
Information security and data protection at UiT

UiT The Arctic University of Norway processes large volumes of information relating to research, education, dissemination and administration. It is crucial that we attend to information security in a proper manner, not least to safeguard the integrity that UiT relies on as a research and education institution. This applies irrespective of whether the processing in question is physical or digital.
Do you wish to contact the Privacy and Information Security Office? Please send an e-mail to sikkerhet@uit.no

The Information Security Management System (“ISMS”) was adopted by the University Board, initially in 2015 and later revised. Through this management system, UiT shall have a comprehensive approach to information security so we can have governance and control of the information security at the university.


The management system consists of three parts: governance, implementation and control. The University Board is responsible for amendments in the governance part (Chapters 1-3), while the University Director has responsibility for amendments in the parts concerning implementation and control (Chapters 4-6, as well as the appendices).






Chapter 1: Introduction


Please note: this chapter has been updated and the descriptions below are no longer completely accurate. This will be remedied shortly; in the meantime, please see the Norwegian edition of this page for up-to-date information!


The University of Tromsø – The Arctic University of Norway (UiT) is a national and international centre of power for competence, growth and innovation in the High North. This shall amongst other things be demonstrated through the high quality of UiT’s knowledge management and information assets: research data, research results and information or knowledge that is included in teaching, research and dissemination.


Consequently, systematic and planned efforts to safeguard our information assets are a key part of UiT’s knowledge management. Internal and external actors – managers, employees, students, partners and the general public – must be able to rely on UiT being able to safeguard

  1. the confidentiality of the information – We protect sensitive or important information against unauthorized access or misuse,
  2. the integrity of the information – We protect sensitive or important information against modification or erasure, and
  3. the availability of the information – We ensure that all information is available to everyone who shall have access to it.

UiT is subject to a range of laws and regulations that require us to have satisfactory information security. This includes the Public Administration Act and its appurtenant regulations (the e-government regulations), the Personal Data Act and its appurtenant regulations and the Health Research Act and its appurtenant regulations. Furthermore, other legislation, including the Freedom of Information Act and the Archives Act, contains provisions of significance for the work of securing information at UiT. A requirement in the letter of appropriation from the Ministry of Education and Research to UiT for 2014 was the establishment of a management system for information security based on the basic principles of recognized security standards. The Information Security Management System at UiT meets the statutory requirements and those stipulated by the Ministry for the work involving information security in the higher education sector.

The Information Security Management System shall ensure that UiT’s information assets are dealt with in a manner that is systematic, planned and satisfactory. The management system includes goals, strategies and organisation of the work involving information security, as well as descriptions of roles and responsibilities, an overview of information assets and guidelines.
 
The management system consists of three main elements:
  1. Governance – overarching policy, including security objectives and strategies, roles and responsibilities
  2. Implementation – risk assessments, as well as specific procedures and guidelines in the appendices
  3. Control – internal audits, reporting personal data breaches and other nonconformities and a review by management
Information security is a senior management responsibility. The operational responsibility and the practical work involved with attending to the information security may be delegated to the individual units at UiT, cf. the description of the security organisational structure including roles and responsibilities in point 3.
 
The Information Security Management System at UiT covers
  • all users of UiT’s IT resources [1]
  • all UiT’s campuses
  • all organisational units [2]
  • all technology [3]
  • all information assets
The term “information assets” means equipment, processes or data associated with information and which the organisation considers necessary to protect. How such information assets shall be protected depends on the results of risk assessments. Information security relating to data covers all media and formats and applies to information stored and used on mobile devices, on CD-ROMs and on paper. It may be an IT system, e.g. an HR system, learning platform or records system, or a type of information, e.g. student information, patient information or data included in a research project.
 
[Footnotes]
[1] Students, employees, guests and partners, etc.
[2] Departments, faculties, centres, museums and data processors, etc.
[3] IT systems, data networks, databases and data registers, etc.

Two key concepts recur in the management system and legislation relating to data protection: controller and data processor. The data controller is the person, authority or agency etc. who decides the purposes and means of the processing of personal data. The data processor is the person, authority or agency etc. who processes personal data on behalf of the data controller. A written data processor agreement must always be entered into before external actors can process personal data for UiT, including on a small scale.


Chapter 2: Security strategies and acceptable risk


Good information security shall contribute to UiT achieving its strategic goals and fulfilling its societal mission. Confidentiality, integrity and availability of UiT’s information assets shall be taken care of in a unitary and systematic manner throughout the entire organisation. The information assets shall be available to those who have access (availability), they shall be safeguarded against unintentional and unlawful modification (integrity), and they shall not be available to unauthorised persons (confidentiality).
 
Security strategy
The Strategy for Information Security (2019–2021) was adopted by the University Board on 13 March 2019. This contains security goals and assessments relating to acceptable risk.
(Please note: In addition to the above-mentioned document, there is a base document containing a greater degree of detail, including which measures may be implemented. This is not publicly available but anyone with a service-related need can gain access by contacting the Unit for information security and privacy at security@uit.no)


Chapter 3: Classification of information


A prerequisite for being able to comment on acceptable use, as well as on the need for security measures, is carrying out a classification of the information. The classification forms the basis for the assessment of the degree of security (IT technical, organisational and physical) the information shall be subject to. Moreover, the classification will contribute to obtaining an overview of the information assets that UiT manages.
The classification will also provide those who shall process the information with a specific indication and guidance about how it shall be handled and protected.
You will find the Guidelines for classification of information here (/Content/626159/cache=20191504144130/Retningslinjer%20for%20klassifisering%20-%20vedtatt%205-4-19.pdf%20).

Which services can you use for different types of data?



Chapter 4: Roles, responsibilities and tasks


Here is a description of the responsibilities and tasks allocated to the various roles:

Please note: this chapter has been updated and the descriptions below are no longer completely accurate. This will be remedied shortly; in the meantime, please see the Norwegian edition of this page for up-to-date information!


  • shall consider and adopt the Information Security Management System at UiT
  • can make demands concerning the future work involving information security at UiT
  • is data controller for all personal data, including determining the purpose of processing personal data, as well as having a documented record of these
  • is responsible for information security at an overarching level, including allocating sufficient resources to work involving information security, as well as training and skills development
  • is responsible for the implementation and maintenance of the Information Security Management System, as well as for the organisation of the security work undergoing an annual internal audit, cf. Section 6.1
  • shall conduct an annual review of the status of the work involving information security [8]
  • shall appoint members of the Information Security Forum
[Footnotes]

[8] cf. review by the management

  • is responsible for information security and has the administrative responsibility for information security at UiT
  • has instructional authority over all other units at UiT in matters relating to information security
  • shall ensure that attitude and awareness programmes are implemented
  • shall exercise the IT Director's authority in matters relating to information security
  • shall be an adviser to the line organisation in matters relating to information security
  • shall lead the Computer Security Incident Response Team (CSIRT) and the Information Security Forum
  • shall compile and maintain an overall ICT contingency plan
  • shall follow up personal data breaches and other nonconformities at the overarching level and ensure that these are channelled to and followed up by the affected units
  • shall conduct information activities, guidance and training relating to information security
  • shall maintain overarching Information Security policies and procedures
  • shall initiate and participate in audits and risk assessments as required
  • shall compile the report of the management’s annual review
  • shall maintain an updated overview of data processing agreements entered into at UiT
  • shall assist the system owner with designing the requirements for information security during the procurement of new systems
  • is responsible for the operation of the IT systems, and shall attend to satisfactory information security on IT infrastructure on the basis of risk assessments
  • shall compile a continuity and contingency plan on the basis of risk and vulnerability analyses that covers critical and important information systems and infrastructure
  • shall document systems/infrastructure and associated security measures
  • shall compile and maintain security policies, guidelines and procedures for the technical infrastructure
  • shall monitor significant changes in threats against UiT’s information assets
  • shall ensure that security of access to buildings, rooms and areas is in line with the criteria for acceptable risk
  • shall assist units with risk assessments of physical security and implementation of necessary physical security measures
  • are responsible for satisfying requirements relating to information security at their unit
  • shall conduct risk assessments
  • shall implement any measures necessary to attend to information security at their unit
  • shall report the results of risk assessments including an action plan and personal data breaches and other nonconformities to the Information Security Advisor
  • shall follow up reported personal data breaches and other nonconformities at their unit and ensure that these are resolved
  • shall inform employees at their unit about the applicable procedures and guidelines, and ensure the requirements of the management system for their unit are followed
  • shall establish and maintain procedures to attend to the security objectives
  • shall, in consultation with the Department of Information Technology, make demands concerning information security in the procurement, development and maintenance of information and the information system
  • shall ensure that access is provided when a service-related need arises, terminated when the need ceases, and that necessary training is provided
  • shall, in consultation with the Information Security Advisor, ensure that data processing agreements are entered into
  • shall conduct risk assessment of the system in accordance with Section 4, and document that such risk assessments have been conducted
  • shall implement any necessary measures on the basis of the risk assessments
  • are obliged to familiarize themselves with and follow the applicable security procedures and guidelines relating to secure handling of information assets and personal data
  • are obliged to prevent and report personal data breaches, as well as to report any such incidents via the designated systems if these occur
  • shall implement, or order the implementation of, any measures deemed appropriate to avert damage to UiT’s IT systems and data
  • shall report on security incidents, the potential for and extent of damage and any measures implemented to the IT Director
  • shall provide advice about measures/initiatives to promote the information security
  • shall coordinate the planning and implementation of measures/initiatives relating to information security that cover the entire institution
  • shall review reported personal data breaches and security incidents and ensure that these are resolved
  • shall review the report of the management’s annual review
  • shall contribute to the implementation of the management system in the organisation
  • shall review the Information Security Management System and its associated documents and general allocation of responsibilities on a regular basis, as well as assess the need for changes

Chapter 5: Risk assessment


Risk assessments are intended to reveal any undesirable incidents/threats that may lead to a breach of the information security at UiT. Consequently, the risk assessments have a central place in the work to ensure safe and secure processing of UiT’s information assets. In addition to revealing what can go wrong, the assessments shall reveal what we have done and what more we can do to prevent the occurrence of undesirable incidents and reduce the consequences of any incidents that do occur.

The risk assessment must be seen in the context of established risk acceptance criteria (cf. Section 2.3), and the acceptable risk must be determined before the risk assessment is conducted. If the risk of one or more undesirable incidents occurring is greater than what is defined as acceptable, this risk must be mitigated by implementing preventive measures.

Risk assessments must be conducted

  • when the risk level changes
  • prior to starting the processing of personal data
  • at the start of research projects
  • when establishing or changing ICT systems
  • when organisational changes are made that may affect the information security

All risk assessments must be documented in writing. If risk assessments reveal matters requiring follow-up, someone must be named who is responsible for stipulating relevant measures and plans for the follow-up of these. The risk assessment shall be submitted to the Information Security Advisor(s) who shall utilise these in the management’s annual review and ensure that the documents are filed in UiT’s archival system.

Read more about risk assessments (/om/informasjonssikkerhet#innhold_675410)



Chapter 6: Training


Training is intended to contribute to building a good security culture at UiT by raising awareness among employees and students of the importance of information security and to enable them to comply with UiT’s security policy in their day-to-day work. Consequently, training about information security must be included as a natural part of the training of students and employees at all levels of the organisation. System owners have a special responsibility for training in their respective systems.

Managers have the overall responsibility for ensuring that necessary information is provided to the employees and that time and resources are allocated for training. Information security shall be included in UiT’s management training to ensure that managers can comply with this responsibility. Furthermore, the University Director shall ensure that information security is a topic at suitable management forums at least once a year.

Information about information security at UiT shall be easily accessible to everyone via UiT’s website and other relevant channels.

Those assigned key roles and tasks in the work involving information security shall receive special training. External courses, seminars and relevant networks play an important role in ensuring the exchange of information and increasing the level of competence among these employees.



Chapter 7: Internal audit


The purpose of internal auditing is to check that the adopted Information Security Management System is implemented, operated and maintained in all parts of the organisation. This involves carrying out an annual systematic review of the university’s processing of information where there are requirements relating to confidentiality, integrity and availability. This audit shall identify any personal data breaches and other nonconformities and needs for adjusting the management system and/or the training. This includes checking the internal guidelines and whether these have been updated in accordance with the rules and practices in the organisation. Furthermore, compliance with the requirements of relevant legislation and regulations must be checked. The annual audit forms the basis for the management’s review.



Chapter 8: Dealing with incidents and personal data breaches 


Reporting of personal data breaches

Personal data breaches (and other nonconformities) entail breaches of legislation, regulations and internal regulations at UiT. Notification of such breaches is important as it enables us to identify why they happen and implement any necessary new security measures to avoid similar breaches in the future. Consequently, dealing with breaches/nonconformities is a matter of quality and improvement.

Examples of breaches and nonconformities:
  • theft of computer equipment,
  • misuse of IT services,
  • misuse of passwords,
  • cyberattacks, e.g. by virus attacks or hacking,
  • data leakage,
  • weaknesses in IT systems or procedures at UiT,
  • sensitive information going astray,
  • personal data going astray, or
  • unauthorised access to data.
 
Procedures in the event of breaches/nonconformities:
  1. The person who discovers the breach/nonconformity shall report it via the designated system.
  2. The Information Security Adviser(s) shall investigate the reason(s) for the breach/nonconformity and implement corrective actions to remedy the situation.
  3. The Information Security Adviser(s) shall keep an overview of all reported breaches/nonconformities, which shall be included in the management’s annual review and be used in training across the organisation to prevent repetition.
Read more about reporting breaches/nonconformities here


Chapter 9: The management's review


Information security is a management responsibility on the same level as other key management tasks at UiT. The management has the overall responsibility for ensuring that UiT meets the information security requirements it is obliged to meet, and for ensuring that employees and students have adequate knowledge about information security. To enable the management to fulfil its tasks, a report that reviews the work involving information security shall be compiled annually.

The Information Security Adviser(s) are responsible for ensuring that this report is compiled.
 
The management’s review shall discuss:
  • the results of internal audits
  • the results of risk assessments
  • reported breaches/nonconformities and implemented measures
  • any necessary adjustments in the management system

Following the review, the management shall decide whether:
  • the allocation of responsibilities and tasks is appropriate
  • changes in the management system are required
  • there are special resource and training needs for the coming year

Various guidelines and procedures are included as appendices to the management system and thus form part of it:
 




See "About risk assessments"






About risk assessments


The management system stipulates that risk assessments shall be conducted:
  • when the threat level changes
  • prior to starting the processing of personal data
  • at the start of research projects
  • when establishing or changing ICT systems
  • when organisational changes are made that may affect the information security
 
Through the risk assessments, we assess possible undesirable incidents (threats), the probability of them occurring and the consequences if they do occur. The total of probability and consequence provides the level of risk for the threat in question. If this level is sufficiently high, measures must be implemented to reduce the risk level (either reduce the probability, consequence or both) before the processing, system, service, etc. starts/is adopted. There will always be a certain risk associated with the processing of information, the use of services, etc. The goal is to reduce this risk as much as possible. The “residual risk” one is left with must either be accepted, or a conclusion must be made that the risk remains too high for the planned processing to be implemented or service to be adopted, etc. It is important that this decision is made at the correct level (see below).
 
The assessment of probability and consequence is made on a scale of 1-4 (where 1 is lowest), and the criteria for these assessments are determined by the various scales of risk (https://universitetetitromso.sharepoint.com/:w:/s/informasjonssikkerhet/EefCiRAfyTxEtq61mavnafcB04VaZdRVLppKoAM4ztiQNQ?e=b7sUfC) (requires login).
 
UiT utilises the guidelines published by UNIT - Directorate for ICT and joint services in higher education and research. These are based on recognized standards. You will find further information on risk assessment of information security here: https://www.unit.no/risikovurderinger-informasjonssikkerhet
 
UNIT has also created specific guides for cloud services and administrative systems. You will find these and other guides at the bottom of this page: https://www.unit.no/risikovurderinger-informasjonssikkerhet
The management system stipulates that unit managers and system owners are responsible for ensuring that risk assessments are implemented. This does not mean that they must conduct the assessments personally, but they are responsible for ensuring the risk assessments are conducted. The same roles must accept the risk assessments and the measures that are necessary/must be implemented, as well as accept any residual risk.
 
If the processing involves high risk or services processing large amounts of information about many people (especially if this involves confidential information), the risk assessment should be elevated up the line, initially to the IT Director and in some instances to the University Director. The University Director has overarching responsibility for information security and exercises the authority of data controller pursuant to the provisions of the Personal Data Act.
 
A risk assessment is not something that is conducted once and then set aside. It is necessary to review assessments regularly to check whether the measures worked according to plan, whether the threat level has changed, etc. Have any of the premises for the assessments changed (new technology, etc.)?
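A worked illustration of the assessment and escalation logic described in this section, added here as an example (it is not UiT's own tool, scale or acceptance criteria). The numeric thresholds, the sample threats and the sample measures are assumptions made for the example:

```python
"""Worked example of the risk-assessment logic described above.

Added illustration only, not UiT's own tool or risk matrix. It follows the
page's description: probability and consequence are each scored 1-4, their
total gives the risk level, risk above the pre-agreed acceptance level must be
reduced by measures, the residual risk is accepted at the right level, and
high-risk or large-scale processing is elevated up the line. The thresholds,
sample threats and sample measures below are all assumptions.
"""
from dataclasses import dataclass, field

SCALE = range(1, 5)  # 1 = lowest, 4 = highest (page: "a scale of 1-4")

# Assumed acceptance criteria. The page says these must be fixed before the
# assessment is made; UiT's real criteria are in a login-protected document.
ACCEPTABLE_RISK = 5  # totals up to this can be accepted by the unit manager / system owner
HIGH_RISK = 7        # at or above this the assessment is elevated to the IT Director
MANY_PEOPLE = 1000   # assumed cut-off for "information about many people"


@dataclass
class Measure:
    """A preventive measure lowers probability, consequence or both."""
    name: str
    cuts_probability: int = 0
    cuts_consequence: int = 0


@dataclass
class Threat:
    """One undesirable incident with its initial scores and planned measures."""
    description: str
    probability: int
    consequence: int
    measures: list = field(default_factory=list)

    def __post_init__(self):
        if self.probability not in SCALE or self.consequence not in SCALE:
            raise ValueError("probability and consequence must be scored 1-4")

    def risk(self):
        # Page: "the total of probability and consequence provides the level of risk"
        return self.probability + self.consequence

    def residual(self):
        """Scores after measures; a score never drops below 1 (some risk always remains)."""
        p = max(1, self.probability - sum(m.cuts_probability for m in self.measures))
        c = max(1, self.consequence - sum(m.cuts_consequence for m in self.measures))
        return p, c, p + c


def acceptance_level(residual_risk, data_subjects, confidential):
    """Who must accept the residual risk, following the escalation rule on the page."""
    high = residual_risk >= HIGH_RISK
    large_scale = data_subjects >= MANY_PEOPLE
    if high and large_scale and confidential:
        return "University Director"  # the page's "in some instances" (assumed trigger)
    if high or large_scale:
        return "IT Director"
    return "Unit manager / system owner"


def assess(threats, data_subjects, confidential):
    """Evaluate each threat; return a per-threat report and whether processing may start."""
    report = []
    for t in threats:
        _p, _c, residual = t.residual()
        report.append({
            "threat": t.description,
            "initial_risk": t.risk(),
            "residual_risk": residual,
            "measures_required": t.risk() > ACCEPTABLE_RISK,
            "residual_acceptable": residual <= ACCEPTABLE_RISK,
            "accepted_by": acceptance_level(residual, data_subjects, confidential),
        })
    # If any residual risk is still above the acceptance level, the page's conclusion
    # is that the risk remains too high for the planned processing to be implemented.
    can_proceed = all(r["residual_acceptable"] for r in report)
    return report, can_proceed


# Constructed sample: a survey collecting health-related answers from students
# (confidential data about many people). Scores and measures are made up.
SAMPLE_THREATS = [
    Threat("Unauthorised access to stored answers", probability=3, consequence=4,
           measures=[Measure("Two-step verification", cuts_probability=1),
                     Measure("Store in an approved service only", cuts_probability=1)]),
    Threat("Answers lost through missing backup", probability=2, consequence=3,
           measures=[Measure("Daily backup", cuts_consequence=1)]),
    Threat("Form link shared publicly by mistake", probability=2, consequence=2),
]

if __name__ == "__main__":
    rows, ok = assess(SAMPLE_THREATS, data_subjects=5000, confidential=True)
    for row in rows:
        print(row)
    print("Processing may start:", ok)
```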

It is extremely important that personal data breaches and other nonconformities are reported as quickly as possible. This is done as follows:
 
  • Security-related irregularities (e.g. passwords that have gone astray) that require rapid measures of a technical nature are reported to CSIRT.
  • Other information security-related nonconformities shall be reported to sikkerhet@uit.no.
The following details must be included in the notification (to the extent possible):
  • What has happened, where did it happen and how did it occur?
  • The date and time span of the breach/nonconformity
  • When it was discovered
  • Have unauthorised persons become aware of (or potentially become aware of) information?
  • If so, can you say something about this, e.g. the number of people, describe the situation (published on the internet, sent by mistake to one person, etc.)
  • Has the information been lost or unavailable for some time (did this create major or minor consequences)?
  • Has the information been changed (either by unauthorised persons or by accident)?
  • How many people are affected by the breach/nonconformity (approximately if you don’t have an exact answer)?
  • Who we can contact to get more information, if necessary?
 
If you don’t have a complete overview immediately, please send us a brief description to start with and follow up with more detailed information later. It is important that we are notified quickly. We will request more information if we need it.
 
Please note: If the notification contains confidential information (e.g. confidential data, sensitive personal data, etc.), please create the notification as a Word document in Office365, classify it as “confidential” and share it with Ingvild Stock-Jørgensen. Alternatively, you can send it via Ephorte.

(UiT has published courses entitled “Obligatory for everyone” in the course portal XtraMile. One of the lessons deals with how to classify files in Office365.)




UiT uses various services and it is important that these services are used for the purpose they are intended. In addition to ensuring that data is kept sufficiently “secret”, we must safeguard the availability (What happens if your data are lost and they were stored in a service without adequate backup? Or an examination is held digitally, and the service stops midway through the examination?) and the integrity (What happens if someone can change your research data without you knowing about it? Or their examination grade?) in an adequate manner.


Furthermore, we are subject to various laws that impose requirements about the quality and terms of the services we utilise, not least GDPR. We will publish information here about what the services are approved for (initially related to confidentiality requirements), as well as information about the degree to which you can use services other than those purchased by UiT.








Other digital collaboration tools

  • The use of digital collaboration tools other than those offered by UiT via the Department of Information Technology is not permitted.
  • We are subject to various statutory provisions and, among other things, data processor agreements must be entered into (these are reviewed for quality assurance; see the checklist for data processor agreements) and a risk assessment conducted, cf. the Information Security Management System Chapter 1 and Chapter 5 (https://UiT.no/sikkerhet).
  • Major differences will often exist between the agreements UiT enters into, e.g. through sectorial cooperation, and those entered into by departments, which are often direct with contractors. This may be reflected in the terms for processing of data or where data is stored (USA instead of EU/EEA), etc.
  • If the existing digital collaboration tools do not meet the unit’s requirements, please contact the Section for Digital Platform and Operation (VITE) at the Department of Information Technology.
  • Please note: This does not apply to external meetings you have been notified of. If you plan to participate in a meeting with, for instance, UiO and you have received a link to a (virtual) meeting room using a tool that UiO utilises, of course you may participate.

Private licences
The use of private licences in a work context is not permitted, primarily because it involves processing UiT data (including data about students and colleagues) in a private context, but also with respect to what the licence itself permits. Moreover, by definition, UiT loses control over the data and cannot fulfil its statutory requirements pursuant to GDPR, etc.

Licences via other Higher Education institutions

  • Do you have an employment relationship with another institution that has a service you wish to use in a teaching context, i.e. to carry out teaching activities under the auspices of UiT that involve UiT’s students?
  • This will require agreements between UiT and the relevant institution, e.g. a data processor agreement if it involves personal data, because the other institution would actually be processing data on UiT’s behalf. Furthermore, a risk assessment must be conducted to ensure that the data can be handled adequately in the relevant service.
  • Therefore, you must use the services you have access to via UiT directly.


Which services can you use for which content?


UiT has numerous systems and services that can and must be used. However, not all these are approved for all types of data. Based on the management system, all information at UiT is classified as either open (green), internal use (yellow), confidential (red) or strictly confidential (black). The types of data the various services and systems are approved for, and what is needed for this approval to apply, is determined through the risk assessments.

The table below shows an overview of which data can be processed where.

You will see that some systems/services have footnotes, which refer to the list below the table. These list key conditions for the approval to apply. However, using the service or system as specified in the guidelines, training etc. will always be one such condition. It is important to follow the guidelines, procedures, etc. because UiT uses such documents to implement the measures that are required for a given type of information to be processed in the system or service.

If you use the system or service in a manner other than described/stipulated, the information in the table does not apply and you must contact the system owner directly to clarify whether the use is allowed.

Are you wondering what the different categories mean? See the guidelines in Chapter 3 of the management system.

System/service | Open/Green | Internal/Yellow | Confidential/Red | Strictly confidential/Black
Canvas | OK | OK | Not approved | Not approved
Ephorte | OK | OK | OK | OK
E-mail (Office 365) | OK | OK | Not approved | Not approved
EUTRO | OK | OK | OK | OK
Shared areas (F:\) | OK | OK | Not approved | Not approved
Felles studentsystem (FS) | OK | OK | Not approved | Not approved
Home drive (H:\) | OK | OK | Not approved | Not approved
Mediasite | OK | OK | Not approved | Not approved
Nettskjema / sikkert Nettskjema | OK | OK | OK [1] | Not approved
OneDrive for Business (Office 365) | OK | OK | OK [2] | Not approved
Request Tracker (RT) | OK | OK | Not approved | Not approved
Sharepoint (Office 365) | OK | OK | OK [2] | Not approved
Skype for Business (via UH-Skype) | OK | OK | OK [3] | Not approved
Sway [5] (Office 365) | OK | Not approved | Not approved | Not approved
Teams (Office 365) | OK | OK | OK [2] | Not approved
TopDesk | OK | OK | OK [6] | Not approved
Tjeneste for sensitive data (TSD) | OK | OK | OK | OK
Yammer (Office 365) | OK | Not approved | Not approved | Not approved
WiseFlow | OK | OK | OK [4] | Not approved

 

1 = The service “sikkert nettskjema” (secure online form) must be used for confidential information. Contact the Section for Digital Research Services (SDF) (/om/enhet/forsiden?p_dimension_id=88223). “Nettskjema (/om/enhet/Article?p_document_id=513952&p_dimension_id=88225)” (online form) is only for open and internal information.
2 = This is conditional on the following security measures being followed: the information is classified, and two-step verification is activated. Information that is subject to restrictions on processing in Norway (e.g. pursuant to the provisions of the Security Act) cannot be processed here either.
Please note: The chat function in Teams is not encrypted.
3 = Conversations on Skype are encrypted. For Skype meetings involving confidential content, we recommend activating the “lobby function” so that the meeting organiser must physically admit people wishing to join the meeting. Please note: A copy of the chat is stored in the e-mail client, so the security level of the e-mail will be decisive for these.
4 = Sensitive personal data (e.g. medical certificates) shall not be processed in WiseFlow. However, confidential information, such as examination question papers before the examination is held, can be processed in this service.
5 = Sway is only approved for open data. Please note that Sway stores all user data in the USA.
6 = If TopDesk shall be used for confidential data, prior approval is required (before the operator queue is established).



We are working on e-learning modules on information security and data protection. In conjunction with the National Cyber Security Awareness Month, UiT created its own courses on information security. You are encouraged to complete these! Go to https://app.xtramile.no/ and select the module “National Cyber Security Awareness Month”.

It is important that all units have detailed procedures for the handling of information security at their unit, e.g. handling of printouts of confidential information, procedures for conducting and approving risk assessments, etc. – adapted for your unit.

We will publish some guidance and information about what you need to be aware of on this page.






Working from home


Owing to the coronavirus, an extremely high number of UiT’s employees are now working from home. However, it is important that data protection and information security are still safeguarded, and you have an important responsibility in this respect.


UiT manages vast amounts of research data, as well as personal data about employees, students, research participants, guests, partners and others, and other information of great importance to the organisation. Failure here can cause significant harm to UiT and individuals. Attending to information security and data protection is your responsibility and is fulfilled by being careful, complying with relevant legislation, guidelines and procedures, and reporting any undesirable incidents you discover or experience.


If there are other people in your household, remember that your duty of confidentiality also applies to them. This can easily be overlooked if you leave papers lying around, your computer is unlocked or you lend it to your children or you conduct Skype meetings with others present in the room, etc.


Consequently, we would like to remind you of some rules that everyone must be aware of (whenever you are working from home, including post-Corona):

Basic rules
  • Work involving confidential (red) and strictly confidential (black) data shall only occur on equipment owned by UiT.
  • Papers and notes must be stored in such a way that others in your household cannot read them.
  • ICT equipment owned by UiT (e.g. computers and tablets) must not be loaned to others in your household, including children.
  • This is not only because they can gain access to confidential information, but they can also erase or share the information by mistake.
  • Moreover, we wish to minimise the risk of your device getting malware (which can steal or destroy information, e.g. a crypto virus), and one of the measures to achieve this is that only you use the device and only in a work-related context.
  • Private cloud computing services (e.g. Dropbox) shall not be used.
  • You must lock your screen when you leave the computer unattended (even for short periods) if other people are home.
    • Learn to use the keyboard shortcut Win + L to lock your screen quickly.
  • On UiT’s computers, you can activate a PIN code to avoid entering your password every time you need to unlock the screen. With newer computers, face recognition can also be utilised.


Skype/video meetings
Communication tools like Skype, Teams and Adobe Connect, etc. will be widely used for meetings, teaching, etc. As confidential topics are often discussed (especially during meetings), it is important to be aware of your surroundings. This also applies to teaching, e.g. when you are holding seminars and tutorials. Students expect to ask questions and share their views with you, not you and your immediate family.

Please be aware of the following:

  • If others are present in the room, you must use a headset.
  • We recommend this anyway, as using a headset enhances sound quality and reduces background noise.
  • Be conscious of what you are saying if others are present in the room.
  • We remind you about the duty of confidentiality.

VPN
Unless you need to reach services that require you to be connected to UiT’s network (e.g. Ephorte, PAGA, the home drive, etc.), you do not have to be connected to VPN.

The communication with Office 365 (e-mail, OneDrive, SharePoint, Teams, etc.) is encrypted and thus VPN is unnecessary.
  • Owing to the large number of people who are now working outside the campus, we ask that you are not connected to VPN if this is unnecessary.
  • VPN may be required for certain updates on your computer. We will publish a message here and as an operational message if you need to do something and, if so, how.
  • This does not apply to all updates, e.g. Microsoft (Windows/Office) updates will function normally.




How to avoid attempted scams and attacks


Experience from Norway and other parts of the world shows that criminals are already trying to exploit the upheaval caused by the Corona pandemic. There is a huge demand for information, employees are working at different locations than usual (such as at home) and following different routines, and there is rapid development and exchange of information about how to do this. Dishonest and criminal actors are trying to exploit this by hacking into IT systems, stealing personal data, committing financial crime, etc.


Consequently, it is especially important to be careful during this period because we know that UiT can be exposed to targeted attacks. It does not have to be an “IT attack” where someone tries to hack into systems; it may be “social manipulation” (social engineering), where someone impersonates a person, company or organisation to create trust and entice you into divulging or changing information or access rights. They may also try to get you to install malicious programs (“malware”), which give them direct access to your computer and perhaps to the systems, storage services, etc. you have access to at UiT.

Consequently, we will remind you of some of the things you need to be especially aware of. These tips are basically no different from those that apply at other times. However, as mentioned, we can expect additional activity during this period. As such, many of the examples deal directly with the coronavirus (COVID-19).

E-mail

  • We can expect phishing attacks to increase in volume.
    • Do you want to read more about phishing and how to discover it? See this lesson (https://app.xtramile.no/new/training/d2caa932-96ca-4566-8aa3-3a3567ec81fb) UiT created in conjunction with National Cyber Security Awareness Month.
  • Be extra vigilant if you receive e-mail related to the coronavirus.
    • Naturally, you will receive some legitimate e-mail related to the coronavirus, but check the content, context and sender carefully. For information about how to check if an e-mail is legitimate, please see the link in the point above.
      • This involves knowledge and habits that are useful at other times too, both in a work and private context.
  • False/illegitimate e-mail will often try to
    • play on fear
    • deal with financial interests (such as “updated delivery info”, “amended payment details”, etc.)
    • get the recipient to act in haste (“Important!”, “Respond immediately”, “Urgent clarification required” etc.)
    • give the impression they are a public body/authority (such as WHO, FHI, etc.) or employer and encourage you to implement immediate action
      • UiT will provide messages about measures via en.uit.no/corona. We may send updates by e-mail, but the information in these will be reflected on https://en.uit.no/corona or in the official operational messages. If you don’t find it there and the e-mail asks you to log in to a website, open an attachment or install a program, take the time to check the content before you do anything further.
        • If you are in doubt, ask your manager or a colleague if this is genuine.
      • WHO does not send out e-mails that require you to log in to gain access to the information, attachments that you have not requested, or information on pages outside the domain www.who.int.
    • get you to click on/open malicious links or attachments
      • If you are not expecting an e-mail, check that it is genuine, see the point above about phishing attacks.
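The advice above (check that a link really points to the domain it claims, e.g. www.who.int or en.uit.no) can be automated for a whole e-mail. The script below is an added example written for this page, not UiT's own tooling or guidance: the trusted-domain list is an assumption chosen for the illustration, the sample e-mail text is constructed, and the hostnames ending in .example are placeholders standing in for a scammer's domains.

```python
"""
Added example (not part of UiT's page): pull every http(s) link out of an
e-mail body and report which ones point outside a set of trusted domains.
Two common tricks are handled: a trusted name used as a *prefix* of a longer
hostname (www.who.int.something.example) and a trusted name placed in the
user-info part of the URL (https://en.uit.no@other.example/).
"""
import re
from urllib.parse import urlsplit

# who.int and uit.no are the domains the page names as legitimate sources;
# using exactly this list as "trusted" is an assumption made for the example.
TRUSTED_DOMAINS = ("who.int", "uit.no")

# Matches http/https links up to the first whitespace or bracket/quote.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True when host equals a trusted domain or is a subdomain of one.

    'www.who.int' -> True; 'who.int.example' and 'evilwho.int' -> False,
    because the match must end exactly at a dot boundary.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return (host, verdict) for one URL.

    urlsplit().hostname drops any 'user@' prefix and port, so a link such as
    https://en.uit.no@other.example/ resolves to other.example, not uit.no.
    """
    host = urlsplit(url).hostname or ""
    if not host:
        return host, "unparseable"
    return host, "trusted" if host_is_trusted(host, trusted) else "UNTRUSTED"


def check_email_links(body, trusted=TRUSTED_DOMAINS):
    """Extract all links from an e-mail body; return (url, host, verdict) triples."""
    return [(u, *classify_url(u, trusted)) for u in URL_RE.findall(body)]


# Constructed sample e-mail for the demonstration (not a real message).
SAMPLE_EMAIL = """\
Important! Updated guidance on COVID-19 measures.
Official page: https://en.uit.no/corona
WHO situation reports: https://www.who.int/emergencies
Log in here to confirm your account: https://www.who.int.account-check.example/login
Download the map: http://en.uit.no@corona-map.example/map.exe
"""

if __name__ == "__main__":
    for url, host, verdict in check_email_links(SAMPLE_EMAIL):
        print(f"{verdict:11} {host:40} {url}")
```

The verdict is only about where the link points; a trusted host is still no guarantee that the message itself is genuine, which is why the page also asks you to check the content and context and, in doubt, to ask sikkerhet@uit.no.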

Still in doubt? Send a question about the e-mail to sikkerhet@UiT.no (mailto:sikkerhet@UiT.no)

More information:


SMS
There have been cases in Norway where employees have received an SMS that gives the impression that it is from the management. They were asked to install a specific tool to simplify the communication while they are working from home. That was an attempted scam and the “tool” in question was malware.

  • UiT would not provide this type of information via SMS.

More information about "smishing"

Example from Norway

 

Phone
You may also receive phone calls from scammers.

  • For example, “Microsoft” will be extra active at this time. Scammers claiming to be from Microsoft (sometimes they say they are calling from Windows) will call and say they have discovered a problem with your computer that they can help you with. Microsoft would not call anyone like this, so just hang up if you receive such calls.
    • The phone number they call from can be a Norwegian number, an overseas number or neither (just a collection of digits). This is because they hide their real number and give the impression that they are someone else. The actual owner of the phone number has nothing to do with the call and has not been hacked (the scammers have simply chosen a number, which they give the impression is their own number).
    • If you have followed the scammer’s instructions, in full or in part, please notify sikkerhet@uit.no immediately so we can help you.

 

Websites
Many false websites have been created to take advantage of the situation society is now in.

  • This includes a false “coronavirus map” that claims to be providing “live” information about the spread of the virus. It is actually malware.
  • These sites are usually based on the information and appearance of genuine sites and can be challenging to uncover.
  • “Fake news” is a recurring problem, including in this situation. Be vigilant and practice source criticism.
Examples:

 

More information/sources
Here are some links to more information. Please be aware that the advice to employees/users here is general. In a work-related context, please follow the advice given by UiT.

Does something look not quite right? Please contact sikkerhet@uit.no and we can have a chat about it.

 

 

 



Office 365


For research data, we recommend using SharePoint. OneDrive is personal storage that will be deleted automatically if the user leaves the institution.


Confidential information and personal data may only be stored on Windows computers administered by UiT. Privately owned equipment (laptops/computers, mobile devices), Mac or Linux are currently not approved. For further information about what type of data the various services in Office 365 are approved for, please see above (“Which services can you use for different types of information/data?”)


For practical information about how to classify your data and secure data processing in Office 365, please refer to IT support/Orakelet’s user instructions.


UiT processes vast amounts of personal data, in many different contexts, in research, education and dissemination.

Do you plan to use personal data in research? Read more on this page (/forskning/art?dim=179056&p_document_id=604029).

It is extremely important to understand the roles various actors have in the processing of personal data.

This is necessary in order to know who has responsibility for ensuring the personal data is processed legally, who will make decisions about the processing and who those registered can contact to exercise their rights, etc.

  • Who is the data controller? Does UiT have this responsibility alone or is it shared with others? Does UiT utilise data processors? What is required for this to occur in a legal way?
  • Is UiT the data controller for others? What does this role involve?
  • If the data is transferred overseas, what must be in place for this to be legal?
  • Does UiT have external actors who perform duties for us that involve dealings with personal data although they are not a data processor?
 
UiT has a Data protection officer, who may be contacted at personvernombud@uit.no 





Definitions


Personal data
Personal data means any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, cf. Article 4 (1) of the General Data Protection Regulation (GDPR).
 
This can include name, telephone number, e-mail address, age, assessments, location data, examination answer papers, health data, video, photos, audio recordings and behaviour patterns, etc.
 
It is irrelevant whether the information is objectively verifiable, subjective, significant, trivial, publicly available, true or false. If the information can be associated with a person (directly or indirectly) then it is personal data.
 
Special categories of personal data
Certain categories of personal data are separated out in the GDPR, cf. Article 9. These are called “special categories of personal data” and cover processing of personal data revealing
  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs, or
  • trade union membership,
  • processing of genetic data, biometric data for the purpose of uniquely identifying a natural person
  • data concerning health or
  • data concerning a natural person’s sex life or sexual orientation
Please be aware that special regulations are applicable for the processing of personal data relating to criminal convictions and offences, cf. Article 10.

Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, cf. Article 4 (2) of the GDPR.
 
This can include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, etc. In other words, everything that is done to and occurs with the data.
 
Whether different operations involving the same data (e.g. collection, storage, compilation, etc.) are considered as the same processing operation, or several operations, depends on the purpose. If all the operations are to achieve the same purpose (e.g. admission to a course) then it is considered as one processing operation.
 
Lawfulness of processing
For the processing of personal data to be lawful, various conditions must be met. One of these is that there must be a lawful basis for the processing. This can include consent, performance of a contract with the person(s), compliance with a legal obligation or legitimate interests, etc.
 
The lawful basis for the processing is stipulated in Article 6. For special categories of personal data, one must also meet the conditions of lawfulness pursuant to Article 9.
 
Please be aware that several of the bases of processing pursuant to Articles 6 and 9 require supplementary legal basis in other legislation. This can include the Personal Data Act, the Act relating to universities and university colleges, the Working Environment Act or the Health Research Act, etc. In these instances, one must be able to state the precise supplemental authority that is utilised.
 
The data subject(s)
The data subject(s) is the individual person(s) the data deals with.
 
The General Data Protection Regulation
GDPR”. These regulations are implemented in Norwegian law through the Personal Data Act [Norwegian text].
 


Who is responsible?


Someone always has responsibility for the processing of personal data, a so-called “controller”. This responsibility may also be shared with others, “joint controllers”. See the menu below for further information.


The controller determines the purpose of the processing, as well as the means to be utilised, cf. Article 4 (7) of GDPR. This may be “a natural or legal person, public authority, agency or other body”. The controller is responsible for ensuring compliance with the provisions of the Personal Data Act and the General Data Protection Regulation (GDPR).
 
In the assessment of who the controller is, the actual conditions are decisive (who actually conducts the assessments and makes decisions). Some assessments can be delegated to external actors (e.g. the data processor), while others must be conducted by the controller himself/herself.
 
  • Purpose: The determination of the purpose is extremely central to the processing of personal data and must be determined by the controller himself/herself - before collection of the data can commence. The purpose shall describe why it is necessary to process the relevant data, e.g. carry out admission to a programme of study, the goal of a research project, appointment of a new employee, etc.

    It is important to be conscious of what the purpose is, so that the data subjects (the people the data deals with) understand what the data is used for, as well as why any subsequent further processing of the data is subject to restrictions. For instance, the data cannot be further processed in a manner that is incompatible with the original purpose(s), cf. Article 5 (1) (b).

    The purpose(s) must be specified, explicit and legitimate.
 
  • Means: The term “means” covers more than simply which technical aids shall be utilised. Central assessments and decisions related to how the personal data shall be managed are also covered, such as:
    • Which data shall be processed?
    • Which third parties shall have access? Which data shall be erased (and when)?
    • The choice of technical tools may be delegated to the processor, under certain conditions. However, the controller must ensure that the information security is safeguarded. Risk assessments cannot be conducted by the data processor alone (but they can assist)
    • The controller cannot delegate assessments as mentioned in the bullet points above to the data processor.
 
For UiT, the University Director has the highest responsibility as the controller. In everyday life, the exercise of the processing responsibility is delegated in various areas, and these delegations appear in the regulations and guidelines stipulated by the University Director. For example, the project manager is responsible for ensuring that the statutory requirements for the relevant research project are fully met, including safeguarding of the information security (see guidelines for processing personal data in research projects).

Here we will gather information about some key security measures.

Several measures are needed to ensure the operation and information security of UiT's infrastructure, systems and services, and these measures include the processing of personal data. This applies to employees, students, guests at UiT and others with connections to the university. A typical example is logging.

We cannot always give detailed information about these measures, partly because details of security measures can be a security risk in themselves. But we will provide the information we can, and which we are obliged to provide.






Logging


(in progress)

According to the ICT regulations, any use of UiT's ICT resources can be logged, and this happens. However, it must take place under controlled conditions, and access to logs is strictly regulated. Furthermore, collection and use of logs (as well as other measures, whether it is for the maintenance of operation, security, or both) shall occur following the requirements of the privacy legislation (GDPR etc.).

The threat landscape UiT faces requires several security measures, not least logging. What must be logged (type of information, activity and scope) will become more comprehensive. Still, there must be proportionality between the intrusion into the individual's privacy on the one hand and the necessity and what UiT seeks to achieve on the other.

Information about new measures that affect all users, such as Cisco Umbrella and Microsoft Defender for Endpoint, is announced via operational messages. Among the other more comprehensive measures in the area of logging, UiT is connected to the Alert Service for digital infrastructure (“VDI”). VDI is operated by NSM (the Norwegian National Security Authority) and acts as a “digital burglar alarm”. Some of the further details about VDI are exempt from public access, cf. § 21, and can thus not be shared, but a little more information about the service can be found here:

Notification system (VDI) - National Security Authority (nsm.no)



Multi-factor authentication


Multi-factor authentication is authentication or login with more than one factor. This means that in addition to the username/password, an additional element is required to approve the login attempt. It is used extensively and is becoming more and more common, as it is an effective and relatively simple security measure. You already use some form of it when logging in to your online bank or the Tax Administration's pages (BankID, MinID, Buypass). At UiT, we use two factors for several of our services, and this will become more widespread. There are many ways to find out which password a person uses, so you should expect your password to go astray at some point. If it does, other people could log in directly to your account, but if you have two-factor authentication, this will be considerably more difficult.

Many methods can be used, but the most common is a one-time code via SMS or an app on the phone. We will also introduce USB tokens (“hardware tokens”) for those who cannot or do not want to use the app or SMS.

One of the services at UiT that requires a two-factor login is Office 365, and here you can read more about it.
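To show what the "one-time code from an app on the phone" mentioned above actually is, here is an added example (not UiT's code and not tied to any UiT service) of the standard time-based one-time password algorithm, TOTP (RFC 6238), which is what common authenticator apps implement: an HMAC-SHA1 over a 30-second time counter, truncated to 6 digits. The phone and the server share a secret; each side computes the code for the current 30-second window, and the server accepts it only if it matches. The secret and timestamps below are the RFC's published test values, not UiT's.

```python
"""
Added example (not part of UiT's page): compute and verify TOTP codes the
way an authenticator app and a login server do (RFC 4226 HOTP + RFC 6238).
Secret and timestamps are the RFC test vectors, not real credentials.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by most apps


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS, digits=DIGITS):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, submitted, at_time, window=1):
    """Server-side check: accept the code for the current step or the
    `window` steps on either side, to tolerate clock drift between phone
    and server. All candidates are compared with a constant-time comparison
    (and none is skipped early) so timing does not reveal how close a guess was.
    """
    counter = at_time // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta)
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at T=59 :", totp(RFC_SECRET, 59))   # 287082 (RFC 6238 vector 94287082, last 6 digits)
    print("code right now:", totp(RFC_SECRET, int(time.time())))
    print("verify 287082 at T=75:", verify_totp(RFC_SECRET, "287082", 75))
```

The point for the password discussion above: a stolen password alone is not enough, because the attacker also needs the shared secret held on the phone (or the phone itself) to produce a code that matches the current window. Keeping the window small (one step either side) limits how long a code that has been observed remains usable.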


Students will now also switch to 2-factor authentication. From 15 September 2021, this will be mandatory. As a student, you can activate 2-factor today by following this user guide:

https://uit.topdesk.net/solutions/open-knowledge-items/item/KI%201468/en_gb/


Information to come