This page presents NTNU’s policy for information security.

Norsk versjon: Politikk for informasjonssikkerhet

About Policy for information security

• Type of document: policy
• Managed by: Director of Organization and Infrastructure
• Approved by: Director of Organization and Infrastructure
• Applies from: 12.06.2023
• Next revision by: 12.06.2025
• Classification: Open
• Reference ISO: 27002:2022; 5.1, 5.2, 5.31, 5.35, 5.36
• Reference NSMs bacis principles of ICT-security: 1.1.1, 1.1.2, 1.3.3a
• Reference LOV/Rule: eGovernment regulations (eForvaltningsforskriften) §15 and § 20, personvernforordningen artikkel 5, 24, 32
• Reference internal documents: ICT Regulations Policies for Information Security and Privacy

Purpose

The purpose of the policy for information security is to establish the framework for the work on information security and digital security at NTNU. The policy is indented to facilitate the protection of NTNU’s information assets in compliance with relevant laws, regulations, and government directives. The work on information security and digital security should enable NTNU to fulfil its societal mission in a way that maintains trust from employees, students, partners and society at large.

The work regarding information security at NTNU overlaps with the work on digital security. A significant portion of the assets processed and stored at NTNU consists of information, or the areas, systems and individuals that store or process information. These are structured as either primary values or secondary values. The primary values pertain to information processed and managed through NTNUs research, education, innovation and administration. The secondary values include the tools we use, and the competence of those who use the tools. This includes employees, students, locations, organization structures, hardware, software and networks.

The information security policy is subject to the ICT regulations and superior to topic specific policies for information security. Together, these constitute the management system for information security, forming the basis for NTNU’s work on information security and serving as an integral part of NTNU’s comprehensive corporate governance. The management system provides the framework for a systematic and holistic practice between the governing, implementing and controlling aspects of information security work.

Applies to

NTNU’s policy on information security, digital security and privacy applies to all individuals who has access to, store, process, or transmit information assets through NTNU or its affiliated activities.

Definition

Information assets are information that can cause harm to individuals, organizations, or society if it is compromised, lost, or altered. Information assets are structured as either primary or secondary value. Primary value pertains to information processed and managed through NTNU’s research, education, innovation, and administration. Secondary values relate to the tools we use and the competence of those who use the tools. This includes employees, students, locations, organization structures, hardware, software, and networks.

Information security refers to the protection of information against unauthorized access, ensuring its availability when needed, and safeguarding it against unwanted alterations. Information security is concerned with how the confidentiality, integrity, and availability of information are maintained.

Confidentiality – Ensuring that specific information is not disclosed to unauthorized individuals and that only authorized personnel have access to it.

Integrity – Ensuring that information processing is complete, accurate, valid, and the result of authorized and controlled activities.

Availability – Ensuring that a service meets specific stability requirements so that relevant information is accessible when needed.

These are the same definitions used in the «Nasjonal Strategi for informasjonssikkerhet» (National Strategy for Information Security).

Overarching Principles

The overarching principles define the framework for all work related to information security, digital security, and privacy at NTNU. The management has established the following overarching principles:

a. The work on information security should support NTNU in fulfilling its social mission and maintaining trust in society.

b. NTNU shall work systematically, methodically, and purposefully with information security to balance risk with openness.

c. NTNU shall protect its information assets and digital infrastructure through complementary security measures in multiple layers that prevent or limit harm in case of undesired events for NTNU, partners, individuals, or society.

d. NTNU shall uphold confidentiality, integrity, and availability though security measures where value and actions are balanced by being as open as possible but as closed as necessary.

e. A risk owner cannot accept risks that extend beyond their own risk domain or that may cause harm to NTNU, individuals, society, partners, or others.

Security Goals

The management at NTNU has adopted the following goals and priorities for information security:

a. NTNU shall have an overview of information assets that are processed and managed, as well as risk-reducing measures implemented to protect them

b. NTNU shall have a resilient and defensible digital infrastructure designed to adequately protect information and infrastructure, as well as detect, handle, and mitigate harm from undesired events.

c. All individuals with a user account associated with NTNU shall have a conscious understanding of information security and privacy and contribute to securing NTNU’s information assets by adhering to principles and requirements of information security.

d. NTNU shall utilize security incidents, deviations, and audits for systematic and continuous learning, improvement, and targeted actions, enabling the organization to effectively address risks and the current threat landscape.

Strategy for Information Security

The strategy describes how NTNU will achieve its goals for information security by focusing on three core areas. The first area is the implementation of risk management by the organization and its leaders, the second is the development of a security culture, competence, and attitudes, and the third is maintaining a robust infrastructure that safeguard digital security.

Risk management and control of information security are the responsibility of the management and are part of the regular organizational governance and internal control. Leaders should have a good understanding of risks and an overview of the information assets they are responsible for, enabling them to make informed decisions and prioritize the implementation of security measures.

The work on security culture and training should be a systematic and continuous improvement process. Increased competence should empower employees and students to secure NTNU’s information assets through a risk-based approach.

