Requirements for security management
Why should institutions think about risk and security when it comes to international academic cooperation?
Recently edited: 16 October 2023

The open threat assessments carried out by NSM, PST and the Norwegian Intelligence Service (in Norwegian) point out that the risk landscape for the security areas – national security, public security and emergency preparedness, as well as information security and data protection – is becoming more complex and that the dividing lines are being erased. Therefore, more and more people must constantly be aware of an expanded and complex risk landscape. The risk landscape can affect several values/assets, cover several security areas and entail the use of complex measures. This also applies to international cooperation.
For example, a threat actor may use a combination of economic, information-based and intelligence-based instruments to achieve a goal that may pose a threat to institutions' information security, but also challenge Norwegian security interests. PST points to the mapping of potential sources as an adverse event that can affect international cooperation. It may start with a Norwegian researcher being paid well to write for a foreign think tank. They are then invited to attend conferences with all expenses paid. The relationship building continues in social contexts over time. In reality, the goal may be to get them to share sensitive information. This is one of several examples of threats to the institutions; see the threat assessments or this page for more information about the threat landscape.
The threat assessments point to specific areas (see What is the threat landscape and what should be kept in mind in international cooperation?) within the research and education sector as potential targets, where there is a present risk of adverse events occurring. International academic cooperation is not risk-free. By implementing risk-reducing measures based on good insight into the risk landscape and the institution's own vulnerabilities, good and important academic cooperation can continue.
Success is contingent on building a good security culture based on competence and trust between management and employees. Employees and students must feel safe to reach out about situations that give cause for concern. This is achieved through good security management and knowledge-based decisions, rooted in current legislation and recommendations for risk and vulnerability analyses, emergency and contingency plans and exercises.
How does international cooperation affect security management at the institutions?
The work on responsible international cooperation should be linked to the institutions' security management structures and form part of their overall risk management work. Security management is about the systematic activities necessary to protect the company's values/assets from adverse events. Risk assessment, risk management, security control and incident management are included in this work. This is a management responsibility, but in order to build a good security culture, employees at all levels must contribute.
All undertakings under KD are required to work systematically and comprehensively on security and emergency preparedness. The requirements follow from KD's Styringsdokument for arbeidet med sikkerhet og beredskap i Kunnskapsdepartementets sektor (2021) ('Governing document for the work on security and emergency preparedness in the Ministry of Education and Research's sector' – in Norwegian only). The policy is based on laws, regulations and instructions with guidelines for security work. Some institutions and cooperations will also have to deal with situation-specific requirements and orders imposed by legislation other than those mentioned here, such as cooperation and activities subject to the export control regulations.
What overriding requirements apply to security management for the institutions?
Requirements and guidelines follow from several laws, regulations and instructions. The most important overriding requirements and documents are listed below. The institutions must themselves consider what other laws and requirements they must comply with.
The Act relating to national security (Security Act)
All KD's subordinate undertakings are, in the same way as governmental, county and municipal administrative bodies, subject to the Security Act. Subcontractors, public or private, may also be subject to the Act.
The Act is intended to contribute to safeguarding Norway's security interests by preventing, detecting and countering activities which present a threat to security. This is reflected in the requirement for regular reviews of risk assessments, which form the basis for the implementation of action plans to maintain an appropriate level of security. It is a requirement that roles and responsibilities are defined, that the necessary systems for security management are in place, and that the undertaking has adequate security understanding and expertise.
For KD's subordinate undertakings, the requirements related to the Security Act are summarised in the governing document:
All undertakings in the sector subject to the Security Act shall ensure:
Security management system
- Develop a security management system that must address:
  - Risk management
  - Security management
  - Security organisation
  - Security measures and procedures
  - Relationship with other institutions
  - Security follow-up
  - Security documentation
- Coordinate the security management system with the management system for information security and corporate governance.
- Document the security management system in writing and revise if necessary.
