Improving cybersecurity 2024-2027

AU will improve cybersecurity through a joint programme with seven different focus areas towards 2027. Get an overview here. The page will be updated regularly.


Focus area 1: Protection of sensitive and confidential information in research projects

Protection of confidential and sensitive information in research projects to be improved through better classification of individual research projects and by ensuring that necessary security measures are taken both in and around the project.

Focus area owner: Søren Broberg Nielsen, division manager, AU Research Support

New initiatives:

  • All unit management teams to prepare an overview of the unit's most important information assets.
  • A threat catalogue to be created to support the owners of these information assets.
  • Data classification to be assessed and possibly adapted to reflect AU's risk tolerance for research.
  • Description to be prepared of which joint AU solutions researchers can use to meet the information security requirements for the different classification levels.
  • Security measures to be defined according to the threat level and the data being used.

Focus area 2: Protection of sensitive and confidential information about employees and students

Sensitive and confidential information about AU students and employees to be protected through technical measures and by controlling access to this type of information.

Focus area owner: Anna Bak Maigaard, deputy director, AU Student Administration and Services

New initiatives:

  • All collections of personal data for students and employees to be classified according to AU's current criteria - Read more about classification of data.
  • Access to student administration systems and administrative systems with critical data to be restricted as far as possible.
  • Two-step verification to be implemented on all central administration systems.
  • Roles and access rights to e.g. study administration systems to be reviewed and consolidated. A documented process for ongoing maintenance and monitoring of compliance with access control requirements to be implemented - read more in AU's access management policy.

Focus area 3: Improve security culture at the university

To protect sensitive and confidential information, employees and students must be familiar with and accept the need for security. It is also important that employees and students are aware of threats to information security in their daily work and show good judgement when handling information and using the internet.

Focus area owner: Thomas Kaaber, head of information security, AU IT

New initiatives:

  • Training managers at all five levels of management to know about cyber and information security.
  • Increase in the general level of knowledge by developing and implementing training activities adapted to the function and work tasks of employees and students.
  • Develop and implement awareness campaigns that address more specific topics such as phishing, passwords and data classification.
  • Develop central and local systems that can handle the ongoing implementation and development of training and awareness activities - Download awareness material.

Focus area 4: Ensure continued operation after a cyber attack

The threat from cybercriminals is high, which is why AU must develop, implement and maintain recovery and restoration plans for critical assets or systems that may be affected by a cyberattack or crash.

Focus area owner: Peter Herning, team leader, AU IT.

New initiatives:

  • Documenting how data is currently backed up at AU, both in AU's own systems and in outsourced and externally operated systems. Current backup practices to be assessed and a plan for improvement to be prepared, if necessary.
  • Recovery plans to be updated for all critical systems and the order in which they need to be recovered to be prioritised.
  • Coherent contingency plan to be developed for restoring IT infrastructure in the event that AU is affected by a major outage or cyberattack.

Focus area 5: Increased security through network segmentation

It is necessary to increase security, but it is also important to maintain flexibility in terms of how researchers can use AU's network. This particularly applies to researchers who need to use specific components or equipment without compromising other parts of IT security. Additional initiatives centred on the safe transfer of data by researchers are also necessary.

Focus area owner: Henrik Badstue, team leader, AU IT.

New initiatives:

  • Software Defined Network (SDN) and Software Defined Access (SDA) technologies to be implemented to segment access to systems and equipment based on needs and rights.
  • Network employees and IT supporters to be trained in the use and operation of SDA technology.
  • A transparent network structure is to be established that can support the need for rapid, automated deployment of new capabilities and integrations. This activity will allow the end user to order basic network services themselves, unlike today, where the network infrastructure requires a lot of manual labour.
  • Researchers and their complex requirements for components and equipment to be supported without compromising the security of other researchers or projects. This will be done by registering components that can log into the lab network.
  • Guidelines and communication material to be prepared to ensure correct use of networks by users.

Focus area 6: Minimise the risk of successful attacks

Experience with cyberattacks in the research and education sector shows that cybercriminals often succeed by exploiting weaknesses in IT infrastructure and the inability to detect attacks early. AU must therefore significantly improve its ability to prevent and detect attacks.

Focus area owner: Jacob Hedegård, team leader, AU IT.

New initiatives:

  • Capacity of AU’s Security Operation Centre to be expanded.
  • Use of AU’s Security Incident Event Management System (SIEM) to be increased.
  • Use of vulnerability scans of IT systems to be increased and be made more consistent.
  • Use of penetration testing to be increased.
  • Collaboration with cybersecurity organisations, including DK-CERT and DeiC, to be increased.
  • Access to local administrator rights on employee computers to be restricted.
  • Travel policy.
  • Conditions for accessing AU's networks and systems to be tightened.

Focus area 7: Governance

Good governance is a fundamental prerequisite for the success of the other security measures. Without clearly defined roles and responsibilities, it will not be possible to comply with and implement the necessary organisational and technical security measures. Therefore, AU must clearly define roles and responsibilities and follow up on them.

Focus area owner: Thomas Kaaber, head of information security, AU IT

New initiatives:

  • Roles, tasks and division of responsibilities between the Central Information Security Committee (CISU), local information security committees (FISU) and managers to be described.
  • Information security management systems (ISMS) to be implemented at all levels at AU. Read more about ISMS.
  • Information security officers to be appointed for relevant units. The officers will be responsible for managing and coordinating security initiatives at unit level and liaising with the FISU and the CISU.
  • Information security risk management system to be implemented at all management levels to identify, document and manage risks. It is up to the faculties themselves to decide how to organise this task, for example whether the information security officer should cover multiple departments.

Anchoring focus areas

  • The focus areas have been selected based on a number of risk statements, which have been adopted by the senior management team and approved by the AU Board.
  • The risk statements define the university's tolerance threshold and describe how security should be balanced against other factors, particularly where academic freedom has high priority.
  • Specific initiatives range from projects with their own steering committees to a number of management tasks to improve already running systems.
  • Each focus area is expected to have its own timeframe and organisation.

Steering committee

The steering committee for strengthening cybersecurity is composed of representatives from a broad range of disciplines.

  • Peter Bruun (deputy director, AU IT, chair)
  • Lasse Munk Madsen (administration centre manager, Health)
  • Kim Mannemar Sønderskov (professor in Political Science, Aarhus BSS)
  • Kristine Kilså (vice-dean for Education, Nat)
  • Mads Rasmussen (member of CISU and IT support manager, Health)
  • Anna Bak Maigaard (deputy director, AU Education)
  • Ole Jensen (administration centre manager, Arts)
  • Line Ljungqvist Dvinge (executive secretary, Tech)
  • Jesper Sølund Hansen (head of secretariat, Arts)
  • Søren Broberg (division manager, AU Research Support)
  • Thomas Vosegaard (head of department, iNano, Nat)