Information Security Management System

Here you will find Inland Norway University of Applied Sciences’ information security management system (LSIS), adopted by the University Board on 22 November 2018. 

Introduction

The core activity of Inland Norway University of Applied Sciences is (a) to collect and process information/data using scientific methods and (b) to produce and disseminate knowledge of high international quality.

This means that Inland Norway University of Applied Sciences largely makes a living from managing, refining and disseminating non-material values. 

Therefore, it is also crucial that all information that Inland Norway University of Applied Sciences manages in administration, research, teaching and public dissemination work is satisfactorily secured against breaches of: 

  • Confidentiality: prevent unauthorised persons from accessing confidential or sensitive information 
  • Integrity: prevent unwanted alteration, deletion or manipulation of information and 
  • Accessibility: ensure users gain access to information when they need it. 

Risk management 

Information security is about risk management. 

Risk management means that incidents that may lead to unauthorised access, alteration, loss or damage to information must be identified and assessed. Measures must then be taken to avoid adverse incidents that are considered to have the greatest risk. 

The purpose of risk-driven information security work is therefore to anticipate and prevent adverse incidents and nonconformities before they occur. 

Risk-driven information security work must be established at the senior management level. The work must be carried out by a security-oriented organisation with its own goals, strategies, work methods/tools and resources. 

Information security management system requirements 

The Personal Data Act with regulations, the Public Administration Act with regulations (e-administrative regulations) and the Health Research Act with regulations stipulate requirements for the introduction of information security management systems. These requirements also apply to Inland Norway University of Applied Sciences. 

In addition, other legislation, including the Freedom of Information Act and the Archives Act, contains important provisions regarding information security work at Inland Norway University of Applied Sciences.

In the Ministry of Education and Research’s letter of allocation to Inland Norway University of Applied Sciences, requirements are stipulated regarding the introduction of an Information Security Management System (LSIS) built on the basic principles of recognised safety standards.  

In order to assist us in this work, the Ministry of Education and Research has given UNINETT a mandate to establish the HE Sector Secretary for Information Security. 

Inland Norway University of Applied Sciences will report to the Ministry of Education and Research how we use this internal service. The information security management system at Inland Norway University of Applied Sciences meets the requirements set by the legislation and the Ministry of Education and Research regarding information security work at higher education institutions. 

Delimitation of the management system 

Below is an exhaustive overview of which parts of the organisation at Inland Norway University of Applied Sciences are included in the information security management system: 

Geographical locations 

  • Campus Elverum 
  • Campus Lillehammer 
  • Campus Hamar 
  • Campus Rena 
  • Campus Blæstad 
  • Campus Evenstad 
  • Decentralised campus Oslo 
  • Decentralised campus Kongsvinger 

Organisational units 

Management 

  • Rector 
  • Vice-Rector 
  • Pro-Rector Education 
  • Pro-Rector Research 
  • Pro-Rector Innovation and Public Relations 
  • Director of Finance 
  • Director of Human Resources 
  • Director of Digitalisation and Infrastructure 
  • Dean – ALB
  • Dean – AMEK
  • Dean – DNF
  • Dean – HHS
  • Dean – HSV
  • Dean – LUP

Administrative Units 

  • Rector’s staff 
  • Communications and Marketing Department 
  • Centre for Lifelong Learning 
  • Department of Education 
  • University Library 
  • Section for Staff Salary 
  • Section for Accounts 
  • Section for Procurement 
  • Section for Financial Management 
  • IT Department 
  • Property Department 
  • Section for Archives/Records Office 
  • Research Administration 

Academic departments 

  • Faculty of Applied Ecology, Agricultural Sciences and Biotechnology 
  • Faculty of Audiovisual Media and Creative Technologies 
  • The Norwegian Film School 
  • Inland School of Business and Social Sciences 
  • Faculty of Social and Health Sciences 
  • Faculty of Education 

Information values 

Main types of digital data 

  • Personal documents 
  • Financial data such as accounts, project management and procurement. 
  • Legal documents such as contracts, agreements, protocols, minutes, admission letters, diplomas, appeals, etc. 
  • Research data, including things that are covered by the Health Research Act 
  • Strategic and commercial data such as plans, customer information and statistics. 
  • E-mail and voicemail 
  • Different types of databases. The main ones are: 
    • student registry 
    • staff registry 
    • accounts 
    • projects 
    • library data 
    • publishing data 
  • Research databases 
  • Personal and shared hard drives 
  • Backups and digital archives 
  • Encryption keys 

