Information security policy

Introduction

This information security policy is the basic framework for information security at Aarhus University. On the basis of continuous monitoring and reporting, the University Management reviews the information security policy at least every two years as part of the overall security management.

The policy governs Aarhus University’s information at large, which comprises any and all information that belongs to Aarhus University, as well as information which is not owned by Aarhus University but for which the University can be held responsible. This includes, e.g., all data on personnel, data on financial matters, all data which contributes to the administration of Aarhus University, and data entrusted to the University by third parties, including experimental and research data. These data can be factual information, notes, records, reports, requirements for planning or any other information for internal use.

This policy covers all Aarhus University information, regardless of the form in which it is stored and the way in which it is disseminated.

Purpose

Information and information systems are critical to Aarhus University, and information security is therefore vital to Aarhus University's credibility and ability to function.

The purpose of the information security policy is to define a framework for the protection of Aarhus University’s information and particularly to ensure that critical and sensitive information and information systems maintain their confidentiality, integrity and availability.

Therefore, Aarhus University management has decided on a level of protection that is in accordance with risks, the importance of the information, and compliance with legal requirements and agreements, including license conditions. The Vice-Chancellor’s office will inform employees about accountability in relation to Aarhus University's information and information systems.

The purpose of the security policy is also to demonstrate to all who have a relationship with Aarhus University that the use of information and information systems is subject to standards and guidelines. This allows prevention of security problems, reduction of any possible damage and certainty of the recovery of lost information.

Scope

This policy applies to all employees without exception, both permanent staff and people who are temporarily working for Aarhus University. All these persons are here described as "employees".

The policy also applies to students who in connection with their studies use information assets belonging to Aarhus University.

When IT operations are outsourced in part or in full, or when external consultants are involved, it must be ensured in collaboration with the service provider that Aarhus University’s security level is maintained. The service provider, its facilities and the employees who have access to Aarhus University's information must as a minimum comply with Aarhus University's information security level.

Security level

It is Aarhus University's policy to protect its information and only allow the use, access and dissemination of information in accordance with Aarhus University's guidelines and taking into account the then-applicable law.

Aarhus University sets an appropriate security level on the basis of a risk assessment and in accordance with the importance of the information concerned. The determination of the security level shall, in each case, take into account the practicality of the work and the economic resources available.

The desire for a high level of security must be balanced against the desire for practical and user-friendly access to information assets, and the fact that the university has a community role as a provider of freely available information.

A risk assessment must be conducted at least annually so that management can stay informed about the current risk profile. A risk assessment must also be conducted in connection with any major changes in the organization.

Security awareness

Information security relates to Aarhus University’s overall information flow, and implementation of an information security policy cannot be carried out by management alone. All employees and students have a responsibility to help protect Aarhus University’s information and data from unauthorized access, alteration, destruction and theft. All employees and students should therefore receive adequate and continuous information on information security.

As users of Aarhus University's information, all employees and students must follow the information security policy and the guidelines derived therefrom. Employees and students may use Aarhus University information in accordance with the work they perform for Aarhus University, and shall protect the information in a way that is consistent with the sensitivity of the information and its unique and/or critical nature.

Breaches of information security

If an employee or a student discovers information security threats or breaches, they must immediately notify the person(s) responsible for the daily management of information security.

Employees and students who violate the information security policy or guidelines may be subject to sanctions contained in the Aarhus University rules and personnel policies.

Information security folder - students

Information security handbook
