Information security within your department

Responsibility for information security follows operational responsibility. Read more about roles and responsibilities of information security work within the department, research groups, research projects, and education.

Organising information security work

At KI, responsibility for information security follows operational responsibility. At most departments, this means that information security aspects must be considered throughout the organisation: by management, divisions, units, and research groups. Those responsible for an operational area must ensure that assessments are made and any necessary measures are taken within their area.

This involves considering potential risks and bottlenecks in operations, ensuring adequate protection of information, and implementing and following up on improvements from a risk-based perspective.

Any risks that could have major negative consequences for KI and cannot or should not be managed solely within one’s own area of responsibility must be escalated to KI’s central management in accordance with the current risk management guidelines.

Use the checklists for information security work at the department.

Management

During the department’s operational planning, management makes an overall assessment of risks from an information security perspective, based on input from the organisation. This input is submitted to KI’s internal follow-up of the status of information security, which is initiated by the Information Security Function at the Legal Department.

Division/unit

Those responsible at division and unit level keep updated on risks and planned measures within their part of the organisation and report to the department’s management on a monthly basis or as needed.

Research groups

Research groups are responsible for documenting and assessing the risk of business-critical information processing, and for implementing necessary improvements.

In research projects, risk assessments and information classification must be carried out to provide a risk-based decision basis for the project’s information processing.

If specific IT solutions, applications, mobile applications or other external IT solutions are developed for collecting, storing, and sharing data, the applicable internal information security guidelines must be followed.

Use the checklists below regarding information security work at the department.

Checklist: Overall information security work

Use these points to support your assessment of potential risks, deficiencies, and improvement needs related to the department’s most important and critical operations and information management.

  1. Compile an overview of:
    - the department’s most important and critical operational areas
    - any local IT environments, IT solutions, and applications within the department
    - critical dependencies on external suppliers and equivalents.
  2. Assess any risks, threats, bottlenecks, or similar related to the above.
  3. Assess the consequences for operations of any interruptions to critical IT deliveries.
  4. Plan and budget for any improvements related to the above.
  5. KI’s central solutions for processing, storing, and sharing information must be used as the first choice. If specific solutions need to be developed, KI’s information security guidelines must be applied (see "Anvisningar för tekniska miljöer och tekniska tillämpningar", "Vägledning för säker utveckling" and "Vägledning för säkerhetstester och granskningar").
  6. Maintain an up-to-date overview of the status of information security within the department that covers at least the above points.

For IT and information management, this refers to what the department itself handles, in addition to what is provided by KI’s central IT Department and "Coordinated IT".

Checklist: Research groups and research projects

The points below can support the assessment of potential risks, deficiencies and improvement needs relating to the research group’s most important and critical activities and information management.

General

  1. Make sure that everyone in the research group is familiar with the relevant information security aspects of your work: see Information Security Guidelines.
  2. If you develop your own IT environments, IT solutions, mobile applications, etc., ensure information security. KI’s guidelines in these areas must be applied (see Instructions for Technical Environments and Applications, Guidance for Secure Development, and Guidance for Security Testing and Reviews).
  3. Ensure that any solutions are maintained over time so that critical updates are implemented.

Research projects

The points below clarify the information security aspects found under Research Data Management and Legal issues, Compliance & Ethics within research.

  1. Plan: Depending on the purpose, methods, implementation and collaborations of the research project, you should determine what needs to be done from an information security perspective. In principle, risks must always be assessed, including the sensitivity of the data you intend to work with, based on which you should decide how information should be managed and which IT solutions should be used. This can be documented in the document management plan.
  2. Create, collect, store and share information: Use KI’s central solutions to collect, store, and share the project’s research data. This ensures that the solutions meet information security requirements and are continuously monitored. Use file storage and sharing services as well as REDCap for data collection.

    Although KI’s central solutions should always be the first choice, there are situations that require exceptions. In such cases, the project must ensure information security. Remember that KI’s information security guidelines must always be followed. In some cases, special security tests must be carried out before a solution is put into use.

    For further dialogue, you should primarily contact the department’s liaison within the Business Relations and IT Research Support. You can also contact the Information Security Function.
  3. Collaborate, process and analyse: When collaborating with external parties, if KI is the principal investigator and/or data controller, the relevant data protection and information management requirements must be included in the contractual arrangements. KI’s contract templates include information security annexes. These must be reviewed to ensure they are appropriate for each research project.
  4. Publish and share: Ensure that the data you intend to publish does not contain sensitive personal data or other confidential information. See the section Publishing and Sharing Research Data – an Overview (KI University Library).
  5. Preserve, archive and report: Follow KI’s guidance on archiving research data, which is presented under Research Support on the staff portal. There are no additional information security considerations beyond this.

Educational activities

Staff and students should be able to focus on education and learning within a safe and secure digital pedagogical environment. As KI continues to develop its digital pedagogical solutions, it is important to ensure that information security requirements are met.

Information security aspects should also be considered when creating course content, especially when working with disclosed clinical information or research data containing special categories of personal data.

In general, risk-based information security work involves assessing risks, classifying information based on sensitivity, and then selecting appropriate security measures. The aim is to handle KI’s information securely, whether it is digital, on paper, or verbal. Always use KI’s central IT solutions for storing, sharing, or presenting data.

You particularly need to consider information security aspects in the following situations:

  • Specifying requirements for new digital educational tools before development or procurement.
  • Audits/reviews of digital educational tools or external suppliers.
  • Creating educational material based on clinical data or research data.