Permanent (archived) information values 

  • Personal documents 
  • Financial documents 
  • Legal documents 
  • Research data 
  • Strategic and commercial data 
  • E-mail archive 
  • Microfilm and other backup media 
  • Keys to safe/offices, other media and storage rooms 
  • Journals, magazines and books 

Actors 

All employees in research, teaching and administrative positions (permanent and temporary), all students enrolled at the institution, all guests at the institution (for example, guest researchers), all hired staff (for example, persons carrying out cleaning, maintenance, operational tasks etc.) and all external processors of information values (for example, data processors: USIT, UNINETT or commercial enterprises). 

Technical resources 

All technical systems and computer networks used to process the institution’s information values, such as IT systems, internal and external computer networks, databases/registries, manual personal registries, etc. 

Security objectives 

The following information security work objectives apply at Inland Norway University of Applied Sciences: 

  1. Information security work will contribute to the high quality management of all information used in administration, research, teaching and dissemination activities at Inland Norway University of Applied Sciences. 
  2. Information security work will contribute to ensuring that Inland Norway University of Applied Sciences fulfils its duties as a public administrative body and respects the rights of employees, students and participants in research projects. 
  3. Information security work will be in accordance at all times with the requirements stipulated in laws and regulations that apply to Inland Norway University of Applied Sciences, and will meet the information security requirements set by the Ministry of Education and Research. 
  4. Information security work will safeguard fundamental data protection considerations, including privacy, personal integrity and the quality of information, in all electronic processing of personal data. 
  5. Information security work will contribute to ensuring that everyone has confidence in the quality of the information communicated and disseminated by Inland Norway University of Applied Sciences, regardless of which channels are used. 
  6. Information security work will contribute to ensuring that Inland Norway University of Applied Sciences maintains its reputation as a professional and competent administrative body. 

Acceptable risk criteria 

Information security work will ensure that the information values at Inland Norway University of Applied Sciences are satisfactorily secured at all times against breaches of confidentiality, integrity and accessibility. In order to achieve satisfactory information security, the work will be based on the following acceptable risk criteria: 

Open information 

Priority will be given to the integrity and accessibility of publicly available information, regardless of whether it concerns research, teaching or administrative information. The integrity of the information should be prioritised ahead of accessibility considerations. 

Internal information 

High priority will be given to the confidentiality and integrity of information used in internal administration and case management or in ongoing or planned research/student research. 

This includes information that is exempt from public disclosure, unpublished article or book manuscripts, non-confidential research data that has not been approved for publication/public disclosure by the project manager, drafts of strategies/plans or unpublished research project proposals. 

Only minor breaches of the confidentiality and integrity of this information are accepted. Short interruptions in the accessibility of information are accepted. 

Sensitive information 

Particularly high priority will be given to the confidentiality and integrity of information that is particularly worthy of protection or that is subject to special legal regulation, such as confidential research data, information about individuals (personal data) or examination proposals/texts. 

  • Breaches of confidentiality or integrity regarding personal data are not accepted. This especially applies to sensitive personal data. Short interruptions in the accessibility of personal data are accepted. 
  • Breaches of confidentiality and integrity regarding confidential research data that has not been approved for publication/public disclosure by the project manager are not accepted. Short interruptions in the accessibility of the research data are accepted. 
  • Breaches of confidentiality and integrity regarding examination papers (texts/proposals) and examination answers are not accepted. The same applies to unfinished or submitted student theses (bachelor/master) and doctoral theses (PhD) that have not been approved for publication/public disclosure. Short interruptions in accessibility are accepted if this does not complicate the implementation of examinations or the submission and grading of examination papers, student theses (bachelor/master) and doctoral theses (PhD).

Security strategy 

In order to realise the security objectives and ensure satisfactory information security, the information security work at Inland Norway University of Applied Sciences will be based on the following main priorities: 

All information security work must be based on risk assessments. No security measures, regardless of whether they are technical, organisational, physical or staff-related, are to be implemented without risk assessments showing that the measures are required. Risk assessments of IT systems and services, computer networks and infrastructure, work processes and physical conditions must be carried out every two years. The choice of security measures must be based on the overview of measures in ISO/IEC 27001:2013 Annex A, cf. ISO/IEC 27002:2013.