Critical values/assets
- Assess, map and keep track of your institution's critical values/assets (defined as critical information, information systems, infrastructure or objects).
Security cleared and authorised personnel
- Maintain an overview of the institution's employees who have security clearance and/or are authorised pursuant to the Security Act. The overview must be updated at all times.
The Regulations relating to the protective security work of undertakings (the Security of Undertakings Regulations)
The Regulations relating to the protective security work of undertakings stipulate requirements concerning the handling and protection of sensitive information and critical national objects and infrastructure, a national warning system for digital infrastructure, and security requirements in connection with procurements. They also contain requirements that apply to foreign suppliers and procedures for visits from abroad in connection with classified procurements (see also the Export Control Regulations), as well as personnel security (including authorisation of persons holding foreign citizenship).
Governing document for the work on security and emergency preparedness in the Ministry of Education and Research's sector
Governing document for the work on security and emergency preparedness in the Ministry of Education and Research's sector sets out requirements for security work in undertakings that are subordinate to KD. For undertakings in KD's policy area that are subject to more limited control by KD (for example private undertakings), these requirements are formulated as strong recommendations.
The requirements are divided into the three security areas: national security; public security and emergency preparedness; and information security and data protection. Taking a holistic view of the work on the three security areas is recommended, also in terms of international cooperation, because these security areas are connected and can affect and be affected by each other.
The work must be based on knowledge and experience. This involves regularly conducting and updating risk and vulnerability analyses, emergency and contingency plans, and accompanying action plans. There are also requirements for emergency and contingency exercises.
The basic measures are summarised in the governing document as follows:
KD's subordinate undertakings shall/other undertakings in the sector should:
ROS analysis
- Prepare ROS analyses covering the three security areas of public security and emergency preparedness, national security, and information security and data protection.
- The analysis shall be reviewed at least annually and revised as necessary.
- The analysis must be presented in a comprehensive report.
- Develop an action plan for the ROS analysis for all adverse events of medium or high risk (this can be included in the overall ROS report).
- The action plan shall describe how the individual measures reduce the likelihood and consequences of the adverse events.
Emergency and contingency plans
- Develop an emergency and contingency plan. The plan must be reviewed annually and revised as necessary. As a minimum, it must contain:
  - Defined roles, tasks and authorisations in an emergency situation or crisis
  - Procedures for crisis communication internally and externally
  - Whistleblowing procedures (including notifying the Ministry)
  - Procedures for coordination with other actors
- Develop a continuity plan as part of the contingency plan. The continuity plan must be kept up to date and revised as necessary.
- Develop a pandemic preparedness plan that complements the contingency plan. The pandemic plan must be revised as necessary.
Emergency and contingency exercises
- Carry out at least one emergency and contingency exercise per year. The exercises must be based on adverse events identified in the undertaking's ROS analysis.
- Develop an annual plan for exercises that must as a minimum include:
  - The purpose of the individual exercise
  - Time and place of the exercise
  - Exercise scenario
  - Type of exercise
  - Target group
- Conduct and document evaluations of completed contingency exercises and actual incidents.
- Implement follow-up plans with the support of management. As a minimum, the plans must contain:
  - Learning points
  - Description of the measures taken
  - Timeframe/deadline for implementing the measures
  - A designated person responsible for each individual measure
How to contribute to the work on risk and vulnerability analyses
The management is responsible for providing framework conditions and structures for security work. The governing document also emphasises that a security culture must be established that involves all employees and raises their awareness and accountability. One element of this work is being involved in risk and vulnerability analyses (ROS analyses) for collaborative projects. Here you create a unified overview of value chains, vulnerabilities and challenges, as well as the threats associated with the cooperation project. The employees closest to the project are often most aware of potential risks and should therefore be involved. The ROS analysis aims to identify and assess threats and risks related to the undertaking's operations and values/assets, and identify relevant risk mitigation measures. KD recommends that the undertakings also take account of the threat assessments carried out by NSM, PST and NIS in their ROS analyses. Thorough ROS work helps prevent potential risks through knowledge-based preventive measures, which should be documented in the cooperation agreement.
