
Requirements for security management

Why should institutions think about risk and security when it comes to international academic cooperation?

Last edited: 16 October 2023

The open threat assessments published by NSM, PST and the Norwegian Intelligence Service (in Norwegian) point out that the risk landscape across the security areas – national security, public security and emergency preparedness, and information security and data protection – is becoming more complex, and that the dividing lines between them are being erased. More and more people must therefore be constantly aware of an expanded and complex risk landscape. A single risk can affect several values/assets, span several security areas and require a combination of measures. This also applies to international cooperation.

For example, a threat actor may combine economic, information-based and intelligence-based instruments to achieve a goal that threatens an institution's information security while also challenging Norwegian security interests. PST points to the mapping of potential sources as an adverse event that can affect international cooperation. It may start with a Norwegian researcher being well paid to write for a foreign think tank. They are then invited to conferences with all expenses paid. The relationship building continues in social contexts over time. In reality, the goal may be to get them to share sensitive information. This is one of several examples of threats to the institutions; see the threat assessments or this page for more information about the threat landscape.

The threat assessments point to specific areas (see What is the threat landscape and what should be kept in mind in international cooperation?) within the research and education sector as potential targets, where there is a real risk of adverse events occurring. International academic cooperation is not risk-free. By implementing risk-reducing measures based on good insight into the risk landscape and the institution's own vulnerabilities, good and important academic cooperation can continue.

Success is contingent on building a good security culture based on competence and trust between management and employees. Employees and students must feel safe to reach out about situations that give cause for concern. This is achieved through good security management and knowledge-based decisions, rooted in current legislation and recommendations for risk and vulnerability analyses, emergency and contingency plans and exercises.

How does international cooperation affect security management at the institutions?

The work on responsible international cooperation should be linked to the institutions' security management structures and form part of their overall risk management work. Security management comprises the systematic activities necessary to protect the undertaking's values/assets from adverse events; risk assessment, risk management, security control and incident management are all part of this work. It is a management responsibility, but building a good security culture requires contributions from employees at all levels.

All undertakings under KD are required to work systematically and comprehensively on security and emergency preparedness. The requirements follow from KD's Styringsdokument for arbeidet med sikkerhet og beredskap i Kunnskapsdepartementets sektor (2021) ('Governing document for the work on security and emergency preparedness in the Ministry of Education and Research's sector' – in Norwegian only). The policy is based on laws, regulations and instructions that set guidelines for security work. Some institutions and cooperations will also have to deal with situation-specific requirements and orders imposed by legislation other than that mentioned here, for example cooperation and activities subject to the export control regulations.

What overriding requirements apply to security management for the institutions?

Requirements and guidelines follow from several laws, regulations and instructions. The most important overriding requirements and documents are listed below. The institutions must themselves consider what other laws and requirements they must comply with.

The Act relating to national security (Security Act)

All KD's subordinate undertakings are, in the same way as governmental, county and municipal administrative bodies, subject to the Security Act. Subcontractors, public or private, may also be subject to the Act.

The Act is intended to contribute to safeguarding Norway's security interests by preventing, detecting and countering activities that present a threat to security. To this end, it requires regular reviews of risk assessments, which form the basis for action plans that maintain an appropriate level of security. It also requires that roles and responsibilities are defined, that the necessary systems for security management are in place, and that the undertaking has adequate security understanding and expertise.

For KD's subordinate undertakings, the requirements related to the Security Act are summarised in the governing document:

All undertakings in the sector subject to the Security Act shall ensure:

Security management system

  • Develop a security management system that must address:
    • Risk management
    • Security management
    • Security organisation
    • Security measures and procedures
    • Relationship with other institutions
    • Security follow-up
    • Security documentation
  • Coordinate the security management system with the management system for information security and corporate governance.
  • Document the security management system in writing and revise if necessary.

Critical values/assets

  • Assess, map and keep track of your institution's critical values/assets (defined as critical information, information systems, infrastructure or objects).

Security cleared and authorised personnel

  • Maintain an overview of the institution's employees who have security clearance and/or are authorised pursuant to the Security Act. The overview must be kept up to date at all times.

The Regulations relating to the protective security work of undertakings (the Security of Undertakings Regulations)

The Regulations relating to the protective security work of undertakings stipulate requirements concerning the handling and protection of sensitive information and critical national objects and infrastructure, a national warning system for digital infrastructure, and security requirements in connection with procurements. They also contain requirements that apply to foreign suppliers, procedures for visits from abroad in connection with classified procurements (see also the Export Control Regulations), and personnel security (including authorisation of persons holding foreign citizenship).

Governing document for the work on security and emergency preparedness in the Ministry of Education and Research's sector

The governing document sets out requirements for security work in undertakings that are subordinate to KD. For undertakings in KD's policy area over which KD has more limited control (for example private undertakings), these requirements are formulated as strong recommendations.

The requirements are divided into three security areas: national security; public security and emergency preparedness; and information security and data protection. Taking a holistic view of the work on the three security areas is recommended, also in terms of international cooperation, because the areas are connected and can affect and be affected by each other.

The work must be based on knowledge and experience. This involves regularly conducting and updating risk and vulnerability analyses, emergency and contingency plans, and accompanying action plans. There are also requirements for emergency and contingency exercises.

