
Public version of Document 3:11 (2023–2024) / Published

Information security in research in the knowledge sector

We have conducted penetration tests against three research institutions under the Ministry of Education and Research. The tests gave full control of IT infrastructure at two of them and control of researchers' IT equipment and cloud storage at the third.

Brief background

  • The penetration tests are part of our investigation of information security at 10 of a total of 24 universities, university colleges and other research institutions under the Ministry of Education and Research.
  • The security situation in the higher education and research sector has become more challenging in recent years.
  • Information and knowledge generated by research can be of great interest to both intelligence agencies and commercial enterprises.
  • We are publishing an unclassified version of the report. The full report contains some information that is exempt from public disclosure and some information classified restricted by the Security Act.

Overall assessment

  • It is objectionable that research data in enterprises under the Ministry of Education and Research are not adequately protected against cyber-attacks, given the requirements of the legislation and the possible consequences of sensitive data going astray.
  • The enterprises do not have a good enough overview of the research data that need protection. This is unsatisfactory.
  • Despite improvements during the survey period, many enterprises do not work systematically enough with information security, and the boards of directors do not fulfil their role sufficiently. This is unsatisfactory.
  • The Ministry of Education and Research has implemented several measures in the period 2019–2022 which, among other things, have led to increased attention to information security in the enterprises. At the same time, it is unsatisfactory that the policy instruments do not adequately target the enterprises that have the greatest need for support.

Conclusions

  • Research data in research enterprises under the Ministry of Education and Research are not sufficiently protected against cyber-attacks.
  • The institutions have largely set the framework for information security work, but do not achieve the desired level of security because of deficiencies in implementation.
  • The Ministry of Education and Research has adjusted its use of policy instruments in recent years, but there are a number of challenges in the sector that the current policy instruments do not address.
  • The Ministry of Education and Research receives little information about the real state of security in the sector, and risk-reducing measures decided at sector level are not followed up.

Our recommendations

We recommend that the Ministry of Education and Research

  • clarifies the cooperation on information security between the Ministry, the Norwegian Directorate for Higher Education and Competence and the Norwegian Agency for Shared Services in Education and Research, and clarifies what NOKUT's role should be.
  • reviews the use of policy instruments and assesses measures that better target the research enterprises that have the greatest need for funding.
  • ensures a good information base on the state of security and values in the sector and follows up that risk-reducing measures at sector level are implemented.

We also recommend that the Ministry ensure that the research enterprises:

  • ensure that the information security management system is fully implemented, so that the board and senior management have an overview of the security situation, can ensure that decided measures are implemented, and can verify that the measures actually improve security as intended.
  • ensure a better overview of the research data that are to be protected.
  • implement the technical and organisational security measures they deem necessary to reduce the risk of cyber-attacks.