The management team at Inland Norway University of Applied Sciences will allocate the necessary resources for the training and skills development of managers and employees who are delegated responsibility for information security at Inland Norway University of Applied Sciences, or who are required to perform specific work tasks. The training and skills development will focus especially on the work methods involved in risk-driven information security work and the practical use of specific work tools. 

Managers at Inland Norway University of Applied Sciences who are delegated responsibility for information security must ensure that resources are allocated for the planning, implementation and follow-up of required work tasks within their areas of responsibility. This includes implementing security measures that are necessary to achieve satisfactory information security. 

All users of the information values of Inland Norway University of Applied Sciences must be provided with information about routines regarding the secure processing of information values and threats to information values. They must also be informed about the nonconformity reporting system at Inland Norway University of Applied Sciences. In addition, they must be informed about the purpose and importance of reporting nonconformities/security breaches. 

Remote operation of Inland Norway University of Applied Sciences’ information values, such as the use of online services or other types of data processors, can only take place if the risk of security breaches meets acceptable risk criteria, and if the necessary agreements have been entered into and are complied with. Outsourcing of the operation and management of information with special security requirements, such as sensitive personal data or confidential research data, may only take place after particularly thorough assessments have been conducted. See the Ministry of Education and Research’s recommendation for common solutions in the sector. 

Information security work at Inland Norway University of Applied Sciences must be at all times based on recommended and recognised public sector information security management system standards, cf. DIFI’s reference catalogue version 3.1, item 2.16 (available at http://standard.difi.no/forvaltningsstandarder/referansekatalogen-html-versjon). 

UNINETT and the HE Sector Secretary for Information Security must be contacted for advice and assistance when necessary. 

Security organisation 

The following roles are included in the security organisation of Inland Norway University of Applied Sciences:  

  • The University Board 
  • Rector 
  • Director of Digitalisation 
  • CSO 
  • Information Security Forum 
  • Incident Response Team (IRT) 
  • Faculty, department, unit and project managers 
    • Department managers/directors in central administration 
    • Faculty management, central administration managers and other academic department managers 
    • Managers at other organisational units (e.g. research centres) 
    • Research directors and research project managers 
  • Director of Information Technology 
  • Property Director 
  • Users (employees, students, guests) 

Below is an overview of the responsibilities and work tasks that the various roles in the security organisation are required to perform. 

The University Board 

Authority: 

  • Processes and adopts the Information Security Management System at Inland Norway University of Applied Sciences and significant changes in the Management System. This applies especially to changes in security objectives and acceptable risk criteria. 
  • Can set requirements regarding further work on information security at Inland Norway University of Applied Sciences. 

Reporting: 

  • Must be informed annually about the information security work by the Director of Digitalisation. 
  • Must be informed about particularly serious security breaches by the Director of Digitalisation. 

The Director of Digitalisation 

Authority and delegation: 

  • The Director of Digitalisation has the overall day-to-day responsibility for information security at Inland Norway University of Applied Sciences. 
  • The Director of Digitalisation appoints members to the Information Security Forum at Inland Norway University of Applied Sciences. 
  • The Director of Digitalisation may delegate responsibility to the CSO regarding the performance of daily tasks, including the appointment of members to the Information Security Forum.  
  • The Director of Digitalisation must sign agreements with external suppliers of digital systems. 
  • The Director of Digitalisation must sign agreements with external actors (data processors) who process personal data on behalf of Inland Norway University of Applied Sciences. 
  • Approves the mandate for Inland Norway University of Applied Sciences’ incident response team (IRT). 

Operations and resources: 

  • Must ensure that the information security management system is introduced, put into operation and maintained. 
  • Must ensure that sufficient resources are allocated for information security work, including training and skills development. 

