Issued 20 March 2012
Last updated 12 June 2024
This policy is based on NBIM Policy Management Framework and Financial Reporting and the COBIT good practice framework for information and technology governance, adapted to our operational model for IT services. It is divided in four main IT governance areas. Plan and organise (2.1 to 2.5), Build, acquire and implement (2.6 to 2.8), Deliver and support (2.9 to 2.13), and Monitor and evaluate (2.14).
Policy
Information Technology (IT) is in this policy referred to as data, systems, services and technologies that together provides Norges Bank Investment Management (NBIM) with information, electronic communication and efficient business process execution capabilities.
Strategy and technology direction
- The information technology strategy shall describe strategic objectives, tactical plans and direction for information technology, security, solutions and services. It shall be based on an evaluation of current information technology risks, performance and contribution.
- The information technology strategy shall have its foundation in the overall strategy plan.
- Technology direction shall ensure standardisation and consolidation of solutions and technologies.
- NBIM will foster business innovation by actively pursuing opportunities enabled by emerging technologies.
Architecture
- Data architecture, solution architecture, security architecture and technical architecture are part of the overall architecture represented in NBIM's Management Framework.
- An overview of the current state architecture shall be available at all times.
- Architecture compliance for new and existing solutions and technology shall be defined through principles with a foundation in this policy, strategy and technology direction.
IT processes, organisation and relationships
- IT processes, organisation and relationships shall be defined as part of the Management Framework.
- All information technology processes shall be managed to ensure quality and compliance with control requirements.
Operational risk, quality assurance and security
- IT and IT-security risk shall be managed in accordance with the operational risk framework.
- All solutions shall have a set of business criticality and information security requirements that are monitored and improved regularly.
IT projects
- Major changes to architecture and solutions shall be implemented through projects. All projects shall have a foundation in our strategy plan.
- Governance and the management of projects should scale with the size of the initiatives.
Procurement, development and decomissioning
- Identification and procurement of new solutions shall follow general procurement rules in accordance with the procurement process.
- The procurement and development process shall ensure that architectural, security, quality and operational aspects are considered for all new solutions.
- Business requirements and business case evaluation shall be the basis of acquiring or developing solutions.
- Technology choices shall be based on solution requirements and technology direction.
- Data and technology assets shall be properly disposed of and decommissioned when they are no longer in use.
Development
- Solutions development, configuration and maintenance shall follow the defined development and coding standards across the organisation.
- We shall encourage distributed solution development to enable implementation of innovative and differentiating ideas in support of core activities.
- Governance requirements for development shall scale based on risk.
IT change management
- All changes within the production environment shall be managed through a risk based change management process.
- The change management process shall cover release and deployment, change, configuration, validation and testing as well as change assessment.
Service level management
- An overview of services and solutions shall be maintained. The overview shall include service definitions, service levels, criticality classification, solution ownership and responsibility.
- Services shall be cost efficient. A cost picture including direct and indirect cost shall be maintained for all services. All costs should be followed up on a regular basis in accordance with NBIM Policy Management Framework and Financial Reporting.
Systems portfolio management
- All systems shall have a system owner which represents the business areas drawing benefits from the system.
- All systems shall have a system manager who supports the system owner as required, and ensures that necessary support, change, control and training processes are in place.
- Provider management shall follow general rules in accordance with service provider management principles.
Data management
- We shall ensure efficient provisioning and distribution of data.
- Management of data shall be prioritised according to business value and materiality.
- Data and information elements shall be defined and classified in a central repository.
Service request, incident and problem management
- NBIM shall have timely and effective processes to handle incidents, problems and service requests.
- Root cause analysis shall be done for high impact incidents.
IT security and business continuity
- IT security and business continuity controls and procedures shall be in place to ensure information security risk related to information, IT systems and IT infrastructure is within acceptable levels.
- IT security measures shall take into account confidentiality, integrity and availability classifications of the solutions and data to be protected.
- Disaster recovery for information systems and services shall follow general business continuity management processes.
- IT disaster recovery procedures shall be established and tested on a regular basis.
Monitor and evaluate
- Reporting shall ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels in accordance with requirements.
- Reporting shall be based on agreed upon targets for processes and performance.