
Testimonials

"The cooperation with Stiki has ensured that the Directorate of Health has constant access to the most current specialisation and consulting in security issues and enabled the Directorate to comply with laws, regulations and recognised standards in information security."

Sigridur Haraldsdottir, Head of Division - Health Statistics
Iceland’s Directorate of Health.

Case studies

Testimonials

Prison and Probation Administration, Iceland

The Prison and Probation Administration, Iceland is a governmental agency under the supervision of the Ministry of Justice. The office stores sensitive information regarding its clients. To ensure the security of that information, the office regularly conducts risk assessments using Stiki OutGuard.

„Stiki OutGuard proved to be a pleasant surprise for us. This program makes work on preparing risk assessment a lot easier.

The program is developed by professionals in the field and the needs of companies and institutions seem to have been well looked after. It makes it easier to gain an overview of these issues and it should be easier to follow up on activities.

Stiki's reputation, as well as the experience that our institute has had from working with them, is that of a responsible company that has been successful in its field.

It is very important to protect sensitive personal information to guard the rights of individuals and it is also very important that information is handled correctly and processed carefully and accurately.“

Hafdis Gudmundsdottir
Office manager of Prison and probation administration, Iceland

Social Services of the Municipality of Reykjavík

Following the passing of Act No. 77/2000 based on EU directive 95/46 on the Protection and Processing of Personal Data, the Social Services of the Municipality of Reykjavík decided to place an even greater emphasis on ensuring security in the treatment of personal information. The Social Services deal with a large amount of sensitive information regarding personal matters of individuals and there has always been a strong emphasis on the need for handling such information correctly and ensuring its security.

In 2004, work began on preparing a risk assessment in connection with an audit that the Icelandic Data Protection Authority decided to make regarding the security of information at the Social Services, according to the act on the protection and processing of personal data. In connection with that work it was decided to contact Stiki, since employees of the Social Services had been introduced to Stiki's operations in a course where it became apparent that the services of Stiki covered the issues that the Social Services were dealing with.

„The co-operation with Stiki has been exceptionally good and the Stiki OutGuard program has proved very useful for this work. The Social Services decided to rent the program and it has been used for continuing work on risk assessments for more operating units.

Its use has been a great advantage for the Social Services since it is easy to use and very extensive so that it is also suited for operations other than public services. Using the program saved a lot of time and ensured that the work was performed systematically. The services of Stiki were therefore an important part of ensuring information security at the Social Services of the Municipality of Reykjavík.“

Helga Jona Benediktsdottir
Supervisor Legal department of Social Services of the Municipality of Reykjavik

Ministry of Health and Social Security Department of Health Centers, Hospitals and Ageing

Stiki has for several years developed and implemented RAI systems and a system for pre-admission evaluation of elderly people applying for admission to homes for the elderly. The system is one of three systems developed by Stiki for the health sector.

„The knowledge, integrity and respect which Stiki's employees have shown to the project is unique. The genesis of these electronic aids has not only improved the tendance of the elderly but is also being spread out to other services. May the ministry's successful cooperation with Stiki continue.“

Hrafn Palsson
Ministry of Health and Social Security former Head of Department of Health Centers, Hospitals and Ageing

Kreditkort - Mastercard

Kreditkort hf. handles the issuing of international MasterCard credit cards and Maestro debit cards and acquiring for MasterCard, Maestro, Amex, Diners and JCB cards. The company's card management system is the foundation of its operations. Due to the nature of these operations, the company stores a great amount of personal information in its information systems. It is therefore very important to Kreditkort hf. to ensure the security of its information systems and the professional treatment of the information stored therein.

„When looking for the best way to ensure that the organisation of information technology within the company (e.g. the security of information systems, the treatment of personal information and the handling of such matters) complied with laws and official regulations, the company decided to implement an information security control system based on the ISO/IEC 27002:2005 security standard. The company sought expert assistance from several parties for the job and Stiki ehf. was selected from that group.

Kreditkort hf. has therefore received expert assistance from Stiki in the implementation of the ISO/IEC 27002 security standard. That work has resulted in a security manual for Kreditkort hf. in a web-based format, a risk assessment for the company's information assets and a plan for business continuity, all prepared using the format and software of Stiki ehf. Kreditkort hf. has had a very good cooperation with Stiki.

The implementation of the security standard includes preparing a risk assessment for information assets. In the process of this work, the company was able to use Stiki's specialised software, RM Studio. RM Studio ensures conformity between the requirements in the security manual and the controls that are implemented to control the risk that has been analysed and assessed, since both are based on the ISO/IEC 27002 standard.