The basic measures are summarised in the governing document as follows:

KD's subordinate undertakings shall/other undertakings in the sector should:

ROS analysis

  • Prepare ROS analyses covering the three security areas of public security and emergency preparedness, national security, and information security and data protection.
  • The analysis shall be reviewed at least annually and revised as necessary.
  • The analysis must be presented in a comprehensive report.
  • Develop an action plan for the ROS analysis for all adverse events of medium or high risk (this can be included in the overall ROS report).
  • The action plan shall describe how the individual measures reduce the likelihood and consequences of the adverse events.

Emergency and contingency plans

  • Develop an emergency and contingency plan. Review it annually and revise as necessary. As a minimum, the plan must contain:
    • Defined roles, tasks and authorisations in an emergency situation or crisis
    • Procedures for crisis communication internally and externally
    • Whistleblowing procedures (including notifying the Ministry)
    • Procedures for coordination with other actors
  • Develop a continuity plan as part of the contingency plan. Keep it up to date and revise it as necessary.
  • Develop a pandemic preparedness plan that complements the contingency plan. Revise it as necessary.

Emergency and contingency exercises

  • Carry out at least one emergency and contingency exercise per year. The exercises must be based on adverse events identified in the undertaking's ROS analysis.
  • Develop an annual plan for exercises that must as a minimum include:
    • The purpose of the individual exercise
    • Time and place of the exercise
    • Exercise scenario
    • Type of exercise
    • Target group
  • Conduct and document evaluations of completed contingency exercises and actual incidents.
  • Implement follow-up plans with the support of management. As a minimum, the plans must contain:
    • Learning points
    • Description of the measures taken
    • Timeframe/deadline for implementing the measures
    • A designated person responsible for each individual measure

How to contribute to the work on risk and vulnerability analyses

Management is responsible for providing the framework conditions and structures for security work. The governing document also emphasises that a security culture must be established that involves all employees and raises their awareness and accountability. One element of this work is involvement in risk and vulnerability analyses (ROS analyses) for collaborative projects. Here you create a unified overview of the value chains, vulnerabilities and challenges, as well as the threats associated with the cooperation project. The employees closest to a project are often the most aware of its potential risks and should therefore be involved. The ROS analysis aims to identify and assess threats and risks related to the undertaking's operations and values/assets, and to identify relevant risk-mitigating measures. KD recommends that undertakings also take account of the threat assessments published by NSM, PST and NIS in their ROS analyses. Thorough ROS work helps prevent potential risks through knowledge-based preventive measures, which should be documented in the cooperation agreement.

Work on ROS analyses can be based on various methods and standards, including ISO 31000 (Risk management) and NS 5814 (Risk assessments). The Council for Public Security and Preparedness in the Knowledge Sector has drawn up a guide to risk and vulnerability analyses (ROS analyses) for the knowledge sector (in Norwegian only). The guide can be used as a work of reference, especially by people with roles and responsibilities related to carrying out ROS analyses. NSM has developed a guide to security management (in Norwegian only) and a guide to valuation of information (in Norwegian only). The Norwegian Agency for Public and Financial Management (DFØ) also has a guide to risk management (in Norwegian only). We also refer to Sikt's recommendations for work on security and emergency preparedness in the knowledge sector. The aim is to facilitate a shared understanding of what risk is and how it can be managed through measures at the institutional level.

By mapping and assessing the risk associated with the undertaking's operations at an overall level, the ROS analysis contributes to a good understanding of risk and provides a basis for choosing measures. It identifies possible events and situations that may threaten the undertaking's values/assets. By assessing what may happen and the associated uncertainty, it is possible to identify and implement measures that help prevent the event from occurring and/or reduce the consequences if it cannot be avoided. The results of ROS analyses form the basis for further work on emergency and contingency plans and exercises.

How to contribute to the work on emergency and contingency plans and exercises?

In order to achieve a comprehensive approach to the security and emergency preparedness work, the emergency and contingency plans and exercises must be based on the work that went into the ROS analysis.

A crisis can occur as a sudden event, as an escalating event that gradually moves from being handled in the normal manner to requiring crisis management, or as an announced crisis. Crisis situations often demand very quick decisions and the implementation of measures faster and more efficiently than in a normal situation. It is therefore important to have an emergency and contingency plan that can be put into effect quickly to deal with different types of crises.

The plans must contain:

  • Defined distribution of roles, tasks and authorisations in an emergency situation or crisis
  • Procedures for crisis communication internally and externally
  • Whistleblowing procedures (clarify who should be notified, who is responsible for notifying, and how notification should take place)
  • Procedures for coordination with other actors

Procedures for practising the emergency and contingency plans

Exercises are learning arenas that help managers and employees in the undertaking become familiar with the emergency and contingency plan and with their own roles and tasks in a crisis situation. This is an important prerequisite for succeeding in managing adverse events and crises. When prioritising and choosing the exercise scenario, the undertakings must base their decision on the ROS analysis, especially adverse events with high or medium risk.

There are different types of exercises, such as discussion-based exercises, game exercises and full-scale exercises. Which type is appropriate depends on the purpose and objectives of the exercise, as well as the available resources. DSB has a guide to exercises (in Norwegian only) that can be used to structure this work.

The exercise must be evaluated afterwards. Improvement and learning points identified in the evaluation must be followed up and specified in a follow-up plan. The undertakings must draw up a follow-up plan with the support of management. As a minimum, it must contain:

  • Learning points
  • Concrete description of measures
  • Timeframe/deadline for implementing the measures
  • A designated person responsible for each individual measure
