Securing information

Know what constitutes valuable information
– so that you can protect it

Woman working on a laptop computer. Foto: Thomas Ekström/sikresiden
Woman working on a laptop computer. Foto: Thomas Ekström/sikresiden

Securing information

Know what constitutes valuable information
– so that you can protect it

Woman working on a laptop computer. Foto: Thomas Ekström/sikresiden

Securing information

 

Securing valuable information

Ask yourself:

  • How valuable is the information to me, my place of study or work, or others?
  • What is the cost of creating the information, and how difficult or expensive is it to recreate it?
  • How damaging (loss of trust, reputation, money) would it be if it falls into the wrong hands, and how can the information be misused?

The value of information may change over time. Examination question papers, for example, must be safeguarded before the examination has been arranged, but are openly available afterwards.

How important is it that the information does not fall into the wrong hands?
Examples of information that requires a high degree of confidentiality include health information, examination question papers before the examination has been arranged and research results before they have been published.

How important is it that the information is not modified by unauthorised persons or by accident? Integrity is important for all information. We need to be able to trust that it is correct. Examples include grades, admission to study programmes, research data and application deadlines.

How critical is it to lose access to the information for a period of time, or to lose it completely? Examples of information where accessibility is important include electronic systems during critical phases of the admission process or in connection with examinations, major student assignments or research work, examination answer papers and research data.

How the information is to be protected may be stipulated by law, by an agreement with cooperation partners or may be derived from a risk assessment.

Different institutions have different models for classifying information when it comes to confidentiality (for example, open, internal and confidential information), integrity and accessibility. Familiarise yourself with the procedures at your place of study or work.

Classification of information

The higher education institutions have different models for classifying information in terms of confidentiality, integrity and accessibility. You must familiarise yourself with how this is done at your place of study or work. Below we have described the classification model which most institutions have agreed to use. These classifications apply for instance to research data and administrative data. 

 

The different categories of information

This classification model describes four categories of confidentiality. The three lowest categories Open, Internal and Confidential are the ones that are most frequently used. The categories Confidential and Strictly Confidential are in accordance with the official Norwegian Document Protection Instruction (NO) (Instructions for processing documents that need to be protected for other reasons than those mentioned in the Security Act and its regulations).

Open (Green): Information may be available to anyone without special access rights.

Examples of such information may be a web page presenting information about a department or study material for a course that is openly available, but which is subject to a specific license or copyright.

 

Internal (Yellow): The information must have some level of protection and may be accessible to both external and internal personnel with controlled access rights. This category is used when there is a possibility for causing certain damage to the institution or a cooperation partner, if the information becomes known to unauthorized persons.

Examples of such information may be certain work documents, information exempt from public disclosure, personal data, grades, larger student assignments, examination answer papers, research data and research work.

 

Confidential (Red): This category is used when there is a possibility for causing damage to the public interests, the institution, an individual or a cooperation partner, if the information becomes known to unauthorized persons. The information must thus have strict access rights.

Examples of such information may be certain strategy papers, sensitive personal data, health information, examination question papers prior to the examination, certain types of research data and research work.

If you need a fourth and higher level of confidentiality, you can use the category
Strictly Confidential (Black) and make a distinction between this category and the Confidential category. Strictly Confidential is used when there is a possibility for causing significant damage to the public interests, the institution, an individual or a cooperation partner, if the information becomes known to unauthorized persons. The information should have the highest level of access rights.

Examples of such information can be large amount of health information used in research.

For more information, see UNINETT's Guideline for information classification (NO)

How to store different types of information

How information should be protected, and hereby stored, can be statutory, agreed to by cooperation partners or deduced from a risk assessment.

Different categories of information or data requires different storage. The requirements for the technical security of the data storage solutions are stricter for Red data (confidential). Green data may be stored on different types of equipment and data storage services. Some solutions will offer two-factor authentication, which makes a safer storage of data.

Institutions have different rules for storage of data. It is your responsibility as a student, researcher or employee to familiarise yourself with the specific rules applicable for you and your data at your institution. This depends on e.g. the classification of the information and your role in the institution. 

This means that you cannot send "red information" unencrypted in an e-mail, or store it in random cloud services.

Sharing in social media

What you share openly in social media is out of your control forever.

Ask yourself:

  • What role do I have? Do I represent others than myself?
  • Could the information I share about myself be misused by others?
  • Have I asked for people’s consent to post photos or other information about them?
  • Is the information confidential?
  • Does it contain criticism or claims that can be perceived as defamatory?
  • Am I authorised to publish this, or is it protected by copyright?

Read more about social media (NO) at nettvett.no.

How to use encryption

Different types of encryption is used to protect information that is stored or transferred. 

  • The hardware of the computer can be encrypted using different types of software, for example Microsoft’s BitLocker and Apple’s FileVault
  • Storage media may be encrypted in the same way as described above. 
  • Documents in Word, Excel and PowerPoint format can also be encrypted with a password. Go to the file menu. Select ‘Information’, ‘Protect document/workbook/presentation’ and ‘Encrypt with password’. Please note that an open document may be available for unauthorized persons if your unit has been hacked.
  • E-mail attachments can be encrypted with, for example,
    7-ZIP.
  • E-mail messages in Outlook can be encrypted via S/MIME (NO).
  • E-mail messages and attachments can be encrypted with OpenPGP.
  • The interconnection between your own computer and your place of study or work can be encrypted with the help of a VPN – virtual private network.

Check with the user support whether your place of study or work has dedicated encryption solutions.

Paper documents

Documents subject to high confidentiality requirements must:

  • be securely locked in a cupboard when not in use
  • be sent in sealed envelopes and secured based on the value of the information
  • not be discarded in the waste, but shredded or placed in locked containers for secure shredding
  • only be printed if necessary. Collect the printout immediately

Storage, filing and deletion

Information worth preserving shall be filed. This may include diplomas, grades, master’s theses and other documents of legal, historical or mission-critical value. Examples of such information are project archives or research data to be stored for verifiability purposes. You must always comply with the legislation that regulates the information you wish, or are instructed, to file or delete.

Working documents and information not worth preserving may after an assessment be discarded.

Information that must not fall into the wrong hands shall be deleted using dedicated eraser software so that it cannot be restored. Regular deletion is not good enough. Check what is used at your place of study or work.

Duty of confidentiality

Being subject to a duty of confidentiality means that you are obliged to prevent others from gaining access to or knowledge of confidential information.

Different types of information may be confidential by law or agreement, for example personal data or information of a technical, commercial or strategic nature.

When you sign a Declaration of Confidentiality, you commit to familiarise yourself with what that entails. Confidential information must be handled with care both orally, digitally and on paper.

The duty of confidentiality also applies after you have completed your studies or left your position.

Please note that you can be subject to duty of confidentiality by virtue of your position, even though you have not necessarily signed a declaration.

 

Learn more

Learn more

Last updated: 03. February 2023