Information security is essential for Aarhus University's reputation, credibility and functionality.
Information and information assets are necessary and vital to Aarhus University. Therefore they must be protected and managed correctly to ensure that the university runs smoothly and that valuable data does not go missing or fall into the wrong hands such that it can be misused.
Anyone associated with Aarhus University can find the guidelines that apply to information security in the information security policy. The guidelines reflect requirements in legislation and from relevant authorities such as the Ministry of Higher Education and Science, e.g. the requirement to use the common information security standard, ISO 27001 (extract from the information security policy).
The steps towards complying with the overall information security policy are described in this document and are illustrated in an 'annual planning cycle', which describes the steps and responsibilities for different roles in work on information security.
Information security work can be divided into five maturity levels, depending on the organisation's work and culture, willingness to take risks and the information for which staff are responsible. The ISMS can take us up to maturity level 3 (Defined), which means that:
"Procedures are standardised, documented and communicated through training.
It has been announced that the procedures must be complied with, but it is unlikely that non-compliance will be discovered.
The procedures are usually a formalisation of existing practice."
Information security work at Aarhus University is systematised through an information security management system (ISMS), which defines, documents and administers activities to ensure that the organisation adequately protects information and information assets against threats and vulnerabilities.
The central ISMS describes the minimum level of activity required in the local management systems, and who is responsible for establishing and using the management systems locally.
Ensuring information security at Aarhus University includes continuous improvement measures based on the ideas behind the PDCA cycle (The Deming Cycle). PDCA is short for PLAN-DO-CHECK-ACT and covers the following:
Figure 1 - The PDCA cycle
The objective of an ISMS at Aarhus University is to describe how the requirements for information security are to be complied with, as well as the role of the university management and, in particular, the individual unit and user in protecting Aarhus University's information assets. The ISMS at Aarhus University focuses on making sure that everyone helps ensure that critical and sensitive information and information assets retain their:
At Aarhus University, information security work is based on the requirements of ISO 27001 (common international information security standard), and the framework comprises the following:
Information security policy: The information security policy at Aarhus University states that the central ISMS must be continuously adjusted and improved to reflect the threat landscape faced by the university.
Management system (ISMS): Information security work is a managerial responsibility controlled through the central ISMS at Aarhus University, and it applies to the entire university as well as all users of data, information and information assets belonging to the university.
Policies and procedures: In order for information security to work, information security activities must be integrated into the current organisation, taking into account existing work processes, organisation and allocation of responsibilities.
According to the information security policy at Aarhus University, the information security department prepares and recommends the overall objectives and measures for information security, which are then approved by the Central Information Security Committee (CISU) and the senior management team.
Figure 2 - Organisation of information security committees
Senior management team: The central ISMS is anchored with the senior management team, which
Furthermore, the senior management team may delegate mandates and tasks to ensure that information security requirements are implemented locally and work in practice.
Head of information security: The head of information security in AU IT has overall operational responsibility for day-to-day management and coordination of information security measures at Aarhus University, including:
Manager: Managers have overall responsibility for information security in their units, and activities include
The central ISMS at Aarhus University states the minimum requirements for the local management systems to be established and used by managers.
For a more detailed description of activities and the steps towards maturity level 3 at local level, see establishment of local security management.
'PLAN' - planning (ISO 27001 reference: sections 4, 5, 6 and 7)
The PLAN phase covers the activities below. The manager is responsible for:
'DO' - operation (ISO 27001 reference: section 8)
In this subsequent implementation phase (the DO phase), the manager must:
'CHECK' - evaluation (ISO 27001 reference: section 9)
The manager is responsible for ensuring that information security measures are continuously evaluated (in the CHECK phase), including:
'ACT' - improvement (ISO 27001 reference: section 10)
During the ACT phase, the manager focuses on measures and improvements (identified in the previous phase), and these are ensured by:
Kristian Thorn, University Director, The Rectorate
Thomas Kaaber, Information Security Manager, AU IT - Information Security
Anders Møller, Professor, Deputy Head of Department, Department of Computer Science
Peter Bruun Nielsen, Deputy Director, AU IT - AU IT Staff
Søren Broberg Nielsen, Head of Research Data Office, AU Research Support - Research Data Office
Mads Rasmussen, Head of IT, Health Administrative Centre - Health IT Support
Kim Mannemar Sønderskov, Professor, Department of Political Science
Brian Vinter, Vice-Dean, Dean's Office, Technical Sciences
The faculties and the administration also have local Information Security Committees (FISU).