Security instructions

Security at OsloMet

1.1. Peace, order and threatening situations
1.2. Emergency preparedness
1.3. Fire
1.4. Physically securing OsloMet's premises
1.5. Reporting criminal offences
1.6. Security incidents and breaches
1.7. Duty of confidentiality and declaration of confidentiality

Processing information at OsloMet

2.1.  What must  be protected?
2.2.  Storing and sharing data
2.3.  Sharing and online social behaviour
2.4.  Who owns the information and the results?
2.5.  Processing sensitive information
2.6.  Personal data and data protection
2.7.  Processing information stored in cloud computing services
2.8.  Mobile equipment, apps and wireless networks
2.9.  E-mail
2.10.  Bulk e-mail
2.11.  Calendars
2.12.  Deleting and shredding
2.13.  Printouts and papaer documents
2.14.  Fraud and misuse of information
2.15.  OsloMet's IT systems and computer networks
2.16.  User names and passwords
2.17.  Remote access to OsloMet's systems
2.18.  Connecting with private equipment from OsloMet's premises

Contents

1.1. Peace, order and threatening situations

• Peace and order shall be maintained in the working and study premises. 
• Everyone shall feel safe at OsloMet. Aggressive or threatening behaviour is not acceptable. If you end up in a threatening  situation:
  • Keep calm without provoking. If the situation escalates, withdraw from the situation.
  • If you need assistance from a security guard, call 40 911 000.
  • In case of serious violent and threatening situations, notify the police immediately by calling 112.
  • OsloMet would like to know about these situations also after they have happened. Please notify OsloMet by sending an e-mail to sikkerhet@oslomet.no.

1.2. Emergency preparedness

• Notify OsloMet's Emergency Preparedness Unit in the event of serious incidents or situations that may escalate. Call 40 911 000 (24 hours).
• For emergency assistance abroad in the event of serious incidents, call the local emergency number (Store it in your telephone before starting your journey).
• If you need assistance abroad, call the Norwegian Church Abroad emergency phone number: +47 95 11 91 81. The Church has agreed to assist HiOA students and staff in emergencies. (You can download an app with the Norwegian Church Abroad's emergency phone number before travelling).

1.3. Fire

When the alarm sounds, you must:

1. close all windows and doors in your area.
2. follow the instructions given by the floor manager, superior, and/or the fire department.
3. leave the building through the nearest emergency exit and proceed to the meeting point.

If you discover a fire, you must:

1. alert everyone in the area, set off the fire alarm, and call 110
2. rescue people who need help to evacuate the building
3. extinguish the fire if you are able to
4. evacuate via the nearest emergency exit

You must help prevent fires:

• The use of candles and open flames is prohibited. This also applies to flares on the outside of buildings. The only exception applies to serviced areas: Fyrhuset café, Festsalen in Pilestredet 52, and laboratory areas that are approved for this purpose. For large events at Kjeller Campus or for special occasions such as ceremonies to mark a death, permission to use candles may be applied for by contacting bie@oslomet.no.
• Electrical equipment:
  • Coffee makers/kettles must only be used with fixed timers.
  • Waffle irons, toasters, hobs, microwave ovens and other equipment must not be used without special permission from the Head of Physical Safety and Fire Prevention (contact bie@oslomet.no).
  • Extra heaters must not be used. If you want to raise the temperature in a room, contact bie@oslomet.no
• You must not cover or disconnect fire alarms, fire detectors or sprinkler systems.
• Keep escape routes free of clutter – avoid storing anything in or by designated escape routes.
• The use of door wedges, etc. to keep doors open is prohibited, because this will prevent them from automatically closing in the event of fire. Closed doors prevent smoke and fire from spreading.
• If you discover matters affecting fire safety, contact drift@oslomet.no

• You are required to complete this e-learning course about fire prevention as soon as possible after joining OsloMet. It can be found at sikresiden.no

