Information security management at AU (ISMS)

Information security is essential for Aarhus University's reputation, credibility and functionality.

Information and information assets are necessary and vital to Aarhus University. Therefore they must be protected and managed correctly to ensure that the university runs smoothly and that valuable data does not go missing or fall into the wrong hands such that it can be misused.

Anyone associated with Aarhus University can find out about the guidelines applying for information security in the information security policy. The guidelines reflect requirements in legislation and from relevant authorities such as the Ministry of Higher Education and Science, e.g. requirements to use the common information security standard, ISO 27001 (extract from the information security policy).

The steps towards complying with the overall information security policy are described in this document and are illustrated in an 'annual planning cycle', which describes the steps and responsibilities for different roles in work on information security.

Information security work can be divided into five maturity levels, depending on the organisation's work and culture, willingness to take risks and the information for which staff are responsible. The ISMS can take us up to maturity level 3 (Defined), which means that:

"Procedures are standardised, documented and communicated through training.

It has been announced that the procedures must be complied with, but it is unlikely that non-compliance will be discovered.

The procedures are usually a formalisation of existing practice. "

Information security work at Aarhus University is systematised through an information security management system (ISMS), which defines, documents and administers activities to ensure that the organisation adequately protects information and information assets against threats and vulnerabilities.

The central ISMS describes the minimum level of activity required in the local management systems, and who is responsible for establishing and using the management systems locally.

Ensuring information security at Aarhus University includes continuous improvement measures based on the ideas behind the PDCA cycle (The Deming Cycle). PDCA is short for PLAN-DO-CHECK-ACT and covers the following:

Figur 1 – The PDCA cycle 

1. In the PLAN phase, the basic documents for information security work are prepared and maintained.
2. The DO phase includes implementation and administration of these documents in practice.
3. In the CHECK phase, the status of activities and information security measures are evaluated and documented, and possible improvements are identified.
4. In the ACT phase, measures and improvements are launched.

The objective of an ISMS at Aarhus University is to describe how the requirements for information security are to be complied with, as well as the role of the university management and, in particular, the individual unit and user in protecting Aarhus University's information assets. The ISMS at Aarhus University focuses on making sure that everyone helps ensure that critical and sensitive information and information assets retain their:

1. Confidentiality: Only people with a legitimate need have access to information.
2. Integrity: Information must be consistent and in a form that can be trusted.
3. Availability: Information must be available to the right people at the right time. 

At Aarhus University, information security work is based on the requirements of ISO 27001 (common international information security standard), and the framework comprises the following:

• The information security policy
• A central ISMS
• Underlying policies on information security
• Templates and guidelines for local procedures

Information security policy: The information security policy at Aarhus University states that the central ISMS must be continuously adjusted and improved to reflect the threat landscape faced by the university.

Management system (ISMS): Information security work is a managerial responsibility controlled through the central ISMS at Aarhus University, and it applies to the entire university as well as all users of data, information and information assets belonging to the university.

Policies and procedures: In order for information security to work, information security activities must be integrated into the current organisation, taking into account existing work processes, organisation and allocation of responsibilities.

According to the information security policy at Aarhus University, the information security department prepares and recommends the overall objectives and measures for information security, which are then approved by the Central Information Security Committee (CISU) and the senior management team.

Figure 2 - Organisation of information security committees

Senior management team: The central ISMS is anchored with the senior management team, which

• is to be kept informed of the current risk landscape for information security in all units.
• is responsible for ensuring that the central ISMS is continuously adjusted and improved to reflect the threat landscape faced by the university.
• is responsible for ensuring that all units and users are informed about their responsibilities with regard to information security at Aarhus University.

Furthermore, the senior management team may delegate mandates and tasks to ensure that information security requirements are implemented locally and work in practice.

Head of information security: The head of information security in AU IT has overall operational responsibility for day-to-day management and coordination of information security measures at Aarhus University, including:

• maintenance of the central ISMS and documentation
• follow-up on activities, standards, guidelines, checks and measures related to information security on behalf of the senior management team, and that these are complied with and implemented.

Manager: Managers have overall responsibility for information security in their units, and activities include

• local awareness work throughout the year
• ensuring that all users in the unit have received the right information, training, etc.
• ensuring that the information security policy, the ISMS and the underlying policies, procedures, rules of conduct and all other central information concerning information security are communicated, implemented and complied with by all users in the unit, without exception
• developing and applying an adapted local ISMS that is complied with in practice and is at maturity level 3
• developing and implementing local policies and procedures.

