Information Security

Dansk

 Information Security Information security management at AU (ISMS) Annual planning cycle: ISMS PLAN: Planning and risk assessment

Step 1: PLAN: Planning and risk assessment

AU’s information security policy sets out minimum requirements for the activities that must be carried out when implementing or evaluating a local ISMS.

In this stage, the year’s activities can be planned. We recommend basing the choice of activities on a risk assessment.

In the PLAN phase, the basic documents for information security work are prepared and maintained. Including risk assessment.

At least once a year, activities to increase awareness of information security should be planned. In a risk assessment, you identify the physical and virtual risks to which your area is vulnerable. Subsequently, you should document how you handle the individual risks in a risk management document.

The first step towards a local ISMS is thus identification and documentation of risks.

Find out more about how to perform a risk assessment. (Danish only)

Get off to a good start

Organisation and clarification

A clear division of responsibility is necessary when working with information security. The following roles must be clearly assigned:

  • The senior management team – which has approved the university’s information security policy
  • The information security department – which provides support for the implementation of ISMS
  • The manager of the unit – who is responsible for implementing the local ISMS
  • The system owner – who is responsible for the data contained in a specific system

Clarify your information security needs

To begin with, you must clarify what your ISMS must cover. What should the local ISMS contain - for example at a faculty, a department/school or an administrative unit.

  • Clarify what systems and information you have and what threats they face.
  • Document choices and initiatives in relation with the ???
  • Plan emergency response initiatives.
  • Prepare and approve a plan for managing information security risks.

Dealing with all risk at the same time is not necessarily a good idea. It may make more sense to focus on selected risks the first year and shift focus to others in subsequent years.

Document your activities

  • Adopt a file naming convention
  • Decide on acceptable file formats.
  • There must also be a process for reviewing and approving the documentation.
  • There must be an audit trail for changes to the documentation.

GOOD ADVICE

Make sure everyone understands their role and responsibility. Make sure you have the support of your immediate manager to ensure agreement on the division of responsibility and tasks.

Revised 21.07.2023
-
Webredaktionen, Universitetsledelsens Stab