The goal of KI’s information security work is to ensure that information is not disclosed to unauthorized people, that it is always reliable, accurate and complete, and that it is available when needed.
Information is one of KI’s most important assets, so it is of great importance that everyone at KI works actively, efficiently and continuously with information security. Information security is about protecting the confidentiality, integrity and availability of information, regardless of the format the information is in.
- Confidentiality – that the information is only available to authorized persons. For example, to protect exams, research results and research data from unauthorized persons before publication.
- Integrity – that information is reliable, accurate and complete. For example, to protect research data and grades from being manipulated.
- Availability – that information is available to authorized persons when needed. For example, to ensure that our IT systems are available for us to perform our work.
Information security for you as an employee at KI
Technical solutions alone are not enough to protect KI’s information; our employees’ actions and behavior are just as important for achieving a good level of security. Our level of protection can never be better than the weakest link, so it is important that all types of security controls, both technical and administrative, work together towards our common goal: to secure our information.
Information security is mainly based on common sense and good judgement, where every individual’s actions are crucial. To increase information security awareness and knowledge, KI’s information security department has put together 10 things that you should bear in mind in your daily work, as well as an e-learning course.
10 things to keep in mind:
- Protect your credentials (username and password) and never share them with anyone. You are responsible, and could be held accountable, for the actions that are made with your account.
- Keep your equipment and software updated. New updates often include security updates that will fix known vulnerabilities. This applies to computers as well as smartphones and tablets.
- Never use your passwords for work-related systems and services for private purposes. This reduces the risk of compromising passwords to KI’s systems if a service with inadequate security suffers a data breach.
- Lock or log out from your workstation when you leave it. Physical access to an unlocked computer is the easiest way to get a hold of KI’s information.
- Avoid sending sensitive information by email. If you do, it has to be encrypted. Contact KI’s IT department for help with encryption.
- Do not download files or open attachments in emails or from the internet if you are not sure what they contain or who the sender is. Malicious code is often spread through attachments.
- Keep in mind the environment you are in when you are handling and speaking about sensitive information.
- Make sure that your information is backed up, regardless of whether it is stored on a stationary computer or on portable media. Contact your local IT support for help.
- It is not allowed to store KI’s information in private cloud services or on private storage media.
- As an affiliate of KI, you are responsible for ensuring that personal data is processed in accordance with GDPR.
If you are uncertain on how to securely handle information or have any questions, do not hesitate to contact KI’s information security department at email@example.com.
We all have a responsibility!
To maintain an adequate level of protection for our information and IT systems, we must work together and continuously. You need to comply with our security rules whether you are an employee, student, affiliate or consultant at KI. Violations of these rules may result in loss of access rights to KI’s IT systems. This can be done by a decision of the Head of Department in consultation with the Chief Security Officer (CSO). More serious cases of abuse or other similar breaches are reported to the CSO for further processing. Suspicions of criminal activity will be reported to the police.
Information security education to continue this fall
During the spring of 2019 KI started a new information security awareness program that replaced the previous e-learning. The new program will consist of multiple short lessons that are sent to your e-mail periodically. The lessons only take 2 - 5 minutes to complete and cover a number of different topics.
The online course gives all personnel/co-workers an understanding of the basics of information security. It also provides knowledge that is highly useful outside of work. The course is intended for all personnel/co-workers at KI and is also to be used as an introduction for new employees and consultants.
Information security management system
KI is currently introducing a set of rules and systematic procedures for matters relating to information security (LIS). Working systematically with information security, and handling our information in a secure manner, is a vital prerequisite for achieving our mission – to improve human health through research and education.
The rules establish a basic level of information security that KI is to attain through gradual introduction of certain measures.
The management system is currently going through an update; the current version can be found in the document section of this page.
Guidelines for information security at KI
These guidelines describe the rules and requirements that you, as an affiliate at KI, are responsible for complying with. In order to contribute to KI’s information security, you need to be aware of them and to comply with them. More detailed information and guidelines can be found in KI’s information security management system.
Handling of sensitive information
When handling sensitive information, you must keep in mind that:
- You may only access sensitive information that you need in order to be able to perform your work
- Sensitive information on paper must be locked away when not in use. As with unlocked computers, the easiest way for an unauthorized person to get information from KI is through physical access
- Sensitive information that is sent by email must be encrypted
- Sensitive information must never be discussed in a public place or where there is a risk that unauthorized persons may gain access to the information. This also applies to phone calls.
- Sensitive information may only be stored and handled in IT systems that have been approved for the purpose of handling sensitive information.
Processing of personal data
Personal data shall be processed in accordance with the data protection rules applicable at the time, for example GDPR and the Ethical Review Act for research. When processing personal data, keep in mind that:
- The processing must have a purpose and be based on one of the bases for lawful processing in GDPR.
- Every processing activity regarding personal data must be reported to KI’s central record over processing activities. To report, and for instruction on how to report, go to KI’s GDPR page.
- Personal data may only be processed in IT systems that have been approved for the purpose of handling personal data.
- Sensitive data, or data that can impact the personal integrity of a person, shall be processed in accordance with the specific rules on how to handle sensitive personal data.
All processing activities must also comply with the principles of processing personal data and KI’s guidelines on how to process personal data. For more information, see KI’s GDPR page.
