Masterplan for Cyber and Information Security at AAU
: 30.06.2023

Text: Marianne Fuglsang Welling Farsinsen, ITS. Photo: AAU
Background for the masterplan
Geopolitical developments in recent years have led to an increased risk of cyber attacks on Danish institutions, including universities. At the same time, the demand for a secure and reliable digital infrastructure that can better support research both at the individual university and across research environments worldwide has also increased. Digital infrastructure and IT security have not kept up with this development at the same pace. This applies to Aalborg University, just as it does to many other institutions in the sector and in society. An up-to-date digital infrastructure with good cyber and information security is a prerequisite for addressing the increased risk, complying with GDPR legislation as well as FAIR principles and other requirements for secure data processing and operation, including expectations from external partners and the guidelines in the national strategy for cyber and information security.
The previous "Security Masterplan 2019-22" made it possible to deliver several of the planned security initiatives, most importantly the establishment of an information security organisation that now works on a risk-based basis and regularly informs the Information Security Committee about the threat and risk picture for AAU. Other initiatives have not been completed. Resources from the masterplan were also redirected to deal with the consequences of COVID-19 and the severe cybersecurity incident in 2020. At the end of the masterplan period, it is clear that there is still a long way to go to reach an up-to-date level of cyber and information security at AAU.
At the request of the chairman of the Information Security Committee (ISU), the external actor Globeteam, in collaboration with ITS, has delivered an evaluation of the security efforts at AAU in order to prepare an update of the Masterplan for the area. The evaluation compares AAU's current efforts with the threat landscape, external requirements and best practice and identifies where greater efforts should be made in the future.
The evaluation report concludes that there are many good intentions and security initiatives at AAU that are in good shape, but it identifies 19 initiatives where the level of effort is problematic or insufficient and where the risk to AAU is high or very high. The 19 initiatives are prioritised into 8 "must" initiatives, 10 "should" initiatives and 1 "can" initiative. The report has subsequently been discussed in the ISU, which has assessed that AAU should follow the recommendations in the report.
The 18 "must" and "should" initiatives are included in AAU's Masterplan for Cyber and Information Security. The initiatives are considered a prerequisite for ensuring a basic level of cyber and information security, so that AAU reduces the level of risk, which, according to the Information Security Committee's assessment, is currently too high.
Organisation
In collaboration with the external consultant, a portfolio overview has been created in which the initiatives are organised into projects with reference to two steering groups responsible for policies and processes and the technical set-up. This organisation ensures appropriate management of project progress. The steering group in which the university director participates will also function as a portfolio steering group.
Status and next steps
ITS has been in the process of identifying employees internally who could be moved to the projects and is now in the process of hiring to fill the competency gaps that have been identified.
Some of the key initiatives that are being taken on from the start are:
ITS will provide regular updates on the progress of the projects, and the Executive Board will be informed directly on an ongoing basis.