Åsa Borin: Actions taken in response to the internal audit

Words from the management: The university’s President recently approved a comprehensive set of rules for the implementation of data protection at the university, as well as rules of procedure for dealing with the rights of data subjects.

Åsa Borin, University Director. Photo: Rickard Kilström


The University Board held its most recent meeting on 28 April. In addition to the important decision on the Vice President for the next six years, two internal audit reports were discussed at the board meeting. These concerned department reviews conducted by the internal auditors in 2024 as well as a review of the university’s IT security.

With regard to the department reviews, three recommendations were made to the Senior Management Team regarding measures at the university-wide level – the reporting of secondary employment, personal data processing, and information security. Each year, teachers at Stockholm University must log into Primula and report whether they have any secondary employment. Even if they do not have secondary employment, they need to confirm that they read the information and do not have any secondary employment. The internal audit has shown that there are deficiencies in compliance with the university’s rules on secondary employment. The internal auditors also found deficiencies related to the processing of personal data. Just before Christmas, the President approved a comprehensive set of rules for the implementation of data protection at the university, as well as rules of procedure for dealing with the rights of data subjects. This systematic work now needs to be implemented. The next step is for all departments to establish a record for registering processing activities as specified in Article 30 of the GDPR by 30 September 2025. The administration has created support material to facilitate this work, and further possibilities for support measures are being developed. As regards information security, it is also important to establish and develop the systematic work here, which is also linked to measures related to IT security.

In the audit of IT security, the internal auditors concluded that the internal governance and control at the university is unsatisfactory and contains serious deficiencies that need to be addressed. The deficiencies identified are found in all parts of the university’s IT operations. The critical vulnerabilities identified in the audit are to be addressed immediately, and a long-term plan to raise the level of IT security work and ensure a good IT security environment is to be drawn up. The President also recently approved a new governing document, Rules of procedure for the division of responsibilities and guidance related to security measures in information systems at Stockholm University, which clarifies responsibility for IT security and follow-up. It is always the weakest link that poses the greatest threat. Here we need to join forces to take steps for a real shift in IT security work.

If we are to succeed in making the changes required to comply with laws and regulations without too much administrative overload, it is important that all parts of the university recognise and assume their own responsibility, and that we work together to tackle these issues.

This text is written by Åsa Borin, University Director. It appears in the section “Words from the University’s senior management team”, where the management team take turns to write about topical issues. The section appears in every edition of News for staff.

Last updated: 2025-05-12

Source: Communications Office