Information security

Inland Norway University of Applied Sciences will safeguard information security when processing information relating to research, education, dissemination and administration.  

Good information security means protecting all types of information that the university handles. This in turn requires that the systems processing that information, such as ICT systems and digital services, are themselves secure. 

Good information security will ensure that information: 

  • does not become known to unauthorised persons (confidentiality) 
  • is not altered unintentionally or by unauthorised persons (integrity) 
  • is available when required (availability) 

Routines and guidelines 

We have established an information security management system (LSIS) that clarifies roles and responsibilities, and that will help us fulfil our obligations. 

Roles and responsibilities

A complete description of roles and responsibilities in the university’s information security work can be found in the Information Security Management System (LSIS). The descriptions below are an excerpt of the most important factors. 

Managers

Managers of the university’s faculties, departments and other units (such as research centres and libraries) are responsible for safeguarding information security within their own area of responsibility. 

The managers must ensure that unit activities comply with the university’s security strategy, adopted security objectives and acceptable risk criteria. 

Among other things, they are responsible for ensuring that information security is safeguarded in IT systems/services of which the unit is the system owner. 

Responsibility for day-to-day compliance may be delegated to one or more employees. 

Duties 

Managers must: 

  • Maintain an overview of the information assets and IT solutions for which the unit is responsible. 
  • Make risk assessments 
    • of IT systems/services that the unit owns, the use of these and the use of IT equipment. 
    • of work processes as well as physical conditions that are of importance regarding information security. 
    • when purchasing IT solutions. 
    • in the event of significant changes in work processes, IT solutions or physical conditions. 
  • Implement security measures when a risk assessment shows that information security is not satisfactory, and report the action plan to the Chief Security Officer (CSO). 
  • Ensure that employees are familiar with routines and have sufficient expertise to safeguard information security in their work. 
  • Ensure that nonconformities and security breaches are notified and that the nonconformities are resolved. 
  • Ensure that Privacy by Design requirements are met when purchasing IT solutions.  
  • Ensure that data processing agreements are entered into with external actors to safeguard information security, and ensure that the terms are respected. 

System owner or system administrator 

System owner responsibility for the university’s IT systems has been delegated from the Rector to the managers of departments, faculties and units. 

The system owner is normally the senior manager of the department/unit that uses the system, and has overall legal and financial responsibility for the system. 

The system owner may appoint a system administrator who has insight into the system in question and ensures compliance on a day-to-day basis. 

Responsibility for the university’s shared systems lies with the staff and support functions. 

Duties 

The system owner or system administrator must: 

  • Ensure that information security requirements are met in relation to system functionality. 
  • Ensure that the system complies with laws, regulations, guidelines and other requirements within the relevant management area. 
  • Ensure that the system complies with general guidelines and provisions at the university. 
  • Follow up on procurement, development, maintenance and user support agreements with suppliers. 
  • Make risk assessments of the system. 
  • Establish security and operational routines for the system. If necessary, ensure routines for manual operation are in place so that services may continue in the event of any IT solution failures.  
  • Provide training on the use of the system and applicable routines. 
  • Provide non-technical user support for the system. 
  • Detect and correct errors in the system and deal with nonconformities. 
  • Clarify archive-related matters for the system with the university’s Head of Archives. 
  • Carry out the role of ‘data controller’ as defined in the Personal Data Act (Norwegian only). 
  • Collaborate with other system owners through the university’s system owner forum. 

What does the IT department do? 

The IT department is responsible for the technical operation of the IT system when it is not outsourced to an external supplier. 

As a system owner or system administrator, you can expect that the IT department: 

  • Is responsible for the operation of technical IT infrastructure, the highest possible uptime and correction of errors. 
  • Conducts the technical implementation of solutions (such as installation, upgrades and customisation) according to agreements with the system owner. 
  • Is responsible for technical IT support. 
  • Is responsible for data backup according to agreements with the system owner. 
  • Provides support to the system owner in the supplier contact. 
  • Contributes to the implementation of risk assessments. 
  • Is responsible for technical information security. 

Project managers in research projects 

As project manager in a research project, you are responsible for ensuring that information security is safeguarded in the project.  

You must ensure that the project complies with the university’s security strategy, adopted security objectives and acceptable risk criteria. 

Among other things, you are responsible for ensuring that information security is safeguarded in IT systems/services that the project uses. 

You can find more information regarding these responsibilities on the research support webpage. 

Duties 

The project manager in research projects must: 

  • Report research projects to the Head of Research at Inland Norway University of Applied Sciences, and to the local data protection officer or the Norwegian Centre for Research Data if necessary. 
  • Have an overview of the information assets that are processed and the IT solutions used in the project. 
  • Ensure that risk assessments are made during start-up and in the event of significant changes to the project, including changes to IT solutions or physical conditions. Regular risk assessments should be carried out in long-term projects. The risk assessments should include the project’s use of: 
    • IT systems/services. 
    • IT equipment. 
    • Physical conditions that are of importance regarding information security in the project. 
    • Procurement of IT solutions in the project. 
  • Ensure that security measures are implemented if the risk assessment shows that the information security in the project is not satisfactory, and report the risk management plan (action plan) to the Chief Security Officer (CSO). 
  • Ensure that the project participants have the expertise to carry out their security tasks, are familiar with the routines for processing information assets in research, and know the procedures for reporting nonconformities and security breaches. 
  • Ensure that nonconformities and security breaches are resolved, and that the Chief Security Officer (CSO) is notified of any personal data breach that must be reported to the Norwegian Data Protection Authority. 
  • Ensure that Privacy by Design requirements are met when purchasing IT solutions. 
  • Ensure that data processing agreements are entered into with external actors in research projects to safeguard information security. 

External partners 

The university collaborates with external actors in a number of projects. Partners are responsible for ensuring that information security is safeguarded in collaboration with the university. 

This responsibility involves complying with applicable routines and guidelines, and taking special care when processing information assets and personal data. 

Duties 

  • Report nonconformities in relation to adopted routines/guidelines and breaches of information security. 
  • Assist in the planning, implementation or follow-up of specific security tasks if requested. 

Users (employees and students) 

All users have a responsibility to ensure that information security is safeguarded at the university. 

This responsibility involves complying with applicable routines and guidelines, and taking special care when processing information assets and personal data. 

Read about how to avoid being hacked at sikresiden.no 

Take e-learning courses on security at sikresiden.no 

Duties 

  • Report nonconformities in relation to adopted routines/guidelines and breaches of information security. 
  • Assist in the planning, implementation or follow-up of specific security tasks if requested.