Wikier

Policy for information security

This page presents NTNU’s policy for information security.

Norsk versjon: Politikk for informasjonssikkerhet

About Policy for information security

  • Type of document: policy 
  • Managed by: Director of Organization
  • Approved by: Rector 20 June 2018
  • Classification: open
  • In force from: 20 June 2018
  • In force: until revision
  • Exempt from public disclosure: no
  • Reference ISO: 27001; 5.1.1, 5.1.2
  • Legal reference Act/Regulation: Section 15 and Section 20 of the eGovernment regulations; articles 5, 24 and 32 of the GDPR
  • Reference internal documents: The policy for information activities is governed by the ICT regulations. The policy provides overall guidelines on information security.

Purpose

The purpose of the policy for information security is to safeguard the information assets that are developed, processed and managed through NTNU’s research, education, including artistic development work, dissemination, outreach, innovation and administration, and compliance with the legislation and regulations in effect. The policy for information security establishes goals and strategy for information security in the organization, and provides a foundation for the activities to safeguard NTNU’s information assets and for the digital security of NTNU’s ICT infrastructure. An information security management system forms the basis for NTNU’s work with information security and is an integral part of NTNU’s overall management system.The management system is intended as the framework for systematic and coherent practice between the governing, implementation and control sections of the information security activities.

Who NTNU’s policy for information security applies to 

NTNU’s policy for information activities applies to

  • All employees at NTNU
  • All students at NTNU
  • Everyone who has access to and/or processes and manages information through NTNU’s ICT infrastructure  

Key laws and regulations on information security

  • The Personal Data Act (personopplysningsloven) (and the General Data Protection Regulation - GDPR) provide rules for the protection of natural persons in connection with processing of personal data, NTNU’s duties as a controller for processing of personal data, use of a data protection officer and rights of the data subject.
  • The Public Administration Act (forvaltningsloven) (and the eGovernment regulations, eForvaltningsforskriften) – requirements for administrative procedures, documentation and responsible conduct, as well as requirements for internal control and information security. 
  • The Freedom of Information Act (offentleglova) – requirements for NTNU as a public-sector organization to provide open access to information while protecting information from access where the Act allows or requires this. 
  • The Public Archives Act (arkivloven) – includes rules about which documents must be filed and requirements for archival. 
  • The Health Research Act (helseforskningsloven) – requirements for organization, roles and responsibilities in health research. 
  • The Act on Personal Health Data Filing Systems (helseregisterloven) and the Health Personnel Act (helsepersonelloven) – rules about the processing of patient data and duty of confidentiality for health workers.
  • The Act on Ethics and Integrity in Research (forskningsetikkloven) – rules that research must be conducted in accordance with recognized research ethics standards, for the researcher and the institution. 
  • The Copyright Act (åndsverkloven) – includes rules about intellectual property rights and the use of images. 
  • The Information Protection Instructions (beskyttelsesintruksen) and the Security Act (sikkerhetsloven) – impose requirements for classification and handling of information. 
  • The Export Control Act (eksportkontrolloven) – provides rules on the control of and prohibition of exports of strategic products, services and technology, including prohibition of illegal transfer of knowledge. 

Other laws and associated regulations may also be relevant: the Electronic Communications Act (ekomloven), the Act relating to Police Records (politiregisterloven), the Act on Biobanks for Therapeutic Purposes (behandlingsbiobankloven), the Health Records Act (pasientjournalloven), and others. 

Definitions

Availability: Availability involves ensuring that information and information systems are available as needed within the availability requirements that have been specified. 

Confidentiality: Confidentiality means ensuring that the information is not disclosed to unauthorized persons, but that information and information systems are available only to those who have an official need for them.

ICT infrastructure: NTNU’s ICT infrastructure refers to all equipment, digital information, information systems and services used for information processing and communication.

Information assets: Divided into two categories:

Primary assets involve what we do and how, and the information we use 

  • operational processes and activities 
  • information

Secondary assets involve the tools we use and the skills of those who use the tools:

  • hardware 
  • software 
  • network
  • employees
  • locations
  • organizational structures

Information security: Information security involves securing information in terms of confidentiality, integrity and availability.  

