More about IT-security

IT security and cyber security are included as a component of the overall information security framework.

Cyber security aims to ensure that only trusted individuals and systems have the right to access information, data and communication via the Internet, internal systems and through telecommunications.

IT security is about protecting an organization's (corporate, government, etc.) valuable assets such as information, hardware and software.
IT security work concentrates on the threats and protection associated with the use of information technology. An important part of this work is understanding different threat scenarios, assessing the probability of being harmed and balancing the cost of protection against the value of what you protect.

Controlling access to information

Many individuals, for example employees, students, contractors, consultants in the business and, to some extent, suppliers, have access to the university's information and information system. Therefore, methods and procedures should be in place to control all access to information, systems, networks and services. It is also important that everyone who has access to the university's information system takes into account the information security aspects and understands their personal obligations in the use of systems and the management of information. Access to information within the university must be controlled through administrative and technical safeguards. The "minimum rights" method should be followed, especially for system administrative accounts as well as systems containing sensitive information.

Access and login

In order to gain access to the university's network, general IT systems and business systems, your manager must, on your behalf, apply for access to the systems you need in your work. The application from your manager is what initiates your registration as a user in the different systems. When it comes to network permissions and email, it is the IT department or equivalent that registers you as a user and then distributes usernames and passwords to you. For the enterprise-specific systems that you need access to, it is the administrative manager or equivalent for each system that registers you as a user. Before you are granted access to the network, general IT systems and business systems, you need to read and sign the regulations for employees' use of Luleå University of Technology's IT resources, see link at the bottom of the page.

Password

The password associated with your username is there to prevent unauthorized persons from accessing university information.
Passwords are personal and it is your responsibility to ensure that no one else knows your passwords.
You may not use the same passwords in university systems as the ones you use at home.

Avoid documenting the password (on paper, in a data file or on a mobile phone). Many people use digital password managers today that encrypt the information on your digital device.

Read more about Password creation, switching and handling.

Privileged access

When you use a user account that has high privileges, keep in mind not to be logged in with these privileges all the time, since there is then a risk that unauthorized or malicious code also gains this access. Use these permissions only when necessary, to reduce exposure and the above risk. This is especially true for accounts that are not personal and have high permissions in many or sensitive systems. It is especially important to apply "minimum rights" to these accounts.

Permission for external users

External users, such as consultants, sometimes need access to networks and systems. In such cases, the client must make an application for permission for the consultant, who personally signs the regulations for employees' use of Luleå University of Technology's computer, network and system resources. The consultant should not have access to more information than he or she needs for his or her assignment, a principle called "minimum rights".

Personal privacy of the user

As a user of Luleå University of Technology's information system, network and equipment, you need to know how information about you can be used by the IT department or the corresponding function. Logs are stored in all systems and applications to maintain traceability. In the logs, for example, you can read when the user has been logged in, what changes they have made and at what time. The logs are regularly inspected to detect malfunctions. The object owner or equivalent decides how often and in what way the logs should be inspected.

In case of suspicion of misuse of the University's equipment, the manager may request to have the logs regarding the user or application the suspicion applies to. In case of suspected crime, the case is forwarded to the crime investigating authority, who may request content from the university's system, mail and home directory.

Mobile devices

Business information handled outside the University's premises must be protected with appropriate safeguards to counter the risk of loss of, or unauthorized access to, information. This includes, for example, laptops, mobile phones, USB flash drives, paper documents etc.

Storage media containing sensitive information or licensed programs must be physically destroyed or overwritten in a safe manner in connection with decommissioning or reuse. It is not enough to use standard features to erase data.

Storage

There are many different places to store information. Where you should store your information depends on what type of information it is. Some storage areas are more secure than others. You should therefore classify the information to determine where it should be stored. First and foremost, you as a user should use the university's supported services for storing information.
Generally, extra caution should be exercised when using external storage services such as Dropbox, Google Drive or similar.

Data media management

Computer media with sensitive information that is to be decommissioned is handed over to service points that handle the disposal safely. Computer media containing confidential/sensitive information should be encrypted/password protected.

Secure communication

Communication between different parties and systems carries the risk that unauthorized parties gain access to the communication and distort it.

When using a computer remotely to access resources on the university's network, a secure communication channel such as VPN, SSH or HTTPS should be used.

You will find a link to more information about the central VPN connection service - Here!

Also, when browsing a university resource or service, be sure to check that it really is a university address, especially at the time of login or when personal or sensitive information is transmitted, to ensure that communication is secure. An example of secure communication is that the address begins with https://, a padlock appears in the address bar and your browser does not display any error warnings.