Information security - CIA

Information security aims to secure that risks, disturbances and threats directed towards university information resources are identified and handled to minimize negative consequences regarding confidentiality, integrity and availability (CIA).

On this page you will find

FAQ and advice

Guidelines

Web based education

Data storage

Other information

IT security

1. Guidance and answers to information security questions

FAQ - frequently asked questions regarding information security.

Every employee has a responsibility when it comes to the information security at the workplace. There are for some also responsibilities connected to their roles and occupations. The links below show checklists relevant to various categories.

• Employees/co-workers
• Head of department
• Researcher
• Purchasers/personnel taking part in the procurement of IT-systems and IT-services
• Technical personnel (system developers / operating staff)
• Project leaders, system owners, "e-områdesansvarig"

2. Guidelines and procedures

A comprehensive guide can be found here (nanolearning)

Risk and threat scenario analyses (rev. 2018-02-13).
Risk analyses gives the opportunity for a structured analysis of factors that might cause disturbances, as well as help selecting alternative methods to reduce risks. 

• Instructions to evaluate information classes (PDF) Bilaga 2 (Rev. 2018-02-08). Information classification is the bases of all information security. To know how to protect the information one must know what information is being processed. See also our short nanolearning on information classification and analysis or the presentation from our workshop (2018-03-08)
• Current state analysis/Kravanalys (Excel). Bilaga 3 (Rev. 2018-02-20)
• Konsekvensanalys (word). Bilaga 1 (Rev. 2018-01-24)
• Riskanalys (Excel) Bilaga 4 (Rev. 2018-02-12)
• How to handle identified security gaps (word) - previously "Action plan" . Bilaga 5 (Rev. 2018-06-15)
• Template for information classification (word). Bilaga 6 (Rev. 2018-02-13)
• Flow chart for the steps in information classification and reporting (PDF). Bilaga 7 (Rev. 2018-02-12) 
• Standard classification of basic information (Word) - Bilaga 6a (Rev. 2018-04-24)

Rutiner för säker informationshantering (Rev. 2018-09-17) - safe information handling, also in cloud services (Swedish only)

Rutiner för anskaffning och drift av IT-system (Rev. 2019-01-09), inklusive outsourcing / drift i leverantörs regi

Further guidelines and procedures for IT- and information security can be found at the university rules and regulations web site (mål- och regelsamlingen)

3. Web based courses (nanolearning), information regarding security related courses

• Information security for travelers (online nanolearning)
• In need of a loaner device (if travelling outside the EU)? Contact security@uu.se
• Check list, travel security (PDF)
• All security related courses, including web based ones

Encryption and signing - To send e-mail more securely you can sign your message and encrypt your data. Encryption can be used to communicate sensitive information. You can encrypt your e-mail (see help section about encryption of e-mail), or only encrypt the attachment where the information is available (see help section on encrypted attachments).

4. Data storage

We cannot give an all encompassing recommendation as the demands can differ quite a lot from case to case. Secure storage of research data is a priority at the University, and work is ongoing to develop solutions. In many cases there is a need to share infoformation with a third party. How such a sharing should take place differs from case to case and needs to be discussed. Presently, the following alternatives may be used:

• A central storage solution named Allvis is in a preliminary phase. See https://mp.uu.se/web/info/forska/datalagring for information, and contact servicedesk@uu.se to declare your interest in this solution.
• Rudbeck IT offers well developed services also available to non-Rudbeck laboratory staff. See https://my.rudbeck.uu.se/guides/Storage, Hints and Guides for more information.
• SUNET Box has been classified with CIA 222, and can be used for information classified 222 or lower (221, 122 and other combinations). See information classification above.
• Your campuses or Department may have their own solutions on offer. Contact them directly for more information.

Contact the Security and safety division for advice, support etc.

5. Other information

GDPR and information security

• Intro to GDPR, aimed at departments (PDF rev. 2018-05-29)
• Presentation from workshop (PDF rev. 2018-04-20)
• The university page on GDPR 

IT security: Information regarding technical security, system configurations, how to protect your computer, malware, how to report IT security incidents etc.

Information - written, spoken, in electronic form, all kinds of research data, examinations etc - is an asset that, like physical properties and personnell is vital to to maintain the university activities.

Content owner: Veronika Berglund 27 november 2019