In the opinion of Kreditkort hf., RM Studio is a very powerful tool for performing a task of the complexity such as that of a risk assessment for information assets.

RM STUDIO:

  • Is accessible, managed the project well and led the company through the preparation of the risk assessment.
  • Provides the user with a large amount of data.
  • Ensures that the knowledge of individual employees is captured and recorded.
  • Provided a good overview of security issues in the company.
  • Ensured that the task was performed efficiently.

Stiki RM Studio also returns a clear result in an accessible format which makes it easy for both the company and the regulators to see the status of the company in this area as well as fitting well into the company’s internal auditing system. Since Kreditkort hf. works with both Icelandic and international auditors it is a significant advantage to be able to choose whether the risk assessment is in Icelandic or English.

Nanna Huld Aradottir
Former Head of Internal Auditing MasterCard - Kreditkort hf. Iceland

Glitnir Bank

„Stiki has been working in the area of software development for Glitnir Bank for many years. The cooperation between Stiki and Glitnir Bank has been very successful. The bank is effectively using Stiki risk management software RM Studio. The work process of the software follows the information security standard ISO/IEC 27001:2005 which is very important for the bank. The software is very user friendly and it is a great advantage how easy it is to change between languages in the software. It is vital for Glitnir Bank to work with a company like Stiki, where there is a good and vast knowledge of employees regarding information security.“

Gisli Heimisson
Head of Information Technology branch at Glitnir Bank, Iceland

Iceland's Directorate of Health

Stiki ehf. has provided the Directorate of Health with consultation on security matters for some time. The co-operation with Stiki has involved forming and presenting a policy on information security and implementing it through security rules. The security rules were presented in a security manual that took effect on 1 July, 2001. The security manual is created according to the ISO/IEC 27002 and ISO/IEC 27001 security standards.

Since the security manual is intended as a guide for the employees of the Directorate of Health, especially those employees that are responsible for information protection, great emphasis was placed on making it accessible. The manual was therefore installed as a web-based manual on the Directorate's intranet so that every employee could access it from the desktop of their workstation.

„Since the first version of the security manual was issued it can be said to have undergone continuous development and review. Stiki has guided and consulted us in that development.

The Act on the Protection and Processing of Personal Data states that all businesses and institutions that work with personal data are required to ensure the security and quality of that information and, amongst other things, undertake regular risk analyses of information security. Late in 2004 the Directorate of Health prepared a complete risk assessment of their whole information system using the Stiki OutGuard software.

The Directorate of Health finds that Stiki OutGuard has created a suitable framework for the evaluation as well as providing support information that facilitated, expedited and co-ordinated the preparation of the assessment. The assessment then returned a thorough summary of the status of information security that will be used for planning the implementation of controls in the near future.

The image of the Directorate of Health is linked to professionalism in all its operations, confidence, trust and integrity in communications with individuals and organisations. Since collection of data and processing of sensitive personal information is one of the principal roles of the directorate, it is a key issue that all treatment of this information is as effective as possible. The cooperation with Stiki has ensured that the Directorate of Health has constant access to the most current specialisation and consulting in security issues and enabled the Directorate to comply with laws, regulations and recognised standards in information security.“

Sigridur Haraldsdottir
Head of Division - Health Statistics, Iceland's Directorate of Health.

Landspitali - National University Hospital - Pathology Laboratory

The Pathology Laboratory stores DNA samples. This information is obviously very sensitive and needs proper protection. It was therefore a priority at the laboratory to implement an Information Security Management System to ensure the safety of the data the laboratory holds in its possession.

„Following a decision to implement an information security management system at the pathology laboratory of the National University Hospital, a risk assessment was made under the guidance of Stiki. Stiki's OutGuard software was used for preparing the risk assessment and it proved to be a convenient system that shortened the assessment process greatly. It is a great advantage to get a summary of the assessment and thereby see the status of the laboratory in a clear and simple manner every time. It is important for the pathology laboratory to scrutinise its security issues and take a conscious stand on those issues. The employees of Stiki were very professional in the implementation of the security standard, and Stiki can be very proud of the work that they performed for the laboratory.“

Vigdis Petursdottir MD, PhD
Specialist at the pathology laboratory of the National University Hospital

Landspitali - National University Hospital - Office of Engineering and Information Technology

As part of implementing the Iceland Health Network, a project dedicated to establishing a secure gateway for electronic communications between parties in the healthcare services in Iceland, Stiki has been involved in implementing information security according to the ISO/IEC 27001 and ISO/IEC 27002 standards in Icelandic healthcare organisations, including the IT division of the National University Hospital.

