Securing information

Know what constitutes valuable information – so that you can protect it

Woman working on a laptop computer. Photo: Thomas Ekström/sikresiden
Icon representing securing information – document with a padlock

Securing valuable information

Ask yourself:

  • How valuable is the information to me, my place of study or work, or others?
  • What is the cost of creating the information, and how difficult or expensive is it to recreate it?
  • How damaging (loss of trust, reputation, money) would it be if it falls into the wrong hands, and how can the information be misused?

The value of information may change over time. Examination question papers, for example, must be safeguarded before the examination has been arranged, but are openly available afterwards.

How important is it that the information does not fall into the wrong hands?
Examples of information that requires a high degree of confidentiality include health information, examination question papers before the examination has been arranged and research results before they have been published.

How important is it that the information is not modified by unauthorised persons or by accident? Integrity is important for all information. We need to be able to trust that it is correct. Examples include grades, admission to study programmes, research data and application deadlines.

How critical is it to lose access to the information for a period of time, or to lose it completely? Examples of information where accessibility is important include electronic systems during critical phases of the admission process or in connection with examinations, major student assignments or research work, examination answer papers and research data.

How the information is to be protected may be stipulated by law, by an agreement with cooperation partners or may be derived from a risk assessment.

Different institutions have different models for classifying information when it comes to confidentiality (for example, open, internal and confidential information), integrity and accessibility. Familiarise yourself with the procedures at your place of study or work.

Read more in UNINETT’s guide to classification of information (NO).

Classification of information

The higher education institutions have different models for classifying information in terms of confidentiality, integrity and accessibility. You must familiarise yourself with how this is done at your place of study or work. Below we have described the classification model which most institutions have agreed to use.


Confidentiality categories

The confidentiality categories describe the degree of protection required for information.

Examples of information where confidentiality is important are health information, examination question papers prior to the examination and unpublished research results.

This classification model describes four categories of confidentiality. The three lowest categories, Open, Internal and Confidential, are the ones most frequently used. The categories Confidential and Strictly Confidential correspond to the Norwegian Document Protection Instruction (NO) (instructions for processing documents that need to be protected for reasons other than those mentioned in the Security Act and its regulations).

Open (Green): Information may be available to anyone without special access rights.

Examples of such information are a web page presenting information about a department or study material for a course that is openly available, but which is subject to a specific license or copyright.


Internal (Yellow): The information must have some level of protection and may be accessible to both external and internal personnel with controlled access rights. This category is used when there is a possibility of some damage to the institution or a cooperation partner if the information becomes known to unauthorised persons.

Examples of such information are certain work documents, information exempt from public disclosure, personal data, grades, larger student assignments, examination answer papers, research data and research work.


Confidential (Red): This category is used when there is a possibility of damage to the public interest, the institution, an individual or a cooperation partner if the information becomes known to unauthorised persons. The information must therefore have strict access rights.

Examples of such information are certain strategy papers, large amounts of sensitive personal data, health information, examination question papers prior to the examination, certain types of research data and research work.


If you need a fourth and higher level of confidentiality, you can use the category Strictly Confidential (Black) and distinguish it from the Confidential category. Strictly Confidential is used when there is a possibility of significant damage to the public interest, the institution, an individual or a cooperation partner if the information becomes known to unauthorised persons. The information should have the highest level of access rights.

Examples of such information are information about individuals who have address barrier code 7 (a protected address) or who need other kinds of special protection. It also includes highly confidential research data and research work.


Integrity categories

How important is it that the information cannot be altered by unauthorised persons or by accident? If the information must not be altered by unauthorised persons or by accident, it must be specially secured. Possible security measures are special login requirements for altering the document, write protection or digital signing of documents.

Examples of protection requirements for document integrity:

  • Low integrity requirements: one-factor authentication
  • Medium integrity requirements: two-factor authentication
  • High integrity requirements: two-factor authentication, write protection, digital signing and logging

Integrity is important for all information. Some examples of information where integrity is particularly important are application deadlines, grades and research data.