Work on ROS analyses can be based on various methods and standards, including ISO 31000 (Risk management) and NS 5814 (Risk assessments). The Council for Public Security and Preparedness in the Knowledge Sector has drawn up a guide to risk and vulnerability analyses (ROS analyses) for the knowledge sector (in Norwegian only). The guide can be used as a work of reference, especially for people who have roles and responsibilities related to the implementation of ROS analyses. NSM has developed a guide to security management (in Norwegian only) and a guide to valuation of information (in Norwegian only). The Norwegian Agency for Public and Financial Management (DFØ) also has a guide for risk management (in Norwegian only). We also refer to Sikt's recommendations for work on security and emergency preparedness for the knowledge sector. The aim is to facilitate a shared understanding of what risk is and how it can be managed through measures at the institutional level.
Through mapping and assessing the risk associated with the undertaking's operations at an overall level, the ROS analysis will contribute to a good understanding of risk and provide a basis for the choice of measures. The ROS analysis identifies possible events and situations that may threaten the undertaking's values/assets. By assessing what may happen and the associated uncertainty, it is possible to identify and implement relevant measures that can help prevent the event in question from occurring and/or reduce the consequences if the event cannot be avoided. The results of ROS analyses provide a basis for further work on emergency and contingency plans and exercises.
How to contribute to the work on emergency and contingency plans and exercises
In order to achieve a comprehensive approach to the security and emergency preparedness work, the emergency and contingency plans and exercises must be based on the work that went into the ROS analysis.
A crisis can occur as a sudden event, as an escalating event that gradually goes from being handled in the normal manner to necessitating crisis management, or as an announced crisis. Crisis situations often require very quick decisions and the implementation of measures in a faster and more efficient way than in a normal situation. It is therefore important to have an emergency and contingency plan that can be implemented quickly to deal with different types of crises.
The plans must contain:
- Defined distribution of roles and tasks and authorisations in an emergency situation or crisis.
- Procedures for crisis communication internally and externally
- Whistleblowing procedures (clarify who should be notified and who is responsible for this, as well as how notification should take place)
- Procedures for coordination with other actors.
Procedures for practising the emergency and contingency plans
Exercises are learning arenas that help managers and employees in the undertaking become familiar with the emergency and contingency plan and their role and tasks in a crisis situation. This is an important prerequisite for succeeding in managing adverse events and crises. When prioritising and choosing the exercise scenario, the undertakings must base their decision on the ROS analysis, especially adverse events with high or medium risk.
There are different types of exercises, such as discussion-based exercises, game exercises or full-scale exercises. What exercise is appropriate depends on the purpose and objectives of the exercise, as well as the available resources. DSB has a guide for exercises (in Norwegian only) that can be used to structure this work.
The exercise must be evaluated afterwards. Improvement and learning points identified in the evaluation must be followed up and specified in a follow-up plan. The undertakings must draw up a follow-up plan with the support of management. As a minimum, it must contain:
- Learning points
- Concrete description of measures
- Timeframe/deadline for implementing the measures
- A designated person responsible for each individual measure
Relevant authorities and resources to contact
The Council for Public Security and Preparedness in the Knowledge Sector is a voluntary measure to strengthen work on public security and preparedness in the knowledge sector in general. The goal is for state and private institutions to acquire knowledge of the field so that they can work systematically and well with this. An important task for the council is to facilitate the development of a coordinated practice in the sector in areas where this is deemed appropriate, and to contribute to the sharing of best practices and experience between the institutions.
The Norwegian Directorate for Civil Protection (DSB) is an advisory body to the Ministry of Justice and Public Security and provides expertise to the justice and preparedness sector, other public bodies, NGOs, the business sector and the population. This role means that DSB is responsible for monitoring conditions that affect society's emergency preparedness, and for compiling knowledge and experience and acting as a national standard-setter in its field of work.