That work has included the creation of organisational manuals for the division. The manuals are web-based and include policies, procedures, operating rules and various instructions. Stiki has also led the preparation of a risk assessment on the handling of information according to ISO/IEC 27001 using the RM Studio software.

The IT division has 70 employees and the operation is divided into 7 departments: support services, technical services, helpdesk, telephone services, clinical solutions, administrative solutions and integration.

„Stiki employs well educated professionals that strive to understand the needs of the healthcare service in the field of information technology and security. Stiki's risk assessment system, RM Studio, has proved easy to use and seems to fulfil all requirements for risk assessments according to the ISO/IEC 27001 and ISO/IEC 27002 international standards.

The IT division of the National University Hospital finds that Stiki has displayed both professionalism and knowledge in its work. We at the IT division of the National University Hospital are happy with the work of Stiki and believe that the implementation of information security has been successful and the Division aims to get an ISO/IEC 27001 certification this year thanks to the involvement of Stiki.“

Olafur Adalsteinsson
Former System Analyst Information Technology Manager Landspitali - University Hospital

Office of Engineering and Information Technology


Municipal offices of Gardabaer

Municipal offices hold sensitive data, since social services are included in municipal services. The municipal offices of Gardabaer wanted to register and analyse all processes within the offices and at the same time implement an Information Security Management System based on ISO/IEC 27001. Part of that work is a risk assessment of the processing of information.

„Gardabær worked with Stiki on preparing a security manual and a security policy for the municipal offices of Gardabær in the year 2004. The work of Stiki was highly professional in all respects and its employees led us in a simple manner through the complex procedure of evaluating the operations with regards to security issues. Working with Stiki was very useful for us working in the municipal offices and increased our knowledge and understanding of the issue as well as providing us with the intended products.“

Gudfinna Kristjansdottir
Communications Manager of Gardabær

Municipal offices of Mosfellsbaer

Early in 2004, Mosfellsbaer began looking into internal and external security issues related to the operations of the municipal offices, i.e. the supervision of all administrative activities of the municipality.

It soon became apparent that the inside knowledge and experience necessary for mapping, organising and systematically recording all the risks and all the organisational features that needed to be considered didn't exist inside the administrative structure of Mosfellsbaer, and it was obvious that external parties needed to be brought in to help with the project.

Mosfellsbaer turned to Stiki for consulting. The co-operation with Stiki consisted at first mainly of establishing and mapping the security issues of the municipal offices. Soon after it began, the project grew, and in the end it was decided not only to create a security policy and security manual for the municipal offices, but to implement a complete organisational manual for the entire administrative structure of the municipal offices.

„The organisational manual would include a security policy, access policy, quality policy, teleworking policy and rules on the handling of e-mail. The organisational manual would also include all other items, such as employees and security, access control, external security, etc.

For managing the risk assessment for the municipal offices especially, the Stiki OutGuard system is used, which has proved very good for that purpose.

The organisational manual itself is managed using Stiki's web-management system, which also has proved simple and convenient to use.

Shortly put, the co-operation with Stiki went very smoothly and, as previously mentioned, the project grew since the advice from the company was so targeted and easy to understand. It has already become clear that the implementation of the organisational manual for the municipal offices of Mosfellsbær is, and clearly will be, the cornerstone of the future management of security and organisational matters in the municipal offices.

I can only give Stiki my best recommendations in the matters above, both for its professional workmanship and for employing excellent professionals in their fields.“

Stefán Ómar Jónsson
Town secretary and project manager of security and organisational matters in the municipal offices of Mosfellsbaer

Icelandic Securities Depository Ltd.

„When the Icelandic Securities Depository began implementing the ISO/IEC 27001 security standard, it was decided to enter into an agreement with Stiki due to the experience and knowledge that the company has in this area.

Information security and the implementation of the ISO/IEC 27001 security standard is a key factor in the operation of companies such as the Securities Depository, where the secure handling and storing of data is imperative.

The Stiki OutGuard software enables managers of the Securities Depository to assess risks in the operations of the company and to identify available actions for reducing that risk.

Our co-operation with Stiki has been very pleasant and successful and the work that Stiki has performed for us has been very professional.“

Sigurdur Olafsson
Office manager of the Icelandic Securities Depository Ltd.

 


© Stiki - Information Security - Laugavegur 176 - IS-105 Reykjavik - Phone: +354 5700 600