Security and Access Control for Mediebank

Security is important for NTB, and all systems and content have several layers of security and backup. Our service and operating partner is Crayon AS, and cloud services and storage are provided by Amazon Web Services. NTB's systems are central in the Norwegian media landscape and must be available 24/7. They have to be extremely stable, and downtime is at a very low level.

1 IT Policy

  • Mediebank is developed, maintained and operated in accordance with "best practice" and "Plan - Do - Check - Act", with guidance from ISO 27001:2017 and NSM (the Norwegian NSA) "Basic Principles for IT Security" (BPIS).
  • As a media company, NTB is dependent on the trust of our customers and the public. The integrity of NTB as a company as well as the individual employee is critical to maintain this confidence in the market.
  • The purpose of NTB's IT policy is to minimize the risk associated with information security in a controlled manner through a risk management system.
  • IT Policy covers employees and contracted personnel, internal equipment and work methods at all NTB's locations.

2 Crayon and Netsecurity

  • Crayon AS, Sandakerveien 114, 0484 Oslo, is NTB's operating partner for Mediebank.
  • Netsecurity AS, Strandveien 35, 1366 Lysaker, is and has been NTB's data security partner for several years. NTB is planning to enter into a contingency agreement with Netsecurity, which will ensure even higher preparedness in relation to data security and handling of any security incidents.

3 Operations

  • Servers for Mediebank are operated by Crayon in the Amazon AWS Europe region eu-north-1, across 3 AWS Availability Zones. This ensures maximum availability for the services, even if an entire zone should fail due to an error in AWS.
  • The applications run on ECS Fargate, for smoother deployment, system administration and automatic scaling, with multiple pods in multiple availability zones.
  • AWS services in use include EC2, S3, EFS, RDS, Lambda, Rekognition, SQS and Glacier.

4 Support & SLA

  • NTB offers a 24/7 hotline for critical errors or incidents. For non-critical errors or incidents, errors are reported via email to NTB's ticket system, for further follow-up in accordance with the SLA.
  • NTB offers an uptime guarantee of 99.9%.

5 Backup

  • Backup of S3 (image data) is set up against AWS Glacier in the AWS Europe region eu-west-1. AWS is responsible for carrying out the backups according to the configured setup and for securing the data.

6 Basic data security

  • Encryption
    • All data traffic between the frontend and the backend, traffic between the application modules (microservices) and integrations with third-party systems use HTTPS and/or SFTP.
    • Data at rest is encrypted using AES-256, both for data (KMS) and for picture storage (SSE-S3). Data between database replicas is encrypted by default in AWS.
  • Patching
    • All container images are continuously scanned for vulnerabilities using AWS Inspector enhanced scanning, which also identifies images that need patching.
  • Security testing
    • There is an automated process to build and deploy code (CI/CD) for all environments; this process is triggered by a merged pull request. Code is linted automatically, and peer review, approval of pull requests and unit testing reduce the possibility of vulnerable code.
    • Penetration tests are performed once a year by our selected security partner (currently Netsecurity AS). The next pentest, and the first for Mediebank on the new architecture, is scheduled for January 2023.

7 System Access

  • The solution uses a zero-trust approach. Each component has access only to the parts of the solution it needs. Personnel have roles with minimal access, limited to what is necessary to perform their work duties. Data is encrypted at rest and in transit to customers. Security awareness is integrated with all aspects of the application development journey.
  • The internal accounts for AWS services are authenticated using Google Workspace identity, which also enforces multi-factor authentication. The solution follows the zero-trust principle, therefore access is limited.

Logging and monitoring of security incidents

  • The platform uses AWS Security Hub to have a centralised overview of the multiple security services in use (GuardDuty, CloudTrail, CloudWatch, Config, SCP, Inspector, Access Analyzer). The solution collects information and logs for all running services, actions, changes and incidents. It is planned that all endpoints will be monitored with an EDR solution by the end of Q1 2023.
  • Applications log internally to Sentry: code errors, access errors and HTTP errors. Google MFA is used for access.
  • Media storage system logs downloads, edits, and deletes.
  • All AWS platform logs are stored for 3 years.

Service Level Agreement NTB Mediebank

  1. Introduction
    1. In this Schedule:
      "New Functionality" means new functionality that is introduced to the Platform by an Upgrade or a Customisation;
    2. References in this Schedule to Paragraphs are to the paragraphs of this Schedule, unless otherwise stated.
  2. Helpdesk
    1. The Provider will make available a telephone and email helpdesk facility for the purposes of:
      1. assisting the Customer with the proper use of the Platform; and/or
      2. determining the causes of errors and fixing errors in the Platform.
    2. Subject to Paragraph 2.3, the Customer must make all requests for Support Services through the helpdesk.
    3. The Provider will use reasonable endeavours to ensure that a member of its support staff can be reached by mobile phone outside Business Hours in the case of a critical or major issue.
    4. Critical or Major issues shall always be reported by telephone to (+47) 415 30 303 and only by the Customer's dedicated IT support staff or assigned staff.
  3. Response and resolution times
    1. The Provider will:
      1. inside Business hours, use all reasonable endeavours to respond to requests for Support Services made through the helpdesk; and
      2. inside Business hours, use all reasonable endeavours to resolve issues raised by the Customer; and
      3. outside Business hours, use all reasonable endeavours to respond to critical or major issues raised by the Customer, in accordance with the following response time matrix:
    2. Severity        | Examples                                                                                            | Response time                                                  | Resolution time
       Critical        | Service is unavailable (not responding)                                                             | Immediate                                                      | Immediate and continuous work during Business Hours; ASAP and continuous work outside of Business Hours
       Major           | Major loss of function, part of service is unavailable, severe page load times or timeouts occur    | 0.5 hour during Business Hours, 1 hour outside of Business Hours | ASAP and continuous work during Business Hours; ASAP outside of Business Hours
       Minor           | Minor loss of function, workaround solves problem                                                   | 1 hour during Business Hours                                   | 1 Business Day
       Trivial/General | Issue not affecting functionality                                                                   | 1 Business Day                                                 | In due time
    3. The Provider will determine, acting reasonably, into which severity category an issue raised through the Support Services falls.
    4. All Support Services will be provided remotely unless expressly agreed otherwise by the Provider.
  4. Charges for Support Services
    1. The Provider will charge for the provided Support Services and incurred costs in respect of any fault or error caused by:
      1. the improper use of the Service; or
      2. the use of the Service not in accordance with the Documentation.
  5. Upgrades
    1. The Customer acknowledges that from time to time during the Term the Provider may apply Upgrades to the Platform, and that such Upgrades may result in changes to the appearance and/or functionality of the Platform.
    2. The Provider will give to the Customer at least 14 days prior written notice of the application of any significant Upgrade to the Platform. Such notice shall include details of the specific changes to the functionality of the Platform resulting from the application of the Upgrade.
    3. The Customer shall not be subject to any additional Charges arising out of the application of the Upgrade.
  6. Uptime commitment
    1. The Provider shall ensure that the Hosted Services are available 99.9% of the time during each calendar month, subject to Paragraph 8.
    2. Platform uptime shall be calculated using the following methodology:
      Availability % = ((Accumulated time in a given month – (Downtime – Downtime subject to Paragraph 8 – Downtime due to a Force Majeure Event)) / Accumulated time in a given month) * 100
    3. The Provider shall arrange for the monitoring of the availability of the Platform, and shall send an availability report to the Customer promptly following the Customer's request.
    4. In the event that, during a calendar month entirely within the Term, the Platform fails to meet the availability commitment set out in Paragraph 6.1 then the Provider shall issue service credits calculated in accordance with Paragraph 6.5 to the Customer, such service credits to be deducted by the Provider from future Charges.
    5. Subject to Paragraph 6.6, the service credits referred to in Paragraph 6.4 and due in respect of a calendar month shall be calculated as follows:
      where:
      a = the actual percentage availability of the Platform during the relevant calendar month; and
      b = the Charges payable in respect of access to the Platform during the relevant calendar month (exclusive of NORWEGIAN VAT (MVA) and other taxes).
    6. The maximum service credits available to the Customer in respect of any calendar month shall be the total Charges payable in respect of access to the Platform during the relevant calendar month (exclusive of NORWEGIAN VAT (MVA) and other taxes).
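The Paragraph 6.2 availability formula and the 99.9% commitment of Paragraph 6.1, worked through in code. This is an added example, not NTB's or Crayon's own monitoring tooling; all times are in minutes, the 30-day month is constructed, and the reading that only scheduled maintenance within the 6-hour cap of Paragraph 8.1 is excludable is an assumption made here.

```python
"""Availability calculation for the Mediebank SLA (Paragraph 6.2).

Added example, not part of NTB's or Crayon's tooling. Times are in minutes.
"""

SLA_TARGET_PERCENT = 99.9          # Paragraph 6.1 uptime commitment
MAX_MAINTENANCE_MINUTES = 6 * 60   # Paragraph 8.1: at most 6 hours per calendar month


def availability_percent(month_minutes: float,
                         downtime_minutes: float,
                         maintenance_minutes: float = 0.0,
                         force_majeure_minutes: float = 0.0) -> float:
    """Availability % = ((Accumulated time - (Downtime - Downtime under Paragraph 8
    - Force Majeure downtime)) / Accumulated time) * 100.

    Assumption (not spelled out in the formula): scheduled maintenance is only
    "in accordance with Paragraph 8" up to the 6-hour monthly cap, so any
    maintenance downtime beyond that cap counts against availability.
    """
    if month_minutes <= 0:
        raise ValueError("month_minutes must be positive")
    excludable = min(maintenance_minutes, MAX_MAINTENANCE_MINUTES) + force_majeure_minutes
    counted_downtime = downtime_minutes - excludable
    if counted_downtime < 0:
        raise ValueError("excluded downtime exceeds total downtime")
    return (month_minutes - counted_downtime) / month_minutes * 100


def meets_uptime_commitment(availability: float) -> bool:
    """Paragraph 6.1: available 99.9% of the time during each calendar month."""
    return availability >= SLA_TARGET_PERCENT


def downtime_budget_minutes(month_minutes: float) -> float:
    """Unexcused downtime that still satisfies the commitment in this month."""
    return month_minutes * (100 - SLA_TARGET_PERCENT) / 100


if __name__ == "__main__":
    month = 30 * 24 * 60  # constructed 30-day month = 43200 minutes
    # Constructed scenario: 5h30m total outage, of which 5h was announced scheduled maintenance
    a = availability_percent(month, 5 * 60 + 30, maintenance_minutes=5 * 60)
    print(f"availability {a:.3f}%, meets SLA: {meets_uptime_commitment(a)}")
    print(f"monthly downtime budget: {downtime_budget_minutes(month):.1f} min")
```

A 30-day month leaves only about 43 minutes of unexcused downtime before the Paragraph 6.4 service credits apply, which is why the maintenance and Force Majeure exclusions matter in the calculation.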
  7. Back-up and restoration
    1. The Provider will make continuous back-up of the Customer Materials stored on the platform for Point-In-Time recovery, and will retain such back-ups for at least 30 days on an offsite location.
  8. Scheduled maintenance
    1. The Provider may suspend access to the Platform in order to carry out scheduled maintenance, such maintenance to be carried out outside Business Hours and such suspension to be for not more than 6 hours in each calendar month.
    2. The Provider must give to the Customer at least 10 Business Days' written notice of scheduled maintenance, including full details of the expected Platform downtime.
    3. Platform downtime during scheduled maintenance carried out by the Provider in accordance with this Paragraph 8 shall not be counted as downtime for the purposes of Paragraph 6.