Public version of Document 3:11 (2023–2024) / Published Information security in research in the knowledge sector
We have conducted penetration tests against three research institutions under the Ministry of Education and Research. The tests gave us full control of the IT infrastructure at two institutions and control of researchers' IT equipment and cloud storage at the third institution.
Brief background
- The penetration tests are part of our investigation of information security at 10 of a total of 24 universities, university colleges and other research institutions under the Ministry of Education and Research.
- The security situation in the higher education and research sector has become more challenging in recent years.
- Information and knowledge generated by research can be of interest to both foreign intelligence and commercial enterprises.
- We are publishing an unclassified version of the report. The full report contains some information that is exempt from public disclosure and some information classified restricted by the Security Act.
Overall assessment
- It is objectionable that research data in research institutions under the Ministry of Education and Research are not adequately protected against cyber-attacks, given the requirements of the legislation and the possible consequences of sensitive data going astray.
- The institutions do not have a good enough knowledge of which research data they have that require protection. This is unsatisfactory.
- Despite improvements during the period of investigation, many institutions do not work systematically enough with information security and the boards of directors do not fulfil their role sufficiently. This is unsatisfactory.
- The Ministry of Education and Research has implemented several measures in the period 2019–2022 which, among other things, have led to increased attention to information security in the research institutions. At the same time, it is unsatisfactory that the measures do not adequately target the institutions most in need for support.
Conclusions
- Research data in research institutions under the Ministry of Education and Research are not sufficiently protected against cyber attacks
- The institutions have largely set the framework for their information security, but do not achieve the desired level of security due to deficiencies in implementation
- The Ministry of Education and Research has adjusted its use of policy instruments over the recent years, but there are a number of challenges in the sector that the current policy instruments do not address
- The Ministry of Education and Research receives little information about the actiual state of the information security in the sector. Risk-reducing measures set at sector level are not followed up
Our recommendations
We recommend that the Ministry of Education and Research
- clarifies the collaboration between the Ministry, the Norwegian Directorate for Higher Education and Skills and the Norwegian Agency for Shared Services in Education and Research on information security and clarifies the role of NOKUT.
- reviews the use of policy instruments and considers measures that better target the institutions most in need for support.
- ensures adequate information about the information security and the information values in the sector and follows up that risk-reducing measures set at sector level are implemented.
We also recommend that the Ministry sees to that research institutions
- ensures that their information security management systems are fully implemented so that the board of directors and senior management have knowledge of the information security state, can ensure that decided measures are implemented and that the measures actually improve information security as intended.
- ensures a better knowledge of which research data they possess that require protection.
- implement the technical and organisational security measures they find necessary in order to reduce the risk of cyberattacks.