Control and reporting: 

  • Must have an overview of the information values processed by the institution, in particular the processing of personal data. 
  • Must keep themselves informed about the information security work that takes place. 
  • Must annually review the status of the information security work at Inland Norway University of Applied Sciences (management review). 
  • Must annually report the status of information security work to the University Board and inform the Board about particularly serious security breaches. 
  • Must, if necessary, propose Management System changes (security objectives, security strategy, acceptable risk and organisation) to the University Board. 
  • Must approve notifications to the Norwegian Data Protection Authority of security breaches in the processing of personal data.
  • Must approve notifications to the data subjects of security breaches in the processing of personal data.
  • Consult with Inland Norway University of Applied Sciences’ data protection adviser regarding issues related to information security in data protection contexts. 

CSO 

Authority and responsibilities:  

  • Must, on a daily basis, exercise the university management’s responsibility for information security at Inland Norway University of Applied Sciences. 
  • Must plan and lead the work that takes place in the information security forum at Inland Norway University of Applied Sciences. 

State and overview: 

  • Must have an overview of information values that are processed and IT solutions used at Inland Norway University of Applied Sciences. 
  • Must keep themselves informed about the state of information security at Inland Norway University of Applied Sciences, including receiving nonconformity reports from faculties, departments, other units, research projects and individual users (employees, students, guests, etc.). 
  • Update a general overview of security measures at Inland Norway University of Applied Sciences in accordance with reporting from managers who are responsible for carrying out risk assessments and establishing security measures. 

Audits and reports: 

  • Must ensure that audits are carried out of the information security work at faculties, departments, other units and research projects. 
  • Must prepare a report on the information security work for the university management’s annual review. 
  • Must report serious breaches of information security and other significant nonconformities to the Director of Digitalisation. 
  • Must notify the Norwegian Data Protection Authority and the data subjects in the event of security breaches that affect personal data (after approval from the Director of Digitalisation). 

Training, information and assistance: 

  • Must ensure that practical information security work training is given to managers, administrative and academic staff, project managers and if necessary, project participants in research projects. 
  • Must assist faculties, departments and research projects in the planning, implementation and follow-up of specific security tasks, in particular risk assessments, implementation of security measures and the entering into of agreements that are important for information security (SLA and similar). 
  • Must ensure that users are informed about threats to information security. 
  • Consult with Inland Norway University of Applied Sciences’ data protection adviser regarding issues related to information security in data protection contexts. 

Information Security Forum 

Authority and responsibilities: 

  • Must advise the university management on measures/initiatives that promote information security, including resource needs. 
  • Must coordinate the planning and implementation of information security measures/initiatives that involve the entire institution. 

Management and composition: 

  • The work is planned and led by the CSO. 
  • In addition, the forum consists of academic and administrative managers/employees.  
  • The forum meets at least once every semester or when necessary. 

Other tasks: 

  • Must keep informed about the state of information security, including new threats to Inland Norway University of Applied Sciences’ information values. 
  • Must review reported nonconformities and security incidents. 
  • Must review results from security audits. 
  • Must process any proposed changes to security objectives, security strategy, acceptable risk criteria and security organisation prior to the management’s review. 
  • Must propose specific information security work objectives for the next period (budget year) prior to the management’s review. 

Incident Response Team (IRT) 

Authority and delegation: 

  • Authority to independently implement necessary measures to protect networks and IT resources in connection with IT security incidents.  
  • Monitors network activity to prevent, detect, and manage technical security breaches. 

Primary tasks: 

  • Detect network irregularities using their own alarm systems or reliable notification from external actors. 
  • Assess the severity of alarms and notifications. 
  • Ensure the fastest possible handling of serious incidents and efficient handling of less serious ones. 
  • Assist in gaining an updated overview of threats. 
  • Follow best practice in protecting the institution’s own networks and IT resources, and to some extent detect breaches of good practice.
  • Maintain good and open contact with other security teams in Norway and abroad, including relevant authorities. 
  • Inform the IT Director and the CSO about technical security breaches in the processing of personal data that must be reported to the Norwegian Data Protection Authority and the data subjects. 

Faculty management, central administration managers and other unit managers (research centres, libraries, etc.) 

Authority and delegation: 

  • Must, after delegation from the Director of Digitalisation, exercise the day-to-day responsibility for information security within their areas of responsibility, including IT systems/services which they own. 
  • Must ensure that adopted security objectives, acceptable risk criteria and security strategies are followed up within their areas of responsibility. 
  • Can delegate the exercise of day-to-day responsibility for information security to one or more employees at the faculty, department or unit. 

