Cyber security

DSV’s business is reliant on successful operation of information technology and systems to fulfil its mission and deliver high-quality service to its customers. As a result, the organisation considers its information and information systems important assets that are crucial to its operational excellence. To protect these assets, DSV has established an Information Security Programme that follows information security best practices and is based on principles from leading international standards, such as ISO 2700X series and the CIS Controls, and other frameworks.

Information Security Policy
The Information Security Programme in DSV is underpinned by our corporate Information Security Policy, which is the top-level policy for the security of information and information systems in DSV that ensures that information security is an integral part of DSV’s business. The policy outlines top management’s direction and commitment to information security, sets objectives and principles for information security, and defines DSV’s approach to managing information security in accordance with business requirements and relevant laws and regulations. The Information Security Policy applies to DSV globally, covers all types of information and information systems, and compliance with it is mandatory.

Core Information Security Objectives and Principles 
In its approach to information security DSV strives to support the corporate strategy and values as well as to ensure that appropriate safeguards are in place to preserve the confidentiality, integrity and availability of information. This enables DSV to maintain its information in a secure manner, reduce the risk and potential impact of disruptive events, support business continuity, comply with laws and regulations as well as to ensure that our customers’ information is treated with utmost care and confidentiality.

As such, our core principles are as follows:

• Effective governance with clear organisation and well-defined roles and responsibilities is key to maintaining information security throughout all levels of the organisation. We have dedicated resources to information security for both overall governance and day-to-day operational management of information security.
• A risk-based approach to information security across the organisation. We work towards continuous identification, assessment and mitigation of information risks across the organisation, implement prevention technologies and perform proactive monitoring of threats.
• Implementation of technical, procedural and organisational information security controls in alignment with best practices and standardisation of the information security setup across the technical infrastructure.
• Resilience of our processing facilities and technical infrastructure to ensure availability of information systems.
• Collaboration with external information security partners to ensure that our security measures stay up to date and protect us from rapidly evolving cyber threats.
• 24/7 security monitoring by our Security Operations Centre to detect and respond to any type of security event on our systems and contain it before it escalates into a serious security incident.
• Clear business continuity and disaster recovery processes to minimise impact in case of a security breach.
• Continuous improvement of our information security capabilities across the entire spectrum.

Employee Awareness and Acceptable Use Policies
Our employees are our first line of defence for protecting DSV from potential information security threats and breaches. Therefore, we are running a global information security awareness programme to foster a culture of information security and support correct security behaviour among employees. The programme is aimed at all employees in the company. Our goal is therefore to make it accessible, understandable and engaging to all employees regardless of their work area. To do this, we create monthly newsletters and hold competitions, organise simulated phishing exercises, write intranet news articles as well as conduct mandatory e-learning covering various aspects of information security. Additionally, we have created and published an Acceptable Use Policy for our employees to ensure that they are aware of their responsibility when it comes to using and protecting the information of DSV and its customers.

Information Security Governance
We have established a DSV Security Board to oversee that our global information security priorities are in alignment with our business and IT strategies. The Security Board is chaired by our CFO with the purpose of setting the direction for information security and governance of our portfolio of security initiatives and risks. Furthermore, the Security Board evaluates and approves the necessary response based on the current information security threat landscape. The Security Board approves deadlines on security initiatives, defines security key controls and sets the direction of strategic information security priorities. Security Board meetings are held bi-monthly. Reporting to the Board of Directors (Audit Committee) on information security is performed three times per year.

Customer Assurance
We strive to communicate openly and transparently to our customers when it comes to information security. In DSV we have an internal IT compliance programme driven by Group IT Compliance which provides IT assurance globally on a risk-based approach. Scope and priorities are aligned with the Security Board – and findings are reported to the Security Board. Furthermore, we have engaged with our external IT auditors to validate that we deliver on our information security promises to our customers. The validation is performed through the independent and internationally recognised ISAE 3402 Type 2 report that demonstrates assurance and provides a unique insight into our information security practices. The assurance report is updated on an annual basis. The report can be shared with customers and collaboration partners for assurance purposes upon request.