Information security for different areas

This section describes what you, as a member of staff at KI, need to know, consider and follow to contribute to secure information management across different areas – whether digital, on paper or verbal.

Keep this in mind

  • Protect your login credentials; never share them with anyone else. You are personally responsible for all activities carried out via your user account.
  • All devices used to handle information in KI’s operations must be kept up to date. Updates frequently contain security patches, and an unpatched device remains exposed to vulnerabilities that are already publicly known.
  • Never use the same password for KI services as for your private ones. If an external service is breached and its passwords leak, attackers routinely try those passwords against other accounts; a unique KI password means that poor security in an external service cannot be turned into unauthorised access to KI systems.
  • Always lock or log out of your computer when leaving it unattended. Physical access to an unlocked computer is one of the easiest ways to access KI’s information. Also be aware of the risk of "social engineering", where attempts may be made to steal KI’s information or equipment.
  • Do not download files from the internet or open email attachments or links if you are unsure of their content or the identity of the sender.
  • Information belonging to KI must not be handled in private cloud services (that is those not procured or provided by KI) or on private storage media or devices.
  • As a member of staff at KI, you are responsible for ensuring that personal data is processed in accordance with GDPR requirements.
  • Misusing KI’s resources is prohibited, for example by placing an excessive load on network resources, hardware or software, or by using available resources for private or commercial purposes.

You may lose your access rights to KI's systems if you violate the applicable security rules. Suspected criminal activity will be reported to the police.


Handling sensitive information

When handling information that is classified as sensitive and requires protection, such as sensitive personal data, you must:

  • Only access the sensitive information necessary to perform your work.
  • Handle paper documents securely when storing and printing them, so that no unauthorised person can access them.
  • Never send sensitive information unencrypted via email.
  • Be aware of your surroundings when handling or discussing sensitive information, as there is a risk that unauthorised persons may overhear you.
  • Store, process and transport sensitive information only in IT systems and solutions that are approved for this purpose.

In addition, the fundamental principles of data protection must be observed when processing personal data. Further guidance and detailed information on handling personal data at KI can be found under GDPR.

IT equipment and storage media

  • KI’s equipment must only be used for work-related purposes.
  • Only the guest network or Eduroam can be used to connect private devices. Further information can be found under Wireless Networks on Campus.
  • Sensitive information, such as sensitive and privacy-sensitive personal data and other information covered by confidentiality under the Public Access to Information and Secrecy Act, must not be handled on private devices.
  • KI’s central solutions for storing and sharing information should always be used as the first choice. Only in exceptional cases, when this is not possible, may information be stored otherwise – provided that information security requirements are met.
  • If local hard drives or portable storage media are used, they must be backed up. The main rule is to save information in KI’s central storage solutions.
  • Computers and mobile phones must be physically protected and must not be left unattended.
  • All computers, mobile phones, and tablets must always be protected against unauthorised access by using password protection, PIN codes, or equivalent.
  • Sensitive information must be encrypted when stored on computers, mobile phones and/or storage media. See Accounts and Passwords.

Further information on IT security can be found here.

Mobile devices

The information stored on mobile devices must be protected so that it does not fall into the wrong hands, is not tampered with, and is not lost. A work device that is compromised or lost, and that is connected to the organisation’s internal network, can also serve as a gateway for further attacks on the organisation.

Therefore, keep in mind

  • The smartphones and tablets provided by KI are work tools. KI owns the equipment and any information stored on them. As an employee, you should be aware that the employer has the right to access all information on your device, including text messages, photos, and calendar notes.
  • Due to the principle of public access, it may be possible for external parties to request information from your phone or tablet.
  • Smartphones and tablets should generally be considered insecure storage locations. You must not handle confidential information on such devices unless a special security solution approved by KI’s central IT security team is used.
  • A wide range of applications are available for smartphones and tablets, and some of them contain malicious code. To reduce this risk, you may only download applications from the official stores, App Store or Google Play.
  • Smartphones and tablets must be protected by PIN codes, fingerprints or other authentication methods. Simple PIN codes such as 0000 or 1234 must not be used. Do not use the same PIN code as you do for other purposes, such as for bank cards.
  • Any updates announced by providers or phone manufacturers on your mobile device must be installed promptly.
  • Mobile devices must have tracking and remote wipe functionality.

Digital and remote work

Internet use

The internet connection provided by KI is intended for work purposes. Limited private use is permitted, provided that it does not affect your work.

It is not permitted to

  • Visit websites containing violence, racism, pornography, criminal activity or other content deemed ethically inappropriate. Exceptions may be made for work or research purposes, but only with the approval of your immediate manager.
  • Download files or programs that are not work-related (including music or films).
  • Use the internet in a way that could damage KI’s reputation – all internet use leaves digital traces.

