Information security
Why is information security needed?
In order to carry out your work and duties as an employee, researcher or student, you both produce and have access to large amounts of information and data necessary for your particular role. It needs to be correct and accessible whenever you need it. If the University’s information security is lacking, you may experience problems or delays in your daily work. However, the consequences may be even greater than that.
- We may experience major delays in research and teaching
- We risk producing incorrect research results
- We risk fines due to contravention of the General Data Protection Regulation (GDPR), for example
- We risk violating individuals’ privacy
- Research may miss out on funding and external collaborations
- We risk damaging trust in the University
Systematic and risk-based information security efforts are therefore needed, both at management level and as a natural part of our daily routines.
Responsibility
Employees and students
- You are responsible for handling information and data in a secure manner.
- You store your documents securely.
- You lock your computer and store it in a secure way.
- You do not talk loudly about sensitive information on the train.
- Information protection includes digital, written and spoken information.
Management
The University Board and vice-chancellor bear ultimate responsibility for information security. The vice-chancellor takes decisions on the University’s governance documents and management system for information security. These describe how the efforts are to be conducted and how risks are to be managed at the University. Roles and responsibilities must be clear, for example who can take decisions on risks, who owns different types of information and who is to implement and manage technical IT security measures and security on our premises. Management must regularly follow up on the information security efforts during the “management’s review”.
CISO - Chief Information Security Officer
An independent role tasked with developing and managing information security efforts, e.g. setting requirements, coordinating, supporting, training and monitoring compliance. The CISO is to assist the management via regular reports, recommendations and guidance documents for decisions. The CISO function’s tasks involve regular collaboration with information owners, system administrators, lawyers, the data protection officer, IT services, the security division, building services, archive services, project offices and external authorities.
Which laws apply?
The way information security work is to be conducted at the University, along with other requirements, is decided by the Swedish Civil Contingencies Agency.
MSBFS 2020:6 Föreskrifter om informationssäkerhet för statliga myndigheter (Regulations on information security for public authorities; in Swedish)
MSBFS 2020:7 Föreskrifter om säkerhetsåtgärder i informationssystem för statliga myndigheter (Regulations on security measures in information systems for public authorities; in Swedish)
Read more on the Staff Pages about the Civil Contingencies Agency’s updated and new regulations published in October 2020.
In addition, there are more than 20 laws that directly or indirectly require systematic and risk-based information security efforts to be made.
Contact
Questions about information security.
Ingegerd Wirehed
CISO, Chief Information Security Officer
informationssakerhet [at] lu [dot] se
+46 761 30 35 66