Responsible department: IT Services

Contact: Stefan Kvarnerås

1.    Introduction

This policy is part of Stockholm University's information security management system. Its purpose is to lay the foundation for a systematic approach to information security that provides appropriate and balanced protection and quality of the university's information management. The policy describes the goals, organisation, overall roles and responsibilities related to information security.

Stockholm University is a public authority charged with conducting education and research, which means that its activities include the production, processing, storage and transfer of a large amount of information of various types in both physical and digital form.

Information security is partly about classifying all the information that the university handles and partly about ensuring that, based on that classification, the information is protected in the right way so that it is not leaked, corrupted or destroyed.

Work to ensure secure information management is based on laws, ordinances, regulations, own requirements and agreements that have been entered into. As a public authority, the university is obliged to comply with current legislation in the area, taking particular account of the Ordinance (2022:524) on the preparedness of public authorities (Förordningen (2022:524) om statliga myndigheters beredskap) and the Swedish Civil Contingencies Agency's information and IT security regulations (MSBFS 2020:6 and 2020:7).

The responsibility for secure information management is an integral part of the responsibility for the various activities within the university. This means that information security responsibility follows the delegated operational responsibility: those in charge of an activity are also responsible for the secure management of that activity's information. Information owner is a term used within information security. The role is mainly held by the head of department/director or head of office. Information ownership involves managerial responsibility in the same way as budget, quality and environmental responsibility. Information manager is also a term used in information security work, and refers to all employees, students, partners and other stakeholders who have access to the university's information.

1.1    Scope

The policy covers the entire university's information management and all information that the university owns, manages or conducts research on. Everyone who has access to the university's information is personally responsible for complying with the policy. The policy shall also be applied when the university procures information management products and services.

1.2    The document's decision-making process, document manager and updating

The policy shall be reviewed annually. Decisions shall be made in accordance with the decision-making process for governing documents at the university. The information security manager is the document manager and is responsible for the annual review of the policy.

2.    Information security policy

Stockholm University's information security policy is summarised in the following principles:

  • Information security work is to be conducted actively, systematically and on the basis of identified risks, and the cost of protection is to be weighed against the benefits and the risks.
  • To ensure the right level and scope of protection, the university's information security shall be based on risk analyses. The risk analyses are based on current threats and support the classification of information according to the university's adopted classification model.
  • The work follows operational responsibility. The information owner is responsible for ensuring that there is a documented picture of the information managed within their area of activity and that it is updated annually. The documentation must also specify the classification of the information and the rules for destruction and archiving.
  • The work shall be an integral part of the employee's responsibility for their own activities. The most important part of creating secure information management is always the employees' knowledge, awareness and motivation.
  • When collaborating with an external party and/or travelling abroad, the protection requirements of the information involved must always be assessed.
  • Information adapted to the target group, together with instructions and templates, shall be available to support the work. Information events that provide opportunities for dialogue on information security issues shall be held.

3.    The university's information security goals

The following goals apply to the university's information security work and must be followed up by management:

  • There shall always be designated information owners who have a clear responsibility for their part of the university's information management.
  • Special consideration shall be given to information that is regulated by specific legislation.
  • The university shall have a developed security awareness and encourage the involvement of all employees and, in addition to following common rules, motivate them to participate in the continuous improvement of information management.
  • Employees or other information managers shall be trained and knowledgeable in information security in relation to their role.
  • Based on the classification level, the information managed shall always be protected against unauthorised access, it shall be accurate, accessible when needed, and, where necessary, it shall be possible to determine who has had access to the information. This corresponds to the key concepts of information security: confidentiality, accuracy (integrity), availability and traceability.

4.    Responsibility and organisation

Ultimate responsibility for information security lies with the President. This responsibility includes ensuring that there are governing documents for the information security work and the resources needed to implement what the governing documents prescribe. The President is also responsible for ensuring that there is systematic follow-up of the information security work at the university.

Each year, the President and the Senior Management Team shall receive an updated status report on identified threats and risks that can or do affect the university's information management and thus the information security work. The President decides how these information security risks are to be managed.

Information security responsibility follows operational responsibility in accordance with the university's decision-making and delegation scheme, and includes how information security work is implemented and maintained within each area of responsibility. All information owners are responsible for their information management and thus also the application of information security within their own activities. The Deputy Vice Presidents and the University Director are responsible for and decide how the information security work is implemented and maintained within their respective areas and within administration.

The Head of Information Security is responsible for running, coordinating and supporting the university's information security work. This includes drawing up governing documents such as rules, procedures and other instructions. The Head of Information Security is responsible for ensuring that the President and Senior Management Team receive updated status reports on identified threats and risks that can or do affect the university's information management and thus the information security work. The Head of Information Security provides relevant documentation to the President for the follow-up activities.

5.    Follow-up and reporting

The information security work shall be followed up annually by the President and the Senior Management Team.

Information security work shall also be followed up in connection with the university's four-monthly (tertiary) follow-ups.

Coordination and management of information security issues, with representation from core operations and specialist functions, takes place within the framework of the IT steering group.

The main rapporteur on information security issues is the Head of Information Security.