Policy for organization of information security (A.6)

On this page you will find the current policy for organising work related to information security at Aarhus University.


Objective

The objectives of AU's policy for the organisation of information security are:

  • to establish a management framework to initiate and control the implementation and operation of information security within the organization
  • to ensure the security of teleworking and use of mobile devices

Internal organization (A.6.1)

All information security responsibilities shall be defined and allocated. (A.6.1.1)

The senior management team has overall responsibility for information security at Aarhus University.

The Central Information Security Committee has been formed to decide the objectives and frameworks for information security. Permanent committees have been appointed at the faculties and the administration to ensure collaboration between the university's units.

The senior management team has delegated overall responsibility for information security at a unit to the unit manager. The unit manager is thereby responsible for ensuring and complying with the requirements and objectives in the information security policies for the university and the units.

Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets. (A.6.1.2)

Appropriate contact with relevant authorities shall be maintained. (A.6.1.3)

Appropriate contact with special interest groups or other specialist security forums and professional associations shall be maintained. (A.6.1.4)

Information security shall be addressed in project management, regardless of the type of the project. (A.6.1.5)

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.6.1.1 Roles and areas of responsibility:
    • Overall responsibility for information security at Aarhus University lies with the senior management team and is further organised so that responsibility for implementation and management of information security is divided between the unit management teams at the area level of the line organisation (corresponding to the department/school).
  • Re. A.6.1.3 Contact with the authorities:
    • In connection with any breach of security, a process has been set up for how the units are to report such breaches. This process ensures that the relevant authorities are contacted, for example the Danish Data Protection Agency.
  • Re. A.6.1.4 Contact with special interest groups:
    • Interdisciplinary security forums have been established, called the CISU forums, in which Aarhus University participates with the other Danish universities, and there is close collaboration with DKCERT under DeiC and management participation in the CFCS forum.
  • Re. A.6.1.5 Project management:
    • If Aarhus University’s project model is used, it has built-in mechanisms for handling security assessments before, during and after a project.

Mobile devices and teleworking (A.6.2)

A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. (A.6.2.1)

A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. (A.6.2.2)

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re A.6.2.2 Remote workplaces:
    • AU IT offers remote access to much of the university's information and to many of its systems, through VPN access.
    • A separate policy regarding remote workplaces is being prepared.

Question guide

Consider the question guide as a tool to navigate the requirements of the policy:

  • Has the management team assigned roles and responsibilities for local information security activities?
  • How can we ensure and document that functions and responsibilities are kept separate (for example, to ensure that rights cannot be abused)?
  • How is suitable communication with relevant authorities, interest groups and similar ensured and documented?
  • How is information security ensured and documented in connection with project management?
  • How is it ensured and documented that the management team follows up on and makes decisions on inadequate measures?

Information Security at Aarhus University is defined as the overall measures to ensure the Confidentiality, Integrity and Accessibility of the university's information, information assets and data.