How does your organisation deal with sensitive information and possible dual-use research? Can employees continue to work if systems fail? Who can access the systems and alter data?
Information security has three sub-areas: Availability, Integrity and Confidentiality (known in Dutch by the abbreviation BIV). Availability, or continuity, ensures that systems and data remain usable, and so helps to manage the risks of failures, malfunctions and incidents. Integrity, or reliability, ensures that information is correct, complete and up-to-date. Confidentiality, or exclusivity, ensures that only authorised persons have access to systems and information. Information security is a cycle: risk analysis and risk management are essential activities that an organisation must repeat periodically, not carry out once.
Availability, or continuity, of systems is important for the security of information. In the event of a network failure, employees must be able to resume work as quickly as possible, and no dangerous situations should arise in the meantime. This covers the continuity of ICT systems and of data storage, but also backup provisions for building management systems, such as maintaining negative pressure in laboratories, and for physical security and authorisation systems.
Integrity, or reliability, describes the extent to which data, IT services and IT resources are correct, complete and up-to-date. This includes authorisation systems, but also the prevention of identity fraud, data theft and the hacking of computer systems. Ensuring resilience to incidents and calamities is crucial. To limit damage and to resume operations quickly, an information security incident must be detected and reported as early as possible. Conscientious and well-trained employees know what they have to do when an incident occurs.
Confidentiality, or exclusivity, means that data can only be accessed by someone who is authorised to do so. You therefore need to know which ‘crown jewels’ (the most sensitive information) of the organisation must be protected. Information or data is defined as confidential if damage occurs when it becomes known outside the authorised group. Such confidential information could include data about research with high-risk pathogens, dual-use research, data about storage or building management systems, or personal details. The level of confidentiality is determined by the classification of the information and by the restriction of access to it: the classification states how sensitive the information is, and access is granted only to those whose role requires it. Levels of confidentiality can be assigned to various forms of information with the aid of labels. For agencies of the national government, the Decree on Information Security, Classified Information Service (VIRBI) is in force. This decree can also provide guidelines for classification in other organisations.
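The paragraph above describes confidentiality as a combination of a classification label on the information and a restriction of who may access it. The following is an added example, not code from the original page or from any named scheme such as VIRBI, of how such a label-based check is typically enforced: a document carries a classification level and optional compartments (need-to-know groups), a user holds a clearance of the same form, and access is granted only when the user's clearance dominates the document's label. The level names, compartment names, users and documents are all constructed for illustration and are assumptions, not the categories of any real decree; denied requests are recorded so that they can be reported, in line with the incident-reporting point made earlier on the page.

```python
"""Added example (not from the original page): a minimal label-based
confidentiality check with denied-access logging.

Assumptions for illustration only: the classification levels, the
compartment names, and the sample users and documents below are
constructed and do not represent VIRBI or any other real scheme."""

from dataclasses import dataclass

# Ordered classification levels (assumed names); higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """A classification label: a level plus zero or more need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")


def dominates(clearance: Label, label: Label) -> bool:
    """True when a subject holding `clearance` may read data marked `label`.

    Two conditions must both hold: the clearance level is at least as high
    as the data's level, AND every compartment on the data is present in
    the clearance (need-to-know). Level alone is not enough."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.compartments <= clearance.compartments)


# Constructed sample data: documents with labels, users with clearances.
DOCUMENTS = {
    "pathogen_storage_inventory.xlsx": Label("secret", frozenset({"high-risk pathogens"})),
    "hvac_negative_pressure_setpoints.pdf": Label("confidential", frozenset({"building management"})),
    "dual_use_review_2023.docx": Label("confidential", frozenset({"dual-use"})),
    "canteen_menu.pdf": Label("public"),
}

USERS = {
    "lab_manager": Label("secret", frozenset({"high-risk pathogens", "dual-use"})),
    "facilities": Label("confidential", frozenset({"building management"})),
    "intern": Label("internal"),
}


def request_access(user: str, document: str, denied_log: list) -> bool:
    """Decide a single access request and record denials for reporting.

    Unknown users or documents are treated as denials (fail closed)."""
    clearance = USERS.get(user)
    label = DOCUMENTS.get(document)
    if clearance is None or label is None or not dominates(clearance, label):
        denied_log.append({"user": user, "document": document})
        return False
    return True


def readable_by(user: str) -> list:
    """All documents the given user is allowed to read, sorted by name."""
    return sorted(d for d, label in DOCUMENTS.items()
                  if dominates(USERS[user], label))


if __name__ == "__main__":
    log = []
    for u in USERS:
        print(f"{u}: {readable_by(u)}")
    # A secret-cleared user is still denied a lower-level document whose
    # compartment (building management) is not in their clearance.
    request_access("lab_manager", "hvac_negative_pressure_setpoints.pdf", log)
    request_access("nobody", "canteen_menu.pdf", log)
    print("denied requests to report:", log)
```

Note that the lab manager, despite holding the highest level, is refused the building-management document: compartments express the "restriction of access" the page mentions, separately from the level. Anything that is not an explicit allow is a deny and is logged.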
No matter how thoroughly information is secured technically, the behaviour of employees remains crucial for safeguarding the availability, integrity and confidentiality of information within the organisation. Careless behaviour can lead to sensitive information falling into the wrong hands. Employees should therefore be aware that handling sensitive information securely depends on several aspects: policy, classification, access and the exchange of information. Dual-use aspects of research are also important, even if they only become apparent after the research has begun. For publishing research and for export regulations, see ‘publishing and export control’ under the transport security tab. Training and raising the awareness of employees are important priorities in information security.