NTNU shall ensure the protection of information assets through the systematic implementation of the requirements outlined in the policies based on the control points in ISO 27002:2022. Requirements for information security and privacy shall be incorporated in the design, procurement, development, management, and disposal of information systems and digital infrastructure. The Norwegian National Security Authority’s (NSM) Basic Principles for ICT Security Version 2 are used as a target for the minimum acceptable level of basic security for digital infrastructure. Additionally, incidents and discrepancies are actively utilized to measure achievement within the various requirements.

The work on information security is a continuous process and can be divided into three parts:

a. The governing part sets principles and goals, policies, and delegated responsibilities within the work on information security. This is defined through the information security management system.

b. The executing part consists of training and implementing the requirements in the information security management system. At a higher level, this involves having an overview of information assets, performing value assessments, establishing ownership, identifying risks to information assets, and implementing risk-reducing measures to an accepted level of risk.

c. The controlling part includes incident management, deviation management, reporting, auditing, and management review.

As a comprehensive university with a technical and scientific profile, NTNU contributes to the development of Norway by creating value and forming the technological foundation for the future global society. NTNU’s long-term research mission requires trust in the integrity of research data and results, ensuring that they are preserved and can be verified and built upon in the future. The work on information security supports this by safeguarding integrity, ensuring that information intended to be open is accessible, and securing confidential information.

The work on security culture and training supports NTNU’s goals in terms of career and competence. NTNU aims to ensure that students have competence in information security and privacy through training programmes and the use of technology that equips students at NTNU to meet social challenges with knowledge and good habits for protecting information assets. Through the training of students and employees, NTNU contributes to enhancing societal security. Targeted training for leaders and other key roles aims to raise awareness of information security and ensure the right competence in support functions.

To achieve good and sustainable solutions for workspaces, learning environments, laboratories, and infrastructure, trust must be gained from those who will use the solutions. Information security and privacy must be integrated into service development, space development, and digitalization to achieve this. It is also necessary to successfully adopt new enabling technologies that enhance teaching, research, and administration.

Roles and Responsibility

The work with information security affects the organization at all levels. Responsibility and authority for information security should follow the regular line of responsibility.

Leaders who are responsible for goals, tasks, services, and processes should also be responsible for associated information processing and information security. Furthermore, certain roles are specified through the information security management system and are given specific responsibilities for defined areas.

Board

• Is ultimately responsible for information security and should be informed annually about the work on information security
• Is responsible for conducting internal audits of information security at NTNU

Rector 

• Is the overall data controller for the processing of personal data at NTNU
• Should provide annual updated to the Board of Directors regarding the work on information security and privacy.

Director of Organization and Infrastructure

• Is responsible for ensuring that the requirements in the information security policy are implemented in the organization through a functioning information security management system
• Should ensure the development of action plans that ensure systematic and continuous work on information security
• Should ensure adequate funding for the work on information security
• Is responsible for collecting and reporting to the management’s annual review of the work on information security to the Bord of Directors
• Should ensure that relevant parties are notified in the event of serious breaches of information security
• Is responsible for implementing necessary measures to ensure appropriate handling of deviations from information security
• Should ensure that the Data Protection Officer regularly attends meetings with the Rector and meetings with the Deans
• Is responsible for revising the Information Security Policy every two years to ensure the desired effectiveness and efficiency in the work on information security

Pro-rectors, Directors and Section Managers in the Joint Administration

• Are responsible for compliance with information security requirements, including requirements for the processing of personal data at the unit
• Are responsible for ensuring compliance with legislation, regulations, and approvals, and for closing any deviations
• Are responsible for maintaining an ongoing and updated overview of ICT systems used and the processing of personal data at the unit.
• Are responsible for ensuring that employees in the unit have sufficient training in information security and can fulfil their duty to assess risks in new projects and processes, as well as report deviations from information security
• Are responsible for ensuring that all employees within the unit have access to services and materials that enable them to protect NTNU’s information and information systems
• Are responsible for conducting a systematic review of data processor agreements and other agreements of significance to information security work, as well as reviewing deviations within the department on at least an annual basis
• Are responsible for ensuring that internal control in information security work functions within the unit

Dean/Museum Director

• Is responsible for compliance with information security requirements, including the processing of personal data, at the faculty/science museum
• Is responsible for ensuring that all department heads are familiar with current procedures and policies in information security work
• Is responsible for establishing necessary local procedures as needed
• Is responsible for ensuring compliance with legislation, regulations, and approvals, and for closing any deviations
• Is responsible for maintaining an ongoing and updated overview of ICT systems used and the processing of personal data at the faculty/science museum
• Is the research manager according to the Health Research Act for their own faculty and should have an overview of the research portfolio at the faculty
• Is responsible for ensuring that employees in the unit have sufficient training in information security and can fulfil their duty to assess risks in new projects and processes, as well as report deviations from information security
• Is responsible for ensuring that students at NTNU receive necessary training in information security
• Is responsible for ensuring that all employees within the unit have access to services and materials that enable them to protect NTNU’s information and information systems
• Is responsible for conducting dialogues with respective sub-units to assess whether the allocated resources are sufficient for carrying out the information security work, including the follow-up of procedures and deviations, on at least an annual basis
• Is responsible for ensuring that internal control in information security work functions within the faculty/science museum.