Mapping, risk assessments and measures: 

  • Must have an overview of the information values and IT solutions that the unit is responsible for, including the research data that is processed. 
  • Must ensure that regular (every two years) risk assessments are carried out of: 
    • IT systems/services owned by the units. 
    • Use of external IT systems/services (remote operation). 
    • Use of IT equipment. 
    • Work processes (research, teaching, dissemination and administration). 
    • Physical conditions that are of importance regarding information security. 
    • Procurement of IT solutions. 
    • In the event of significant changes in work processes, IT solutions or physical conditions. 
  • Must ensure that security measures are implemented if risk assessments show that information security is not satisfactory, including ordering technical and physical security measures from the IT or Property Department. 
  • Report the risk management plan (action plan) to the CSO. 

Informing and training: 

  • Must ensure that administrative and academic staff who are responsible for specific security tasks and project managers/participants have the expertise to carry out their information security tasks. 
  • Must ensure that all users in their unit are familiar with the routines that apply at all times to the processing of information values in administration, teaching, research and dissemination. 

Nonconformity notification and nonconformity management: 

  • Must ensure that all users in their unit are familiar with the procedures that apply at all times to the notification of routine nonconformities and security breaches. 
  • Must ensure that all nonconformities and security breaches in their unit are resolved, including requesting assistance from the IT or Property Department when handling technical or physical security breaches if necessary. 
  • Must inform the CSO about security breaches in the processing of personal data that must be reported to the Norwegian Data Protection Authority and the data subjects. 

Procurements, agreements and audits: 

  • Must ensure that the CSO receives the necessary assistance when carrying out security audits. 
  • Must ensure that Privacy by Design requirements are met when purchasing IT solutions.  
  • Must ensure that data processing agreements or other agreements are entered into with external actors to safeguard information security (e.g. SLA), and ensure that the terms of the agreements are respected. 

Head of research and project manager in research projects 

Head of research 

Authority and delegation: 

  • The Pro-Rector for Research is responsible for research, holds the primary responsibility for information security in research projects, and is legally responsible for the processing of personal data in research projects.
  • The Pro-Rector for Research delegates the exercise of their responsibility for information security in research projects to the academic management at faculties or equivalent units (dean or pro-dean for research). 
  • The Pro-Rector for Research must annually review the status of information security work in research projects at Inland Norway University of Applied Sciences (management’s review).  

Overview and compliance: 

  • Must at least have an overview of the research projects that process personal data and which are carried out at Inland Norway University of Applied Sciences. 
  • Must ensure that adopted security objectives, acceptable risk criteria and security strategies are complied with in research projects. 

Project managers in research projects 

Authority and responsibilities:  

  • Must ensure that adopted security objectives, acceptable risk criteria and security strategies are complied with.  
  • Must report research projects to the Head of Research at Inland Norway University of Applied Sciences. 
  • Must, if necessary, report research projects to the local data protection officer or to the Norwegian Centre for Research Data. 

Mapping, risk assessments and measures: 

  • Must have an overview of the information values and IT solutions that are processed or used in research projects. 
  • Must ensure that risk assessments are carried out at the start of research projects and regularly in long-term projects. The risk assessments should include the project’s use of: 
    • IT systems/services – internal and external – used in the projects. 
    • IT equipment. 
    • Physical conditions that are of importance regarding information security in the research project. 
    • Procurement of IT solutions in research projects. 
    • In the event of significant changes in the research project and changes in IT solutions or physical conditions. 
  • Must ensure that security measures are implemented if risk assessments show that information security is not satisfactory, including ordering technical and physical security measures from the IT or Property Department. 
  • Report the risk management plan (action plan) to the CSO. 

Informing and training: 

  • Must ensure that project participants (not respondents) have the expertise to carry out their security tasks, for example by asking the CSO for assistance in training/skills development. 
  • Must ensure that all project participants are familiar with the routines that apply at all times to the processing of information values in research. 