Hardware and portable media
When handling hardware and portable media, you must keep in mind that:
- KI’s hardware is to be used for work-related purposes
- Only hardware that is configured in accordance with KI-defined security standards may be connected to the network. This includes updated antivirus, a firewall and protection against unauthorized access. Sensitive information and sensitive personal data shall not be stored or processed on private devices.
- Information saved on the local hard drive on your computer or portable media must always be backed up. When possible, data should be saved in designated places (document management system, network disks, etc.)
- Information on computers, mobile phones and on paper must be protected, i.e. such items must not be left unattended
- Laptops must be protected with a password that meets KI’s rules for passwords. Mobile phones and tablets must use biometric authentication (such as fingerprint recognition), a PIN code or equivalent.
Information on mobile devices shall be protected from unauthorized access, manipulation and loss. A work phone that is connected to KI’s intranet can be used as a stepping stone into our IT environment and for attacks. Keep in mind that:
- Smartphones and tablets provided by KI are to be seen as work tools. These devices, and the information stored on them, are the property of KI, and KI therefore has the right to access this information.
- Because of the Public Access and Secrecy Act, information on mobile devices could, on demand, be disclosed to the public.
- Mobile devices are to be seen as insecure storage locations. Therefore, you shall not store confidential or sensitive information on them unless you use security features for this purpose that have been approved by the IT department.
- Applications for mobile devices could contain malicious code. To reduce the risk of infection, you shall only download applications from known providers, such as the App Store or Google Play.
- PIN codes, fingerprints or equivalent protection against unauthorized access must be used on mobile devices. PIN codes shall not be easy to guess, such as 0000, 123, etc.
- Updates from Google or the phone manufacturer must be downloaded promptly.
- Mobile devices shall have remote wipe and tracking features activated.
Use of the Internet
The Internet connection provided by KI is to be used for work-related tasks. Private use is only permitted to a limited extent and as long as it does not affect your work. It is not permitted to:
- Visit websites that contain violence, racism, pornography, criminal activity or other sites that for ethical reasons are judged not to be appropriate.
- Download files or programs that are not work-related (incl. music or movies).
- Connect a computer to the network while it is simultaneously connected to another network.
Use of email
The email system is for work-related tasks. Private use is only permitted to a limited extent and as long as it does not affect your work.
- Sensitive information must always be encrypted when it is sent by email. Contact KI’s IT department for help with encryption.
- Email accounts may be locked if there is any suspicion of crime or abuse
- Your email address should only be used in work-related contexts
It is not permitted to:
- Send or save offensive information such as violence, pornography and discriminatory words or images
- Send or forward spam or chain mail
- Open, send or forward program files that are not work related
- Automatically forward email to an external, unapproved email address
- Quote a private/external email address as contact information on KI’s public websites
Use of social media
The use of social media within KI is primarily based on the organization’s interests, e.g. to quickly reach various target groups. You should also keep in mind that:
- Private use of social media during work hours is only permitted to a limited extent, and as long as it does not affect your work
- KI’s email address may not be used for private login/communication
- Sensitive information must never be communicated through social media
- Passwords that are used to log into social media must not be the same as passwords used in KI’s internal network
Otherwise, the same rules apply as for the use of email. For further information on dealing with social media, see the page Social media.
Teleworking
When teleworking, you must keep in mind that:
- Remote connections to KI’s network are only permitted through approved communication solutions for remote connection
- Only hardware that satisfies KI’s security requirements may be connected to KI’s internal network (does not affect access to online services, e.g. Contempus)
- Sensitive information must be stored and handled in a secure manner in accordance with current security requirements
- Sensitive information must always be encrypted when stored on movable media such as laptops, USB sticks or mobile phones
Access and user ID
Regarding access and user-id, you must keep in mind that:
- As a user, you are responsible for the handling of information and the activities that take place during the period when you are logged in with your user-id in a system
- Your user-id, passwords and badges are personal and may never be lent to anyone else
- You must immediately submit a report if you suspect that an unauthorised party is aware of your password or if you have lost your badge
Logging and audit of logs
With regard to logging and examining logs, the following applies:
- All use of the Internet is logged
- For all systems that contain sensitive data, logging takes place of all user activities, i.e. everything we do in the system
- The purpose of the logging is to make it possible to make sure that only authorised persons have had access to certain information
- Logs are examined on a regular basis
Report form for information security incidents & personal data breaches
From March 2020, this report form is to be used if you discover, or suspect, that an information security incident or personal data breach has taken place:
According to new rules on data protection set out in GDPR, KI must have procedures in place to detect and investigate potential personal data breaches. This new report form, which replaces earlier reporting procedures, is an important step in making KI better equipped for managing incidents. All reports sent in by users will be analyzed and dealt with in a systematic manner.
As a user, you need to:
- be familiar with the definitions of what constitutes a personal data breach and an information security incident respectively (descriptions can be found in the form’s introduction text – follow the link to the report form above)
- be aware that personal data breaches and information security incidents, from now on, are to be reported by using the form,
- be aware that you have a responsibility to file a report if you discover, or suspect, that an incident has occurred,
- as a rule, it is better to always report what you suspect to be an incident – rather than for potential incidents to remain undiscovered or unmanaged,
- if needed, KI’s Data Protection Officer will notify the Swedish Data Protection Authority (Datainspektionen) of personal data breaches.
KI's information security function is currently available via e-mail: firstname.lastname@example.org.