Information Security - Digital Security Incidents and Deviations - Kunnskapsbasen
Norwegian version: Informasjonssikkerhet - Digital sikkerhetshendelse og avvik
On this page you will find information on how to report digital security incidents and how to register deviations related to information security and privacy.
NTNU SOC is an operational emergency preparedness unit that works on the detection, analysis, coordination and handling of digital security incidents at NTNU. NTNU SOC is NTNU's registered incident response team (CSIRT / CERT) and collaborates with other security teams in the higher education sector as well as with national security teams.
If you have any questions, please contact NTNU SOC:
How to know that I am exposed to a Digital Security Incident or Deviation?
Digital Security Incident
A digital security incident can occur as a result of a cyber attack, a technical failure, human error, etc. Digital security incidents related to NTNU's ICT systems and digital infrastructure must be reported to the NTNU Security Operations Center (NTNU SOC).
Examples of security incidents:
- You have been exposed to scams via email or SMS (Report suspicious email)
- You have been tricked into giving away information such as your username, password or credit card details
- Your ICT equipment has been lost or stolen
- You suspect a virus or other malware on ICT equipment
Report digital security incident
Notify NTNU SOC before you take any action of your own (such as deleting files, reinstalling or wiping a device), so that evidence is preserved and the response can be coordinated.
How to report a digital security incident with encrypted email
Information classified as Confidential or Strictly Confidential can be sent to us by email if the message is encrypted with PGP to our public key: 0xEFF99109C95AF4BF. Before encrypting, check that the key you have imported actually has this long key ID (the last 16 hex digits of its fingerprint), since a keyserver lookup can return more than one key.
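As an added example (not NTNU's own tooling), the following Python helper shows the check a sender should do before encrypting to the key above: confirm that the key imported into the local GnuPG keyring has the published long key ID by matching the last 16 hex digits of its fingerprint, and then build the gpg encryption command. The sample colon-format listing is constructed test data and does not reflect the real key's fingerprint or user ID; the function and variable names are the author's assumptions.

```python
"""Check an imported PGP key against a published long key ID and build
the gpg command that encrypts a report to it.

Added example, not NTNU code. The key ID below is the one published on
this page; the sample listing further down is constructed test data."""
import re
import subprocess

SOC_KEY_ID = "0xEFF99109C95AF4BF"   # published on the page (long key ID, 16 hex digits)


def normalise_key_id(key_id: str) -> str:
    """Return upper-case hex for a long key ID (16 hex) or a full fingerprint (40 hex).

    Accepts an optional '0x' prefix and spaces between groups. Short 8-digit
    key IDs are rejected on purpose: they are cheap to collide."""
    k = key_id.strip().replace(" ", "")
    if k[:2].lower() == "0x":
        k = k[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40}", k):
        raise ValueError(f"expected a 16-digit long key ID or 40-digit fingerprint, got {key_id!r}")
    return k.upper()


def fingerprints_from_colons(listing: str) -> list:
    """Pull every fingerprint out of `gpg --with-colons --fingerprint` output.

    In colon format each 'fpr' record carries the fingerprint in field 10
    (index 9); the primary key and each subkey get their own record."""
    fprs = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs


def key_matches(expected: str, listing: str) -> bool:
    """True if a key in the listing has the expected fingerprint or long key ID.

    A long key ID is, by definition, the last 16 hex digits of the fingerprint,
    so a 16-digit expectation is checked as a suffix."""
    want = normalise_key_id(expected)
    for fpr in fingerprints_from_colons(listing):
        if fpr == want or (len(want) == 16 and fpr.endswith(want)):
            return True
    return False


def gpg_listing(key_id: str) -> str:
    """Ask the local gpg for the colon-format listing of one key (needs gpg installed)."""
    cmd = ["gpg", "--batch", "--with-colons", "--fingerprint", "0x" + normalise_key_id(key_id)]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def gpg_encrypt_command(recipient: str, infile: str, outfile: str) -> list:
    """argv for an ASCII-armoured encryption of `infile` to the given key.

    The recipient is passed as 0x + full hex so gpg selects the key by ID
    rather than by a user-ID string, which could pick up a look-alike key."""
    return ["gpg", "--batch", "--armor", "--encrypt",
            "--recipient", "0x" + normalise_key_id(recipient),
            "--output", outfile, infile]


# Constructed sample of colon output: the fingerprint and user ID are made up
# and only share their last 16 digits with the published key ID.
SAMPLE_LISTING = """\
pub:-:4096:1:EFF99109C95AF4BF:1500000000:::-:::escESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567EFF99109C95AF4BF:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example SOC <soc@example.invalid>::::::::::0:
"""

if __name__ == "__main__":
    # Offline demonstration against the constructed listing.
    print(key_matches(SOC_KEY_ID, SAMPLE_LISTING))            # True
    print(key_matches("0x0000000000000000", SAMPLE_LISTING))   # False
    print(" ".join(gpg_encrypt_command(SOC_KEY_ID, "report.txt", "report.txt.asc")))
```

In practice you would import the key (for example with `gpg --recv-keys 0xEFF99109C95AF4BF` from your configured keyserver), feed `gpg_listing(SOC_KEY_ID)` to `key_matches`, and only then run the command from `gpg_encrypt_command` and attach the resulting `.asc` file to your email. If the imported key does not match, or you are in any doubt, confirm the full fingerprint with NTNU SOC through another channel before sending anything confidential.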
Deviation in information security and privacy
Deviations in information security and privacy occur when we do not follow legislation, rules or NTNU's internal documents governing the use of NTNU's ICT infrastructure and the processing of personal data. Deviations are mainly information security breaches connected with the way work is carried out and with work practices. A deviation may have major, minor or no consequences.
Examples of deviations in information security and breaches of personal data:
- Email and attachments mistakenly sent to the wrong person, especially where they include personal data
- Collection of data in forms that make the information searchable on the Internet, or in form tools for which NTNU does not have a data processor agreement
- Incorrect disclosure or incorrect publishing of information
- Errors in access rights, equipment or software that impair the availability of information, and which may in turn compromise security
- Procedures that are missing, do not work, or are not followed
- Information with a classification level that requires access control is open and accessible to unauthorised persons
- Lack of a basis or of an assessment of the basis for processing personal data
- A national identity number sent unencrypted by email to external parties (a single document containing a national identity number sent between employees is not a deviation, because it does not leave NTNU's computer network)
Report A Deviation
The deviation report must describe the deviation and where it took place. The report must not include personal data such as names or other information for which confidentiality may be needed. A deviation must never be directed at a person, but at the element or action in the work process that led to the security breach. In other words, a deviation report must describe the action, not the person who performed it.
If you plan to report a deviation, be careful not to include sensitive information in the report. The deviation report must also describe what the possible consequences of the breach might be.
Why should I report deviations?
Everyone with access to NTNU's ICT infrastructure is responsible for being on the alert for security breaches and for reporting deviations. In this way everyone contributes to building a strong information security culture. Reporting deviations is necessary and desirable: dealing with deviations creates learning and improvement, which is essential for systematic work on information security and privacy. The deviation process is also an important part of NTNU's internal control.
What happens when I report a deviation?
Deviations related to information security and privacy are handled by the Digital Security Section. There, staff classify the deviation and consider whether the Norwegian Data Protection Authority must be notified. If there is a personal data breach, the assessment is done in dialogue with the Division for Governance and Management Systems and the Data Protection Officer.
If immediate measures are necessary, action is taken in cooperation with those responsible for the service or function concerned. The line manager will be involved and will be tasked with finding the root cause and with measures to prevent the same thing from happening again. This kind of assessment is often done in close cooperation with the Digital Security Section.
If information about people has been leaked and it is likely that this could have negative consequences, the people affected must be notified. Such notification is the line manager’s responsibility.
Managers at NTNU must address deviations classified as serious or critical in their management meetings and must use procedures for dealing with deviations as an important factor in the improvement efforts in their part of the operation.
See also
- IT services for employees
- IT support for students
- Students: Report deviations - Speak up!
- Guidelines on whistleblowing and follow-up of issues of concern
- Retningslinje for avviksmelding og avvikshåndtering innen informasjonssikkerhet og personvern (Guidelines for reporting deviations and dealing with deviations within information security and privacy - PDF, in Norwegian)
- Retningslinje for behandling av personopplysninger (Guidelines for processing personal data) only in Norwegian.