Sjóvá has its headquarters in the capital, Reykjavík, but service to customers near and far is provided through a network of nearly 60 tied agents around the country. Sjóvá currently employs 180 people.

Increased requirements for data security

With software and computers becoming ever more powerful, and with the growing number of network connections and increased Internet access, the need for secure data and equipment keeps growing. At the same time, great strides have been made in developing the security of information systems, as evidenced by the international standards that have emerged in the field over recent years. Legislative requirements in this field have also increased, especially regarding the handling of personal information.

THE ROLE OF SJÓVÁ

Sjóvá's role is to insure items of everyday personal value. In doing so, the company wishes to play its part in creating and supporting the quality of life that people seek. The principal goals and policies of Sjóvá are:
- Superior services
- Straightforward and economical operation
- Energetic and enterprising employees
- International operation
Data security is a key issue at Sjóvá

Sjóvá places considerable emphasis on security and confidentiality in the acquisition and handling of personal data. The information obtained by the company is used only for assessing insurance claims, settling claims for compensation, providing information to customers and in the ordinary course of the company's operations. Information is never released to a third party without the consent of the customer, except where provided for by law or a court ruling.

"As a leading insurance company, information security is of the greatest importance to us. Our goal is to provide exceptional services to the company's customers and to safeguard the information they entrust to us. Surveys among users of the company's services reveal that 98% are pleased with what we offer - and that, in our opinion, is a good result." Þór Sigfússon, CEO of Sjóvá.
Encryption of electronic communications

The SSL standard, an approved security standard, is used when confidential information is sent over the Internet. Under this standard, all communications between the user and sjova.is are encrypted, ensuring that no third party can read the data sent to the company.

Surveillance authorities lay down requirements

Surveillance authorities establish requirements that insurance companies and other entities holding personal information must meet to ensure data security. The Financial Supervisory Authority issues guidelines to companies in the financial sector regarding information security, and the Data Protection Authority requires companies using personal information to safeguard data, prepare risk assessments for the processing of information, document processes and rules of procedure in an organised manner and, lastly, prepare business continuity plans (so-called emergency plans).
The management of Sjóvá reacted immediately to the guidelines issued by the Financial Supervisory Authority and the Data Protection Authority for the implementation of information security in accordance with the Information Security Standard BS 7799. The company decided to seek cooperation with Stiki on the implementation of information security.

The simultaneous implementation of information security and a quality system

The decision was made to implement a quality system in accordance with the ISO 9001 standard at the same time. The first step was the preparation of a web-based organisational manual merging the quality and security manuals. Sjóvá had a substantial amount of material already prepared and possessed the professional knowledge, while Stiki consultants assisted in converting procedural rules and processes into practical forms and supplied the specific processes required by the standards.

Business continuity plans

An important part of the operation of an insurance company is the availability of business continuity plans. Sjóvá had already prepared contingency plans intended to restore company operations following a potential operational disaster. In contingency plans, the emphasis is always on the information assets of the company in question and their protection. Stiki employees gave the representatives of Sjóvá a presentation on their methodology for preparing business continuity plans, and the contingency plan was improved and updated in accordance with the templates and documents designed by Stiki.

Risk assessment using RM Studio®

A risk assessment was prepared for Sjóvá's information processing. An effort was made to expose all aspects affecting the security of the systems within the scope of the assessment. The Stiki OutGuard (now RM Studio®) software was used.
The software was developed by Stiki and is intended to perform risk assessments in accordance with the requirements of the BS 7799 (now ISO 27001) security standard. The risk assessment was performed under the guidance of consultants from Stiki during work meetings. The Sjóvá safety officer recruited other Sjóvá employees as needed.

Proper project management is a prerequisite for success

On the part of Stiki, the project was managed in accordance with the PRINCE2 methodology, using the document templates this method provides. The risk assessment was prepared during work meetings chaired by a consultant from Stiki. The consultancy, management and procedures provided by Stiki were exemplary, as were the professionalism of its employees and their attitude and services throughout the project. Account was taken of the special needs of the company in the analysis of procedures and in the preparation of manuals and plans. The project was on budget, although it exceeded the timetable slightly owing to the annexes to the organisational manual. Stiki deserves high praise for its part in the preparation of the organisational manual, the risk assessment and the business continuity plans at Sjóvá.
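The risk assessment section above describes the outcome but not the mechanics of a BS 7799 / ISO 27001 style assessment. The following is an added illustration, written for this page; it is not code from Stiki, RM Studio or Sjóvá. It scores each (asset, threat, vulnerability) triple on likelihood, impact and asset value, reduces the likelihood by the credit given to existing controls, and turns the residual score into a treatment decision against an acceptance threshold. The scales, thresholds, asset names and findings are constructed for the example and are assumptions, not figures from the assessment described on the page.

```python
"""
Illustrative qualitative risk register in the BS 7799 / ISO 27001 style.
All scales, thresholds and sample entries are constructed for this example
and do not come from RM Studio or from Sjóvá's actual assessment.
"""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    ACCEPT = "accept"        # residual risk within appetite, record and monitor
    MITIGATE = "mitigate"    # add controls, re-assess
    ESCALATE = "escalate"    # management decision: reduce, avoid or transfer


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # 1 (low) .. 5 (critical) business value to the organisation


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe) if the threat materialises
    control_reduction: int = 0  # how many likelihood points existing controls remove

    def __post_init__(self):
        # Reject values outside the assessment scales so a typo cannot hide a risk.
        for label, v in (("likelihood", self.likelihood), ("impact", self.impact),
                         ("asset value", self.asset.value)):
            if not 1 <= v <= 5:
                raise ValueError(f"{label} {v} outside scale 1..5")
        if self.control_reduction < 0:
            raise ValueError("control_reduction must be non-negative")

    def inherent(self) -> int:
        """Inherent risk before existing controls: likelihood x impact x asset value."""
        return self.likelihood * self.impact * self.asset.value

    def residual(self) -> int:
        """Residual risk after crediting existing controls (likelihood never below 1)."""
        return max(1, self.likelihood - self.control_reduction) * self.impact * self.asset.value


# Constructed risk appetite: at or below ACCEPT_AT is accepted, above ESCALATE_ABOVE escalated.
ACCEPT_AT = 20
ESCALATE_ABOVE = 50


def decide(risk: Risk) -> Treatment:
    """Map the residual score onto a treatment decision."""
    score = risk.residual()
    if score <= ACCEPT_AT:
        return Treatment.ACCEPT
    if score <= ESCALATE_ABOVE:
        return Treatment.MITIGATE
    return Treatment.ESCALATE


def prioritise(risks):
    """Return (risk, residual score, decision) tuples, highest residual risk first."""
    return sorted(((r, r.residual(), decide(r)) for r in risks),
                  key=lambda t: t[1], reverse=True)


# Constructed sample register (hypothetical assets and findings, not Sjóvá's).
CLAIMS_DB = Asset("claims database (personal data)", value=5)
WEBSITE = Asset("public website", value=2)
LAPTOPS = Asset("agent laptops", value=3)

SAMPLE_RISKS = [
    Risk(CLAIMS_DB, "unauthorised disclosure", "excessive read permissions",
         likelihood=3, impact=5, control_reduction=1),   # periodic access reviews exist
    Risk(WEBSITE, "defacement", "unpatched CMS", likelihood=3, impact=2),
    Risk(LAPTOPS, "theft", "no full-disk encryption", likelihood=4, impact=5),
    Risk(CLAIMS_DB, "loss of availability", "single-site backups", likelihood=2, impact=4),
]

if __name__ == "__main__":
    for risk, score, action in prioritise(SAMPLE_RISKS):
        print(f"{score:3d} {action.value:9s} {risk.asset.name}: "
              f"{risk.threat} via {risk.vulnerability}")
```

Keeping inherent and residual scores side by side is what lets a later review show whether a control actually bought anything; the treatment decision is always taken on the residual figure, and the thresholds should be set by management as the organisation's risk appetite rather than by whoever fills in the register.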