At Danske Bank Group, we consider it important that our suppliers address security matters in a controlled and structured way on the basis of recognised standards and best practices, such as the ISO 27000 series of standards.
Suppliers must have a documented control environment, ensure segregation of duties where necessary and allow access to auditor statements etc. that document security levels and practices.
Security requirements vary according to the service supplied
Our security requirements always form part of the agreement with the individual supplier, but the requirements vary according to the IT service or activity to be supplied. The following security requirements are general and are based on the Group’s security policy and requirements for data security. Each agreement contains further specific requirements, such as an inspection of the company’s production facilities and premises. We also expect suppliers to be able to document compliance with our requirements.
General security requirements
Danske Bank’s suppliers must do the following:
- Comply with statutory requirements, relevant executive orders and instructions as well as applicable orders from government regulators, such as the Danish Financial Supervisory Authority and the Danish Data Protection Agency. This includes giving such regulators free access when they want to make inspections, including unannounced visits.
- Observe professional secrecy in respect of all the Group’s systems and data. This also applies to any subcontractors and business partners. Suppliers must sign a declaration of confidentiality that will remain in force after the termination of the business relationship. In certain situations, the individual supplier’s employees must also sign a separate declaration of confidentiality.
- Take the necessary technical and organisational security measures to prevent personal data from being accidentally or illegally destroyed, lost or impaired, from coming to the attention of any third parties, from being subject to unauthorised use, or from being processed contrary to applicable laws on data protection, including the Danish Act on the Processing of Personal Data. At our request, suppliers must provide adequate information to enable us to determine whether the requirements are complied with.
- Be able to document all security aspects relating to the Group’s systems and data. At our request, suppliers must provide the Group with the necessary documentation.
- Regularly report all security incidents relating to the Group’s systems and data. Suppliers must report any criminal activities or breaches of security immediately.
- Inform the Group of any matters relating to the Group’s systems and data that have implications for auditing.
- Use best practices for secure programming in relation to software applications.