Information security involves protecting information assets so that the right person has access to the right information at the right time. SLU is responsible for adopting technical and organisational security measures for sensitive information, based on risk assessments and in accordance with applicable legislation. SLU's research and environmental monitoring and assessment data must therefore be managed so that it is protected against unauthorised access (confidentiality), protected against undesirable distortion or corruption (integrity, referred to in some SLU documents as accuracy), and kept accessible and usable according to the needs of the activity (availability, also referred to as accessibility).
The information-security management of research and environmental monitoring and assessment data must follow a systematic, risk-based process. The first step is to classify the information using the SLU method of information-security classification. The purpose of the classification is to determine how much protection the information needs with respect to confidentiality, integrity and availability; the result drives every later choice of security measure. As a rule, the data producers themselves, such as researchers, carry out the classification, since they know the content and sensitivity of the data. The head of department or equivalent manager of operations is responsible for ensuring that research and environmental monitoring and assessment data within their area is classified.
The information-security regulations of the Swedish Civil Contingencies Agency (MSB) require a public authority to carry out risk assessments within its area of responsibility. A risk assessment identifies, analyses and evaluates undesirable events and the consequences they could have for information security. Risk assessments can be carried out at different levels, for example for a research project or for a specific set of information. In addition, the General Data Protection Regulation (GDPR) requires a data protection impact assessment (DPIA) to be carried out before a processing operation that is likely to result in a high risk to the rights and freedoms of data subjects. To support risk assessment work, SLU provides templates and instructions for risk management. The head of department or equivalent is responsible for integrating risk management into the information security of research and environmental monitoring and assessment data.
The results of the information-security classification and the risk assessment form the basis for selecting and designing security measures. Guidance on choosing measures can be found in SLU's policy document on levels of protection based on information-security classification (Swedish; pdf). The measures implemented must be proportionate to the assessed risk and must be re-evaluated throughout the life cycle of the information, for example when data is shared, moved to a new system, or archived, since the classification and the threats to the data may change over time.
More information and support on information security
For questions regarding information security, please contact firstname.lastname@example.org.