Nonconformity notification and nonconformity management: 

  • Must ensure that all project participants are familiar with the procedures that apply at all times to the notification of routine nonconformities and security breaches. 
  • Must ensure that all nonconformities and security breaches are resolved, including requesting assistance from the IT or Property Department when handling technical or physical security breaches if necessary. 
  • Must inform the CSO about security breaches in the processing of personal data that must be reported to the Norwegian Data Protection Authority or the data subjects. 

Procurements, agreements and audits: 

  • Must ensure that the CSO receives the necessary assistance when carrying out security audits of research projects. 
  • Must ensure that Privacy by Design requirements are met when purchasing IT solutions. 
  • Must ensure that data processing agreements or other agreements are entered into with external actors to safeguard information security (e.g. SLA), and ensure that the terms of the agreements are respected. 

Specifically for project managers in medical or health-related research projects 

  • Must follow the special approval and case management rules that apply during the start-up, implementation and conclusion of medical and health-related research projects. 
  • Must follow the recommendations in the Code of Conduct for information security and data protection in the healthcare and care services, especially with regard to securing research data/research files, scrambling keys and key files. 
  • Must carry out a risk assessment and consult with INN University’s data protection officer, NSD and the Data Protection Officer for research and/or REK if an assessment of data protection consequences is to be carried out pursuant to Article 34 of the General Data Protection Regulation.

Director of Information Technology 

Authority and delegation:  

  • The Director of Information Technology has the same responsibility for information security within their department/area of responsibility as other managers in central administration, see instructions above for faculty management, managers in central administration and other unit managers. 
  • The Director of Information Technology must ensure that adopted security objectives, acceptable risk criteria and security strategies are complied with when investing in and operating IT solutions. 

Registration and documentation: 

  • Must register and document authorised use of, and attempts at unauthorised use of, Inland Norway University of Applied Sciences’ IT solutions containing personal data.
  • Must register and document all security incidents/breaches pertaining to Inland Norway University of Applied Sciences’ IT solutions. 

External assistance and agreements:  

  • Must assist units or research projects in risk assessments of technical security (internal and external IT solutions) when asked to provide such assistance. 
  • Must assist units or research projects in the design and implementation of IT technical security measures. 
  • Must assist units and research projects in the management of technical security breaches. 
  • Must be informed of security breaches detected by the incident response team (IRT) and which must be reported to either the Norwegian Data Protection Authority or the data subjects. 
  • Must ensure that data processing agreements or other agreements that are of importance regarding information security are entered into with external actors (e.g. SLA), and ensure that the terms of the agreements are respected. 

Property Director 

Authority and delegation: 

  • The Property Director has the same responsibility for information security within their department/area of responsibility as other managers in central administration, see instructions above for faculty management, managers in central administration and other unit managers. 
  • Must ensure that adopted security measures and acceptable risk criteria are complied with in relation to new buildings or changes to buildings that are of importance regarding information security. 

Physical security: 

  • Must ensure that the securing of access to buildings, rooms and areas is in accordance with acceptable risk criteria. 

Assistance and agreements: 

  • Must assist units and research projects in risk assessments of physical security and when implementing necessary physical security measures. 
  • Must assist units and research projects in the management of technical security breaches. 
  • Must inform the CSO about physical security breaches that affect personal data and which must be reported to the Norwegian Data Protection Authority or the data subjects. 
  • Must ensure that data processing agreements or other agreements that are of importance regarding information security are entered into with external actors (e.g. SLA with security companies), and ensure that the terms of the agreements are respected. 

Role of system owner 

Purpose 

This part of the document defines the responsibility of the system owner at the university, and defines the relationship with the IT Department. 

Who is the system owner? 

The Rector is the senior system owner of all IT systems at the institution. 

Since responsibility for the institution’s processes and administrative areas is delegated to departments, faculties and units via a delegation structure, it is natural that system ownership follows the same structure. 

In practice, it will therefore be department directors, deans and unit managers who exercise system ownership of individual systems. In this document, the term ‘system owner’ will be used for this group. 

System ownership is placed at the lowest common user level in line management. 

The system owner is normally the senior manager of the department/unit that uses the system, and has the overall legal and financial responsibility for an ICT system. 

Responsibility for the university’s common systems is placed in the responsible staff/support functions. For example, the Chief Financial Officer is the system owner of the institution’s financial system. 

Figure showing the distribution of responsibility, with the Rector at the top, followed by the system owner, the system administrator and the superuser. 