Email

The use of email at KI is regulated by the email guidelines. In addition to these guidelines, keep in mind:

  • Email is a common method for spreading malicious code and for sending messages that attempt to trick recipients into revealing login credentials. Be cautious when receiving emails from unknown senders or emails with suspicious content. If you are unsure, contact your immediate manager or verify the sender’s identity through a channel you already trust, for example by phoning the sender on a known number rather than replying to the email, before taking any action.
  • Sensitive information, information covered by confidentiality, privacy-sensitive information, and sensitive personal data should generally not be sent by email. However, if it is deemed necessary in exceptional cases, an encryption solution must be used to ensure that the information does not reach unauthorised parties.
  • Report spam or phishing emails directly via the “Report Message” function in Outlook under “Message” and “Protection”. You can also report the incident as a security breach for statistical purposes.
  • If you receive an email containing threatening messages: save the email, contact your immediate manager, and report the event as an information security incident. Read more about serious incidents and personal threats.
  • KI may close individual email accounts if there is suspicion of crime or violation of internal security rules.

It is also not permitted to

  • Send or store offensive content, such as violence, pornography, and discriminatory words or images.
  • Send or forward spam or chain letters.
  • Open, send, or forward program files that are not work-related.
  • Automatically forward email to an external, non-approved email address.
  • Provide a private/external email address as contact information on KI’s public web pages.

Remote work

  • Access to KI’s network from outside the office is only permitted via approved remote access solutions. Read more about the VPN service.
  • Only equipment that meets KI’s security requirements may be connected to KI’s internal network.
  • Sensitive information must be handled and stored securely, in accordance with the relevant security requirements.
  • Sensitive information must always be encrypted when stored on portable devices and storage media such as laptops, USB drives or mobile phones.

Digital meetings

Sometimes it is appropriate to replace physical meetings with digital ones. When doing so, consider information security by:

  • Deciding which elements and information are suitable for digital meetings.
  • Only using tools recommended by KI, such as Teams and Zoom.
  • Following the rules for handling sensitive information/sensitive personal data.
  • Using the meeting tool’s technical settings to reduce the risk of unauthorised access, for example a waiting room or lobby, a meeting passcode, and locking the meeting once all expected participants have joined. This is especially important for meetings expected to include sensitive information.
  • Conducting digital meetings in suitable environments and protecting your screen from view.

Read more on digital meetings.

Social media

The use of social media within KI should primarily serve organisational purposes, such as reaching different target groups. Keep in mind:

  • The private use of social media during working hours is only permitted as long as it does not affect your work.
  • KI email addresses must not be used for services intended for personal use.
  • Never communicate sensitive information related to your work via social media.
  • Publishing personal data on social media must comply with GDPR requirements.
  • Passwords used for authentication to social media must not be the same as those used for KI systems.

The same rules apply as for internet use and email use. See also KI’s social media guidelines.

Access and user identity

As a user, you are responsible for how you handle information and for any activities that occur while you are logged in to a system with your user identity.

Your user identities, passwords, and access cards are personal and must never be lent to anyone else. Lending these details may mean that you are held accountable for activities carried out in your name. Similarly, you must not work using another person’s user identity.

If you suspect that someone knows your password, change it immediately and report it to IT support. Report a lost access card to IT support immediately so that it can be deactivated.

Everything is logged

Keep in mind:

  • All internet use is logged.
  • For all IT systems containing sensitive data, all user activities are logged – that is, everything we do within the IT system.

The purpose of logging is to ensure that only authorised persons have accessed relevant information and to investigate potential incidents or suspicions of irregularities or criminal activity. Log reviews are conducted regularly.

Reporting incidents

It is important to know what constitutes an incident and how and where to report it.

You can help by

  • Reporting incidents that may affect KI’s operations as soon as possible: Report if something has happened.
  • Promptly reporting incidents involving personal data.
  • Also reporting suspected incidents promptly.

Examples of information security incidents

  • Incorrect, unlawful or harmful handling of information that may have a negative impact on KI.
  • Information that has fallen into the wrong hands.
  • Theft of equipment or physical documents containing sensitive information.
  • Data breaches.
  • Malicious code (such as viruses) or harmful software.

If an incident involves personal data, it is classified as a personal data incident. Under GDPR, KI is obliged to notify the supervisory authority of such incidents, normally within 72 hours of becoming aware of them; at KI this notification is handled by the Data Protection Officer, which is why personal data incidents must be reported internally without delay.

Report information security and personal data incidents.