Policy for compliance (A.18)

On this page you will find the current policy for compliance. The policy ensures that Aarhus University complies with current legal requirements and guidelines for information security.

Objective

The objectives of Aarhus University's policies and rules for compliance are:

  • to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements
  • to ensure that information security is implemented and operated in accordance with the organizational policies and procedures

Compliance with legal and contractual requirements (A. 18.1)

All relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. (A.18.1.1)

Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. (A.18.1.2)

Unit managers at Aarhus University are responsible for identifying and registering applicable requirements, typically via the system owner, including acts, ministerial orders, external and internal requirements and contractual requirements. Examples of statutory requirements are GDPR, tendering and archiving obligations, the Danish Web Accessibility Act, the Danish Public Administration Act and the Access to Public Administration Files Act. The unit must also establish methods and appropriate measures for complying with these requirements.

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. (A.18.1.3)

Protecting records includes documenting the storage plan for, e.g., accounting and database records, transaction and audit logs, and operational procedures, in accordance with the risk assessment. A list of the sources of such information must also be maintained.

Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. (A.18.1.4)

Different rules and acts may apply, but as a minimum, relevant legislation in this area must be taken into account.

Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. (A.18.1.5)

In the context of access to confidential information, compliance must be assessed in relation to any prescribed or indirect right of access for local authorities to information that is encrypted by hardware or software. The guidelines must always comply with statutory requirements, for example those in the Access to Public Administration Files Act or the Danish Public Administration Act.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.

If you have other needs based on your risk assessment, this must be ensured locally.

Information security reviews (A.18.2)

The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. (A.18.2.1)

The applicable ISMS must be updated at regular intervals or when necessary.

Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. (A.18.2.2)

The documented information must be updated annually, or when necessary, so that it remains accurate and current.

Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards. (A.18.2.3)

Unit managers responsible for information systems, including research systems, must ensure that such systems are regularly checked for compliance with the organization's information security policies and standards, as well as other statutory requirements.

Systems and services provided by AU IT must be covered by a management agreement that must be complied with by the respective parties. The management agreements must ensure compliance with relevant information security policies and standards as well as other statutory requirements.

The above requirements also apply to any systems for which the unit/manager has ownership responsibility. In this situation, agreements must be set up, and these must not reduce the overall level of information security at Aarhus University.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re A.18.2.2 Alignment with security policies and security standards:
    • See AU's ISMS

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.

If you have other needs based on your risk assessment, this must be ensured locally.

Question guide

Consider the question guide as a tool to navigate the requirements of the policy:

  • What provisions are in place to ensure that all relevant requirements (set by AU, law, contracts, rights etc.) are complied with by each information system?
  • What provisions are in place to ensure that all relevant requirements (set by AU, legislation, contracts, rights etc.) are complied with by each software product?
  • How is personal data protected in accordance with current legislation?
  • How is information security managed and documented internally in the unit? (including the annual review of documentation, procedures and control objectives)