AI Connectors — Security Controls#
System: AI connectors Owner: SWV (Shwetha V) Status: Draft / Non Compliant Review cadence: Annually
SC.01 — IT Security: User and Password Management#
CTRL0537475 — SC.01.13: Protect privileged accounts and credentials#
Control Text: Protect privileged accounts and their passwords to the standard delivered by the Novo Nordisk Privileged Identity Management solution.
Applicability: There are users in the IT Solution or service. Mandatory add-on — must be implemented regardless of risk assessment outcome; compensating controls require CISO approval.
Additional Description
Privileged Identity Management (PIM) provides a protected vault for secure storage and management of passwords. Using PIM allows you to:
- Avoid having to remember all passwords
- Have a central repository with various access levels for employees
- Automate password management (verify/change/reset passwords)
- Keep an audit trail in one place for operations with accounts
- Have password rotation
A PIM solution by Novo Nordisk standards must include the following security features (or equivalent compensating measures):
- Access Control: Least Privilege Principle, Role-Based Access Control (RBAC), Access Approval Workflow
- Authentication & Authorization: Multi-Factor Authentication (MFA), strong password policies, Single Sign-On (SSO) integration
- Monitoring & Auditing: Session monitoring, comprehensive audit logs, anomaly detection
- Account Management: Automated provisioning/de-provisioning, periodic review, password vaulting, encryption of sensitive data in transit and at rest
Detailed Description
Implementation Considerations
All privileged access to AI Connectors production and development infrastructure uses the NN PIM solution:
- Separate ADMIN-XXXX accounts are required for all AWS console access (accounts `673034950531` prod and `094069622854` dev). Standard corporate accounts cannot access production infrastructure.
- Time-limited passwords: ADMIN-XXXX account passwords are obtained from PIM and are valid for 8 hours, after which they expire automatically and must be re-checked out.
- MFA enforced at every step: MFA (YubiKey primary method) is required to obtain the PIM password and to sign into the AWS console via AWS SSO.
- Access via NovoAccess: Privileged account access is requested through NovoAccess and approved based on role and need. The current list of all privileged users is extractable from NovoAccess at any time.
- Terraform infrastructure access additionally requires AWS access token profiles stored in SSM Parameter Store (encrypted), accessible only from the ADMIN-XXXX account — no static credentials on developer machines.
- Service identities (ECS IAM roles) carry no passwords and are never used interactively: ECS tasks obtain short-lived role credentials from the ECS agent's task credential endpoint, not from a login. Check: the role's trust policy should allow only the `ecs-tasks.amazonaws.com` service principal, since that, not the absence of a password, is what keeps a human from assuming the role.
Evidence: access-management.md §6, docs/compliance/controls/sc-01-access-management.md §SC.01.13.
CTRL0537477 — SC.01.17: Ensure proper approvals of user access#
Control Text: Ensure proper approvals of user accesses (for instance by line manager and/or IT System owner).
Applicability: There are users in the IT Solution.
Additional Description
It is recommended to use novoAccess if possible. User access must be granted only to authorised users and access rights must be properly approved and reviewed before granting access.
Guidelines for access authorisation are defined in Section 2.1 of the "Manage Users of IT Systems - Guideline" Q0355420 in Quality Docs.
Detailed Description
Implementation Considerations
AI Connectors enforces access approvals at two layers:
- End-user access: Controlled by Azure AD enterprise application group assignment. The current assignment (`3bb6cc78-2024-419a-a6af-42c28127e12f`, all Novo Nordisk employees excluding sanctioned countries) was provisioned via a ServiceNow RITM ticket. Any change to the assigned group (e.g. restricting to a department or pilot group) requires a new RITM ticket, approved via the standard RITM workflow by the line manager and/or IT Infrastructure Owner.
- Operator access (AWS SSO): Requested via ServiceNow and approved by the IT Infrastructure Owner before any access is granted.
- Azure AD app registration changes: Each app registration is provisioned via a dedicated ServiceNow RITM ticket. All RITM ticket IDs are maintained in `access-management.md` §3 for audit purposes (RITM1120011, RITM1121493, RITM1122136, RITM1122137, RITM1122483, RITM1122491, RITM1127247, RITM1127248).
- CI/CD deploy roles: GitHub Actions OIDC roles are created via Terraform and reviewed in a pull request, so a role cannot be created or widened without a reviewer's approval. Check: each role's trust policy should pin the OIDC `sub` claim to the specific repository and branch or environment, otherwise any workflow in the organisation could assume it.
Evidence: access-management.md §3, docs/compliance/controls/sc-01-access-management.md §SC.01.17.
CTRL0537488 — SC.01.15: Ensure that passwords are kept secure#
Control Text: Ensure that passwords are kept confidential when entered, stored, and transmitted across any network with encryption/hashing methods considered best practice by Global Information Security.
Applicability: There are users in the IT Solution or services. Mandatory add-on — must be implemented regardless of risk assessment outcome; compensating controls require CISO approval.
Additional Description
Protecting passwords when entered:
- Require strong, unique passwords not easily guessable or based on personal information.
- The IT solution should not allow persistent disclosure of the password in plain text (a temporary view is acceptable).
- Instruct users to follow the IT code of conduct on password handling.
- Two-factor authentication is in many cases a mandatory extra layer of security.
Protecting passwords in transit:
- Never transmit passwords in plain text.
- Encrypt all web- and service-based communications with TLS. Support only TLS 1.2 and TLS 1.3; disable all other protocols.
Protecting passwords at rest:
- Do not store passwords in clear text; store a salted hash computed with a best-practice password hashing function.
- Also encrypt the database where password hashes are stored.
- Implement strong access controls to limit access to password hashes to authorized individuals only.
- Monitor and log access to detect and prevent unauthorized access.
Recommended password hashing algorithms: Argon2id, scrypt, bcrypt, or PBKDF2. These are deliberately slow (and, for Argon2id and scrypt, memory-hard), which makes offline cracking of a stolen hash table expensive. BLAKE2, sometimes listed alongside them, is a fast general-purpose hash and is not a password hashing function on its own. Use salting (a unique random value per password) and optionally peppering (a secret value kept outside the database, for example in a secrets manager) to further enhance security.
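Worked example of the at-rest guidance above: a salted, peppered, deliberately slow hash with constant-time verification and a rehash-on-policy-change check. This is an added illustration, not Novo Nordisk or AI Connectors code. It uses scrypt from the Python standard library because that needs no third-party package; Argon2id would follow the same pattern with the argon2-cffi package. The work-factor parameters, the record format and the demo pepper are assumptions made for the example.

```python
"""Salted, peppered password hashing with scrypt (added example, not project code)."""
import base64
import hashlib
import hmac
import secrets

# Work-factor parameters, assumed for illustration: tune so one hash costs tens of
# milliseconds on the real server. n must be a power of two; n=2**14, r=8 needs ~16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Bound the input so an attacker cannot make the server hash megabytes per login attempt.
MAX_PASSWORD_BYTES = 1024

# Constructed pepper for this example only. In production the pepper lives outside the
# database, e.g. in a secrets manager or an encrypted SSM parameter, never in code.
DEMO_PEPPER = b"constructed-pepper-for-this-example-only"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _pre_hash(password: str, pepper: bytes) -> bytes:
    """HMAC the password with the pepper.

    A dumped table of salts and hashes is useless without the pepper, which is
    never stored next to them.
    """
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    return hmac.new(pepper, pw, hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$hash (salt and hash base64).

    Storing the parameters with the hash lets the work factor be raised later
    without breaking verification of older records.
    """
    salt = secrets.token_bytes(16)  # unique random salt per password
    dk = hashlib.scrypt(_pre_hash(password, pepper), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, pepper: bytes, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time.

    Malformed records and oversized passwords are rejected rather than raised,
    so a login endpoint cannot be turned into an error oracle.
    """
    try:
        alg, n, r, p, salt_b64, hash_b64 = record.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        dk = hashlib.scrypt(_pre_hash(password, pepper), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored work factor is below current policy: rehash on next successful login."""
    parts = record.split("$")
    return parts[0] != "scrypt" or int(parts[1]) < SCRYPT_N
```

Verification reads the parameters from the record itself, so raising `SCRYPT_N` only changes new hashes; existing users are migrated transparently by calling `needs_rehash` after a successful `verify_password` and storing a fresh record.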
Detailed Description
Implementation Considerations
AI Connectors does not manage end-user passwords — all human authentication is delegated to Azure AD (Novo Nordisk's identity provider). For machine secrets (Azure AD client secrets), the platform enforces confidentiality as follows:
- Encrypted at rest: All Azure AD client secrets are stored in AWS SSM Parameter Store as `SecureString` values, encrypted using the account-default AWS KMS key (`aws/ssm`).
- Encrypted in transit: Client secrets are exchanged with the Azure AD token endpoint (`login.microsoftonline.com`) exclusively over TLS. All platform traffic is HTTPS (TLS 1.2 minimum; TLS 1.3 preferred).
- Never in plaintext: Secrets never appear in source code, Docker images, ECS task definitions, CloudWatch logs, or GitHub Actions logs. Only the SSM ARN reference appears in the ECS `secrets` block; the value is injected by the ECS agent at container startup. Once injected, the secret is an environment variable inside the running container, so anything that can read that environment (ECS Exec, a compromised process, an application that dumps its environment to a log) can read it; ECS Exec access is therefore privileged access.
- IAM-enforced access: Each MCP's execution role has `ssm:GetParameter` permission scoped to only its own two SSM parameters. No cross-MCP access exists; CI/CD pipelines have no SSM access.
- Machine-generated: Azure AD client secrets are generated by Azure AD at provisioning time via ServiceNow RITM; the AI Connectors team never sets or knows the secret value manually. Client secrets carry an expiry date set at creation, so the expiry must be tracked and a replacement provisioned into SSM before the old secret lapses.
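To make the task-definition and IAM rules above checkable rather than merely stated, here is an added example (not AI Connectors code) of a pre-deploy check over an ECS task definition and its execution-role policy: no secret-looking values in plaintext `environment`, every `secrets` entry an SSM parameter ARN in the expected account and under the MCP's own path, and no `ssm:GetParameter*` grant wider than those parameters. The account id, region, MCP name, the `/ai-connectors/<mcp>/...` path convention and the sample definitions and policies are all constructed for illustration.

```python
"""Secret-hygiene check for an ECS task definition and its execution-role policy.

Added example, not AI Connectors code. Everything below the regexes is constructed
sample data under an assumed /ai-connectors/<mcp>/ parameter path convention.
"""
from __future__ import annotations

import re
from typing import Any

SECRET_NAME_RE = re.compile(r"(secret|password|passwd|token|api[_-]?key|private[_-]?key)", re.I)
SSM_ARN_RE = re.compile(
    r"^arn:aws:ssm:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):parameter(?P<name>/.+)$")

ACCOUNT = "111111111111"   # constructed; not a real account id
REGION = "eu-west-1"       # assumed region
MCP = "example-mcp"        # constructed MCP name


def ssm_arn(name: str) -> str:
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{name}"


# The "own two parameters" of this MCP (names assumed).
OWN_ARNS = {ssm_arn(f"/ai-connectors/{MCP}/client-id"),
            ssm_arn(f"/ai-connectors/{MCP}/client-secret")}


def check_task_definition(task_def: dict[str, Any], mcp: str, account: str) -> list[str]:
    """Return findings; an empty list means the definition passes.

    Rule 1: nothing secret-looking in plaintext `environment`.
    Rule 2: every `secrets[].valueFrom` is a full SSM parameter ARN in this account
            under /ai-connectors/<mcp>/ (bare parameter names are rejected on purpose,
            so the account and region are always explicit).
    """
    findings: list[str] = []
    for cdef in task_def.get("containerDefinitions", []):
        cname = cdef.get("name", "?")
        for env in cdef.get("environment", []):
            name = env.get("name", "")
            if SECRET_NAME_RE.search(name):
                findings.append(f"{cname}: plaintext environment variable {name!r} looks like a secret")
        for sec in cdef.get("secrets", []):
            sname = sec.get("name")
            m = SSM_ARN_RE.match(sec.get("valueFrom", ""))
            if not m:
                findings.append(f"{cname}: secret {sname!r} is not an SSM parameter ARN")
                continue
            if m["account"] != account:
                findings.append(f"{cname}: secret {sname!r} references account {m['account']}, expected {account}")
            if not m["name"].startswith(f"/ai-connectors/{mcp}/"):
                findings.append(f"{cname}: secret {sname!r} reads outside this MCP's path: {m['name']}")
    return findings


def check_execution_policy(policy: dict[str, Any], allowed_arns: set[str]) -> list[str]:
    """Return findings for Allow statements whose ssm:GetParameter* reach beyond allowed_arns."""
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower().startswith("ssm:getparameter") or a in ("ssm:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            if res in allowed_arns:
                continue
            kind = "wildcard resource" if "*" in res else "resource"
            findings.append(f"{kind} {res!r} grants SSM parameter reads beyond this MCP's own parameters")
    return findings


# Constructed samples. ECS resolves `secrets` with ssm:GetParameters on the execution
# role (plus kms:Decrypt only when a customer-managed KMS key is used).
GOOD_TASK_DEF = {"family": MCP, "containerDefinitions": [{
    "name": "app",
    "environment": [{"name": "AZURE_TENANT_ID", "value": "fdfed7bd-9f6a-44a1-b694-6e39c468c150"}],
    "secrets": [
        {"name": "AZURE_CLIENT_ID", "valueFrom": ssm_arn(f"/ai-connectors/{MCP}/client-id")},
        {"name": "AZURE_CLIENT_SECRET", "valueFrom": ssm_arn(f"/ai-connectors/{MCP}/client-secret")},
    ]}]}
BAD_TASK_DEF = {"family": MCP, "containerDefinitions": [{
    "name": "app",
    "environment": [{"name": "AZURE_CLIENT_SECRET", "value": "hunter2"}],  # plaintext secret
    "secrets": [{"name": "OTHER", "valueFrom": ssm_arn("/ai-connectors/other-mcp/client-secret")}],
    }]}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"], "Resource": sorted(OWN_ARNS)}]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": ssm_arn("/*")}]}
```

Run both checks in the pipeline step that renders the task definition, before `register-task-definition`, and fail the deploy on any finding; the same functions work on a live definition pulled with `aws ecs describe-task-definition` for the annual review.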
Evidence: secrets-management.md §2, data-storage-encryption.md §2–3, docs/compliance/controls/sc-01-access-management.md §SC.01.15.
CTRL0537490 — SC.01.01: Shared user accounts (group accounts)#
Control Text: Shared user accounts (group accounts) can only be used if individual accounts are not possible, and only if implementing compensating controls such as physical access controls and logging of the use of the account.
Applicability: There are users in the IT Solution that are not managed through Active Directory.
Additional Description
If it is not possible to use individual accounts, follow these guidelines:
- Use a Privileged Identity Management (PIM) Solution.
- Restrict access to shared accounts through isolation and lock-down.
- Use a local, restricted account which can only enter data or has limited display of data. Never use a generic CORP user account as a shared account.
- Physically isolate the point of access to the shared account by placing the computer in a locked room or building.
- Disable access to anything but the IT solution that the shared account is used for (e.g. remove email, internet access if possible).
- Monitor and review the shared account regularly to detect any potential misuse.
- Review transactions/logs for the shared account and consider using a usage-log to improve enforcement and provide individual accountability.
- Increase frequency of password changes and implement more strict password management controls (e.g. define whether password should be changed when an employee with access to the account leaves the company).
System accounts are most often an integrated part of an IT system with extensive privileges, presenting significant risks. These risks should be identified and managed appropriately.
Detailed Description
Implementation Considerations
AI Connectors does not use shared user accounts at any level:
- End users authenticate with their personal Novo Nordisk Azure AD identity. Every API call carries the user's individual `oid` (Azure AD object ID) and `upn` (email) claims, which are recorded in the immutable audit log per tool call. No shared credentials exist at the end-user level. (`oid` is the stable identifier; `upn` can change on rename, so correlate on `oid`.)
- Platform operators (AWS account admins) use individual ADMIN-XXXX accounts obtained via PIM; no shared admin password exists.
- Service identities (ECS IAM roles) have no login capability and carry no long-lived credentials. ECS tasks receive short-lived STS credentials for the task role from the ECS agent's credential endpoint; no human or shared identity is involved.
- CI/CD pipelines use per-MCP GitHub Actions OIDC roles — no shared deployment credentials.
- Azure AD client secrets (service account tokens) are bound to a specific MCP's app registration, stored in separate SSM paths per MCP, and never shared between MCPs.
Evidence: access-management.md §1, §8, docs/compliance/controls/sc-01-access-management.md §SC.01.01.
CTRL0537505 — SC.01.04: Review access rights for all users#
Control Text: Review access rights for all users on a regular basis and revoke rights that are no longer needed, for instance due to changing job roles or termination of employment.
Applicability: There are users in the IT Solution.
Additional Description
When performing an access rights review, it is important to review both:
- The list of users that have access to the IT solution (do they still all need access?)
- The specific roles and privileges assigned to those users (do users need all the permissions they have, or can they be reduced?)
It is up to the IT solution management to determine the appropriate frequency of access right reviews, depending on the risk profile of the IT solution. Minimum guidelines are defined in Section 3.2 and 3.3 of the "Manage Users of IT Systems - Guideline" Q0355420 in Quality Docs. For IT solutions with a higher risk profile, consider more frequent reviews.
Detailed Description
AI Connectors has three distinct access populations that are reviewed on different cadences and through different mechanisms:
- End users: access is governed by an Azure AD group (`3bb6cc78-2024-419a-a6af-42c28127e12f`). The review assesses whether broad all-employee assignment remains appropriate, or whether it should be scoped to a specific group. Reviewed annually.
- Platform operators: AWS SSO assignments and IAM roles in both accounts. The review removes any roles or assignments that are no longer needed, including those for deprecated MCPs or departed team members. Reviewed annually.
- Service identities — Azure AD app registration owners and CI/CD OIDC trust policies. Reviewed to confirm no unexpected owners or trust extensions were added. Reviewed annually.
Offboarding is handled automatically for end users (Azure AD account disable by NN IT) and manually for operators (IT Infrastructure Manager removes AWS SSO assignments).
Implementation Considerations
AI Connectors performs annual access rights reviews across all access categories:
| What | Frequency | Responsible |
|---|---|---|
| End user group assignment (Azure AD enterprise app) | Annually | IT Infrastructure Manager |
| AWS account IAM roles, policies, and SSO assignments | Annually | IT Infrastructure Manager |
| Azure AD app registration owners | Annually | IT Infrastructure Manager |
| CI/CD deploy roles (GitHub Actions OIDC) | Annually | IT Infrastructure Manager |
Reviews are also triggered by team member role changes or departures.
Automated offboarding: When a Novo Nordisk employee leaves, their Azure AD account is disabled centrally by NN IT. This blocks new sign-ins and revokes refresh tokens, so no further access tokens can be issued; access tokens already in a client's hands stay valid until they expire (roughly an hour by default, unless Continuous Access Evaluation revokes them sooner). No manual action is required at the AI Connectors level. DynamoDB token cache entries carry a TTL of about 1 hour; DynamoDB removes expired items on a background schedule rather than at the exact expiry time, so the cache read path must also check the TTL attribute against the current time instead of assuming an expired entry is already gone.
Operator offboarding: AWS SSO assignments for platform operators are removed by the IT Infrastructure Manager. This is reviewed as part of the annual access review.
Evidence: access-management.md §4–5, docs/compliance/controls/sc-01-access-management.md §SC.01.04, §SC.01.06.
CTRL0537509 — SC.01.14: Remote user access#
Control Text: For remote user access to any Novo Nordisk IT solution, data, or network from non-Novo Nordisk controlled devices or networks, apply an extra layer of authentication, such as one-time passwords, biometrics, or tokens, in addition to the username and password.
Applicability: There are users in the IT Solution. Mandatory add-on — must be implemented regardless of risk assessment outcome; compensating controls require CISO approval.
Additional Description
Implementing this control:
- Requires use of a two-factor authentication mechanism approved by Global Information Security. Contact gsosecurityservices@novonordisk.com or see the Service Catalogue for approved options.
- You may choose from one-time passwords, biometrics, or tokens — evaluate the benefits and drawbacks of each before deciding.
- Once decided, implement across all IT systems, which may involve deploying new hardware/software or reconfiguring existing systems.
- Inform all remote users of the new authentication requirements and provide clear instructions. Disable other authentication methods that could bypass the additional layer.
- Use of a VPN connection to the Novo Nordisk network is considered a compensating control. Note that SC.02.03 on network connections between Novo Nordisk infrastructure and third parties requires CISO approval.
Detailed Description
Remote access — access from outside a physically controlled Novo Nordisk network boundary — requires an additional authentication factor beyond username and password. For cloud-hosted solutions accessible over the internet, all access is inherently remote. The second factor must be an approved mechanism: hardware token (YubiKey), authenticator app (OTP), or biometric — as approved by Global Information Security.
For solutions using Azure AD as the identity provider, MFA is enforced at the identity layer via Conditional Access policies, which applies uniformly regardless of where the user is connecting from.
Implementation Considerations
MFA is enforced for all human access to AI Connectors through the Novo Nordisk Azure AD tenant (fdfed7bd-9f6a-44a1-b694-6e39c468c150) Conditional Access policies. No additional MFA configuration is required at the AI Connectors application level — MFA is inherited from the central NN policy:
- End users: MFA is required by Azure AD Conditional Access before any token is issued to an MCP enterprise application. Users cannot authenticate to any MCP without completing MFA.
- Privileged access (ADMIN-XXXX / PIM): ADMIN-XXXX account passwords are obtained from PIM, which requires MFA (YubiKey primary method) before checkout. Signing into AWS via AWS SSO (federated through Azure AD) also requires MFA at the Azure AD layer.
- Azure AD portal access: MFA is required by Conditional Access for any Azure AD admin operation.
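MFA is inherited from Conditional Access, so the MCP does not prompt for a second factor itself; it can, however, verify that the token it receives records one. The following is an added example, not AI Connectors code, of that defence-in-depth check at the MCP boundary. It assumes the token signature has already been verified against the tenant's JWKS by a JWT library (not shown); the audience URI, the sample claims and the unsigned sample token are constructed. The `amr` values are those Microsoft documents for that claim.

```python
"""Claim checks on an Azure AD token at the MCP boundary (added example, not project code).

Signature verification against the tenant JWKS is assumed to have happened first;
this layer checks tenant, audience, validity window, an MFA-backed `amr`, and
extracts the oid/upn pair that the audit log records.
"""
from __future__ import annotations

import base64
import json

TENANT_ID = "fdfed7bd-9f6a-44a1-b694-6e39c468c150"   # NN tenant id (from the page)
EXPECTED_AUD = "api://example-mcp"                    # assumed app-id URI of one MCP

# amr values Microsoft documents as indicating multi-factor authentication.
MFA_AMR_VALUES = {"mfa", "ngcmfa", "mngcmfa", "wiaormfa"}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def unverified_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature.

    Only meaningful after a JWT library has verified the signature; on its own
    this proves nothing, since anyone can mint an unsigned token.
    """
    try:
        _header, payload, _sig = token.split(".")
    except ValueError as exc:
        raise ValueError("not a JWS compact token") from exc
    return json.loads(_b64url_decode(payload))


def authorize(claims: dict, now: float, audience: str = EXPECTED_AUD) -> dict:
    """Return the audit identity {oid, upn} or raise PermissionError naming the failing claim."""
    if claims.get("tid") != TENANT_ID:
        raise PermissionError("tid: token not from the Novo Nordisk tenant")
    if claims.get("aud") != audience:
        raise PermissionError("aud: token issued for a different application")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise PermissionError("exp/nbf: token outside its validity window")
    if not MFA_AMR_VALUES & set(claims.get("amr", [])):
        raise PermissionError("amr: no MFA method recorded; Conditional Access may not have applied")
    oid = claims.get("oid")
    if not oid:
        raise PermissionError("oid: missing stable user identifier")
    # oid is the durable key for correlation; upn can change on rename and is kept
    # for readability. v2.0 tokens carry it as preferred_username.
    return {"oid": oid, "upn": claims.get("upn") or claims.get("preferred_username")}


def rejection_reason(claims: dict, now: float, audience: str = EXPECTED_AUD):
    """The failing claim name (for the rejection log line), or None if accepted."""
    try:
        authorize(claims, now, audience)
    except PermissionError as exc:
        return str(exc).split(":")[0]
    return None


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token for the constructed samples; never accept these in production."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims. NOW is a fixed "current time" for the example.
NOW = 1_700_000_000.0
GOOD_CLAIMS = {"tid": TENANT_ID, "aud": EXPECTED_AUD, "nbf": NOW - 60, "exp": NOW + 3600,
               "amr": ["pwd", "mfa"], "oid": "11111111-2222-3333-4444-555555555555",
               "upn": "alice@example.com"}
NO_MFA_CLAIMS = {**GOOD_CLAIMS, "amr": ["pwd"]}
```

The `amr` check turns a silent policy gap (a Conditional Access exclusion, a legacy-auth path) into a logged rejection with the user's `oid`, which is exactly the record the SC.01.18 activity trail needs.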
Reference: Novo Nordisk MFA policy.
Evidence: access-management.md §7, docs/compliance/controls/sc-01-access-management.md §SC.01.14.
CTRL0537510 — SC.01.18: Maintain a list of current users#
Control Text: Maintain a list of current users and their access.
Applicability: There are users in the IT Solution.
Additional Description
It is recommended to use novoAccess if possible. Maintaining an up-to-date list of users and their access rights is an important component of access control — without it there is a risk of granting access to unauthorised users or failing to revoke access rights when they are no longer required.
Guidelines for creating/updating access rights are defined in Section 3.1 of the "Manage Users of IT Systems - Guideline" Q0355420 in Quality Docs.
Detailed Description
An authoritative, up-to-date list of who has access to the IT solution — and at what permission level — is a prerequisite for effective access management. Without it, revocation of access on offboarding or role change cannot be reliably executed, and periodic access reviews have no baseline to work from.
The user list must be kept current in real time (not only at review time) and must be accessible for audit purposes.
Implementation Considerations
AI Connectors maintains current user lists at each access layer:
- End users: The Azure AD enterprise application group assignment is the authoritative access list. The assigned group (`3bb6cc78-2024-419a-a6af-42c28127e12f`) and its members are managed and auditable in Azure AD at any time by the IT Infrastructure Manager.
- Platform operators (privileged): The list of all privileged users with AWS account access is maintained in NovoAccess and can be extracted on demand.
- Tool-level activity trail: Every MCP tool call is recorded in the immutable audit log (Kinesis Firehose → S3 NDJSON), including `user_oid` and `user_upn`. This provides a complete activity record for any user at any time, queryable via the `/check-audit-logs` skill.
- Annual access reviews: The current user lists are reviewed annually by the IT Infrastructure Manager and documented in `access-management.md` §4.
Evidence: access-management.md §4, §6, logging-monitoring.md §2, docs/compliance/controls/sc-01-access-management.md §SC.01.18.
CTRL0537524 — SC.01.06: Check for inactive accounts#
Control Text: Check for inactive accounts on a regular basis. Disable any accounts that are inactive.
Applicability: There are users in the IT Solution.
Additional Description
To implement this control:
- Define the maximum amount of time an individual can be inactive before the account is disabled, based on the risk and sensitivity of the data being protected.
- Implement account management processes that check for inactivity and disable accounts that exceed the defined maximum time period.
- Ensure that all users are aware of the maximum time period for inactivity and the consequences of exceeding this period.
See Section 2.3 of the "Manage Users of IT Systems - Guideline" Q0355420 in Quality Docs.
Detailed Description
Inactive accounts — accounts that have not been used for an extended period — represent an attack surface: they may belong to former employees, unused service integrations, or forgotten test users, all of which could be exploited if compromised. Regular review and automated inactivity detection reduce this risk.
The maximum inactivity period before disabling must be defined based on the sensitivity of the system. For systems with access to corporate data, a shorter inactivity period (e.g. 90 days) is appropriate.
Implementation Considerations
AI Connectors handles inactive accounts through a combination of centrally managed Azure AD lifecycle and automated token expiry:
- End users: Azure AD account lifecycle is managed centrally by NN IT. When a Novo Nordisk employee is offboarded or their account becomes inactive, it is disabled by NN IT, which blocks new sign-ins and revokes refresh tokens; access tokens already issued remain valid until they expire (roughly an hour), after which MCP access ends. No separate process is required at the AI Connectors level.
- DynamoDB token cache: OAuth token cache entries carry a TTL attribute (~1 hour). DynamoDB deletes expired entries automatically, but not at the exact moment of expiry, so the cache read path must compare the TTL attribute with the current time and treat a lapsed entry as a miss; inactive sessions are then cleaned up without manual intervention.
- Platform operators: AWS SSO session tokens expire according to the AWS SSO session duration policy. No persistent credentials exist for human operators — access is obtained on demand via PIM (8-hour time-limited admin passwords). Operator access is reviewed annually and removed promptly on role change or departure.
- Annual access review: Inactive operator accounts and unused IAM roles are identified and removed as part of the annual access review documented in `access-management.md` §4.
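Worked detection for the inactivity review above, also usable with the tool-level activity trail described under SC.01.18: given an exported access list and the NDJSON audit log, it lists members with no activity inside the window, members with no activity at all (granted but never used), and actors who appear in the log but not on the list. This is an added example, not AI Connectors code; the `user_oid` and `user_upn` field names come from the page, while the `ts` field name, the 90-day threshold, the access list and the log lines are assumed or constructed.

```python
"""Inactivity check for MCP users from the NDJSON audit log against the access list.

Added example, not AI Connectors code. user_oid/user_upn are the page's field
names; `ts`, the 90-day window, the access list and the log lines are constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90                                     # assumed threshold
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)          # constructed "current time"

# Constructed access-list export: group members keyed by oid (stable) -> upn.
ACCESS_LIST = {
    "oid-alice": "alice@example.com",
    "oid-bob": "bob@example.com",
    "oid-carol": "carol@example.com",
}

# Constructed sample of the Firehose -> S3 NDJSON audit records, one tool call per line.
SAMPLE_NDJSON = """\
{"ts": "2024-01-05T09:12:00Z", "user_oid": "oid-bob",   "user_upn": "bob@example.com",   "tool": "search"}
{"ts": "2024-05-20T14:03:10Z", "user_oid": "oid-alice", "user_upn": "alice@example.com", "tool": "search"}
{"ts": "2024-05-30T08:45:00Z", "user_oid": "oid-dave",  "user_upn": "dave@example.com",  "tool": "fetch"}
{"ts": "2024-04-02T11:00:00Z", "user_oid": "oid-alice", "user_upn": "a.renamed@example.com", "tool": "fetch"}
"""


def _parse_ts(value: str) -> datetime:
    # Timestamps are ISO-8601 UTC; fromisoformat wants +00:00 rather than a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(ndjson: str) -> dict[str, datetime]:
    """Latest timestamp per user_oid. Keyed by oid because upn can change on rename."""
    last: dict[str, datetime] = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = _parse_ts(rec["ts"])
        oid = rec["user_oid"]
        if oid not in last or ts > last[oid]:
            last[oid] = ts
    return last


def inactive_users(access_list: dict[str, str], ndjson: str,
                   now: datetime = NOW, days: int = INACTIVITY_DAYS) -> list[tuple[str, str, str]]:
    """(oid, upn, reason) for access-list members with no activity inside the window.

    Members with no log entry at all are reported too: access that was granted
    but never used is the easiest access to revoke.
    """
    cutoff = now - timedelta(days=days)
    last = last_activity(ndjson)
    findings = []
    for oid, upn in sorted(access_list.items()):
        if oid not in last:
            findings.append((oid, upn, "no activity recorded"))
        elif last[oid] < cutoff:
            findings.append((oid, upn, f"last activity {last[oid].date().isoformat()}"))
    return findings


def unknown_actors(access_list: dict[str, str], ndjson: str) -> set[str]:
    """oids present in the log but absent from the access list.

    Either the exported list is stale or a revoked user was still active; both
    need investigation rather than silent cleanup.
    """
    return set(last_activity(ndjson)) - set(access_list)
```

Feeding the review this way also covers the gap between annual reviews: the same functions can run on a schedule against the previous 90 days of S3 objects and open a ticket for each finding.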
Evidence: access-management.md §5, docs/compliance/controls/sc-01-access-management.md §SC.01.05, §SC.01.06.
SC.02 — IT Security: Network Security and Architecture#
CTRL0537486 — SC.02.01: Design or use networks with adequate controls#
Control Text: Design or use networks which adequately protect data and segregate solutions in scope of this risk assessment. Implement and maintain sufficiently segregated network architecture by use of network security controls such as firewall technology, proxies, IPS, etc. under the requirements set by the Novo Nordisk Network Security Standard.
Applicability: The IT Solution is connected to a network.
Additional Description
Novo Nordisk segregates and differentiates between Novo Nordisk networks and non-Novo Nordisk networks. Between those two, a centrally operated firewall device should be placed.
The internal network is to be configured and operated based on best practice principles. Internal segregation is in most cases mandated by isolating systems not meeting Novo Nordisk General network standards (patching, non-GISP operating systems, etc.).
The NN Network Security Standard (located in the Network Security Toolbox) specifies how to design and operate a network according to a set of security principles. Security controls such as IPS and IDS are technologies used to inspect traffic and stop malicious activity.
An effective intrusion detection and prevention system should be implemented on systems facing the internet in order to monitor the network for successful or unsuccessful intrusion attempts from external parties.
Detailed Description
Implementation Considerations
CTRL0537511 — SC.02.02: Ensure that the implemented network controls are effective#
Control Text: Ensure that the implemented network security controls are managed and maintained according to agreed best practice and anchored in relevant operational agreements or SLAs.
Applicability: The IT Solution is connected to a network.
Additional Description
The NN Network Security requirements (located in the Network Security Toolbox) specify how to design and operate a network according to a set of security principles.
To assure that all security-related network components are well functioning and that changes are under control, it is advised to use a central monitoring system that:
- Tracks the status of these controls at all times
- Ensures all changes to these controls are authorised and documented
Due to the criticality and impact that a malfunctioning or End-of-Life network security device could cause, it is important to have a clear picture of the SLA/contracts that components should live up to.
Detailed Description
Implementation Considerations
CTRL0537526 — SC.02.04: Separate environments (production / non-production)#
Control Text: Separate environments (production, development, test, validation, sandboxes) physically, logically, or in time.
Applicability: Basic IT security requirement.
Additional Description
The main objective of environment separation is to ensure that production environments are reliable and that patients always have access to their medicines.
From an information security perspective, environment separation:
- Protects the availability and stability of production by ensuring configuration and application changes are first tested in development/sandbox environments
- Restricts the number of user accesses to production
- Reduces the risk of accidental or malicious changes to live systems
At least one non-production environment (such as a validation environment) should have configuration and security controls identical to the production environment. The separation can be achieved through dedicated hardware, virtualised environments, or time-based promotion (an environment is promoted to production and can no longer be used for validation). Once an environment is in production, all security controls must be applied and followed.
Detailed Description
Implementation Considerations
SC.03 — IT Security: Data Protection#
CTRL0537482 — SC.03.01: Protect information using defined controls#
Control Text: Protect information by using data protection tools and techniques, such as encryption, when transmitted over open lines (including lines shared with other companies). Use cryptographic algorithms according to industry standards and best practices.
Applicability: Basic IT Security Requirement.
Additional Description
When sending or receiving data:
- Always encrypt over open lines.
- For strictly confidential data, always encrypt.
- All NN data shared over any network (including CORP and closed lines) should be encrypted.
IT solutions must protect data in accordance with its classification as defined in "Protecting and Handling Information" (Q190751).
Encryption in transit:
- Use TLS for data transmission. Default to TLS 1.3 (with TLS 1.2 as fallback); disable all other protocols.
- Follow GIS recommendations on the "TLS Guidelines for Novo Nordisk" page.
- When transmitting over the internet, use only HTTPS, SFTP, or SSH.
Protecting PII: Consider data masking, pseudonymization, or anonymization techniques to hide sensitive data such as PII. When using these techniques, verify that data has been adequately protected. Refer to the NIST guidance on De-Identification of Personal Information and the Information Classification and Protection toolbox.
For guidelines on approved algorithms and key sizes, refer to "Guideline for Use of Cryptography in Novo Nordisk".
Detailed Description
Implementation Considerations
CTRL0537516 — SC.03.02: Protect information at rest#
Control Text: Protect information at rest by using data protection mechanisms, such as encryption, masking, or storage area restriction policies. Consider data lifecycle planning including deletion policies and data redundancy in multiple geographical locations. Use cryptographic algorithms according to industry standards and best practices.
Applicability: Basic IT Security Requirement.
Additional Description
Data at rest must be stored using protective measures in accordance with its classification as defined in "Protecting and Handling Information" (Q190751).
Confidential and Strictly Confidential data must be:
- Stored on drives or databases with controlled access and permissions.
- Encrypted at rest using industry best practices. Consult "Guideline for Use of Cryptography in Novo Nordisk" for approved algorithms and key sizes.
- Destroyed in a way that ensures it cannot be restored.
- Subject to additional procedures for external access (see Q190751).
Apply protection at multiple layers: Avoid excessive trust in the IT service provider's ability to protect data at all times. Ensure a sufficiently layered security model is implemented. For example, lack of database encryption can expose data to application supporters, DBAs, OS administrators, storage administrators, and backup administrators. Assess where and how to implement encryption as part of the IT solution architecture review.
End-user considerations: The solution manager should evaluate whether specific end-user guidance is needed (e.g. acceptable use policies), such as informing users they are not allowed to email information extracted from the system.
Consult the Cryptography Toolbox for further recommendations on using encryption in Novo Nordisk.
Detailed Description
Implementation Considerations
CTRL0537494 — SC.03.03: Disposing of data-carrying media#
Control Text: When disposing of data-carrying media (for instance disks and USB drives) ensure that data is deleted and cannot be restored. If deletion of data is not possible, destroy the data media.
Applicability: Basic IT Security Requirement.
Additional Description
Equipment containing strictly confidential or confidential data on non-encrypted media must be physically destroyed. Full re-encryption of encrypted media is considered equivalent to destruction.
- Follow NIST SP 800-88 or other recognised information deletion methods for other geographical areas.
- For Novo Nordisk-managed hardware, refer to the Secure Computer Disposal page. In Denmark, equipment can be dropped off at the IT Recycling Centre, which ensures correct data disposal.
Detailed Description
Implementation Considerations
CTRL0537531 — SC.03.04: Address the need for additional data protection#
Control Text: Address the need for additional IT security controls due to IT System specific regulatory requirements and add those to the IT security control requirements.
Applicability: The supported business process is subject to other regulatory requirements.
Additional Description
IT solutions may be subject to additional requirements not covered by the IT Risk Assessment tool. These could include local regulatory requirements (e.g. GDPR, HIPAA) or controls related to the specific business process area the IT solution supports.
The IT Risk Assessment tool has a built-in section specifically dedicated to documenting these additional requirements or controls.
Detailed Description
Implementation Considerations
CTRL0537502 — SC.03.07: Store secrets such as private keys securely#
Control Text: Store secrets such as private keys, sensitive configuration data, API keys, and cryptographic materials in a secure location with strict access controls, such as a secure key vault, a cloud-based secrets manager, or a hardware security module (HSM). Implement mechanisms to rotate secrets at defined intervals or upon certain triggers.
Applicability: Basic IT Security Requirement.
Additional Description
The secure storage and management of secrets is a critical aspect of IT security. Key principles:
- Use a secure location with strict access controls. Approved solutions include the Novo Nordisk Privileged Identity Management (PIM) solution and native cloud services such as AWS Secrets Manager or Azure Key Vault.
- Adhere to industry standards for cryptographic key lifecycle management. Consult the "Guideline for Use of Cryptography in Novo Nordisk" for approved algorithms and key sizes.
- Automate the creation, distribution, rotation, and revocation of keys and secrets to the extent possible.
- Validate the proper usage of certificates regularly. Automate renewal well before expiry to avoid service disruptions. The Novo Nordisk PKI supports this.
- Alert on upcoming certificate expirations and automate the purging of expired certificates.
- Ensure new certificates are validated and deployed seamlessly without manual intervention.
This control applies to both on-premise and cloud environments and is technology-neutral.
Detailed Description
Implementation Considerations
SC.04 — IT Security: Vulnerability and Patch Management#
CTRL0537503 — SC.04.01: Define which parts of the IT system require patching#
Control Text: Define which parts of the IT Solution should be regularly assessed for vulnerabilities.
Applicability: Basic IT security requirement.
Additional Description
The first step in vulnerability management is determining which parts of the IT solution need to be assessed or scanned. Consider, for example:
- Is it relevant to scan the operating system, or only the application layer?
- Are only certain parts of the application in scope?
- If the solution is on the CORP network, some parts may be automatically updated by Global IT Operations (GITO) — for more information see the IT Hub article on centralised IT security updates.
Detailed Description
Implementation Considerations
CTRL0537512 — SC.04.02: Define a process for routine assessment and patching#
Control Text: Define a process for routine assessment and remediation, mitigation or risk acceptance of vulnerabilities on the IT Solution.
Applicability: The IT Solution is not on CORP or PSNet, or not using centrally managed patching.
Additional Description
All IT solutions should ensure processes are in place (via scanning or assessment) to identify vulnerabilities across the solution. In addition, local processes should be established to keep track of published vulnerabilities for critical components, for example by monitoring news feeds from relevant vendors and communities.
If the IT solution is placed on CORP or PSNet networks, the vulnerability assessment service offering described in the IT Hub may be relevant.
Detailed Description
Implementation Considerations
CTRL0537499 — SC.04.03: Perform routine assessment and patching#
Control Text: Perform routine assessment and remediation, mitigation or risk acceptance of vulnerabilities on the IT Solution.
Applicability: The IT Solution is not on CORP or PSNet, or not using centrally managed patching.
Additional Description
When vulnerabilities are identified, assess the urgency and criticality of each and decide on appropriate action. Typically, appropriate action involves:
- Configuration changes
- Implementation of patches
- Acceptance of non-critical vulnerabilities (must be anchored in a risk assessment of the vulnerability in the context of the IT solution)
Detailed Description
Implementation Considerations
CTRL0537514 — SC.04.06: Urgent vulnerabilities must always be patched#
Control Text: Urgent vulnerabilities must always be addressed as soon as possible after formal notification from DD&IT or Global Security Operations (GSO).
Applicability: Basic IT security requirement.
Additional Description
IT solutions should always be updated and patched as soon as possible when critical vulnerabilities are discovered. The expected response time and process should be defined as part of the control implementation (e.g. in the Operations & Maintenance document).
GITO and Global Security Operations (GSO) will publish formal notifications for critical vulnerabilities.
If the IT solution is delivered by a third-party vendor, a formal process must exist for the vendor to notify IT system owners/managers or Product Owners in Novo Nordisk. The notification contact and response time should be regulated in the contract between Novo Nordisk and the vendor.
Detailed Description
Implementation Considerations
CTRL0537483 — SC.04.09: Decide which components must be monitored#
Control Text: Unless otherwise decided by the CISO, decide which components must be part of a patch management process, and decide on the patch process, including frequency.
Applicability: Basic IT security requirement.
Additional Description
Establish a foundation for integrating patching into maintenance processes per component, covering:
- Responsibility: Who is responsible for patch evaluation (e.g. IT solution manager, vendor, Global IT)?
- Frequency: How often are patches evaluated (e.g. monthly, quarterly, yearly)?
- Approach: How are patches applied (e.g. via release process, ad-hoc/emergency, infrastructure releases)?
If the solution is on the CORP network, some parts may be automatically updated by GITO. For more information, see the IT Hub article on centralised IT security updates and the Security Patch Management - Client PCs and Windows Servers - Guideline on the IT&Q Portal.
Detailed Description
Implementation Considerations
CTRL0537520 — SC.04.10: Evaluate security patches on a risk basis#
Control Text: Evaluate security patches on a regular basis and decide if they are relevant for the IT Solution and if they need to be approved by an IT supplier (for instance the IT Solution provider) before being implemented.
Applicability: Basic IT security requirement.
Additional Description
In accordance with the patch governance defined for the IT solution, patches should be evaluated as part of ongoing maintenance. The purpose is to identify and understand the benefits and risks associated with implementing a given patch.
IT solutions that are not security patched in a timely manner according to vendor recommendations should be effectively isolated from computer networks and the internet, where relevant.
If the solution is on the CORP network, some parts may be automatically updated by GITO. Refer to the Security Patch Management - Client PCs and Windows Servers - Guideline and the Database Security Patch Management Guidelines on the IT&Q Portal.
Detailed Description
Implementation Considerations
CTRL0537498 — SC.04.11: Implement relevant patches at a defined frequency#
Control Text: Implement relevant patches at the earliest convenient time. Before implementing the patch, assess or test the compatibility to avoid adverse impact on the business processes.
Applicability: Basic IT security requirement.
Additional Description
To reduce the risk of security vulnerabilities and ensure the solution remains up-to-date, implement relevant patches as soon as possible after they become available.
Before implementing a patch:
- Test compatibility on a lower environment (e.g. dev or test) to identify potential issues.
- Ensure patch implementation is included in the change management process.
- Have a rollback plan in place in case of adverse impact.
If the solution is on the CORP network, some parts may be automatically updated by GITO. Refer to the Security Patch Management - Client PCs and Windows Servers - Guideline and the Database Security Patch Management Guidelines on the IT&Q Portal.
Detailed Description
Implementation Considerations
CTRL0537522 — SC.04.16: The processes for routine assessment must be documented#
Control Text: The processes for routine assessment and remediation, mitigation or risk acceptance of vulnerabilities on the IT solution and its components must include an assessment of vendor recommendations for timely deployment of changes. List of IT solution's components (incl. servers) in scope of potential patching and list of patches deployed must be maintained or producible on demand. If a patch has not been deployed in due time, the reason must be documented.
Applicability: Basic IT security requirement. Applies to components managed outside of central patch management processes.
Additional Description
The vulnerability management process must take supplier advisories and recommended deployment timelines into account.
Deviations from supplier recommendations are acceptable when supported by adequate risk-based justification. Justification can be made at the level of a single vulnerability or as a policy choice in the vulnerability management process. The key is demonstrating that deviations are deliberate, risk-informed decisions — not gaps in the security program.
Maintain a record of patches/changes applied per component (patch ID, dates, owner, test/rollback notes). For cloud solutions, include these requirements in vendor contracts and require vendors to produce patch evidence on demand.
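As an added example (not part of the control page), the following Python checks a per-component patch record of the kind described above against assumed vendor deployment windows: it reports, for each patch, whether it was deployed in due time, and flags patches that missed the window without a documented reason, plus in-scope components that have no record at all. The record layout, the window lengths, the component names and all dates are constructed assumptions.

```python
"""Check patch records against vendor deployment windows (SC.04.16).

Added example, not part of the control page. The record layout, the
vendor windows and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed vendor-recommended deployment windows, in days after the advisory.
VENDOR_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class PatchRecord:
    """One line of the per-component patch record the control asks for."""
    component: str              # server / service from the in-scope component list
    patch_id: str
    severity: str               # key into VENDOR_WINDOW_DAYS
    advisory_date: date         # when the vendor published the advisory
    deployed_on: Optional[date] = None
    owner: str = ""
    notes: str = ""             # test / rollback notes
    deviation_reason: str = ""  # mandatory when the patch missed its due date


def due_date(rec: PatchRecord) -> date:
    """Vendor-recommended deployment deadline for this record."""
    return rec.advisory_date + timedelta(days=VENDOR_WINDOW_DAYS[rec.severity])


def classify(rec: PatchRecord, as_of: date) -> str:
    """Status of one record on a given day.

    deployed_in_time | late_justified | late_unjustified
    pending | overdue_justified | overdue_unjustified
    """
    due = due_date(rec)
    justified = bool(rec.deviation_reason.strip())
    if rec.deployed_on is not None:
        if rec.deployed_on <= due:
            return "deployed_in_time"
        return "late_justified" if justified else "late_unjustified"
    if as_of <= due:
        return "pending"
    return "overdue_justified" if justified else "overdue_unjustified"


def assess(records, as_of: date):
    """Produce the on-demand evidence table: one row per patch record."""
    return [
        {"component": r.component, "patch_id": r.patch_id,
         "due": due_date(r).isoformat(), "status": classify(r, as_of)}
        for r in records
    ]


def unjustified(records, as_of: date):
    """Records that missed the vendor window with no documented reason."""
    return [(r.component, r.patch_id) for r in records
            if classify(r, as_of).endswith("_unjustified")]


def inventory_gaps(records, in_scope_components):
    """In-scope components with no patch record at all (nothing was evaluated)."""
    seen = {r.component for r in records}
    return sorted(c for c in in_scope_components if c not in seen)


# Constructed sample data (component names, patch ids and dates are made up).
AS_OF = date(2024, 4, 1)
IN_SCOPE = ["ai-conn-api-01", "ai-conn-db-01", "ai-conn-worker-01", "ai-conn-bastion-01"]
SAMPLE_RECORDS = [
    PatchRecord("ai-conn-api-01", "PATCH-0001", "critical", date(2024, 3, 1),
                deployed_on=date(2024, 3, 5), owner="ops-team",
                notes="tested in dev; rollback = snapshot restore"),
    PatchRecord("ai-conn-api-01", "PATCH-0002", "high", date(2024, 2, 1),
                deployed_on=date(2024, 3, 20), owner="ops-team",
                deviation_reason="vendor fix regressed in test; deployed after hotfix"),
    PatchRecord("ai-conn-db-01", "PATCH-0003", "medium", date(2023, 12, 1)),
    PatchRecord("ai-conn-worker-01", "PATCH-0004", "low", date(2024, 3, 15)),
    PatchRecord("ai-conn-db-01", "PATCH-0005", "critical", date(2024, 3, 20),
                deviation_reason="risk accepted: host isolated from network pending decommission"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RECORDS, AS_OF):
        print(row)
    print("unjustified:", unjustified(SAMPLE_RECORDS, AS_OF))
    print("no record:", inventory_gaps(SAMPLE_RECORDS, IN_SCOPE))
```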
Detailed Description
Implementation Considerations
SC.05 — IT Security: System Hardening and Configuration#
CTRL0537508 — SC.05.01: Disable or remove unnecessary services and features#
Control Text: Disable or remove unnecessary security risks by: (i) changing, deleting or disabling default credentials/passwords; (ii) removing unnecessary software and functionality; (iii) removing unnecessary usernames/logins; (iv) disabling or removing unnecessary services (such as Java and web services); (v) disabling network access to all unnecessary network resources, including the Internet.
Applicability: Basic IT security requirement.
Additional Description
These system hardening actions reduce the attack surface and minimise unnecessary security risks. If it is not possible to mitigate risks by performing the actions described above, implement compensating controls such as physical entry controls and/or network isolation.
It is recommended to implement acknowledged best-practice secure configuration as maintained by the software vendor, IT service provider, or other credible domain expert.
Detailed Description
Implementation Considerations
CTRL0537517 — SC.05.02: Use a Novo Nordisk hardening guideline#
Control Text: Use a Novo Nordisk guideline for secure development or configuration of the specific IT Solution or component if such a guideline exists, or use a vendor or industry best practice.
Applicability: Basic IT security requirement.
Additional Description
For guidelines on managing IT solution development, see "Manage design and development of IT systems - Guideline" on the Development section of the IT&Q Portal. For Novo Nordisk coding best practices, see "SOP Computer Systems Coding Standard" on ITQ.
Additionally, refer to OWASP resources for best practices on various IT components.
Detailed Description
Implementation Considerations
CTRL0537532 — SC.05.04: Configure inactive sessions to time out#
Control Text: Configure inactive sessions to time out after a given time period.
Applicability: Basic IT security requirement.
Additional Description
IT solutions should enforce time-out functionality that balances the risks of unauthorized usage with the required operational flexibility. When determining the appropriate time-out period, consider:
- User role and permissions: An end-user on a website poses less risk than an administrator on the same website.
- Physical access controls: A computer in a production facility with strict access controls is less likely to be misused than a laptop used in a public location.
- Operational flexibility: A device used in a sterile room where frequent re-authentication impairs operations warrants a longer time-out.
Novo Nordisk generally adopts a 15-minute time-out as a standard configuration.
Detailed Description
Implementation Considerations
CTRL0537521 — SC.05.06: Ensure that time is synchronised#
Control Text: Ensure that time is synchronised with a consistent and accurate time source, such as using the Novo Nordisk NTP standard.
Applicability: Basic IT security requirement.
Additional Description
Accurate timekeeping is important for both GxP-critical business processes and IT security forensics, which rely on accurate log timestamps to react to security events. Novo Nordisk requires use of a centrally managed time source for network-connected equipment.
Two primary synchronisation methods:
- Windows Time Service: Used when a Microsoft server or workstation is joined to the domain. Time is updated automatically — no additional configuration needed.
- NTP: Used for Linux, network devices (firewalls, routers, switches), and servers not joined to a domain. Must be configured manually. Contact the helpdesk of the infrastructure operator for the IP address and FQDN of the authorised NTP server.
For additional information, see "Time Keeping at Novo Nordisk - Guideline" on the Manage IT Risks section of the IT&Q Portal.
Detailed Description
Implementation Considerations
SC.06 — IT Security: Malware Protection#
CTRL0537534 — SC.06.05: Implement malware protection where relevant and possible#
Control Text: If relevant and possible, implement application whitelisting.
Applicability: The IT System is not on CORP or PSNet.
Additional Description
For servers outside CORP and PSNet, it is recommended to apply application whitelisting tools based on a risk assessment, using the technology suggested by the relevant IT service provider. Application whitelisting is implemented on the server(s) of the IT solution, and an application-specific policy is established to outline which software elements may be executed on the host.
For information on the current application whitelisting solution in Novo Nordisk, see the entry on the Service Catalogue.
Detailed Description
Implementation Considerations
SC.07 — IT Security: Logging and Monitoring#
CTRL0537487 — SC.07.01: Define the security monitoring and logging requirements#
Control Text: Based on risk, define the security events that must be logged and establish a process for review of these. Relevant events to consider include: (i) creation, modification, or deletion of data; (ii) system configuration settings; (iii) creation, change and cancellation of access authorisation; (iv) successful/unsuccessful login attempts including date/time and UserID; (v) activities performed by privileged users; (vi) use of temporary access keys/tokens; (vii) changes to cryptographic keys or other secrets.
Applicability: Basic IT security requirement.
Additional Description
As part of the risk assessment and system design, determine the purpose for which logs are created, what data is collected, and any requirements for protecting log data.
Each log event should include, as applicable:
- User IDs, system activities, dates and times
- Device identity, system identifier and location
- Network addresses and protocols
Events to consider for monitoring unusual activities:
- Successful and rejected system/data access attempts
- Changes to system configuration and use of privileges
- Files accessed and type of access, including deletion of important files
- Creation, modification or deletion of identities
- Activation/de-activation of protection systems (e.g. antivirus, intrusion detection)
- Unusual or risky user activity (e.g. shift in activity pattern)
Log retention: The retention period should reflect identified risks. Note that incidents are empirically not discovered until after 6–8 months. The GID Log Collection service should not be considered a log retention service — IT Solution Managers remain responsible for ensuring log retention is agreed with the vendor managing the servers.
Detailed Description
Implementation Considerations
CTRL0537513 — SC.07.02: Review logs on a periodic basis#
Control Text: Review logs on a periodic basis according to the defined log requirements.
Applicability: Basic IT security requirement.
Additional Description
Once log requirements are defined (per SC.07.01), logs must be reviewed at the defined frequency. Document all log review activities, including:
- Which logs were reviewed
- Results of the review
- Any incidents identified
Detailed Description
Implementation Considerations
CTRL0537527 — SC.07.04: Ensure that log files cannot be tampered with#
Control Text: Ensure that log files cannot be subject to unauthorised changes and that logs are available when relevant, preferably for a time period equal to that of the user review.
Applicability: Basic IT security requirement.
Additional Description
Users, including those with privileged access rights, should not have permission to erase or deactivate logs of their own activities. Controls should protect against:
- Alterations to the message types that are recorded
- Log files being edited or deleted
- Storage capacity being exceeded, resulting in failure to record events or overwriting of past records
Techniques to consider for log protection:
- Cryptographic hashing
- Recording in an append-only and read-only file
- Recording in a public transparency file
Note that event logs can contain sensitive data and PII — appropriate privacy protection measures should be taken.
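The cryptographic hashing and append-only techniques listed above, as an added example that is not part of the control page: each record is written as a JSON line that carries the hash of the previous record, so an edited or removed record breaks the chain, and the latest hash (the "tip") is returned so it can be stored out of band, which is what catches the one case the chain alone cannot, removal of the trailing records. The file layout, field names and the sample events are constructed assumptions.

```python
"""Tamper-evident log: a hash chain over JSON lines (added example).

Not part of the control page. Record layout, file names and sample events
are assumptions; the writer only ever opens the file in append mode.
"""
import hashlib
import hmac
import json
import os
import tempfile

GENESIS = "0" * 64  # chain anchor used as "previous hash" for the first record


def _record_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes alike.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode()).hexdigest()


def append_event(path: str, payload: dict) -> str:
    """Append one event chained to the last line's hash; return the new tip hash."""
    prev = GENESIS
    if os.path.exists(path) and os.path.getsize(path) > 0:
        with open(path, "rb") as f:
            prev = json.loads(f.read().splitlines()[-1])["prev_next"]
    h = _record_hash(prev, payload)
    line = json.dumps({"prev": prev, "event": payload, "prev_next": h}, sort_keys=True)
    with open(path, "a", encoding="utf-8") as f:  # append-only; pair with chattr +a on Linux
        f.write(line + "\n")
    return h


def verify_chain(path: str, expected_tip: str = None):
    """Recompute every hash in file order. Returns (ok, reason)."""
    prev = GENESIS
    with open(path, "r", encoding="utf-8") as f:
        for n, line in enumerate(f, start=1):
            rec = json.loads(line)
            if rec["prev"] != prev:
                return False, f"line {n}: previous-hash mismatch (record inserted or deleted)"
            if not hmac.compare_digest(rec["prev_next"], _record_hash(prev, rec["event"])):
                return False, f"line {n}: content hash mismatch (record edited)"
            prev = rec["prev_next"]
    if expected_tip is not None and not hmac.compare_digest(prev, expected_tip):
        return False, "tip mismatch (trailing records removed)"
    return True, "chain intact"


def demo() -> dict:
    """Constructed sample: three events, then three tampering attempts."""
    path = os.path.join(tempfile.mkdtemp(), "audit.log")
    events = [  # sample events; the account name is made up
        {"ts": "2024-01-10T08:00:00Z", "user": "ADMIN-0000", "action": "login"},
        {"ts": "2024-01-10T08:05:12Z", "user": "ADMIN-0000", "action": "secret_rotated", "id": "db-pw"},
        {"ts": "2024-01-10T08:07:40Z", "user": "ADMIN-0000", "action": "logout"},
    ]
    tip = ""
    for e in events:
        tip = append_event(path, e)  # tip would be forwarded to central log collection
    results = {"intact": verify_chain(path, tip)[0]}
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()

    def overwrite(ls):  # simulates someone with write access to the file
        with open(path, "w", encoding="utf-8") as f:
            f.write("\n".join(ls) + "\n")

    edited = json.loads(lines[1])
    edited["event"]["id"] = "nothing"  # change what was rotated
    overwrite([lines[0], json.dumps(edited, sort_keys=True), lines[2]])
    results["edit_detected"] = not verify_chain(path, tip)[0]
    overwrite([lines[0], lines[2]])  # drop the middle record
    results["delete_detected"] = not verify_chain(path, tip)[0]
    overwrite(lines[:2])  # drop the last record: only the external tip catches this
    results["truncate_detected_by_chain_alone"] = not verify_chain(path)[0]
    results["truncate_detected_with_tip"] = not verify_chain(path, tip)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Hashing alone does not stop someone who can rewrite the whole file and recompute the chain; the out-of-band tip (or a key-based MAC) is what makes that rewrite detectable.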
Detailed Description
Implementation Considerations
CTRL0537515 — SC.07.06: Determine which IT components require monitoring#
Control Text: Determine which IT components and the type of log events which should be monitored, and how, in order to discover unauthorised activity in the IT Solution. Ensure events are monitored on a regular basis.
Applicability: Basic IT security requirement.
Additional Description
Event logging forms the foundation for automated monitoring systems capable of generating reports and alerts on security events. All systems should share the same time source to allow correlation of logs across systems during incident investigations.
To implement log monitoring in practice:
- Determine the IT components and log event types to monitor (see SC.07.01).
- Choose a log monitoring tool suited to the organisation's needs. On cloud platforms, consider using the platform provider's native monitoring service.
- Configure the tool to monitor the identified components and events, and set up alerts and notifications for suspicious activity.
- Act immediately on any suspicious activity detected — investigate and remediate (e.g. disabling user accounts, blocking IP addresses).
Detailed Description
Implementation Considerations
SC.08 — IT Security: Security Incident Management#
CTRL0537523 — SC.08.01: Set up a process to ensure that incidents are reported#
Control Text: Set up a process to ensure that relevant IT security incidents, or suspicion of IT security incidents, are urgently sent for verification to technical personnel responsible for operating the IT solution.
Applicability: Basic IT security requirement.
Additional Description
IT solutions should, in their operational setup, include practices and processes for handling possible security events. Such processes should include:
- Escalation of possible security events to the Global Information Security team or to the help-desk to facilitate further investigation.
- Steps to prevent further proliferation of security compromises.
Possible security-related events should be sent to globalsecops@novonordisk.com as soon as possible.
Detailed Description
Implementation Considerations
CTRL0537528 — SC.08.02: If verified that an incident is occurring, take action#
Control Text: If verified that an incident is an IT security incident, ensure escalation to Global Security Operations for investigation.
Applicability: Basic IT security requirement.
Additional Description
Once a security incident has been verified, escalate immediately to globalsecops@novonordisk.com.
Detailed Description
Implementation Considerations
SC.09 — IT Security: Asset Management#
CTRL0537518 — SC.09.01: Maintain a list of critical components#
Control Text: Maintain a list of critical components of the IT Solution.
Applicability: Basic IT security requirement.
Additional Description
Establishing a basic inventory of technical components is fundamental for maintaining the IT solution and is an important input for security processes such as patch management, technical vulnerability management, and system hardening.
It is not necessary to document all components exhaustively — focus on identifying the critical components that need to be protected and managed. Examples of fields to document per component:
- Type: Server, network device, etc.
- Location: City, building, room, rack
- Manufacturer / Model / Version / Serial Number
- Hardware support status: e.g. EoL date, support contract in place
- Software: OS and application versions
- Host name / IP address
- Point of contact: Name, email, phone number
For more information on hardware asset management, see the dedicated site on the IT Hub.
Detailed Description
Implementation Considerations
CTRL0537496 — SC.09.02: Add an overview of components and their dependencies#
Control Text: It is recommended to add an overview of system/network architecture and data flow in addition to the list of critical components.
Applicability: Basic IT security requirement.
Additional Description
Data flow diagrams and system/network architecture overviews help visualise the different system components and the data flows between them. This makes it easier to:
- Identify confidential information that needs to be protected
- Identify system components that may require additional security controls
Detailed Description
Implementation Considerations
CTRL0537491 — SC.09.04: Critical infrastructure documentation#
Control Text: Critical infrastructure, such as domain controllers, must not be physically located in geopolitically unstable regions or areas under international trade sanctions. Any existing or planned deployments in these regions must obtain prior authorisation from Global Information Security.
Applicability: The IT Solution is an infrastructure.
Additional Description
The purpose of this control is to ensure that Novo Nordisk's critical infrastructure (including domain controllers, firewalls, switches, and routers) is not exposed to increased risk due to geopolitical instability or legal restrictions arising from international trade sanctions.
Key requirements:
- The list of sanctioned and high-risk countries is maintained in the Global Legal & Patents SharePoint site. When in doubt, consult the legal department.
- A Type 2 exception from Global Information Security is required for any deployment in sanctioned or high-risk countries, and must be approved by the CISO before deployment.
- If an exception is approved, additional security controls must be implemented (encryption, enhanced monitoring, access controls).
- Contingency plans should include rapid relocation or shutdown of critical infrastructure.
- Periodically review the geopolitical situation and international sanctions to ensure ongoing compliance.
The attestation response is "Yes" with a statement that the infrastructure is not placed in a geopolitically unstable zone, supported by a network diagram or similar.
Detailed Description
Implementation Considerations
SC.10 — IT Security: IT Recovery#
CTRL0537500 — SC.10.01.01: Determine adequate backup policy#
Control Text: Determine adequate backup processes of IT solution and data, reflecting the business requirements including RPO or agreed supplier metrics (KPIs), the security requirements and criticality of the information.
Applicability: Basic IT security requirement.
Additional Description
Understand the criticality of data and IT solutions by collaborating with business stakeholders to determine acceptable data loss (RPO — Recovery Point Objective). RPO refers to the maximum amount of data that can be lost between a critical event and the most recent backup preceding it. As a general rule: the smaller the RPO, the higher the cost of the solution.
Key steps:
- If backups are managed by an external supplier, establish KPIs reflecting backup objectives within SLAs and regularly review supplier performance.
- Document and communicate clear backup objectives that support business continuity requirements.
- Choose appropriate backup methods (full, incremental, or differential) based on data volume and frequency of changes.
For more information, see "Manage backup and recovery of IT systems - Guideline" on the Manage Backup and Recovery section of the IT&Q Portal.
Detailed Description
Implementation Considerations
CTRL0537484 — SC.10.01.02: The backup process must be verified#
Control Text: The backup process must be tested on a regular basis to verify data integrity and availability. Evidence must be retained for verification.
Applicability: Basic IT security requirement.
Additional Description
Conduct routine tests of the backup process to confirm that data can be accurately restored and is available when needed. Keep records of these tests, including:
- Dates of tests
- Issues found during tests
- Corrective actions taken
This evidence demonstrates the backup process's effectiveness and reliability.
For more information, see "Manage backup and recovery of IT systems - Guideline" on the Manage Backup and Recovery section of the IT&Q Portal.
Detailed Description
Implementation Considerations
CTRL0537476 — SC.10.02: Ensure that backups have sufficient retention#
Control Text: Ensure that backups have a sufficient level of physical security.
Applicability: Basic IT security requirement.
Additional Description
The information stored in a backup is just as critical to protect as the IT solution itself, and should be subject to similar physical security controls. Special consideration should be given to backups of critical information — ensure the backup is physically located in a separate location from the primary system.
For guidance on physical security controls, see the SC.11 — Physical and environmental security guidance page.
Detailed Description
Implementation Considerations
CTRL0537492 — SC.10.03.01: Ensure that an IT recovery plan exists#
Control Text: Ensure that an IT recovery plan is developed and maintained, identifying and describing how to restore the IT solution and data in alignment with the business recovery objectives, restoration priorities, and other metrics (e.g. RTO or MTD).
Applicability: Basic IT security requirement.
Additional Description
Create an IT recovery plan detailing the steps to recover systems and data after an incident. The plan should:
- Align with the IT Solution's overall business continuity requirements
- Include specific recovery objectives and priorities (e.g. RTO — Recovery Time Objective, the maximum tolerable downtime after a failure)
- Be regularly reviewed and updated to reflect changes in the IT environment and business needs
As a general rule: the shorter the RTO, the higher the cost of the solution needed to achieve it.
For more information, see "Manage backup and recovery of IT systems - Guideline" on the Manage Backup and Recovery section of the IT&Q Portal.
Detailed Description
Implementation Considerations
CTRL0537480 — SC.10.03.02: Test the IT recovery plan on a periodic basis#
Control Text: Test the IT recovery plan on a regular basis and retain the evidence for verification.
Applicability: Basic IT security requirement.
Additional Description
Establish a schedule for regular testing of the IT recovery plan. Key steps:
- Develop a variety of test scenarios simulating different types of disruptions (minor technical issues through to major disaster).
- Coordinate with all relevant stakeholders to ensure comprehensive testing and clarity of roles.
- During the test, document any issues and evaluate the effectiveness of the recovery procedures.
- After the test, hold a debriefing session to identify weaknesses and update the recovery plan accordingly.
- Maintain detailed records of each test (scenarios, participants, outcomes, plan updates) and store this evidence securely for audit purposes.
Detailed Description
Implementation Considerations
SC.11 — IT Security: Physical and Environmental Security#
CTRL0537489 — SC.11.01–SC.11.02: Place components in physically secure locations#
Control Text: Place components, such as servers, computers acting as servers, firewalls, routers, switches and patch panels, in an appropriate physical location with appropriate security measures such as entry control, fire protection, cooling and protection against flooding.
Applicability: Basic IT security requirement.
Additional Description
Business-critical IT solutions and network equipment should be housed in secure areas protected by defined security perimeters with appropriate security barriers and entry controls. Information processing facilities should be protected from unauthorized access, damage, and interference at all times.
Key considerations:
- Apply a combination of physical and logical access controls to protect IT equipment from unauthorised access.
- Terminate cables directly at devices, avoiding patch connectors when possible, to mitigate malicious control over connections.
- Access to data centres hosting clinical trial data should be controlled by two-factor authentication.
- Where availability requirements are high, consider multiple physical data centres at sufficient distance from each other so that physical incidents (fire, flooding) do not affect all locations simultaneously.
Relevant standards and certifications for physical security best practices: ISO 27001/27002, ISAE 3402, SSAE 16 SOC2, Uptime Institute Tier III/IV, ANSI/TIA-942.
Ensure that the supplier renews their audit or certification annually. Audit reports or client versions should be provided to Novo Nordisk upon request, and Novo Nordisk must have the right to audit data centres where its data is stored.
Detailed Description
Implementation Considerations
CTRL0537525 — SC.11.03: Ensure similar protection for hosted/cloud infrastructure#
Control Text: Ensure similar protection if hosted at an IT supplier/cloud provider.
Applicability: The IT Solution is relying on IT supplier(s).
Additional Description
If the IT solution is hosted with a different vendor (cloud, "as a service" arrangements), ensure that appropriate physical security controls are included in a binding agreement with the supplier. The IT solution owner remains solely responsible for the physical security of the IT solution.
Relevant standards and certifications for physical security best practices: ISO 27001/27002, ISAE 3402, SSAE 16 SOC2, Uptime Institute Tier III/IV, ANSI/TIA-942.
Ensure that the supplier renews their audit or certification annually. Audit reports or client versions should be provided to Novo Nordisk upon request, and Novo Nordisk must have the right to audit data centres where its data is stored.
Detailed Description
Implementation Considerations
SC.12 — IT Security: IT Supplier Controls#
CTRL0537478 — SC.12.01: Ensure that risks to Novo Nordisk from suppliers are assessed#
Control Text: Ensure that the risks to Novo Nordisk IT Solution are appropriately mitigated and that the control environment in any outsourcing situation is comparable to internal control environments. This includes cloud solutions.
Applicability: The IT Solution is relying on IT supplier(s).
Additional Description
The control environment established with an external supplier (including cloud providers) should be comparable to the internal control environment that would be required if the solution were hosted and managed internally.
See the General Guidance section of the SC.12 page on IT Security Central for a more in-depth explanation of how to manage security when working with external suppliers.
Detailed Description
Implementation Considerations
CTRL0537519 — SC.12.02: Ask the supplier to account for their security controls#
Control Text: Ask the supplier to account for how their controls are equal to the controls defined in this IT Risk Assessment.
Applicability: The IT Solution is relying on IT supplier(s).
Additional Description
Use the example Request for Information (RFI) questionnaire (available on the SC.12 guidance page) when asking suppliers to document how their controls are equivalent to those required in the IT Risk Assessment tool.
Detailed Description
Implementation Considerations
CTRL0537497 — SC.12.03: Ensure that an assessment is performed for third-party access#
Control Text: Ensure that an assessment is performed in order to ensure that supplier risks are documented and addressed appropriately.
Applicability: The IT Solution is relying on IT supplier(s).
Additional Description
For information on how to assess suppliers, see "Assessment and evaluation of IT suppliers - Guideline" on the Manage Suppliers section of the IT&Q Portal.
Detailed Description
Implementation Considerations
CTRL0537533 — SC.12.04: Ensure that third parties with access are managed#
Control Text: Ensure that third parties with access to the Novo Nordisk IT Solution follow Novo Nordisk IT security requirements, including requirements defined by this document. Include a right to audit in the contracts.
Applicability: The IT Solution is relying on IT supplier(s).
Additional Description
For information on how to assess suppliers, see "Assessment and evaluation of IT suppliers - Guideline" on the Manage Suppliers section of the IT&Q Portal.
Relevant example documents available on the SC.12 guidance page:
- IT security requirements specification for external IT suppliers
- Contract appendix for non-Tier 1 IT solutions hosted/managed by IT suppliers
- Contract appendix (Tier 1) for IT solutions with Tier 1 physical security requirements
Note: These example documents are based on a completely filled-out IT risk assessment and best practice. Not all controls in those example documents will be suitable or required for every outsourced cloud IT solution.
Detailed Description
Implementation Considerations
SA.01 — Sanctioned Areas#
CTRL0537479 — SA.01.01: All IT solutions intended for use must be sanctioned#
Detailed Description
Implementation Considerations
SU.01 — Manage Supplier#
CTRL0537501 — SU.01.01: Assess the supplier's ability to deliver#
Detailed Description
Implementation Considerations
PD.01 — Personal Data (GDPR)#
CTRL0537504 — PD.01.14: Retention and deletion of personal data#
Detailed Description
Implementation Considerations
CTRL0537493 — PD.01.15: Data breach reporting process#
Detailed Description
Implementation Considerations
CTRL0537481 — PD.01.17: Data Protection Appendix (DPA) with processors#
Detailed Description
Implementation Considerations
CTRL0537507 — PD.01.18: Transfers of personal data to third countries#
Detailed Description
Implementation Considerations
DI.04 — GxP Data Integrity: Data Output#
CTRL0537530 — DI.04.01: Automated transfer processes#
Detailed Description
Implementation Considerations
DI.05 — GxP Data Integrity: Data Access#
CTRL0537529 — DI.05.01: User profiles (roles) must be defined and enforced#
Detailed Description
Implementation Considerations
DI.06 — GxP Data Integrity: Residual Risk#
CTRL0537506 — DI.06.02: Assess and address identified residual risks#
Detailed Description
Implementation Considerations