Researchdata.se

Information security

Information security can be described as the technical, physical, and administrative security controls taken to preserve the confidentiality, integrity, and availability of information. Digital information security can be compared to the security of a physical archive where analogue information is stored.

Most higher education institutions have developed guidelines on information security based on the consequences of information being disclosed to unauthorized parties, altered, or made inaccessible. An assessment of these consequences determines the level of protection required, and from that the appropriate security controls can be chosen: for example storage solutions with a matching security level, access controls, and rules for data transfer.

Information security must be integrated early in your project planning. The level of protection required for project data affects the time and resources needed to establish or access sufficiently secure systems and procedures. In some cases, you may need to develop a customized solution in collaboration with your institution’s security and IT departments.

For more information about digital information security, see the material (in Swedish) from the Swedish Civil Contingencies Agency (MSB) and Information security from a GDPR perspective from the Swedish Authority for Privacy Protection (IMY).

Information classification  

To establish the necessary and adequate protection, an assessment of the material’s required security level must be conducted. This is done through a process called information classification. Most higher education institutions and other organizations have classification procedures based on ISO standards for information security within the ISO/IEC 27000 series.

The basis for information classification is assessing the information’s value based on the potential consequences of inadequate protection for its confidentiality, integrity, and availability.  

Confidentiality refers to ensuring that information is accessible only to authorized individuals. Confidentiality is graded at different levels: information that can be shared openly has the lowest level of confidentiality, whereas information subject to special secrecy requirements has the highest level.

Integrity ensures that information remains accurate and complete: it is not altered or deleted by unauthorized individuals or by mistake, and any alteration that does occur can be detected.

Availability ensures that information can be accessed by authorized persons as needed. While limited access to research data may not always have a major impact, in certain cases – such as during fieldwork – it may be crucial to ensure information availability at a specific time and place.

The impact assessment is conducted based on the specific criteria of the organization. The consequences of inadequate protection can be categorized, for example, as “none/negligible,” “moderate,” “significant,” or “severe,” depending on the effects that disclosure, alteration, or lack of access can have for organizations or individuals.  

The processing of personal data in research must always be reported to the organization's data protection officer. For more information on research involving personal data, see SND's handbook for data containing personal information (in Swedish).

Security controls

Information security is strengthened and risks reduced through security controls in three main areas:

  • Technical controls: Storage solutions have an appropriate security level and are protected by firewalls, with established routines and guidelines for backups, encryption, and data transfer.
  • Physical controls: The rooms where computers and hard drives are kept have appropriate protection, or the material is stored in safes with a sufficient security rating.
  • Administrative controls: The information owner controls who has access to physical environments and who has read and write privileges in the systems.

Your organization should have guidelines on which technical solutions or services can be used for information at different classification levels, with particular focus on protecting confidentiality.  

For example, regulations may allow data with a low classification level to be stored on local hard drives or in cloud services, while data with a higher classification level must be stored on secure servers or even in isolated networks.  

Guidelines should also regulate data transfers. Data with a low security classification may be sent via email or shared through a cloud service, while data with higher classification levels must be protected by encryption during electronic transfer or when stored on removable media. The encryption key or passphrase must then reach the recipient through a channel separate from the data itself; sending both in the same email gives no protection.

For highly classified data, more secure access control systems are often required. A low-security storage solution is typically protected by a username and password, whereas more secure storage may require multi-factor authentication or biometric verification.
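As an added example, and not part of the original page: the integrity property defined above is what a recipient checks when a dataset arrives by email, cloud share or removable media. The code below builds a manifest of SHA-256 digests for a constructed sample dataset and authenticates the manifest with an HMAC under a key that is assumed to be shared with the recipient through a separate channel. The recipient can then detect files that were altered, removed or added in transit, and someone without the key cannot simply rewrite the manifest to match the altered files. The dataset contents, file names and key are constructed placeholders. Encryption for confidentiality is a separate control and is not shown here.

```python
"""Integrity check for a transferred dataset: SHA-256 per file, HMAC over the manifest.

Added example; the dataset contents and the key below are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample dataset: path -> file contents, standing in for files on a USB stick
# or in a cloud share.
SAMPLE_DATASET = {
    "README.txt": b"Field data, project X. Collected spring 2024.\n",
    "interviews/transcript_01.txt": b"Q: How did you hear about the study?\nA: Through a colleague.\n",
    "survey/responses.csv": b"id,age,answer\n1,34,yes\n2,41,no\n",
}

# Placeholder key (assumption). In practice: random, at least 32 bytes, handed to the
# recipient through a different channel than the data (e.g. read out over the phone),
# and never stored next to the data it protects.
MANIFEST_KEY = b"placeholder-key-replace-with-32-random-bytes"


def file_digest(data: bytes) -> str:
    """SHA-256 of a file's contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Stable serialisation of the path -> digest map, so sender and recipient MAC the same bytes."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(dataset: dict, key: bytes) -> str:
    """Sender side: digest every file, then authenticate the whole list with an HMAC."""
    entries = {path: file_digest(data) for path, data in dataset.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return json.dumps({"files": entries, "hmac": tag}, sort_keys=True, indent=2)


def verify_manifest(manifest_json: str, dataset: dict, key: bytes) -> list:
    """Recipient side: return a list of problems; an empty list means the data is intact.

    The HMAC is checked first, because a digest list that anyone can rewrite
    proves nothing about whether the files were altered.
    """
    manifest = json.loads(manifest_json)
    entries = manifest["files"]
    expected = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest rejected: HMAC mismatch (manifest altered or wrong key)"]

    problems = []
    for path in sorted(entries):
        if path not in dataset:
            problems.append(f"missing: {path}")
        elif not hmac.compare_digest(file_digest(dataset[path]), entries[path]):
            problems.append(f"altered: {path}")
    for path in sorted(dataset):
        if path not in entries:
            problems.append(f"unexpected: {path}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_DATASET, MANIFEST_KEY)
    print(manifest)
    print("intact copy:", verify_manifest(manifest, SAMPLE_DATASET, MANIFEST_KEY))

    # One survey answer flipped in transit: the per-file digest catches it.
    tampered = dict(SAMPLE_DATASET)
    tampered["survey/responses.csv"] = b"id,age,answer\n1,34,no\n2,41,no\n"
    print("altered copy:", verify_manifest(manifest, tampered, MANIFEST_KEY))

    # Attacker also rewrites the manifest entry to match: without the key the HMAC fails.
    forged = json.loads(manifest)
    forged["files"]["survey/responses.csv"] = file_digest(tampered["survey/responses.csv"])
    print("forged manifest:", verify_manifest(json.dumps(forged), tampered, MANIFEST_KEY))
```

The manifest travels with the data; only the key travels separately. A plain checksum file without the HMAC still catches accidental corruption on a USB stick, but not a deliberate change by someone who can also edit the checksum file, which is why the keyed tag is checked before any per-file digest.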