Integrity: Integrity means ensuring that information is accurate, valid and complete and cannot be changed accidentally or by an unauthorized person.

Internal control: Systematic governance and control measures designed to ensure that the institution’s activities are planned, organized, executed, secured and maintained in accordance with requirements stipulated in or provided for in law, and governing documents. 

Management system: The information security management system at NTNU complies with the ISO 27001 standard and refers to systematic work based on a set of governing documents and process descriptions with specified roles and allocation of responsibility, active internal control and improvement loops. In practice, the management system functions in a three-part relationship between the governing part (management element), the implementing part (the line management structure, including users and process owners) and the controlling part (continuous internal control, internal and external auditing).  

Process owner: A process owner is a leader in the central university administration, who is responsible for cross-cutting administrative processes at NTNU. The process owner is responsible for common procedures and guidelines as well as for managing, improving and following up the cross-cutting processes in his or her area of responsibility.

Risk management: Risk management refers to a coordinated set of activities and methods used to govern an organization and to control the many risks that can influence achievement of goals.

Risk owner: A risk owner is a leader who has been designated as responsible for achieving one or more goals for the organization and for ensuring that the related tasks are carried out. The risk owner’s responsibility follows the line management structure. In other contexts, the risk owner may be referred to as the manager responsible for goals and performance, the task owner or the process owner. 

System owner: A system owner is a manager who is responsible for developing, managing and/or operating an information system on behalf of NTNU. The system owner often uses a designated system manager as the person with operational responsibility for the tasks for which the system owner is responsible. 

A person who stores data can also be regarded as a system owner. This will apply when the following criteria are met:

  • the information belongs to or is subject to NTNU’s regulations 
  • the information is used, transported or stored on
    • IT systems
    • opersonal devices
    • other media where NTNU IT or the line manager is not the system owner

System owner of common system: The system owner of a common system is responsible for developing, managing and operating an information system used by several risk owners in the organization.

Overall principles

NTNU creates, communicates and manages information assets on behalf of society, employees, students and partners. NTNU must take care of the confidentiality, integrity and availability of information assets in accordance with applicable laws, regulations, policies from the authorities, our social mission and the information owners’ interests. 

NTNU must have an overview of its information assets, and what personal data is being processed. For the processing of personal data, the regulatory framework (the Personal Data Act) specifies requirements for information security. For the processing of personal data, breaches of confidentiality and integrity are not accepted. 

Information security is a cross-cutting risk area that must be handled within all NTNU’s areas of activity. Work with information security is to be based on processes for continuous improvement. NTNU must safeguard information security as an integral part of its enterprise management through systematic quality work. 

Risk management and acceptance of risk is a management responsibility. All information processing involves a risk of breach of confidentiality, integrity and availability. Risk acceptance and measures must be proportional to the likelihood and consequences of security breaches. Residual risk is to be accepted by management. 

As far as appropriate, internal control and security work should be integrated across internal control areas. Security audits must be conducted to verify that the requirements of NTNU and external authorities for information security are met and work according to their purpose. Security audits must be conducted every two years.

Security objectives

NTNU has decided on the following goals for information security:

  • Information security must be an integrated and natural part of all processes, services and systems at NTNU. 
  • Information assets processed within NTNU’s activity areas of research, education, innovation, dissemination and administration must be assessed and handled in such a way that the information is secured and privacy is not breached. 
  • The confidentiality, integrity and availability of the information assets must have the appropriate level of security based on classification and risk assessments. The rights of data subjects, including the rights of research participants, must be safeguarded. The public’s right of access under the Freedom of Information Act must be respected. 
  • All employees, students, and others who have access to, and/or process and manage information through NTNU’s ICT infrastructure, must be familiar with and comply with NTNU’s requirements for information security.

Security strategy

The information security management system at NTNU is designed and implemented according to the ISO 27001 standard. Appropriate adaptations are made to ensure that information security activities comply with relevant laws, regulations and best practices in the field in a way that will function for NTNU as an organization. Work with information security should be put into operation through a coherent workflow between a governing, implementation and control part: 

The governing part specifies requirements, guiding principles, organization and roles for information security work. These are specified in detail through the governing documents for information security: the ICT regulations, the policy for information security and underlying guidelines.

