Rules of procedure for the division of responsibilities and guidance related to security measures in information systems at Stockholm University
Stockholm University processes information and uses IT systems to carry out its education, research and collaboration activities. The university must apply the code of statutes of MSB (the Swedish Civil Contingencies Agency) for information and IT security and the management of IT incidents. This document describes how MSBFS 2020:7 is to be introduced and used in order to maintain relevant information and IT system protection, and is designed to assist with decision-making at the university. The IT Division is responsible for monitoring and for conducting an annual relevance audit of the governing document.
Responsible department: IT Services
Contact: Fredrik Bolinder
This document has been reviewed 2025.
1. Introduction
Stockholm University processes information and uses IT systems to carry out its education, research and collaboration activities. Stockholm University's information security policy governs the university's information and IT system protection at an overall level, and describes how the university must adhere to the requirements of MSBFS 2020:6. Stockholm University must comply with MSB's code of statutes for information and IT security and the management of IT incidents. This document describes how MSBFS 2020:7 must be implemented and adhered to in order to maintain relevant protection for information and IT systems.
2. Responsibility for information and IT security
Responsibility for the coordination, implementation and monitoring of systematic information security work is set out in the university's central decision-making and delegation rules of procedure. Responsibility for secure information management is an integral part of responsibility for the various activities within the university. This means that responsibility for information security follows the delegated responsibility for the different areas of activity: the managers of these activities are also responsible for the secure management of the information relating to them. As information is managed in IT systems, this responsibility also includes the introduction of the IT security measures that are required to protect the information.
2.1 Responsibility for central IT and information security governance and management
In accordance with the Decision-making and delegation rules of procedure for Stockholm University, the Head of IT Services has express responsibility for matters concerning information and IT security:
- The Head of IT Services decides on matters concerning the university's information security. This decision-making right cannot be subdelegated.
- The Head of IT Services decides on matters concerning the university's IT security for university-wide services.
In accordance with Stockholm University's information security policy, the Head of Information Security assists with and monitors information and IT security-related activities. This responsibility includes, for example:
- Providing governing documents and processes for the clarification of security requirements and the management of risks and incidents.
- Providing supporting materials and methods to assist the different areas of activity with the implementation of security measures of the right level.
- Coordinating the work done by other specialist teams, such as those specialising in data protection, physical protection and legal matters linked to IT and data protection.
- Developing, coordinating and assisting with the university's work on information security, so that the university complies with the relevant regulations, manages information security risks and establishes a sound security culture.
- Regularly reporting on the status of structured information security work to the President, University Director and Head of IT.
For the services that are delivered by IT Services at Stockholm University, the division is responsible for ensuring a minimum level of IT security.
IT Services is responsible for establishing rules for all the IT systems developed and managed by the division. This means that the areas of activity that benefit from services delivered by IT Services do not need to ensure themselves that the security measures in this document are introduced.
2.2 Responsibility for local IT
According to the Decision-making and delegation rules of procedure for Stockholm University, the head of each department makes decisions about IT-based systems within the department and is responsible for IT security and compliance with the rules. The heads of department also decide on software licences for the departments and are responsible for monitoring them.
Similarly, heads of division within the university management decide on, and are responsible for monitoring, software licences for the divisions in accordance with the Decision-making and delegation rules of procedure for Stockholm University. The heads of division also decide how the systematic data protection work will be coordinated, conducted and monitored within their own areas of activity, and decide, in collaboration with the Head of the Property Division, or Head of IT Services, how the systematic IT security work, including the information security work, is to be implemented, maintained and monitored within their own areas of activity.
The decision-making right can be subdelegated. However, the head of department or head of division will always have ultimate responsibility for ensuring that the relevant IT security measures are taken within the department or division. The term information owner therefore primarily refers below to the heads of department and division.
3. Approach to identifying security measure requirements
The steps involved in fulfilling responsibility for IT security are presented below. Note that these steps are completed by IT Services for common IT services.
In cases where an IT system is maintained, developed or managed by a local IT activity, the information owner must ensure that the relevant security measures are introduced, either themselves or through delegation. To find out which security measures are relevant, the following steps must always be carried out:
1. Conducting of an information inventory
2. Conducting of an information classification
 a. The information classification must cover the security objectives confidentiality, integrity/accuracy and availability – also see Section 4 below, and other relevant rules that may be applicable.
 b. If the information classification suggests a particular need for protection, a risk analysis must be carried out to identify additional security measures.
3. The planning and introduction of security measures in accordance with guidelines or methodological support from MSB or any service providers and internationally recognised standards and frameworks, e.g. ISO 27000, NIST CSF v2 or CIS Critical Controls v8.
An information classification must be carried out regularly, and at least every other year. To receive assistance with this process, the information owner can contact the Head of Information Security, or the information and IT security team, at the e-mail address informationssakerhet@su.se.