The National Security Authority (NSM) is the Norwegian directorate for preventive national security. NSM gives advice on and carries out supervision and other control activities in relation to both civilian and military issues related to securing of information, systems, objects and infrastructure of national importance. It also has a national responsibility to detect, report and coordinate the handling of serious cyberattacks.
The Police Security Service (PST) is Norway's domestic intelligence and security service and is subordinate to the Minister of Justice and Public Security. PST's main task is to prevent and investigate serious crimes that threaten national security. PST collects information about individuals and groups that may pose a threat, prepares analyses and threat assessments and provides advice.
Sikresiden.no is created by and for Norwegian universities, university colleges and research establishments. The website is intended to help students and employees to know what to do when something happens and how to work preventively. The website covers travel, online fraud and cyberattacks, among other things.
Sikt is the knowledge sector's service provider. It develops, procures and delivers products and services for education and research. It offers the knowledge sector infrastructure, data and shared services that provide great user experiences and meet the overarching goals of digitalisation, data sharing and open research. It is also responsible for the role of sectoral response environment relating to ICT events for the higher education and research sector.
Glossary
In Report No 9 to the Storting (2022-2023) Nasjonal kontroll og digital motstandskraft for å ivareta nasjonal sikkerhet. Så åpent som mulig, så sikkert som nødvendig ('National control and digital resilience to safeguard national security. As open as possible, as secure as necessary' – in Norwegian only), hybrid threats are described as 'strategies of competition and confrontation below the threshold of direct armed conflict, which may combine diplomatic, informational, military, economic, financial, intelligence and legal means to achieve strategic objectives. Hybrid threats can occur in security policy grey areas for the purpose of sowing discord and creating destabilisation. A wide range of methods can be employed and combine open, covert and clandestine methods. The methods may be directed at specific activities or situations, or may be more long-term means of giving rise to doubts, undermining trust and thereby weakening our democratic values. Hybrid threats are inherently complex and challenge the possibilities of early warning, unified situational awareness and effective and coordinated management.'
Knowledge security refers to preventing the unwanted transfer of sensitive knowledge and technology with negative consequences for national security and innovation capacity. The term covers activities aimed at influencing and disrupting activities on behalf of foreign state actors within higher education and research. Such activities may lead to censorship and impair academic freedom. Knowledge security also covers ethical issues related to cooperating with countries where fundamental rights are not respected.
Countries of concern refer to countries identified as high-risk countries in the annual national risk and threat assessments issued by NIS, PST and NSM.
National security is defined as state security and a limited part of the social security area which is essential for a state's ability to safeguard national security interests.
National security interests are a country's sovereignty, territorial integrity and democratic system of government, as well as general political security interests related to (a) the activities, security and freedom of action of the highest state bodies, (b) defence, security and contingency preparedness, (c) relations with other states and international organisations, (d) economic stability and freedom of action, and (e) fundamental societal functions and the basic security of the population.
Public security is the ability of society to protect itself against and deal with events that threaten fundamental values and functions and endanger life and health. Such events may be natural, a result of technical faults or human errors, or of deliberate actions.
A vulnerability assessment describes how vulnerable the values/assets are in light of identified threats and forms the basis for preventive and mitigating countermeasures.
On the one hand, 'values' refers to norms and principles, such as academic freedom. However, the term 'values' or 'assets' is also used in the context of valuation and risk analysis. Here, the terms refer to anything that is worthy of protection and can be threatened, such as life and health, information, material assets and reputation.
A valuation is an analysis to identify what information, objects, and other assets (e.g., life and health, reputation, etc.) are so important that they need to be shielded or protected. A valuation forms the basis for identifying threats that are relevant to the activities in terms of how threat actors can affect the institution’s values/assets.