The implementation part consists of implementation of the requirements in the governing documents by line managers, process owners, system owners and users. At an overall level, this relates to classification of information, risk assessments and risk mitigation measures in the respective areas of responsibility. 

The control part includes dealing with nonconformities, reporting, internal/external auditing and review by management.

NTNU will achieve its information security goals by focusing on three core areas. The first is managers’ implementation of risk management in the units, the second is the development of a security culture, skills and attitudes, and the third is development of a robust infrastructure that protects digital security:

  1. Governance and control of information security are management responsibilities and part of ordinary enterprise management and internal control. Managers need to have a clear understanding of risk and an overview of the information assets that the unit handles, so that they can make informed choices and set priorities for the introduction of security measures. 
  2. Work with security culture and training must be a systematic and continuous improvement process. Increased competence will enable staff and students to classify the information they process, conduct risk assessments and choose necessary measures to protect the information in the work processes. 
  3. NTNU must secure the ICT infrastructure through systematic implementation of the requirements in the guidelines drawn up according to the controls in ISO 27001, Annex A. Requirements for information security and privacy must be addressed in the design, procurement, development, management and disposal of ICT systems and infrastructure. 

Roles and responsibility

Work with information security affects the institution at all levels. Responsibility and authority for information security follow the ordinary line responsibility.

All ICT systems at NTNU must have a system owner.

Managers with responsibility for goals, tasks, services and processes will also have responsibility for the associated information processing and information security. In addition, some roles are specified in detail through the information security management system and are assigned special responsibility for defined areas. 

The Board

  • has the top-level responsibility for information security and must annually be informed about the work on information security•is responsible for ensuring that an internal audit of information security at NTNU is conducted

Rector

  • is the top-level controller for processing of personal data at NTNU
  • must annually inform the Board about work on information security and privacy 

Director of Organization

  • is responsible for ensuring that the requirements of the policy for information security are met in the organization through a functioning information security management system 
  • must ensure that action plans are developed enabling systematic and continuous work on information security 
  • must ensure adequate funding of information security work
  • is responsible for collection and reporting for management’s annual review of information security work
  • must ensure that relevant parties are notified of serious breaches of information security
  • is responsible for taking the measures necessary to ensure adequate management of nonconformities or incidents in connection with breaches of information security 
  • must ensure that the data protection officer is regularly invited to participate in meetings with the Rector and the council of deans 
  • is responsible for ensuring that the policy for information security is revised every two years to ensure the desired effect and effectiveness of information security work 

Pro-Rectors, directors and division managers in the university administration 

  • are responsible for compliance with requirements for information security, including requirements for processing of personal data at the unit 
  • are responsible for checking that legislation, procedures and approvals are followed, and that nonconformities are closed
  • are responsible for maintaining an ongoing and up-to-date overview of ICT systems that are used and the processing of personal data at the unit
  • are responsible for ensuring that employees at the unit have adequate training in information security and can fulfil their duty to assess the risk of new projects and processing, as well as to report nonconformities in the event of information security breaches
  • are responsible for ensuring that all employees at the unit have access to services and material so that users can protect NTNU’s information and information systems 
  • are responsible for a systematic review of data processor agreements and other agreements important to information security work, and review of nonconformities in the department, at least once per year
  • are responsible for ensuring that internal control in the information security work is functioning at the unit

Dean/Museum Director 

  • is responsible for compliance with the information security requirements, including the processing of personal data, at the Faculty/NTNU University Museum
  • is responsible for ensuring that all Heads of Departments are familiar with the procedures and guidelines in effect in the information security work 
  • is responsible for determining necessary local procedures as needed•is responsible for checking that legislation, procedures and approvals are followed, and that nonconformities are closed
  • is responsible for maintaining an ongoing and up-to-date overview of ICT systems that are used and the processing of personal data at the Faculty / NTNU University Museum
  • is the person responsible for research under the Health Research Act (helseforskningsloven) for his or her own faculty and must have an overview of the research portfolio at the Faculty 
  • is responsible for ensuring that employees at the unit have adequate training in information security and can fulfil the duty to assess the risk of new projects and processing, as well as for reporting nonconformities in the event of information security breaches
  • is responsible for ensuring that students at NTNU have necessary training in the requirements for information security
  • is responsible for ensuring that all employees at the unit have access to services and material so that users can protect NTNU’s information and information systems 
  • is responsible for conducting dialogue with respective underlying units about information security work, including the follow-up of procedures and nonconformities, at least once per year
  • is responsible for ensuring that internal control in the information security work is functioning at the faculty / NTNU University Museum