1.4. Physically securing OsloMet's premises

• If you need to contact a security guard, call 40 911 000.
• Admission cards/student ID cards are personal and must not be lent to others. Your code must be stored separately from the card. Always carry the card when on OsloMet's premises.
• Do not permit people access to locked areas if you do not know that they are permitted to have access.
• Latched doors must normally be kept closed and must always be closed before you leave at the end of the day. For fire safety reasons, door wedges, etc. must never be used to hold doors open. Windows must always be closed before you leave at the end of the day and when the premises are left empty during daytime.
• If you lose your keys, immediately contact Brukerstøtte i Eiendom: bie@oslomet.no. If you lose your admission card, immediately order a new one on your user account (Bitadmin.hioa.no), and the old card will be deactivated.
• Documents or equipment containing sensitive information should be locked away and not be left accessible in OsloMet's premises when not in use. This also applies to offices that are locked.
• Take good care of equipment/items that might be attractive to steal. Do not leave such objects unattended in public areas or classrooms. Remember that equipment may also contain information that you would not want to lose or let others have access to.
• When you leave/are no longer an active student, your admission card will be deactivated. You must return keys to the reception in P46 (Pilestredet Campus) or at the reception at Kjeller Campus. You must return any equipment borrowed from OsloMet. IT equipment must be returned to IT Service Desk.

About physically securing HiOA's premises.

1.5. Reporting criminal offences

• You are solely responsible for reporting thefts of and criminal damage to your property on OsloMet's premises.
• All cases of burglary, theft, and vandalism perpetrated against OsloMet property will be reported.
• We want to be notified of all criminal offences committed on OsloMet's premises. If you become aware of such cases, notify sikkerhet@oslomet.no. If your report contains sensitive information, please do not send this information in an e-mail. Ask for an appointment with OsloMet’s contact person for the police.

1.6. Security incidents and breaches

If you have questions or know something that can be significant for the safety at OsloMet, please send an e-mail to sikkerhet@oslomet.no. E-mails are only processed during office hours. NB! Do not send sensitive information in an e-mail. Ask for a meeting instead

Abour reporting security incidents and breaches.

1.7. Duty of confidentiality and declaration of confidentiality

• Everyone who signs the declaration of confidentiality is obligated to make themselves familiar with what this entails.
• The person responsible for the research project /practical training or immediate superiors must ensure that the necessary confidentiality agreements are signed and filed.
• The duty of confidentiality also applies after you leave OsloMet.

About the duty of confidentiality and the declaration of confidentiality at OsloMet.

Processing information at OsloMet

2.1. What must be protected?

• You must have an awareness of the value of the information you process.
• You must know whether any legal requirements apply to the information you process, and you must comply with such requirements.
• You must reduce the risk associated with the information you process to an acceptable level.

What must be protected, about value and risk assessments.

2.2. Storing and sharing data

• You must know where you store the information and that it is sufficiently secured relative to its value.
• You must know who you share the information with and that they are authorised to share the content.
• Employees must register and store all information that is subject to case processing and that has documentary value in OsloMet's official document management system (Public360). 

About storing and sharing data at OsloMet.

2.3. Sharing and online social behaviour

• In accordance with Norwegian law, you may not post confidential information, personal data without consent, material protected by copyright without permission, defamatory accusations, racist remarks, or threats or representations of sexual abuse of children.
• Be conscious of when you are acting as a private individual and when you are acting on behalf of OsloMet. You should also keep in mind that your different roles will nonetheless be associated with you as an individual and that in practice it may be difficult for you and others to distinguish between these roles. For example, a future employer will not distinguish between your different roles as a private individual, a student or an employee.
•  There is no "inner circle" in social media. Show extreme caution when referring to students, teachers, colleagues, superiors, internal affairs or external partners, or when referring to deaths, accidents or criminal cases before they are made public.
• Act in accordance with general rules for good manners, accountability, and academic integrity. For example, use citations whenever relevant. Do not post emotionally!
• If material posted on behalf of OsloMet is done so illegally or if it might damage OsloMet's reputation, contact nettredaksjonen@oslomet.no; for help on how to deal with it.

About sharing and online social behaviour.

