Information security - Deviations
How to report a deviation related to information security and a personal data breach.
Norwegian: Informasjonssikkerhet - avvik
Report a deviation
Deviations in information security and privacy occur when we do not follow legislation, rules and NTNU’s internal documents governing the use of NTNU’s ICT infrastructure and the processing of personal data. Deviations are mainly information security breaches connected with how work is carried out and with work practices. A deviation may have major, minor or no consequences.
Is it a deviation or a digital security incident?
A deviation is different from a digital security incident. Examples of digital security incidents include cyber attacks, scams, or ICT equipment that has been lost.
If you have any doubts about whether the issue you want to report is a deviation or a security incident, report it to NTNU SOC for faster processing.
Registering deviations
The deviation report must describe the deviation and where it took place. The report must not include personal data related to names or other types of information where confidentiality may be needed. Deviations must never be directed at a person, but at the element or action in the work process that led to the security breach. In other words, a deviation report must describe the action, not the person who performed it.
If you plan to submit a deviation report, be careful not to include sensitive information in the report. The deviation report must also describe what the possible consequences of the breach might be.
Examples of deviations in information security and breaches of personal data
- email and attachments mistakenly sent to the wrong person, especially where they include personal data
- collection of data in forms that make the information searchable on the Internet, or in form tools for which NTNU does not have a data processor agreement
- incorrect disclosure or incorrect publishing of information
- errors in access rights, equipment or software that impair the availability of information, and which may in turn compromise security
- procedures that are missing, do not work, or are not followed
- information with a classification level that requires access control is open and accessible to unauthorized persons
- lack of a basis or of an assessment of the basis for processing personal data
- a national identity number that is sent unencrypted by email to external parties (a single document containing a national identity number sent between employees is not a deviation because it does not leave NTNU’s computer network)
Why should I report deviations?
Everyone with access to NTNU’s ICT infrastructure is responsible for being on the alert for any security breaches and for reporting deviations. In this way, everyone contributes to building a strong culture for information security. Reporting deviations is necessary and desirable. Dealing with deviations creates learning and improvement that is very important for systematic work with information security and privacy. The deviation process is also an important part of NTNU’s internal control.
What happens when I report a deviation?
Deviations related to information security and privacy are processed by the Digital Security Section. There, staff classify the deviation and consider whether the Norwegian Data Protection Authority must be notified. If there is a personal data breach, the assessment is done in dialogue with the Division for Governance and Management Systems and the Data Protection Officer.
If immediate measures are necessary, action is taken in cooperation with those responsible for the service or function concerned. The line manager will be involved and will be tasked with finding the root cause and measures to prevent the same thing from happening again. This kind of assessment is often done in close cooperation with the Digital Security Section.
If information about people has been leaked and it is likely that this could have negative consequences, the people affected must be notified. Such notification is the line manager’s responsibility.
Managers at NTNU must address deviations classified as serious or critical in their management meetings and must use procedures for dealing with deviations as an important factor in the improvement efforts in their part of the operation.
See also
- IT services for employees
- IT support for students
- Students: Report deviations - Speak up!
- Guidelines on whistleblowing and follow-up of issues of concern
- Retningslinje for avviksmelding og avvikshåndtering innen informasjonssikkerhet og personvern (Guidelines for reporting deviations and dealing with deviations within information security and privacy - PDF, in Norwegian)
- Retningslinje for behandling av personopplysninger (Guidelines for processing personal data - only in Norwegian)
If you have any questions, please contact NTNU’s Security Operations Centre (NTNU SOC)
- Email: firstname.lastname@example.org
- Phone: (+47) 90 66 43 50