Risk, design and requirements

The GDPR places particular emphasis on having a risk-based approach to privacy and security, and also on “privacy by design”. Privacy by design is a set of design- and architecture principles that broadly state that software should be designed from scratch with privacy in mind, and maintain and protect the users privacy when using the software.

We’ve taken this to heart, and made both risk assessments and privacy by design part of our production- and operational processes, in order to ensure that:

  • The level of security in our products and services are appropriate to the risk represented by the processing, and
  • The product or service has the necessary features and functionality with regards to privacy and data protection.

 

All our development processes, including with regards to operational security, are ISO9001- certified. 

 

The Security Self Assessment

The Security Self-Assessment (SSA) is the heart of privacy and security in Visma. The SSA consists of more than 70 requirements, questions and assessments that every product or service has to go through and achieve “Approved” status for.

Examples of items from the SSA are:

  • Attack surface interface: a detailed diagram showing all system components, integrations and connections, including personal data flows and any subprocessors (such as hosting providers).

  • Session management: for example, criteria for ending a user session and clearing the cache.

  • Access and authorisation controls.

  • Numerous security- specific things, like use of encryption, firewalls, etc.

  • The Privacy Self-Assessment, see below.

 

Other items are for example injection prevention, cross site scripting prevention, error handling and deployment review.

The SSA is very detailed and is continually updated and reviewed at least annually by every team, supported by its Security Engineer. The SSA is approved by a member of the Security Team.

The Security Self- Assessment must be completed and approved before the product roadmap is approved by product management. This ensures that we’ve done a risk assessment and given due consideration to privacy by design before we start coding.

 

The Privacy Self Assessment

The Privacy Self-Assessment (PSA) is a key component of the SSA, and consists of several items in the SSA specifically about privacy and data protection, and one or more risk assessments.

The risk assessments consists of two parts:

  • Data classification, detailing such things as data ownership, the types and categories of data processed in the system, where it is processed, how long it is stored for, and if any subprocessors (for example a hosting provider) are used. The classification also includes a three-tiered rating of the data’s confidentiality, integrity and availability.

  • Risk assessment, where the risk represented by the processing is evaluated for both the data subject and for Visma. The risks are reviewed by a member of the security team in conjunction with the security self-assessment, and also by the Data Protection Manager.

 

Risks are categorised as “Acceptable”, “Medium” or “High” according to criteria in the data classification. Medium and High risks are reported to the Group Product Development Manager or Development Director respectively, who approve the risk mitigation actions. (The Group Product Development Manager is responsible for a set of products.)

This ensures that the security-level in any given solution is based on a risk assessment that takes into account both technical aspects (such as a security vulnerability) and the potential impact of a data breach on anyone whose data is registered in the system. Further, it ensures that risk mitigation is a management responsibility.

In addition to the requirements in the SSA and PSA, every service is assigned a minimum level of security based on the data classification and other considerations, such as business criticality- please see the next two sections.

As a minimum, every service performs a risk assessment for Visma’s role as a data processor, but will also perform context-specific risk assessments, such as for new integrations or change of a hosting provider.

The second part of the privacy self-assessment is a section inside the security self-assessment dedicated to privacy. For example, we map all personal data types (name, email, IP-address etc) that is processed in the application, the ability to delete, return, correct and update personal data, and similar key requirements for processing personal data.

 

The Privacy Self- Assessment is approved by the Data Protection Manager. This means that we’ve separated approval for our services for processing personal data to separate and independent parties. 



The Security Maturity Index

There are several other requirements and policies for security- and privacy compliance, in addition to the SSA and PSA. These are for example manual and automated security tests, code scanning, time-limits for fixing critical issues and risks, as well as abiding by various industry best practices (such as for encryption).

All these metrics are aggregated in what we call the “Security Maturity Index” (SMI), which is a live index providing an overview of the security- and privacy compliance status of each product or service.

Products are assigned SMI- levels Bronze, Silver, Gold or Platinum based on the criticality of data in the service and strategic importance to Visma. Most of our major services, like eAccounting, are classified as Platinum by default, meaning that they must maintain a very high security-level.

Unlike the SSA and PSA, which are conducted at least annually, the SMI is a live status. This means that the the teams must perform certain actions regularly or continuously.
For example, critical issues must be fixed within a certain time period, and any security defects must be triaged continuously.
The SMI is not public, but any product or service that is listed here on the Trust Centre with status "GDPR I" or "GDPR II" fulfils the minimum criteria of the SMI. 
You can check this on the service information page.

"GDPR I and II"

Services that have an approved SSA, PSA and have achieved their assigned SMI-level, are labelled with “GDPR I” or “GDPR II”:

GDPR I is the minimum required level for processing personal data, and GDPR II is required for processing sensitive personal data, or where the product is of particular importance to Visma and our customers. You can see the status of each product on the service information page.

Any product at GDPR II- level must have the highest level of security maturity, and fulfil certain additional requirements in the SSA, primarily related to Privacy by Design:

For example, a GDPR I- rated product will have security event logging and may have tamper- proofed these logs, but a GDPR II- rated service will take additional steps to tamper- proof the logs.

Please note that if a product you use has the “GDPR I” or “GDPR II” label, that does not mean that you or your business is automatically “compliant” with the GDPR by using it:

It is you, our customer, who must be compliant with the GDPR as a “data controller”. What the GDPR- labels mean, is that Visma has made assessments with regards to privacy, security and functionality in our product, and taken actions based on those assessments. As a result of this, we believe that:

  • Our products and services meet the obligations we have as your service provider and data processor, and that

  • You as our customer and data controller may use the product in a compliant manner.

 

We’ve written up a general guideline over your responsibilities as a data controller under the GDPR, and some specific things you should think about when using our services. This is available here:

For customers.

 

You may also want to see our examples page for some examples of things we’ve added to or changed in our services as a result of the GDPR.