The central ISMS at Aarhus University states the minimum requirements for the local management systems to be established and used by managers.

For a more detailed description of activities and the steps towards maturity level 3 at local level, see the annual planning cycle.

'PLAN' - planning (ISO27001 reference: sections 4, 5, 6 and 7)

The PLAN phase covers the activities below. The manager is responsible for:

• describing the unit's context/function, including identifying stakeholders and their requirements for information security
• establishing a local ISMS based on the central ISMS, which, as a minimum, complies with the requirements of ISO 27001
• showing leadership and commitment, developing policies and ensuring that the ISMS achieves the intended results, and for delegating and communicating roles, powers and responsibilities in this connection
• applying Aarhus University's risk management process for risk assessments, including system classification
• drawing up a list/document based on substantiated opt-ins and opt-outs on the basis of the risk assessment, for following up on checks of security measures (also known as a SoA document)
• planning contingency activities
• preparing and approving the plan for managing information security risks
• setting objectives for information security for the unit, with focus on confidentiality, integrity and availability
• ensuring that the necessary resources, competences and awareness are present, as well as communication and documented information.

'DO' - operation (ISO 27001 reference: section 8)

In this subsequent implementation phase (the DO phase), the manager must:

• plan, establish, implement, administer and comply with the local ISMS, as well as the policies, procedures etc. required
• implement plans to meet the objectives of information security
• store documented information to the extent necessary in order to confirm that activities of relevance to information security have been carried out as planned
• ensure that planned changes with potential significance for information security are managed, that the consequences of unintended changes are reviewed, and that actions are taken to mitigate any negative effects of changes
• ensure that any outsourced processes and sub-deliverables of relevance to information security are established and managed
• ensure that local assessments of information security risks are carried out at planned intervals (at least once a year), or when significant changes take place, including that these are consolidated and communicated to the senior management team via the information security committees
• ensure that plans and actions for managing information security risks are implemented, and that these are communicated to the senior management team via the information security committees
• ensure that ongoing local awareness activities are carried out so that all relevant people are informed about their tasks and responsibilities
• ensure implementation of measures from the risk management plan (technical as well as organisational), respond to security incidents at planned intervals and revisit the risk process.

'CHECK' - evaluation (ISO 27001 reference: section 9)

The manager is responsible for ensuring that information security measures are continuously evaluated (in the CHECK phase), including:

• that it has been determined what is to be monitored and measured locally to verify that information security measures are working
• that methods to monitor, measure, analyse and evaluate can provide valid results
• determining when local monitoring and measurement are to be carried out and by whom, including testing contingency plans
• that the results of monitoring and measurement are analysed and evaluated
• that appropriate, documented information is stored locally as evidence of the results
• that local internal audits are carried out at planned intervals to establish whether the unit is complying with Aarhus University's requirements for information security
• ensuring monitoring, measurement, analysis and evaluation of whether the ISMS and the information security measures are working as intended
• ensuring that internal audits are carried out, and external audits if relevant
• reviewing the ISMS at planned intervals to ensure that it is working as intended, including the results of monitoring and measurement, as well as audit results
• ensuring that the review includes decisions regarding continuous improvements and the need for changes in the ISMS
• storing documented information as proof of the review
• reporting to the senior management team (via the information security committees), so that the senior management team can be certain that the above is working satisfactorily in the local units.

'ACT' - improvement (ISO 27001 reference: section 10)

During the ACT phase, the manager focuses on measures and improvements (identified in the previous phase), and these are ensured by:

• managing specific local security incidents, and by reacting to these
• evaluating such incidents and, where necessary, after a local assessment, introducing appropriate corrective actions to prevent repetition of the incident
• local follow-up to ensure that the above is working in practice
• implementing local improvement suggestions, and discussing suggested improvements to the current central ISMS, then, if necessary, escalating these to the senior management team via the CISU.
• if/when non-compliance occurs, taking action to control and correct this, considering the consequences and removing the cause of non-compliance, so that it does not occur again (applies to both the ISMS and specific information security measures)
• storing documented information as proof of the nature of the non-compliance, any subsequent actions and the results of any corrective action
• implementing continuous improvements in the ISMS to ensure its continued suitability and that it works as intended.