Following the publication of the Swedish National Audit Office’s report Information security at higher education institutions – management of research data requiring protection, the topic of information security surrounding research data has been in the spotlight. We spoke to Johan Fihn Marberg, Head of IT at SND, about SND’s role in this work, and Anders Qvist, Chair of the information security network within SUHF, about the ongoing work on information security.
Last December, the Swedish National Audit Office presented its review of information security at higher education institutions. The report revealed many deficiencies in the HEIs’ information security efforts – the institutions often lack knowledge both about what needs to be protected and how it should be protected. However, despite the largely critical content of the report, Johan Fihn Marberg, Head of IT at SND, still sees it in a positive light.
Raising awareness of what needs to be done
“Sure, it may be tough to be audited, but it also provides an opportunity to highlight the deficiencies that are pointed out and direct them to a higher level. Perhaps the management of more HEIs have become aware of what needs to be done. After all, the goal is for everyone to come out of the process stronger,” says Johan.
Taking the Swedish National Audit Office’s audit as a starting point, SND has held a number of activities on the theme of information security. In January, SND organized a webinar on the Swedish National Audit Office’s audit and information security was also in focus on one of the days of this spring’s network meeting in Gothenburg.
What is SND’s role in the university-wide work with information security?
“The responsibility is with the HEIs and putting it bluntly, SND has no role in this. But we’ve seen that it’s an engaging and important topic. In addition to the activities we’ve already organized, we will also address the issue at the next IT Forum in autumn,” says Johan.
“We’re all in the same boat.”
Someone who has information security on their agenda daily is Anders Qvist. In his everyday work, Anders is the Chief Information Security Officer at Chalmers University of Technology, but he is also a member of SUHF’s expert group for property and security issues and the Chair of the information security network within SUHF.
The information security network was established when SUHF made an inventory of the HEIs’ information security in autumn 2023.
“When the Swedish National Audit Office released its rather scathing, but still fair and illustrative report, it was good timing that this network was already underway. Because we truly are all in the same boat in this.”
The information security network consists of 31 members from Sweden’s higher education institutions. The network organizes digital meetings and also exists as a Teams group.
“The purpose is to have a space for industry-wide issues where we can quickly and easily get help from each other. If one institution has solved a problem, the rest of us can benefit from it,” says Anders Qvist.
How do you think institutions should proceed with their work on information security?
“My pet project is information classification. Conducting an analysis and examining the type of information you have. Only then can you provide it with the proper protection.”
Johan Fihn Marberg also mentions information classification as an important part of information security work.
“It would be helpful if we could harmonize information classification so that researchers collaborating between different institutions have the same model. The assignment for harmonization needs to come from the institutions, and who should be responsible for it will then become clear. Here, SND might play a role in that work,” says Johan.