Statsrevisorerne Rigsrevisionen

National Audit Office of Denmark (Rigsrevisionen)
1 Use of private devices and local administrator privileges
Risk: failure to protect data

The study shows that the five largest universities have centrally defined guidelines for researchers' use of software and hardware, but that they have failed to centralise efforts to maintain a satisfactory level of security for research data. This is due mainly to the fact that, at some universities, researchers are allowed to bring their own devices, and at all the universities, researchers are allowed to have local administrator privileges, which allows them to install software. Additionally, all five universities know of incidents where unknown hardware has been connected to their network.

2 Inadequate framework for the use and management of IT equipment
Risk: non-compliance with the desired level of IT security

The study shows that the University of Copenhagen does not adequately protect research data. The university has decided to adhere to ISO 27001, but has not carried out a threat or risk assessment as prescribed in ISO 27001. Moreover, the management of the University of Copenhagen has defined only an inadequate general framework for the use and management of IT equipment at the university. Additionally, the management of the university has developed two policies that in practice leave the responsibility for IT security and the protection of research data to the individual researcher, who, in order to carry out this task, must have insight into a number of the university's IT security measures that are not described in the provided general framework. This approach has significantly limited the possibilities of establishing a high level of IT security.

3 No awareness of existing rules
Risk: lower security of data storage

The management of the University of Copenhagen expects the researchers to take responsibility for storing research data, and Rigsrevisionen has therefore examined whether the researchers are familiar with and follow existing rules to protect research data in the best possible way. The study shows that only one of the 26 interviewed researchers was familiar with the university's guidelines on data protection. The study shows examples of researchers who store data in ways other than, and less secure than, those provided by the university.

Background

The research data held by the universities are of great value and therefore obvious targets of cyber attacks or cyber espionage. In the past years, there have been several incidents of cyber attacks against Danish universities; in the spring of 2018, it came to light that three Danish universities had been hacked in the period from 2014 to 2016 as part of a large global cyber attack launched by a foreign state actor. Threat assessments carried out by the Danish Centre for Cyber Security in December 2016 and in March 2018 led it to conclude that the threat level towards Danish universities is high. Universities as well as public research environments are traditionally very open, which makes research data vulnerable to cyber attacks. According to the Centre for Cyber Security, research data in the fields of, for instance, economics, chemistry, physics, geology, environmental science and transport attract the attention of hackers.

Research at the universities is funded partly by the Danish government, as mentioned above, and partly by the European Community and private partners, who contributed just under DKK 8 billion in 2018. It could therefore have financial consequences for the universities if research data are copied or disappear. Such incidents may also weaken confidence in the affected universities, which can have serious consequences, because the universities depend on their ability to attract researchers and private research funding.

Objectives

This report concerns protection of research data within the remit of the Ministry of Higher Education and Science. This ministry has the overall responsibility for research carried out at the eight Danish universities and allocated just under DKK 9 billion for research in 2018. Each individual university is responsible for ensuring a high level of local IT security in order to protect research data. The study was initiated by Rigsrevisionen in February 2018 and is based on IT audits carried out by Rigsrevisionen during the course of 2018.

The high threat level makes it important for the universities to maintain a high level of IT security so as to protect research data.

The objective of the study is to assess whether the universities adequately protect research data.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of the publicly available reports of the authoring Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the authoring SAIs (linked).