Prevention and protection
We dedicate significant time and resources to cyber security
DSV’s business is reliant on the successful operation of information technology and systems to fulfil its mission and deliver high-quality service to its customers. As a result, the organisation considers its information and information systems important assets that are crucial to its operational excellence. To protect these assets, DSV has established an Information Security Programme that follows information security best practices and is based on principles from leading international standards such as the ISO 2700X series and the CIS Controls.
Information Security Policy
The Information Security Programme in DSV is underpinned by our corporate Information Security Policy, the top-level policy for the security of information and information systems in DSV, which ensures that information security is an integral part of DSV’s business. The policy outlines top management’s direction and commitment to information security, sets objectives and principles for information security, and defines DSV’s approach to managing its information security in accordance with business requirements and relevant laws and regulations. The Information Security Policy applies to DSV globally and covers all types of information and information systems; compliance with it is mandatory.
Core Information Security Objectives and Principles
In its information security efforts, DSV strives to support the corporate strategy and values as well as to ensure that appropriate safeguards are in place to preserve the confidentiality, integrity and availability of information. This enables DSV to maintain its information in a secure manner, lower risk and reduce the impact of disruptive events, support business continuity, comply with laws and regulations, and ensure that our customers’ information is treated with the utmost care and confidentiality.
As such, our core principles include the following:
- Effective governance with clear organisation and well-defined roles and responsibilities is key to maintaining information security throughout all levels of the organisation. We have dedicated resources to information security for both overall governance and day-to-day operational management of information security.
- Proactive risk-based approach to information security across the organisation. We work towards continuous identification, assessment, and remediation of information risks across the organisation, implement prevention technologies, and perform proactive monitoring of threats.
- Implementation of technical, procedural, and organisational information security controls in alignment with best practices and standardisation of the information security setup across the technical infrastructure.
- Resilience of our processing facilities and technical infrastructure to ensure availability of information systems.
- Collaboration with external information security partners to ensure that our security measures stay up to date and protect us from rapidly evolving cyber threats.
- 24/7 security monitoring by our Security Operations Centre to detect and respond to any type of security event on our systems and contain it before it escalates into a serious security incident.
- Crisis response and major incident management capabilities to identify, report and contain incidents to prevent significant interruption to business activities.
- Clear business continuity and disaster recovery processes in case our defences are breached.
- Continuous improvement of our information security capabilities across the entire spectrum.
Employee Awareness and Acceptable Use Policies
Our employees are our first line of defence for protecting DSV from potential information security threats and breaches. Therefore, we have launched a global information security awareness programme to foster a culture of information security and support the correct security behaviours among employees. This programme is aimed at everyone at the company, so our goal is to make it accessible, understandable and engaging to all employees regardless of the area they work in. To do this, we create monthly newsletters and hold competitions, organise simulated phishing exercises, write intranet news articles and conduct mandatory e-learning covering various aspects of information security. Additionally, we have created and published an Acceptable Use Policy for our employees to ensure that they are aware of their responsibility when it comes to using and protecting the information of DSV and its customers.
We strive to communicate openly and transparently to our customers when it comes to information security. Therefore, we have engaged with our external IT auditors to validate that we deliver on our information security promises to our customers. The validation is performed through the internationally recognised ISAE 3402 Type 2 report that provides a unique insight into our information security practices. We are happy to share this report with our customers upon request.
Contact Thomas Zakarias, CISO / Senior Director, Group IT Compliance