At COWI we mitigate threats with several different initiatives, which are continuously assessed and prioritized with the aim of lowering our risk exposure. This way, our security capability is continuously improved to identify, protect, detect, respond, and recover across the organization.
Our security control environment is defined by policies, guidelines, internal processes, and organizational structures that provide the basis for carrying out internal controls across our organization.
Our information and communication systems are designed to meet the requirements applicable to our customers and according to international standards. Control activities include preventive and detective controls, general IT controls, IT application controls and information security controls such as segregation of duties and physical security. Controls are tested on an ongoing basis for compliance and improvements where relevant. As our security framework contains sensitive information related to our processes, controls, infrastructure, and systems, it is not shared externally.
COWI Executive Leadership Team (ELT) has the overall responsibility for Information Security at COWI.
Information Security is managed by our Chief Information Security Officer supported by our Information Security Team.
We have an Information Security Framework and an ISO27001 certified Information Security Management System (ISMS) built in accordance with ISO27001 and NIST. The framework contains all required policies, procedures, and processes to support the standards mentioned.
We have a policy for Risk Management. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
We use our risk management processes to identify and assess threats to COWI and our customers. Threats are documented in a risk register and assessed using documented matrices and criteria. Threats with an assessed risk above our risk acceptance level are mitigated and reported to management.
Threats within our risk acceptance level are re-assessed at least yearly to ensure they remain within risk acceptance.
We perform Business Impact Assessments (BIA) on processes and projects to identify requirements for confidentiality, integrity, and availability (CIA). Our baseline security controls, which are always implemented, can be supplemented by additional controls based on the outcome of individual BIAs.
If you as Customer have requirements for specific or unique Risk Management controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We have a policy for Information Classification. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
We classify information into five categories.
If you as Customer have requirements for specific or unique Information Classification controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We have a policy for Access Management. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
All COWI users are authenticated when accessing corporate IT systems. When working remotely, Multifactor Authentication is required.
Multifactor authentication (MFA) is enabled on all external IT systems if the functionality is provided. If MFA is not possible, the IT system will only be allowed to contain non-critical (low risk) information and access to internal data sources will not be allowed.
Only known COWI devices can connect to our corporate IT network. Externals working from a COWI office can access the internet using our guest IT network.
If you as Customer have requirements for specific or unique Access Management controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We have a policy for Asset Management. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
All electronic devices (including computers and mobile phones) are registered and continuously patched and updated. If patching is not possible due to the device being out of band, access to the COWI network will be revoked.
COWI or Customer data may not be stored on any private device.
If you as Customer have requirements for specific or unique Asset Management controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We ensure that security patches for hardware and software are implemented promptly and that the most secure configurations are applied throughout the COWI IT infrastructure. Vulnerability scans are run weekly against public-facing COWI infrastructure to ensure efficient vulnerability detection and mitigation of possible threats.
We have a policy for Data Privacy. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
COWI has appointed a Data Protection Officer (DPO). The DPO is responsible for the protection of data privacy in all internal processes and external projects.
Our policies and procedures for handling personally identifiable information are in accordance with the EU General Data Protection Regulation (GDPR).
If you as Customer have requirements for specific or unique Data Privacy controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We have a policy for Incident Management. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
Our incident management processes are based on ITIL and are individually documented and monitored.
If you as Customer have requirements for specific or unique Incident Management controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We have a policy for Business Continuity Management. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
Business-critical processes/projects requiring high availability are required to have a documented and tested Business Continuity Plan.
If you as Customer have requirements for specific or unique Business Continuity controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We have a policy for IT Disaster Recovery. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
Any systems supporting business-critical processes/projects requiring high availability are required to have a documented and tested IT Disaster Recovery Plan.
If you as Customer have requirements for specific or unique IT Disaster Recovery controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We have a policy for Awareness & Training. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
COWI acknowledges that the best protection is knowing what to expect, so all employees are trained regularly via COWI Academy. Training covers general physical and cyber security as well as phishing and other topics, so that employees are familiar with corporate security standards and practices. Besides the mandatory training, individual training sessions are also provided to functions where local threats are identified.
If you as Customer have requirements for specific or unique Awareness controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We have a policy for Physical Security. The document is classified ‘Internal use’, as it contains information which in the hands of a malicious person can be misused to impact COWI negatively.
All COWI offices have CCTV monitoring, and access is controlled. Access cards are personal, and sharing is not allowed.
Physical access to server rooms is restricted to essential personnel only. Access is logged and monitored.
If you as Customer have requirements for specific or unique physical security controls to be in place during the duration of the project with COWI, please provide the control(s) in written format.
We have established several data backup systems, securing our data across multiple platforms and applications. Software provided to COWI as a service (SaaS) is protected by backup under the responsibility of each of our suppliers.
What backup systems are we using?
What systems are being backed up?
How often do we run the backup?
How far back can we go with restore?
How do we secure our backups?
In general, we aim to utilize the industry best practice "3-2-1 Backup Rule" or better.
COWI uses internal and external IT auditors who regularly review IT security policies and practices to ensure they are current, including penetration and vulnerability testing of networks and systems. Risk assessments are also used to evaluate the risks of specific work or events.
ISO27001
COWI Group IT is ISO27001 certified. Latest date of certification: 2023-11-03.
Scope: COWI Group IT organization delivering operation, services and infrastructure to production systems, back-office systems, supporting systems, and IT infrastructure to COWI business, supported by the Human Resource, Facility Management and Procurement organization in accordance with the Statement of Applicability version 1.0 dated 22.08.2023. A copy of the certificate can be provided on request to security@cowi.com.
UK Cyber Essentials
COWI UK is Cyber Essentials certified. Latest date of certification: 2023-10-18.
Certification Number: 653cffd4-3208-42f7-b67b-d24bc4734488
Scope: The UK operation of COWI Group (COWI UK ltd.), meaning all computers, laptops, servers, mobile phones, tablets, and firewalls/routers that can access the internet and are used by COWI UK ltd. to access business information. A copy of the certificate can be provided on request to security@cowi.com.
ISAE3000
COWI Group has an ISAE3000 Assurance report. Latest date of report: March 2023.
Scope: Handling of personal data, as part of project execution, in accordance with the COWI standard data processing agreement with customers. A copy of the report can be provided on request to security@cowi.com.
If you discover a problem within COWI processes or have questions regarding information security, we want to know. Feel free to contact us if you have any questions related to cyber and information security via security@cowi.com.