolled transmission of data from the secure zone to other zones
- By default, case officers and other authorised users cannot copy customer data or other information from the case processing system in the secure zone to one of the other zones, e.g. to a workstation in the internal zone
- Two-factor authentication has been introduced to reduce the risk of unauthorised access if usernames and passwords are compromised
- Our premises have physical perimeter security
- with best security practices (e.g. malware protection, encrypted hard disks, managed and administered through security policies, application control systems etc.)
Monitoring, detection and troubleshooting
Lånekassen has established mechanisms to monitor, detect and prevent intrusion into and misuse of our solutions and services. These mechanisms serve multiple purposes and are designed to protect your data from external threats and to prevent insiders from abusing the trust placed in them.
All logs used in connection with monitoring, detection and troubleshooting and that may be used to directly or indirectly identify individuals are stored in the secure zone and protected in the same way as personal data.
Incident management and continuity
Even with robust preventive measures in place, there will always be a residual risk. Lånekassen has therefore established procedures for dealing with security incidents. The purpose is to ensure that we can understand, limit, manage and replicate the situation in the event that an incident occurs.
As a customer, you have a right of access to your data. For this reason, we have established backup processes so that services can be restored as quickly as possible, without loss of data, in the event of an operational incident.
To verify that the technical security measures we have implemented work as intended, Lånekassen regularly carries out penetration testing. Such testing is carried out by professional third parties and gives Lånekassen an indication of how exposed we are to external threat actors.