We hear almost daily about threats from the surrounding world of intrusion, ransomware attacks* and spying.
Lund University is of course no exception regarding these threats and we need to equip ourselves better to withstand them. These threats are real for our University, too; several other universities have already been severely affected. Trust in Lund University and the entire sector is high and, to maintain that trust in relation to wider society, we must manage to live up to its demands. As a public authority, we are of course obliged to comply with the Swedish Civil Contingencies Agency regulations for IT security (MSBFS 2020:7).
The requirements for the IT solutions that we, as a university, are expected to provide come from several sides – from the organisation, from funding bodies, from our partner universities, from companies and public authorities with which we collaborate. They set requirements on us to have professional IT management.
Currently, some parts work excellently while other have serious shortcomings. We must collaborate and utilise all the expertise we have in the best possible way in order to succeed in this endeavour. And it cannot take 10 years to implement the change journey we are facing; we must act NOW!
The vice-chancellor has tasked the university director with reviewing the conditions and requirements for computer networks and clients, proposing various data storage solutions based on different levels of security and authorisation, and making an inventory of applicable vice-chancellor’s decisions in this area. The aim is to broaden the range of university-wide services that meet the requirements. The services are to be adapted to the needs of the organisation and produced in dialogue to meet the requirements set by the organisation. In some areas, research and teaching will require special solutions that push against the boundaries, but we must ensure that we solve these cases. The solutions must also be cost-effective!
This does not mean that we should centralise IT, but that we are to offer competitive solutions. In future, the faculties and departments will still have the option of managing their own IT. However, LU will set requirements on IT security that must be met and will require the faculties to report back.
The University’s work is already underway and we have a fairly good picture of the current situation, but it could be better. The task is not easy in what many people call Sweden’s ‟most decentralised university”. We are starting with an inventory (survey) to generate a picture of the current status which will form the basis for prioritising subsequent development work. The outcome of the inventory will form the basis for discussions in the University management, vice-chancellor’s management council and faculty management teams. I expect everyone to contribute by responding to the forthcoming survey.
We need to get over the University’s sluggish insight and unwieldiness in IT to make the far-reaching changes needed in the IT organisation to raise the level of IT security and quality of IT support.
A final point: I am well aware of the need for organisational units to have access to local IT user-support and this is something we must strive to preserve.
Now let’s roll up our sleeves and get to it.
/ Viktor Öwall
Swedish Civil Contingencies Agency regulations for IT security (MSBFS 2020:7) (in Swedish)
*Ransomware attacks are extortion software or extortion viruses, a kind of malware that aims to extort money, often by taking files hostage through encryption.
This text is published in LU News 1 - 2022