The system owner can appoint named operational representatives (called system administrators) who attend to the subject field on a daily basis and who often have detailed insight into the system the ownership encompasses. In addition to the system administrator, it may be relevant to have superusers for certain IT systems. 

Superusers are particularly skilled users of an IT system who help system administrators provide training and user support. 

System owner responsibilities 

The system owner is primarily responsible for an IT system’s content and use in the organisation, including: 

  • Responsibility for ensuring that the needs of the relevant administrative area are met through the application of the system. It is required that the system owner has system administrators who know the system well and can carry out the work of getting the system to solve the tasks related to individual subject areas. 
  • Assess the professional need for, assess the benefits of, realise gains from, and establish guidelines for the use of systems within one’s own area of responsibility. 
  • Determine system functionality requirements and assess the need for functional changes. This includes necessary data exchange with other systems. 
  • Responsibility for ensuring necessary data quality in the system. 
  • Responsibility for system errors that are not due to errors in technical infrastructure, as well as reporting and follow-up in relation to the supplier. 
  • Follow-up of procurement/development agreements, maintenance and user support. The system owner is the supplier’s main contact and is responsible for maintaining dialogue with the supplier regarding relevant cases. 
  • Responsibility for training in use and routines, as well as the organisation of this.  
  • Responsibility for information security, focusing on the organisational aspects of security work. Implement routines in relation to the internal control system for information security, including risk assessments, nonconformity management, security and operational routines. The system owner carries out the role of ‘data controller’ as defined in the Personal Data Act. 
  • Non-technical user support. 
  • Responsibility for compliance with legislation, regulations, guidelines and other provisions related to the use of the system in the relevant administrative area. 
  • Responsibility for deciding which users should have access and what access they should have. 
  • Financial responsibility for procurement, maintenance, user support, consulting and project costs. This can also include infrastructure costs related to local or specialised needs that the IT Department does not normally handle. 
  • Responsibility for clarifying archive-related matters for the system with the university’s Head of Archives. 
  • Responsibility for business continuity by ensuring that relevant services continue to run, usually through manual routines, in the event of any IT solution errors.  
  • Assist in cases of doubt by clarifying whether there are errors in the infrastructure or in the system. 
  • Collaborate with other system owners. Participate in INN University’s system owner forum. 
  • Comply with general IT management structures determined by the Director of Digitalisation/Rector. Examples of such framework conditions may include architecture, data definitions, integrations, information security policy etc. 

What does the IT Department do? 

The IT Department is responsible for the technical operation of the IT system in cases where operations are not outsourced to third parties/external suppliers. Technical operational responsibility includes: 

  • Responsibility for the operation of technical IT infrastructure. This also entails responsibility for errors and the correction of errors in the infrastructure. 
  • Responsibility for upgrades by agreement with the system owner in cases where the IT Department has expertise in this. 
  • Responsibility for the highest possible degree of continuous uptime. 
  • Responsibility for ensuring that competent staff are available during error situations and in system work. 
  • Responsibility for data backup. The system owner may stipulate requirements regarding data backup in each individual case. 
  • Responsibility for technical IT user support. 
  • Assist in cases of doubt by clarifying whether there are errors in the infrastructure or in the system. 
  • When natural to do so, provide technical IT support with technical assessments and advice throughout the entire process, from planning and specification of requirements to the decommissioning and phasing out of a system. This includes cost calculations of technical infrastructure regardless of who provides the funding. 
  • Supports the system owner in contact with the supplier and can, where appropriate, also follow up on cases and parts of the dialogue in agreement with the system owner. 
  • Technical implementation of solutions, such as installations, upgrades and customisations. 
  • Responsibility for technical information security. Carries out the role of ‘data processor’ as defined in the Personal Data Act. Contributes to the implementation of risk assessments. 
  • Responsibility for reviewing system management responsibilities and tasks together with new system owners and system administrators. 

Users (employees, students, guests, etc.) 

Responsibility: 

  • All users must comply with the routines and guidelines that apply at all times to the secure processing of information assets and personal data. 

Tasks: 

  • All users must report nonconformities in relation to adopted routines/guidelines and breaches of information security. 
  • Employees must assist in the planning, implementation or follow-up of specific security tasks if requested.