The term information assets refers to anything that contains information, such as data in an information management system, software, physical assets, services, people and intellectual property.
Information security is a matter of preventing data from being lost, corrupted or leaked, regardless of whether it is being processed electronically, physically or verbally between colleagues. Good information protection involves processing procedures, physical security measures and technical solutions.
When starting a new project
As the information owner, every time you start a new project you should:
• Classify the information you will be processing based on the level of security it requires. Information classification is a good basis on which to choose and procure IT services and develop security procedures.
• Conduct a risk and vulnerability analysis to describe the vulnerabilities, threats and risks associated with handling your information physically or electronically. A risk analysis must always be performed before a new IT service is commissioned.
What you need to consider as an employee
As an employee, you need to know how to deal with the information you use and come across while performing your duties. Regardless of which security level you are operating at, the following measures always increase information security:
- Safeguard your computer and phone passwords and always lock your door.
- Make sure you back up your data and install antivirus software and updates on your computers and mobile devices. Old versions of software may have security vulnerabilities.
- Think about where you are and who is around you when you handle information, whether in conversation, printouts or on screen.
- Be alert to attempts to trick you into divulging personal information via fraudulent emails or online forms – so-called phishing. The University's IT staff will never ask you for your password in an email.
- Exercise good judgement when online. A single visit to a certain website may be enough to infect your computer or mobile device with malware. Report any incidents to email@example.com – they will also be happy to offer advice and support.
- Never store personal data or other sensitive information in cloud services and never send sensitive information by email.
- Notify the University's Data Protection Officer if you are processing personal data: firstname.lastname@example.org
- Ensure that any information you need to save is archived. Prepare for archiving as soon as you start collecting data.
To learn more about information security, you can attend MSB's course for digital information security. You will find the course here (only available in Swedish).
What you need to consider as an information owner
Each information asset should have the right level of security, regardless of whether it is being processed for research purposes, in courses and programmes or central administration. As the information owner, you must therefore ensure that the information for which you are responsible is correctly documented and processed. Umeå University has an information security policy describing how this work is to be conducted.
Identify the right level of security
The level of protection should be adapted to the nature of the information, so that it is not overly complicated or expensive. The aim is to have the right protection in place, not necessarily the highest possible level of security. For example, if the information is not classified as confidential, there is no need to employ expensive solutions or complex procedures to protect it from leaks. When working with information security, there are three aspects to consider:
• Confidentiality – only authorised users have access to the information.
• Integrity – the information is accurate and uncorrupted.
• Accessibility – the information is available when you need it.
As the information owner, it is up to you to assess the information in question based on these three aspects, and to adapt protection accordingly. As an example, the University's evacuation plan contains information that places high demands on accessibility and integrity, but that is in no way confidential.
Roles and responsibilities
The University Board and the Vice-Chancellor
Information security manager
Dean, head of department or head of office
Systematic information security management
How this work is to be conducted is described in our Information Security Policy and information security management system. Among other things, the Information Security Policy describes the University's procedures and the division of roles and responsibilities.
The University conducts risk and vulnerability analyses of its systematic information security management. This risk and vulnerability analysis presents various risk scenarios covering:
1. risks of relevance to achieving the desired results from the information security management system as a whole; and
2. risks associated with information security and personal data processing related to confidentiality, integrity and accessibility, the likelihood of these risks being realised and the likely consequences for the University's operations and organisation.
The risk and vulnerability analysis is the basis for the Information Security Action Plan.