A culture of information security at the UV

  • Juan Perez Garcia
  • January 23rd, 2024

We need a culture of information security

Developing and integrating a security culture within the Universitat de València is one of the most complex objectives to achieve: first, because it requires long periods of time and continuous action; second, and much more important, because we are talking about people.

Getting our staff to internalize in their daily tasks a way of working that ensures that things are done well in terms of information security is not an easy task.

Staff usually see the security protocols that we implement at our university as a complication, a nuisance or an annoyance. Their perception is that security is uncomfortable and hinders their daily activities by imposing limitations. We need to reverse this negative view and take the necessary actions to create an authentic culture of security within our institution.

Traditionally, information security in any field has been understood as an expense that does not add value to work, since it is very difficult to see the return on this effort in measures that are not perceived as productive.

Training in security matters has so far played a negligible role in training plans. And when it is addressed, it is done only occasionally or for a small group of people.

In fact, if we ask about initiatives related to security training, we will see that only actions related to workplace safety and occupational risk prevention are addressed, leaving out areas of information security.

With the appearance in 1999 of the LOPD (Organic Law of Protection of Personal Data) there was a small change in this regard, and the institutions and organizations most affected by compliance with this regulation began to carry out training sessions on the privacy protection requirements of users.

In fact, the General Data Protection Regulation (RGPD) sets out as an obligation of our institution the training of staff in the security of personal data, ensuring that the data are managed appropriately and in accordance with the law.

It is essential that we are aware of how important training our staff in information security is to our interests as an academic institution, not only in terms of the protection of personal data, but also with regard to all the information that the University of Valencia handles: academic, economic, research, administrative, etc.

However, not all UV personnel need the same type or level of security training. The training required by the technical staff who manage the servers should not be the same as that received by an end user who only has access to a small part of the corporate information.

We should not think that the IT staff should be the exclusive recipient of training in information security.  

Currently, in any company, the vast majority of employees work with computers or devices that allow them to connect to corporate systems. Therefore, security today should not be limited to technical aspects, but should incorporate other areas such as the organizational and the legal, thus going beyond the remit of the IT Service.

It must be taken into account that there are departments, such as Human Resources or the student service, that need to know vital aspects of data security management, such as the RGPD, which they work with as part of their daily functions.

Failure to do so may expose the UV to risk situations, both in terms of data protection and in terms of legal infringements. In this case, some UV staff need to receive specific training and even have the advice of an expert in legislation applied to data protection in corporate environments.

In fact, if the UV has natural persons as 'clients', training in the field of personal data protection is fundamental, since the associated level of risk can be very high. The processing of the data of people linked to the Universitat de València must meet certain conditions, both technical and legal, which are established by the RGPD.

For example, our staff serving users in any service (SeDI, Students, IT, ...) must be perfectly trained to know how to handle a request to exercise the rights of access, rectification, cancellation or opposition, as there are some very tight deadlines for meeting these types of requests.

However, we should not limit training and awareness in information security only to the correct treatment of personal data.

There are many other aspects to consider in the training of the staff of the Universitat de València.

All the technical instructions, processes and procedures, norms and policies established in our institution must start from the premise of compliance in terms of information security. They must comply with our security rules and policies and with all internal regulations established in this regard, and must be applied in all departments, services, units, centers, foundations, institutes, etc., without distinction of any kind.

We must be permanently attentive to carrying out our work in line with good information security practices, and have internal or external mechanisms to examine the records and the traceability of information processing in all processes carried out at the UV.

The purpose of this website is to serve as a driver of information security awareness for everyone with any kind of link to the University of Valencia.

But staff must be considered a fundamental part of this process, because otherwise the handling of information and its security will be an absolute failure. We must be aware of the role we play at the UV so that information is absolutely secure in all its aspects and areas.

Awareness therefore increases the level of security of the University of Valencia; we will improve our image as a company before our students and citizens in general, and this will always have a positive impact on the development of our role as an academic institution and a reference in society.