Cybersecurity Policy

Last updated: 19 May 2025
Effective date: 19 May 2025
This legal policy is currently available in English only. A localized version is in preparation.
Contents
  1. Purpose
  2. Scope
  3. Governance and Responsibilities
  4. Cybersecurity Principles
  5. Risk Management
  6. Access Control
  7. Data Protection
  8. System and Network Security
  9. Secure Development and Change Management
  10. Incident Management
  11. Business Continuity
  12. Third-Party Security
  13. Training and Awareness
  14. Monitoring and Compliance
  15. Policy Review
  16. Contact

1. Purpose

The purpose of this Cybersecurity Policy is to define the principles, responsibilities, and controls implemented by VRS ("VRS", "we", "us", or "our") to protect its information systems, data, and services from cybersecurity threats.

This policy supports:

  • protection of confidentiality, integrity, and availability of information;
  • protection of personal data in accordance with our Privacy & Data Protection Policy and applicable laws, including the GDPR;
  • compliance with applicable laws and regulatory requirements;
  • protection of customer and company assets;
  • resilience against cyber threats and incidents.

2. Scope

This policy applies to:

  • all employees, contractors, and third parties with access to VRS systems;
  • all IT systems, applications, and infrastructure;
  • all data processed, stored, or transmitted by VRS.

3. Governance and Responsibilities

3.1 Management Responsibility

Senior management is responsible for:

  • approving this policy;
  • ensuring adequate cybersecurity resources;
  • overseeing risk management and compliance.

3.2 Information Security Responsibility

VRS shall:

  • define and maintain cybersecurity controls;
  • monitor threats and vulnerabilities;
  • ensure compliance with applicable standards.

3.3 Employees and Users

All users must:

  • comply with this policy;
  • protect access credentials;
  • report security incidents promptly.

4. Cybersecurity Principles

VRS follows these core principles:

  • Confidentiality – information is accessible only to authorized users;
  • Integrity – information is accurate and protected from unauthorized changes;
  • Availability – systems and data are available when needed;
  • Least privilege – access is granted only as necessary;
  • Defense in depth – multiple layers of protection are implemented.

5. Risk Management

We maintain a risk-based approach to cybersecurity:

  • identify and assess risks regularly;
  • implement controls to mitigate risks;
  • review risks periodically and upon significant changes.

6. Access Control

Access to systems and data is controlled through:

  • user authentication (e.g. strong passwords, multi-factor authentication where applicable);
  • role-based access control (RBAC);
  • regular review of access rights;
  • immediate revocation of access upon termination or role change.

7. Data Protection

We protect data, including personal data, through:

  • encryption of data in transit and, where appropriate, at rest;
  • secure storage within trusted environments;
  • data minimisation and controlled access;
  • implementation of retention and deletion practices in accordance with our Privacy & Data Protection Policy.

8. System and Network Security

We implement measures including:

  • firewalls and network segmentation;
  • endpoint protection and anti-malware tools;
  • secure configuration of systems;
  • patching and vulnerability management;
  • logging and monitoring of system activity.

9. Secure Development and Change Management

Where applicable, systems and applications are developed and maintained securely through:

  • secure coding practices;
  • testing and validation before deployment;
  • change management procedures;
  • version control and audit trails.

10. Incident Management

10.1 Detection and Reporting

All suspected or actual cybersecurity incidents must be reported immediately.

10.2 Response

VRS will:

  • investigate and contain incidents;
  • mitigate impacts;
  • restore systems and services.

10.3 Personal Data Breaches

Where an incident involves personal data, it will be treated as a personal data breach and handled in accordance with the Privacy & Data Protection Policy and applicable legal requirements, including notification obligations.


11. Business Continuity

We maintain measures to ensure continuity of operations, including:

  • backup and recovery procedures;
  • disaster recovery planning;
  • testing of recovery capabilities.

12. Third-Party Security

We ensure that:

  • third-party providers meet appropriate security standards;
  • data processing agreements include security obligations;
  • risks related to third parties are assessed.

13. Training and Awareness

Employees receive:

  • cybersecurity awareness training;
  • guidance on phishing, social engineering, and safe practices;
  • updates on emerging threats.

14. Monitoring and Compliance

We:

  • monitor systems for security events;
  • conduct periodic reviews and audits;
  • ensure compliance with internal policies and external requirements.

15. Policy Review

This policy is reviewed regularly and updated as necessary to reflect:

  • evolving threats;
  • regulatory changes;
  • business developments.

16. Contact

For cybersecurity-related matters, please contact:

contact@vrs.no