The University of Oslo manages large amounts of electronic information. There are many types of information resources, and much of this information is valuable, sensitive or in other ways in need of safeguarding. It must be managed properly to ensure that the information is not lost or compromised. It should also be ensured that the right people, and only those, have access to the information.
To ensure that this work is managed correctly, all involved parties have agreed upon concepts, frameworks and procedures. These have been collected and formulated in the LSIS documents (in Norwegian).
Having this information security management system is ordered by the ministry and is therefore a part of the public authorities' work regarding social security.
What is information security?
Information security is securing and managing information resources. This work is related to subject areas such as management, law, audit, organization, administration and IT security. The goal, amongst other things, is to:
- fulfill the requirements for data processing provided in laws and regulations
- protect data against loss or unauthorized access
- help ensure the privacy of students and employees, as well as, for example, participants in research projects
- ensure that data and information do not get lost or misused
- ensure good governance, including access control and deletion
- collaborate with the Ministry of Education, The Norwegian Data Protection Authority (DPA) and others
Who should know this?
This is a part of everyday life for students and employees at the University. We have a common responsibility to protect our information. Information technology is an important component in this work, and USIT is participating with both legal and IT expertise.
What is in the documents?
The documents are meant to be an encyclopedia, where the different groups of users can find descriptions of how they can contribute to safeguarding the University's information resources in the best possible way. Some of the content is meant for managers, and some is meant for people with IT expertise.
The content is split into three parts:
- The governing part deals with the basic principles for the work and is something many people need to be familiar with. This part should be read by managers.
- The executive part deals in more detail with what should be done and who should do it. This part also contains some technical IT information. It is first and foremost aimed at managers and IT employees on all levels, but all employees working in admin, technical work, research and education may find this information useful.
- The controlling part describes how we can know that we are doing the right things, and that the information is correctly secured and managed. The target group for this part is first and foremost managers and IT employees on all levels.
The documents are based on guidelines from UNINETT and follow a number of standards and best practices from, for example, the Norwegian National Security Authority (NSM) and the Agency for Public Management and eGovernment (Difi).