What is information security?
Information security concerns the appropriate protection of our information. People often think that security always means “as safe as possible”, but that is not the case. It is not possible to ensure 100% safety, and the closer we get to providing this, the more measures we must take that can prove to be burdensome or even invasive. That may be appropriate for some highly sensitive data, but we can make do with less protection in other instances.
In the case of data protection, we not only consider confidentiality – that is, these data can only be seen by persons with authorised access – but also consider integrity and availability. In this way, we want to be sufficiently certain that our salary and research data are correct, and that our information systems and the data they contain can be accessed when needed. The more important that is, the more measures we will need to take to ensure that.
The starting point for information security is that the implementing organisation is itself responsible for taking appropriate protective measures. Based on incidents and the development of threats around us, the Chief Information Security Officer (CISO) draws up frameworks that form the starting point for appropriate protection. The institutes implement these frameworks, or they are deliberately deviated from and, in that case, it is examined how the risks can be dealt with in other ways.
The reliable provision of information is vital for scientific research and the proper functioning of the operational processes. Information security is the process that safeguards this reliable provision of information. Today, the inclusion of information security as a normal quality criterion for the healthy operation of an organisation is no longer a choice, but a necessity.
The information security policy
NWO-I approved the Strategic Information Security Policy NWO-I in 2023. This document explains the responsibilities and guiding principles for how we, as an organisation, want to deal with risk management concerning our data processing. In this policy, several principles are elaborated that guide us in this approach.
The 8 principles
We base the measures on the possible security risks of our information, processes and IT facilities.
Everybody is and feels responsible for the correct and safe use of resources and authorisations.
Information security is part of the DNA of all our activities.
From the outset, information security is an integral part of every project or every change concerning information, processes and IT facilities.
Users only have access to the information and IT facilities needed for their work. Making information available is a conscious choice.
Knowing that things can always go wrong, we ensure the adequate detection of possible incidents and that we prepare an expert response should these occur.
- Safely facilitating work
Security measures and procedures have a reputation for being burdensome. This no longer fits in well with our current way of working. The traditional approach of limiting shall, wherever possible, be replaced by an approach of safely facilitating work.
By exchanging experiences and seeking internal and external collaboration, the ultimate outcome will be better for everyone. Information security is not a zero-sum game; we all need to protect ourselves against the same threats, and collaboration increases our chances of success.
What can I do myself?
As an employee of NWO-I, you are an important part of our data protection. Here are a few things you could do:
- Take part in the security & privacy e-learnings at https://investigatesecurity.enter-the-wave.com
- Report suspicious situations to the information security experts at your institute. More information about reporting suspicious situations and incidents can be found here.
- Make each other aware of possibilities to improve security, demonstrate mutual understanding and try not to react defensively when you yourself are made aware of similar points of improvement.
Do you have any questions about information security, suggestions or comments? You can best pose these via the Information Security Officer of your institute or by sending a mail to email@example.com.