Dear staff and students at Aarhus University,
Information and data play a crucial role in our daily work. This applies for digital platforms such as those with emails, teaching schedules and research databases. It also applies for the data we store on paper, on dictaphones, or in blood-sample test-tubes.
The information must be accessible when we need it, but we must also all help to protect it, so that society can be confident that we process the data they entrust to us with respect and consideration.
In other words, information security is a vital factor in ensuring that our routines function well and not least that we can continue our work and deliver our important contributions to society.
Information security is not just about technical aspects such as anti-virus programs, firewalls and two-step authentication. It is equally about how we each behave when we are working with information and data. In other words: A football match is not only decided by the systems each of the teams play. It is just as much about how the players behave on the pitch.
With respect to information security, scepticism and common sense will take us a long way. Therefore, as a university, we have a good starting point. However, I would urge everyone to familiarise themselves thoroughly with our information security policy. These are the guidelines for information security, and you have a duty to know and comply with them, no matter whether you are a student or an employee, and regardless of whether you work in research, education, consultancy or administration. By complying with the guidelines, we can each contribute to ensuring that data and IT systems at Aarhus University are secure, and, not least, that they are accessible when we need them!
Brian Bech Nielsen
Aarhus University's information security policy has been approved by the senior management in February 2022.
This policy forms the overall framework for information security at Aarhus University on the basis of the university's overall strategy 2025:
Aarhus University is a strong university that is internationally recognised for the high quality of its research, research-based degree programmes and public sector government consultancy, in addition to value-creating collaboration with private businesses, public sector institutions and civil society. The curiosity-driven creation of knowledge rooted in strong disciplines to benefit society is the university’s reason for existing.
Maintaining confidence in Aarhus University requires that critical information is protected with measures to ensure the necessary level of information security. Our work is based on three cornerstones:
Anyone associated with Aarhus University can find out about the guidelines applying for information security in the information security policy. The guidelines reflect requirements in legislation and from relevant authorities such as the Ministry of Higher Education and Science, e.g. requirements to use the common information security standard, ISO 27001.
The information security policy covers all of Aarhus University's information assets, i.e.:
Examples of information assets are:
The information security policy applies for:
The senior management team has decided that:
The following responsibilities apply with respect to protecting Aarhus University's information assets:
If an employee or student discovers threats against or breaches of information security, the employee or student must inform the Information Security Department.
Exemptions from following the information security policy may be granted in exceptional cases by sending a request for exemption to the Information Security Department at email@example.com, which will submit the request to the Central Information Security Committee.
Infringements of the information security policy will be treated as a security incident with corresponding sanctions.
Aarhus University's information security policy is approved by the rector on the basis of recommendations from the Central Information Security Committee.
As part of overall security management, on the basis of the ongoing management reporting of the risk landscape, the senior management team will review the information security policy at least once a year.