Åsa Borin, University Director. Photo: Rickard Kilström


We need to sharpen our information security work at Stockholm University on multiple levels. This is especially relevant given the current security policy situation. Information and information technology are very important strategic resources for the university’s activities. On several occasions, internal audits have identified shortcomings in our information security work. Most recently, these shortcomings were identified in audits carried out by the internal management and control at some departments and one office within the administration, where a recurring observation was that the internal management and control needs to be strengthened in terms of systematic information security work and compliance with the General Data Protection Regulation (GDPR), and that we must ensure that the competence of employees is developed in these areas.

Regulations from the Swedish Civil Contingencies Agency (MSB) set requirements for developing and maintaining the competence of staff regarding information security through training, information initiatives and exercises. The General Data Protection Regulation also requires that all employees be trained in data protection. To ensure that all employees have basic knowledge of what information security is and what they need to consider in their daily work, the university offers online training in information security. There is also online training in data protection to raise the general awareness of employees concerning the requirements for handling personal data.

On 12 May, the President decided that these courses will be compulsory for all employees. At present, the courses are unfortunately only available in Swedish, but work is underway to ensure that they will also be available in English. According to the President’s decision, all employees must have completed the training no later than 1 November 2022. This deadline will be extended if necessary to account for the English version of the training.

In addition to the requirements to develop employee competence in information security and data protection, work is underway to establish systematic information security work through the ESIR project, which I discussed in my latest editorial. The ESIR project has been implemented at a number of pilot departments and will be implemented at all departments and within the administration at the university. However, based on changing conditions in the world, we have had to concentrate our resources on work with IT security this spring, and the broader introduction of ESIR will resume in the autumn.

We all need to take joint responsibility for strengthening information security at the university.

Read more on courses in information security (in Swedish).

 

The text is written by Åsa Borin, University Director. It appears in the section “Words from the University’s senior management team”, where different members of the management team take turns to write about topical issues. The section appears in every edition of News for staff, which is distributed to the entirety of the University staff.