Information security begins with you
The information security of Denmark’s five largest universities has received a critical evaluation from the Danish National Audit Office. Aarhus University welcomes this focus on improving information security, since the university is already taking measures to increase security at the organisational and technical level.
One of the main points of criticism in the National Audit Office’s review of information security at Danish universities is that employees are permitted to bring their own electronic equipment to work. Aarhus University policy is to give researchers the option of connecting their own computers as long as they comply with the requirements in the information safety policy. While some researchers have chosen to take advantage of this opportunity, the vast majority use computers provided by AU IT’s support team.
In addition to the option of connecting their own computers to the university’s network, employees have local administrator rights on their own and their AU computers, which allows them to download and use the software they find necessary for the performance of their work. Both policies have been adopted in order to enable researchers to conduct their research with the freedom to administer their digital tools themselves, but naturally with a duty to exercise this freedom responsibly and to comply with data security rules and regulations.
The university has set up a number of technical measures and security protocols concerning which equipment may be used.
“We are naturally receptive to the National Audit Office’s conclusion, but I would also like to note that we have launched a number of technical and organisational measures to improve our information security. We also know that there is a need to raise awareness of the rules in this area, both at the faculties and in the administration, and I will continue to focus on this task in 2019,” says University Director Arnold Boon.
He states that the university is critically dependent on the success of its efforts to protect valuable research data and prevent disruption of the IT infrastructure:
“We cannot compromise on this. Investments are therefore also planned in new technical infrastructure that will be implemented in the coming years. Against this background, I do not believe that there is reason to launch major national initiatives, as recommended in the National Audit Office’s report, because Aarhus University itself is far along in this work.”
Technical investment at AU
The Centre for Cyber Security (CFCS) and an internal analysis of the current security basis have both assessed that there is a rapidly increasing risk of cyber attacks. Since Aarhus University uses many IT systems and stores large amounts of digital data, there is a need for the university to upgrade its defences against data loss or theft, and against the disruption of IT systems.
AU already has a number of technical measures in place, including a whitelisting function that analyses all software downloaded to or run on machines connected to the university’s systems. This has proved to be very effective and, as a consequence, there has not been a single negative incident concerning software in the last three years.
It was recently decided by the university’s senior management team that DKK 32.7 million will be invested in improving information security during the 2018-2022 period. Furthermore, starting in 2023, DKK 7.2 million annually will be invested in continuous upgrades to information security.
“In overall terms, this is an organisational and technological effort to significantly increase the university’s security level in the immediate future,” says Deputy Director Peter Bruun Nielsen, who heads AU IT:
“The university is planning to intensify its security measures. We know where we need to take action and this is already underway. The new technical infrastructure will brings us up to the necessary security level. We will supplement this with an organisational track to ensure that the new IT tools are supported by improving our security processes and optimising our own behaviour.”
Initiatives will be taken in three overall focus areas in order to improve IT security.
1. To ensure that AU can protect itself effectively from external threats in the future, we will invest in tools that can automatically and proactively monitor the university’s IT networks and prevent access by units or persons who do not have the necessary security clearances or authorisations.
2. We are upgrading our information security activities, including by introducing annual risk assessments. In addition, all departments and schools must evaluate which local steps can be taken to improve information security. It is the management’s responsibility to follow up locally and to ensure that all employees are aware of how we protect our data.
3. Steps must be taken to ensure that employees know what they can do themselves to improve information security. This includes being alert to phishing mails or avoiding weak passwords that can increase the risk of cyber attacks with consequences for the entire university.