Policy for Information Security

Information security is about ensuring the confidentiality, integrity and availability of our information, and our goal is to protect our own data and our customers’ data. We achieve this by reducing the number of vulnerabilities on our PCs and by avoiding security incidents caused by software that does not belong on a Bouvet PC. Below is information about our procedures and things to consider regarding equipment and security, together with a list of the requirements for devices that synchronise data from Bouvet.

Summary – the following are forbidden on devices that synchronise data from Bouvet

  • Do not install or connect to a private VPN.
    • It is only permitted to use Bouvet’s VPN or, where applicable, the customer’s VPN.
  • All forms of P2P file sharing, piracy and crypto mining are forbidden.
  • It is not permitted to set up remote access to a PC in order to work on it from another PC.
    • Remote access for support that you have requested yourself is permitted. We would like such cases to be reported, but you do not need to wait for approval.
  • It is not permitted to install or operate games or gaming platforms (such as Steam, Epic Games Launcher and Origin).
  • It is not permitted to install security programs other than those that are administered by the IT department.
  • It is not permitted to take an exam that uses so-called “remote proctoring” on a Bouvet PC. In such cases, a dedicated exam PC must be used.
  • Mimikatz, Nmap and other “red team” tools must not be installed.
    • We have guidelines for offensive testing on My Page.

Important points about equipment and information

Passwords and two-factor authentication

Do not use your Bouvet password for external services outside Bouvet, e.g. LinkedIn, Facebook etc.
We offer password management solutions to all our employees. These are to be used for customer- and project-related passwords and other credentials, unless the customer has chosen a different solution.

Passwords must never be stored in solutions other than those dedicated to managing such sensitive data.

Always lock your PC when you leave it. We recommend biometric authentication: unlocking then takes only a second, so there is no reason to leave the PC unlocked, and you need not worry about whether anyone used it while you were away.

You can find further information about changing your password on My Page.

Tablets and mobile phones

In order to connect a tablet or mobile phone to Bouvet’s systems, e.g. Microsoft 365, it must be encrypted and protected with a PIN or a more secure form of authentication.

Be conscious of which apps you install, in order to minimise the attack surface: we advise all employees not to install unnecessary apps on devices that have access to Bouvet’s data or customers’ data.

For examples of apps that should not be installed on work devices, see the advice from the Norwegian National Security Authority (NSM): https://nsm.no/aktuelt/anbefaler-ikke-tiktok-eller-telegram-pa-tjenesteenheter

Be aware of phishing!

So-called “phishing” is becoming increasingly sophisticated and is currently one of the most common and successful forms of attack. Such attacks can be difficult to detect because they can be tailored to the recipient (you) and to your organisation. Gone are the days when they could be recognised by poor grammar or spelling mistakes.

The aim is to trick you into surrendering information in one way or another, such as the username and password to various services, or information about Bouvet or Bouvet’s customers.
Phishing often exploits impulsiveness: attackers try to create fear and/or a sense that you must respond or act immediately.

Be aware of the following:

  • Who is the actual sender?
  • Are you expecting a message? Is it for you?
  • If there are links, where do they actually point to? Hover over a link to see the real address; the visible text can differ from the target.
  • Are there any attachments? If so, why?
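
As an added illustration of the point about links (this is example code for this page, not Bouvet’s own guidance or tooling), the following Python script parses the anchors in an HTML message and reports where each one actually points. It flags the classic tricks: visible text that shows one address while the href goes to another, a username before “@” that hides the real host, a raw IP address as host, and punycode (IDN) hosts. The sample message and the hostnames in it are constructed for the example.

```python
"""Report where the links in an HTML e-mail body really point.

Added example; not part of Bouvet's own tooling. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL, or '' if it has none."""
    if "://" not in url:
        url = "http://" + url  # visible text is often written without a scheme
    return (urlsplit(url).hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Visible text that itself looks like a URL or a bare domain.
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def check_links(html):
    """Return [(href, reasons)] for every anchor; reasons is empty when nothing is suspicious."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        # https://login.bouvet.no@evil.example/ actually goes to evil.example
        if parts.username is not None:
            reasons.append("credentials in URL; real host is " + host)
        if _is_ip_literal(host):
            reasons.append("raw IP address as host")
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode (IDN) host")
        if _LOOKS_LIKE_URL.match(text):
            shown = _host(text)
            if shown and shown != host:
                reasons.append("shows %s but points to %s" % (shown, host))
        findings.append((href, reasons))
    return findings


# Constructed sample message; the hostnames are invented for this example.
SAMPLE = """
<p>Your password expires today.
<a href="https://bouvet-no.example/reset">https://login.bouvet.no/reset</a></p>
<p>Or log in via the <a href="https://login.bouvet.no@203.0.113.7/">portal</a>.</p>
<p>Questions? See <a href="https://portal.bouvet.no/">the portal</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE):
        print(href, "->", "; ".join(reasons) or "looks consistent")
```

Run it against the constructed sample and the first two links are reported (display/target mismatch, and a userinfo trick pointing at an IP address), while the third is clean. In a real mailbox the same check is what “hover over the link” does by hand.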

If you know or suspect that you have fallen victim to an attack, you must follow the procedures for a compromised device on My Page.

Are you on the move or travelling abroad?

You are free to work from home or from other locations with your Bouvet PC, but you must look after it and always use Bouvet’s VPN or a VPN provided by the customer. Guidance for setting up Bouvet’s VPN can be found on My Page.

Make sure you never lose sight of your PC. It is not permitted to travel with Bouvet equipment as checked luggage. It must always be carried as hand luggage.

Be aware that in certain countries the law may require you to provide information about, or access to, electronic equipment or social media accounts. Under no circumstances are you allowed to share passwords and/or confidential information with others, whether they are from Bouvet or a customer.

Bouvet’s guidelines for the use of equipment when travelling can be found on My Page.

Any customer’s policy for remote work or travel must always be followed.

Have you lost your PC?

If equipment containing stored information associated with Bouvet or our customers (PCs, other storage media, mobile phones) is lost, you must immediately report a security incident at https://sir.bouvet.no.

Noticed anything suspicious?

If you notice something that could constitute a security risk, then you should report it as a security incident at https://sir.bouvet.no.

This could be anything from a breach of, or lack of, procedures to a suspected attack, such as having clicked on a link that you should not have clicked on.

Storing information

The security instructions state:

5. Storage

All material, such as documents, source code, designs, data etc., that is created on behalf of Bouvet or Bouvet’s customers must be stored on Bouvet-administered or customer-administered IT solutions. Such material must not be stored on third-party solutions where Bouvet or the customer do not have administrative control over access and content, e.g. private Dropbox and Google Drive accounts.
This means that you must not store data on PCs, media or services that Bouvet or the customer does not control – i.e. you may ONLY use services approved by Bouvet or the customer.

Bouvet classifies the information it handles into three main categories:

  • Open

Information that is openly accessible to everyone, including parties outside Bouvet.

  • Internal

Information that, if it got into the wrong hands, could to some extent harm Bouvet, its employees or its customers. This is the default classification for all information we possess.

  • Sensitive

Information that, if it got into the wrong hands, could seriously harm Bouvet, its employees or its customers. Such information may only be stored in dedicated systems or in document libraries that have their own security regimes.

For further information, see: “Classification of information in Bouvet’s ISMS”.

Backing up data

We regularly make backup copies of SharePoint rooms and our employees’ OneDrive accounts.

You are free to use your Bouvet OneDrive account to back up personal data such as holiday pictures, but remember: if you upload sensitive personal data, it will end up in our backup system.

Backups of OneDrive accounts will be deleted 180 days after cessation of employment.

Access rights and equipment used on assignments

Project managers are responsible for giving project participants sufficient access when they join a project and for removing that access when the participants no longer need it.
This applies to all our operations, e.g. Current, Jira, the Wiki, source code systems and other project-related areas.

When an external party leaves the project, the project manager must also ensure that any PCs and other equipment that are the property of Bouvet or the customer are returned.

If there is no dedicated project manager, this is the responsibility of the delivery manager.

At the office

All visits must be registered, and visitors must wear a visitor’s badge clearly visible on the chest.

Visitors must not be left unsupervised when on the premises.

In order to prevent the leakage of information, photography, video or audio recording for the purpose of publishing is only allowed in specified locations. Otherwise, when taking pictures or videos or making audio recordings, take care that you do not unintentionally “leak” customer data or personal data or photograph people who do not want to be photographed.

Please contact the CISO if you have any questions.

As long as they are on Bouvet’s premises, all Bouvet employees must wear a Bouvet ID card with photo and name clearly visible around the neck. This enables us to effectively identify any non-employees on the premises and treat them appropriately.

If you lose your ID card, you must report it at https://sir.bouvet.no as soon as possible.

Access to sensitive information must be limited to those parties who need such information in order to perform their tasks.
You must therefore remove/delete any information that could be available to parties other than those requiring access to such information. This particularly applies to whiteboards, flip charts etc. when work or a meeting is concluded in a room and before a new meeting starts in the same room.

Delivering equipment

PCs and other equipment that have storage capacity and that you no longer intend to use must be delivered to the IT department for data deletion.

Before any equipment changes hands, data on the device must be deleted. This applies even if the equipment is being transferred from one employee to another.

Automatic forwarding of emails

Automatic forwarding of emails to other domains is not permitted.

You can read more about the use of email at Bouvet on My Page.

Requirements relating to devices that synchronise data from Bouvet

Software on PCs from Bouvet

Bouvet or the customer must provide a licence for the software you require. If you want to use free software found online, you must investigate it before installing it. Check the following:

  • Does the software provider allow you to use the software on a company-owned PC without paying for a licence?
    • You are responsible for reading the terms and conditions of the licence (“EULA”).
    • Examples of software whose free versions are licensed for private PCs only:
      • CCleaner
      • Malwarebytes
  • Is unwanted software included when you install the free version?
    • In such cases we recommend that you check the installation file on virustotal.com for malware. Note that files uploaded to VirusTotal are shared with its partners, so only upload publicly available installers, never Bouvet or customer files; searching for the file’s SHA-256 hash first shows whether it has already been analysed.
    • Example of a program that includes unwanted software:

All software that you install on your PC must be kept up to date.

Any program installed on a device increases the attack surface, so you should consider whether you really need to install it. Is a browser-based version available that has the same functionality?
The IT department encourages all employees to uninstall software that is not being used and to reinstall it if/when it is required again.

It is not permitted to install games or gaming platforms (such as Steam, Epic Games Launcher and Origin). It is not permitted to install security programs other than those that are administered by the IT department. You are not permitted to use your PC for “mining” or P2P file sharing.

Mimikatz, Nmap, malware and other “red team” tools must not be installed on your PC. If our monitoring detects such programs, an alarm is raised in our internal systems and the PC is isolated from the network. If you need tools that would not usually be installed on your PC, contact the IT department beforehand and we will find a solution.

Are you working from a private PC?

You must never work from a private PC/Mac as we will be unable to ascertain whether the security of the device complies with our standards.

We are obliged to comply with our customers’ requirements not to use PCs that are not under the control of Bouvet or the customer. We have previously had incidents connected with working from private devices. There is an example of this on My Page.

You are also not permitted to enrol a private PC in Bouvet’s security systems, as these collect a large amount of data about activity on the PC. Doing so also creates unnecessary noise in the logs and extra work for the IT department.

Regulations for using VPNs

It is only permitted to use Bouvet’s VPN or, where applicable, the customer’s VPN.

In other words, you must never log in with your Bouvet account when you are connected to a private VPN service, e.g. NordVPN, ExpressVPN, Proton VPN.
This applies to all types of devices – mobile phones, private PCs etc.

Remember that mobile phone apps are constantly synchronising data. You are therefore not permitted to have a private VPN service on your mobile phone when you have set up synchronisation of email, for example.

If you log in from such a service, your account will be blocked automatically.

High-risk equipment

High-risk equipment such as publicly available PCs (lobby PCs, library PCs etc.) is under the control of neither you nor Bouvet: you cannot know whether the traffic is intercepted, whether your keystrokes are logged, or whether someone is watching over your shoulder.

Overall, the risk of using such equipment is therefore very high.

It is therefore not permitted to log in to Bouvet’s or a customer’s account from this type of equipment.