 Head of Department

• Is responsible for ensuring compliance with information security requirements, including the processing of personal data, at the institute
• Is responsible for maintaining an ongoing and updated overview of ICT systems used and the processing of personal data at the institute
• Is responsible for ensuring that employees are familiar with relevant laws, regulations, information security procedures, and research ethical guidelines
• Is responsible for enabling employees to fulfil their obligations to assess risks in new projects and processing activities, as well as reporting deviations in information security
• Is responsible for ensuring that internal control in information security work functions at the institute/unit

Head of Division for Governance and Management Systems

• Is responsible for incorporating information security as one of several areas in comprehensive internal control system
• Should be consulted when revising information security policies to ensure a holistic and effective internal control approach

Head of HR and HSE Division

• Is responsible for organizational development and change management in information security work, including ensuring that managers are aware of and have sufficient competence and risk understanding to fulfil their responsibilities for risk management in information security
• Should be consulted when revising information security policies to ensure a holistic approach to security and preparedness at NTNU

Head of IT Division

• Is responsible for maintaining an ongoing and updated overview of NTNU’s ICT infrastructure and ensuring the security of information within and between systems
• Is responsible for ensuring that all employees and students at NTNU have access to services and materials that enable them to protect NTNU’s information and information systems
• Is responsible for the management of NTNU’s electronic business certificate.
• Should be consulted when revising information security policies to ensure desired effectiveness and efficiency in information security work.

Head of Digital Security Section

• Is responsible for implementing security requirements for NTNU’s ICT infrastructure
• Should be consulted when revising information security policies to ensure a holistic approach to security and preparedness at NTNU  

System Owner

• All ICT systems at NTNU must have a system owner
• Is responsible for ensuring that the development, management, and/or operation of the ICT system meet information security requirements

Project Manager

• Is responsible for the operational responsibility and internal control during the implementation of research projects and other projects, from planning to completion, including compliance with relevant legislation, research ethics and internal guidelines
• Is responsible for obtaining necessary approvals and notifications and for entering into agreements required to safeguard information security and privacy
• Is responsible for access control in confidentiality is requires, e.g., in the processing of personal data in the project
• Is responsible for ensuring that relevant and necessary documentation requirements are met in the project

Project Supervisor/Student Supervisor

• Is responsible for ensuring that students involved in student projects are familiar with NTNU’s procedures, policies, and overarching regulations regarding information security and the processing of personal data

Data Protection Officer

• Should provide advice on how NTNU, as the data controller, can best safeguard privacy interests
• Should provide advice on assessing possible privacy consequences (DPIA) upon request
• Should verify the implementation of privacy impact assessments
• Should verify compliance with regulations
• Should stay informed about and follow up on deviations concerning privacy
• Should serve as a point of contact for the Norwegian Data Protection Authority and data subjects

Privacy Advisor for Research (Sikt Privacy Services) 

• Provides advice on how NTNU, as the data controller, can best safeguard privacy interests in research projects
• Receives notifications regarding the processing of personal data in research projects and maintains a record/overview of such processing in a separate notification archive

All Users

• Are responsible for familiarizing themselves with relevant legislation on information security, including the Personal Data Act, as well as the Health Research Act, Copyright Act, and eGovernment Regulations
• Are responsible for acquainting themselves with relevant policies for information security in the use of NTNU’s ICT infrastructure and in research projects and other projects
• Are obligated to report incidents (undesirable events) related to breaches of information security and the processing of personal data in accordance with the applicable deviation handling guidelines when they become aware of such incidents

Key Laws and Regulations

a. Personal Data Act (and General Data Protection Regulation – GDPR): Provides rules for the protection of individuals in connection with the processing of personal data, obligations for NTNU as the data controller, the use of a data protection officer, and rights for the data subject

b. Administrative Procedure Act (and eGovernment Regulations): Requirements for case processing, documentation, due diligence, as well as requirements for internal control and information security

c. Public access to information Act: Requires that NTNU, as a public institution, be open to scrutiny while allowing exceptions for access when permitted or required by law

d. Archives Act: Contains rules regarding the documents that should be archived and requirements for archiving

e. Health Research Act: Requirements for organization, roles, and responsibilities in health research

f. Health Registers Act and Health Personnel Act: Rules on the processing of patient data and confidentiality obligations for healthcare personnel

g. Research Ethics Act: Rules that research should adhere to recognized research ethical norms, for both the researcher and the institution

h. Copyright Act: Contains rules on intellectual property rights and the use of images

i. Protection Instruction and Security Act: Imposes requirements for classification and handling of information

j. Export Control Act: Provides rules for control and prohibition of the export of strategic goods, services, and technology, including illegal knowledge transfer

Additionally, other laws and regulations may be relevant, such as the Electronic Communications Act, Police Register Act, Biobank Act, Patient Records Act, etc.