Head of Department

  • is responsible for compliance with the information security requirements, including the processing of personal data, at the department
  • is responsible for maintaining an ongoing and up-to-date overview of ICT systems that are used and the processing of personal data at the department
  • is responsible for ensuring that employees are familiar with relevant laws and regulations, as well as information security procedures and guidelines for research ethics
  • is responsible for ensuring that employees are in a position to fulfil their duties to assess the risk of new projects and processing, as well as for reporting nonconformities in the event of information security breaches
  • is responsible for ensuring that internal control in the information security work is functioning at the department/unit

Director of the Division for Governance and Management Systems

  • is responsible for ensuring that information security, as one of several areas of activity, is included in comprehensive internal control 
  • must be consulted when the policy for information security is revised to ensure integrated, coherent and effective internal control 

Director of the HR and HSE Division

  • is responsible for organizational development and change management in information security work; including ensuring that managers are familiar with and have adequate skills and understanding of risk to fulfil their responsibility to exercise risk management within the area of information security 
  • must be consulted when the policy for information security is revised to ensure a coherent and consistent approach to security and emergency preparedness at NTNU 

Head of the IT Division

  • is responsible for maintaining an ongoing and up-to-date overview of NTNU’s ICT infrastructure, and for ensuring that information security in and between the systems is safeguarded
  • is responsible for ensuring that all employees and students at NTNU have access to services and material so that users can protect NTNU’s information and information systems
  • is responsible for managing NTNU’s electronic enterprise certificate
  • must be consulted when the policy for information security is revised to ensure the desired impact and effectiveness of information security work

Head of the Digital Security Section

  • is responsible for implementing security requirements for NTNU’s ICT infrastructure 
  • must be consulted when the policy for information security is revised to ensure coherent and consistent approach to security and emergency preparedness at NTNU

System owner

  • is responsible for ensuring that the development, management and/or operation of the IT system meet the requirements for information security 

Project manager

  • has operative and internal control responsibility in the implementation of research projects and other projects, from planning to conclusion, including ensuring that requirements in relevant legislation, research ethics guidelines and internal guidelines are followed 
  • is responsible for taking care of necessary approvals and notifications, and for concluding agreements required to safeguard information security and privacy
  • is responsible for access control if there is a need for confidentiality, for example in connection with the processing of personal data, in the project 
  • is responsible for ensuring that relevant and necessary documentation requirements are met in the project

Project supervisor / student supervisor

  • is responsible for ensuring that students in student projects are familiar with NTNU’s procedures and guidelines and overall regulations in information security and processing of personal data

Data Protection Officer

  • must advise on how NTNU as data controller can best safeguard privacy interests 
  • must on request provide advice on a data protection impact assessment (DPIA) 
  • must check the implementation of data protection impact assessments•must verify compliance with the regulations •must keep informed about and follow up nonconformities in the event of a personal data breach
  • must be the point of contact for the Norwegian Data Inspectorate and the data subjects

Privacy protection adviser for research (Norwegian Centre For Research Data - NSD)

  • must advise on how NTNU as controller can best safeguard privacy interests in research projects 
  • must receive notification of processing of personal data in research projects and keep a record/overview of such processing in a message archive for this purpose

All users

  • are responsible for familiarizing themselves with relevant legislation for information security, including the Personal Data Act as well as the Health Research Act, the Copyright Act and the eGovernment regulations 
  • are responsible for familiarizing themselves with relevant guidelines for information security work related to using NTNU’s ICT infrastructure and in research projects and other projects•have a duty to report incidents and nonconformities (adverse events) in connection with breaches of information security and processing of personal data in accordance with guidelines in force for dealing with nonconformities when they become aware of these