IT Security Policy

The security policy must at all times support Aider Danmark's values and vision as well as the strategic goals in the IT strategy.

The purpose of the security policy is also to communicate to everyone who has a relationship with Aider Danmark that the use of information and information systems is subject to standards and guidelines.

Aider Danmark therefore wishes to maintain and continuously develop an IT security level in line with the requirements outlined in 'The common national standard for information security' (DS 484 basic requirements). The requirements are tightened in well-defined areas where there are special legal requirements, contractual conditions or any special risk (identified by a risk assessment).

Maintaining and expanding a high level of security is an essential prerequisite for Aider Danmark's credibility both nationally and internationally.

To maintain Aider Danmark's credibility, it must be ensured that information is treated with the necessary confidentiality and that there is complete, accurate and timely processing of approved transactions.

IT systems are considered Aider Danmark's most critical resource, after employees. Therefore, emphasis is placed on operational reliability, quality, compliance with legal requirements and that the systems are user-friendly, i.e. without unnecessarily cumbersome security measures.

Effective protection against IT security threats must be created so that Aider Danmark's image and employee security and working conditions are safeguarded in the best possible way. Protection must be directed against natural, technical and man-made threats. All persons are considered as possible causes of security breaches; i.e. no group of persons shall be above the security regulations.

The goals are therefore to:

• achieve high reliability with high uptime percentages and minimized risk of major breakdowns and data loss - ACCESSIBILITY
• Achieve correct functioning of systems with minimized risk of manipulation and errors in both data and systems - INTEGRITY
• Achieve confidential processing, transmission and storage of data - CONFIDENTIALITY
• achieve mutual security around the parties involved - AUTHENTICITY
• Achieve security of mutual and documentable contact - INFRINGIBILITY

The above goals must be concretized in Service Level Agreements (SLAs) and contracts with business partners.

Rules and guidelines from the information security policy must be continuously incorporated into the relevant applicable rules in the area of personnel policy.

The security concept includes the following:

• An Information Security Policy approved by the Executive Board based on the recommendation of the IT Committee.
• An information security handbook, which elaborates on the information security policy, established by the IT Committee.
• Security instructions and procedures formulated by the IT Committee

The policy applies to all Aider Denmark information-related activities, regardless of whether these are carried out by employees of Aider Denmark or by business partners.

This includes, for example, all personnel data, financial data, all data that contributes to the administration of the company, production data and plant data, as well as information entrusted to Aider Danmark by others. This data may be factual information, records, registrations, reports, planning assumptions or other information for internal use only.

The Information Security Policy applies to all employees of Aider Danmark and all use of Aider Danmark information assets.

The delegated security-related responsibility and authority lies with the persons designated by the partner group.

Disasters are avoided through well-planned physical security and monitoring of buildings, technical installations and IT equipment. The scope of these measures is decided based on a weighing of risks against security costs and implemented in SLAs.

Aider Danmark's contingency plan is agreed with bluepipe a/s and incorporated into its overall contingency plan. This must clearly specify Aider Danmark's and the partners' responsibilities for backups and emergency plans.

The contingency plans must include:

• Damage mitigation measures
• Establishment of temporary emergency solutions
• Re-establishment of permanent solution

The contingency plans must be updated and tested continuously - and at least once a year.

Employees who violate the applicable information security regulations in Aider Danmark may be subject to disciplinary action. The detailed rules on this are determined in accordance with the applicable personnel policy.