Introduction

The Information Security Policy outlines the University of Iceland's priorities for information security and for the secure handling of data and information owned or stored by the University. The University of Iceland shall protect the University's and stakeholders' data from all internal and external security threats, whether deliberate or arising from error or mishap.

The University has established this Information Security Policy because professional working practices are the key to success. Adoption and implementation of the policy is an important factor in achieving a united approach among staff and stakeholders when it comes to data security.

The University of Iceland's information security management system applies to all buildings, hardware, software, services, processes and staff that are required to maintain an acceptable level of service for the clients and internal operations of the University of Iceland, along with the setting up and maintenance of terminals and user administration for the University of Iceland. This is consistent with the "Declaration on usability", version 10.

The objectives of the Information Security Policy are to ensure that:

  • Information is accurate and accessible to authorised parties as required.
  • Confidentiality is maintained when appropriate and confidential information is inaccessible to unauthorised parties.
  • Information is reliably protected against corruption and deletion, whether deliberate or accidental.
  • The risks of processing, storing and sharing information do not exceed defined limits and are consistent with a risk assessment.

  • The University of Iceland's Information Security Policy is binding for all University staff members and applies to all parties providing services to the University of Iceland.
  • There is a Data Protection and Information Security Committee, intended to provide a platform for discussion of information security and data protection issues in accordance with operational rules set by the rector and ratified by the University Council.
  • The University of Iceland guarantees the security of data about the institution and its students in terms of confidentiality, accuracy and accessibility.
  • The University of Iceland will act in accordance with objectives, laws, regulations and guidance pertaining to information security management, which together form the basis of planning and measures that safeguard the confidentiality, accuracy and accessibility of data and information systems.
  • All employees of the University of Iceland are obligated to protect data and information systems against unauthorised access, use, editing, disclosure, deletion, loss or transfer.
  • University of Iceland employees, students and service providers are encouraged to report incidents or irregularities regarding information security, in order to promote an ongoing culture of continuous improvement.
  • Employees, students or service providers, current and former, must not disclose information on the internal affairs of the University of Iceland, students, external parties or other employees.
  • The University of Iceland promotes active security awareness among employees, students, partners, contractors, service providers and guests. The activities and working practices of University of Iceland employees shall be exemplary with regard to information security.
  • The University of Iceland will, as appropriate, comply with ISO/IEC 27001, the Information Security Management Standard which forms the basis for planning and maintenance measures aimed at safeguarding the confidentiality, accuracy and accessibility of data and information systems.
  • The University of Iceland's policy for information security is described in further detail in the Information Security Management Standard.
  • All laws, regulations and rules that apply to the University of Iceland regarding the storage, handling and protection of information will be upheld. Particular care will be taken when resolving issues where there may be a conflict between the provisions of different laws and regulations, e.g. the Information Act and the Data Protection Act.
  • There will be audits of information security policy and individual standards and procedures. These audits will not focus solely on isolated incidents, but rather consider all aspects of information security. Audits must be defined and approved by the Data Protection and Information Security Committee at the University of Iceland.
  • The University of Iceland will implement regular risk assessments and internal audits in order to determine whether further action is needed and identify opportunities for continuous improvement.
  • The information security officer will issue an annual report on the University of Iceland's actions and effectiveness in relation to this policy. The University of Iceland will review this policy as required, and at least every two years.

Responsibility for implementing and maintaining the Information Security Policy is assigned as follows:

The rector of the University of Iceland is responsible for the Information Security Policy and ensuring that it is formally reviewed.

Following such a review, the Information Security Policy is updated and formally approved by the University Council. The policy and potential amendments are also presented to staff and partners.

The director of central administration is responsible for implementation of the Information Security Policy and shall introduce appropriate standards and procedures to this end.

All University of Iceland employees are responsible for ensuring that working procedures fully comply with the Information Security Policy. Partners, contractors and suppliers are responsible for implementing contractual procedures that comply with the policy.

All employees must work in accordance with the Information Security Policy. They are required to report security irregularities, weaknesses or breaches in an appropriate manner.

The Information Security Policy shall be presented to management teams within the University. In order to ensure that these policy objectives are achieved, an action plan is created in accordance with the information security officer's comprehensive strategy, which is then followed up using formal processes.

  • Comprehensive strategy of the information security officer
  • Goals and metrics
  • VLR-0373 Suggestions, complaints and queries