4. Information and IT security requirements and principles
The university's information security policy states that information owners are responsible for ensuring that information and IT systems meet the requirements of MSBFS 2020:7. The activities described below must therefore be carried out regularly. The security objectives confidentiality, integrity/accuracy and availability are often used to define how information and IT system protection is to be designed:
- Confidentiality – the need to protect information against unauthorised access.
- Integrity/Accuracy – the need to protect information against undue changes.
- Availability – the need to ensure that information, and the related IT systems, are available.
In order to manage these security objectives, information owners are responsible for the conducting of an information classification in accordance with Section 3.2 above.
Information owners are also responsible for introducing security measures to protect information and IT systems, and thereby ensure that the security objectives are maintained. Below is an overall review of the most basic requirements and principles relating to information and IT system protection. Note, however, that MSBFS 2020:7 must be taken into account in its entirety; see Appendix 1 for more information.
- External monitoring and risk assessment
External monitoring procedures must be introduced to clarify the need for IT system upgrades, changes and developments. A risk assessment must be carried out if upgrades are required that collide with other operational priorities. Risk assessments must also be regularly conducted as part of IT system management.
- Documentation
All the IT systems and the management procedures/processes used must be documented so that both the IT systems and processes can be restored in the event of a major disruption. Note that the documentation itself may contain sensitive or critical information and may therefore need to be protected.
- Development, procurement and outsourcing/offshoring
Relevant protective measures must be identified and documented in the event of any development, procurement or outsourcing. The documentation produced must be managed and updated along with the IT system to meet any future need for developments or changes. The decommissioning of IT systems may require special management to prevent unauthorised access to information and/or IT systems. Information or IT systems in production environments should not be affected by information or IT systems used for development and/or testing.
- Operation and management
IT systems must be operated and managed based on documented procedures and by people with relevant knowledge and experience. Industry standards and service providers' recommendations must be complied with, to the extent that they do not conflict with guidelines, rules or directives from Stockholm University. The management of changes to IT systems must be documented and a risk analysis must be conducted if large changes are to be made. All IT systems must be subject to protection against malware where this is technically possible.
The use of encryption to protect information against undue access must be subject to special procedures and guidelines to ensure that secure encryption methods are used and that key management procedures are established.
- Digital identities, authorisations and authentication
Only authorised users should have access to IT systems and information, and the people responsible must design security measures to ensure this based on an information classification. If particularly sensitive information is managed in the IT system, or if the IT system itself is operation critical, a risk analysis must be carried out to identify any need for enhanced security measures. The people responsible must identify the activities in connection with which personal data are used and stored, through the regular information inventory and information classification. A particular need to protect information may be identified through the classification of personal data, and this may affect the methods that may be approved to identify the identities that are permitted to access them. Digital identities must be established by following the procedures for the on- and off-boarding of employees and consultants at Stockholm University. Note that IT systems may also have digital identities that need to be authenticated to gain access to other IT systems and/or services.
- Continuity planning
Information and IT systems must be covered by procedures that ensure that both the information and the IT system can be restored in the event of an incident. Relevant security measures, such as backups, recovery tests, and similar, must therefore be introduced for this purpose. The information and IT security function assists the different areas of activity with the clarification of availability requirements by providing specialist expertise and support. This also includes assisting them with the identification of relevant security measures that may need to be implemented in IT systems.
5. Introduction of security measures in IT systems
When an information classification is conducted, information is classified according to one of four levels. See Appendix 2 for a more detailed description of the various classification levels. For the two lowest information classes, minimum security measures must be introduced. An overall summary of these security measures is provided in MSBFS 2020:7.
- If an information classification identifies information assets that are classified at a maximum level of two for one of the three security objectives, the minimum level of IT security should be introduced in the IT system in question.
- If the information class of one of the security objectives is higher than two according to the information classification, a risk analysis must be conducted to identify how the greater need for protection might best be met. The information classification may also identify personal data and its processing. All personal data processing must be managed in accordance with the Rules for the organisation and implementation of data protection at Stockholm University. The information and IT security function assists activities with the clarification of appropriate security measures for the protection of personal data.
5.1 Security requirements on the purchase of products and services
Products and services that are purchased through central functions within the university are subject to checks to clarify the information security requirements. These requirements must be regularly validated by the person responsible for procurement. If the services and/or products will be used for purposes other than those stated during the procurement process, new security requirements may arise; a risk analysis must be conducted to identify such cases.
5.2 Management of security requirements in IT projects
When a project is launched, the project manager is responsible for ensuring that a risk analysis takes place, in order to identify specific security requirements and any circumstances under which such requirements may arise. Identified security requirements must be managed like formal project documentation and be continually updated.
5.3 Management of security requirements in research
The information and IT security function works with the Research data team and other teams to assist researchers with the identification of security requirements and appropriate solutions for managing research data in an appropriate way.
5.4 Exemptions from security requirements
If a security measure for an identified security requirement cannot be introduced, for technical reasons, for example, the information owner will be responsible for ensuring that a risk analysis is conducted in order to identify security measures that will reduce the identified information security risks. The information owner must document any deviations from the security requirements and inform the Head of Information Security of the identified risks and the identified security measures.