Availability categories

How long can you accept that the information is unavailable? Some systems or services are vital. Acceptable downtime may vary throughout the year for some systems, for example those holding information relating to examinations, the admission process or reporting.

Examples of downtime periods are 1 hour, 1 day, 1 week or 1 month.

You must also consider whether the information can be stored in the cloud. If it is, availability depends on a working internet connection all the way to the data centre that hosts the cloud service.

Examples of information where availability is important are information provided by electronic systems during critical phases of the admission process and in connection with examinations, major student assignments or research work, examination answer papers and research data.

Read more in UNINETT's guideline for information classification (NO).

How to deal with confidential information

Confidential, secret, classified and sensitive are different terms used to describe information that needs extra protection to ensure that confidentiality is maintained. It is important that the information does not fall into the wrong hands.

Information that must be protected to ensure confidentiality must:

  • not be stored unencrypted on private equipment or mobile storage media (memory sticks and external hard drives)
  • only be stored in systems secured for such information
  • not be transferred and stored unencrypted in cloud services that are not covered by the institution’s agreements
  • not be posted on open internet sites
  • not be sent by unencrypted e-mail. This also applies to personal ID numbers
  • be encrypted or erased before the computer is sent for repair
  • be erased using a dedicated eraser programme before the storage device is discarded or destroyed

Contact the user support at your place of work or study to find suitable solutions for securing information whose confidentiality must be maintained.

Online sharing

What you share online is out of your control forever.

Ask yourself:

  • What role do I have? Do I represent others than myself?
  • Could the information I share about myself be misused by others?
  • Have I asked for people’s consent to post photos or other information about them?
  • Is the information confidential?
  • Does it contain criticism or claims that can be perceived as defamatory?
  • Am I authorised to publish this, or is it protected by copyright?

Read more about social media (NO) at nettvett.no

Encryption

Encryption is used to protect information that is stored or transferred. Be aware that encryption does not protect a document that is open: if your device (mobile, computer, tablet) has been hacked, an open document is accessible to unauthorised persons.

  • Storage media can be encrypted using different types of software, for example Microsoft’s BitLocker and Apple’s FileVault.
  • Documents in Word, Excel and PowerPoint format can be encrypted with a password. Go to the file menu. Select ‘Information’, ‘Protect document/workbook/presentation’ and ‘Encrypt with password’.
  • E-mail attachments can be encrypted with, for example, 7-ZIP.
  • E-mail messages in Outlook can be encrypted via S/MIME (NO).
  • E-mail messages and attachments can be encrypted with OpenPGP.
  • Traffic between your own computer and your place of study or work can be encrypted with the help of a VPN – virtual private network.

Check with the user support whether your place of study or work has dedicated encryption solutions.

Paper documents

Documents subject to high confidentiality requirements must:

  • be securely locked in a cupboard when not in use
  • be sent in sealed envelopes and secured based on the value of the information
  • not be discarded in the waste, but shredded or placed in locked containers for secure shredding
  • only be printed if necessary. Collect the printout immediately

Storage, filing and deletion

Information worth preserving shall be filed. This may include diplomas, grades, master’s theses and other documents of legal, historical or mission-critical value. Examples of such information are project archives or research data to be stored for verifiability purposes. You must always comply with the legislation that regulates the information you wish, or are instructed, to file or delete.

Working documents and information not worth preserving may be discarded after an assessment.

Information that must not fall into the wrong hands shall be deleted using dedicated eraser software so that it cannot be restored. Regular deletion is not good enough, because the data normally remains on the storage device until it is overwritten. Check what is used at your place of study or work.

Duty of confidentiality

Being subject to a duty of confidentiality means that you are obliged to prevent others from gaining access to or knowledge of confidential information.

Different types of information may be confidential by law or agreement, for example personal data or information of a technical, commercial or strategic nature.

When you sign a Declaration of Confidentiality, you commit to familiarising yourself with what it entails. Confidential information must be handled with care orally, digitally and on paper alike.

The duty of confidentiality also applies after you have completed your studies or left your position.