2.4. Who owns the information and the results?

• You must not copy personal data or sensitive information that is collected or produced through your studies or work at OsloMet unless this has been cleared with the programme coordinator/immediate superior and a written agreement has been signed stating how it should be stored, used, and deleted.
• Material protected by copyright may only be used, made available and distributed under an agreement with the licensee.
• Software subject to licence restrictions is distributed or installed by the Department of ICT.
• Questions of ownership of information may be regulated by law, be determined by an agreement, or assessed based on what assignments you have had at OsloMet and what investments OsloMet has made.
• You may not use information belonging to OsloMet for private commercial purposes unless OsloMet has signed an agreement transferring the rights for commercial purposes.
• Before you leave OsloMet and your user account is deleted, you are personally responsible for removing information that belongs to you. Transfer OsloMet's information to the right location (archive, project, superior).
• The information asset owner at OsloMet must ensure that the information is correctly processed according to its value and in compliance with laws and regulations.

About who owns the information and results at OsloMet.

2.5. Processing sensitive information

2.6. Personal data and data protection

• All personal data must be processed with caution, while sensitive personal data must be processed according to highly  restrictive rules.
• If you process personal data in connection with your studies or research or in other job contexts, your teacher/project manager/superior must provide you with the necessary training.
• You are personally responsible for ensuring that you process personal data in accordance with the current procedures that apply for the data you are processing. If you have any questions, ask your teacher/project manager/superior.
• Be conscious of what information you post about yourself on the internet and in social media. Ask permission before posting information about others, including pictures.
• Never use someone else's identity; to do so is illegal, regardless of the medium used.

About personal data and data protection at OsloMet.

2.7. Processing information stored in cloud computing services

• Sensitive information or information that should not be lost must not be stored in a cloud storage service.
• OsloMet offers the cloud storage service BOX for storing, sharing and cooperation when working on files and documents
• Use of cloud services in connection with studies or work is done so on personal initiative and responsibility.

About processing information stored in cloud computing services.

2.8. Mobile equipment, apps and wireless networks

• As a general rule, sensitive information may not be processed on mobile devices or via wireless networks.
• Show caution when using open wireless networks, as everything you transmit, including user name and password, is easy to monitor.
• Assess apps before installing them, and remove the ones you do not use. Be aware of what you give apps access to. You should realise that apps may gather information from your device without asking or informing you.
• Employees who synchronise OsloMet e-mail/calendars with mobile devices must use a PIN containing at least six digits to unlock the mobile device.

About mobile equipment, apps and wireless networks at OsloMet.

2.9. E-mail

• All students and employees have a personal e-mail address: username@oslomet.no / firstname.lastname@oslomet.no. This address shall mainly be used in connection with correspondence related to studies/work.
• Sensitive information must not be sent by e-mail. Consider other alternatives.
• Employees must register and store all e-mails that either contain documentary evidence of decisions made on behalf of OsloMet or have documentary value in OsloMet's official document management system (Public360). 

About using e-mail at OsloMet.

2.10. Bulk e-mail

• Bulk e-mail must only be used for dissemination of academic or administrative information that is relevant for the recipients on the address list. It must not be used for the purposes of exchanging opinions, marketing, or buying/selling. Private/social e-mail communication, invitations, events, etc. may be distributed via bulk e-mail if an event is relevant for the recipients on the address list.

About bulk e-mail at OsloMet.

2.11. Calendar

Avoid entering private or sensitive information in calendars or as attachments. Such entries can be read by others.

About using calendars at HiOA.

2.12. Deleting and shredding

• Before equipment/media are sent for repair, handed over to others or discarded, all sensitive information must be deleted using the proper deletion software. The computer's regular deletion function is inadequate. Equipment must be returned to IT Service Desk for disposal or reinstallation.
• If the equipment you return to IT Service Desk  contains internal or sensitive information, you must always indicate this on the form that must be completed when returning the equipment. IT Service Desk will then delete such information in a proper manner before discarding the equipment. Memory cards and memory sticks including internal or sensitive information must be handed over to IT Service Desk for destruction if they are not to be used by the exact same person(s).
• Sensitive paper documents must always be destroyed in a shredder or be put in the plastic containers with padlocks, marked with "Norsk Gjenvinning og sikkerhetsmakulering" (Norwegian Recycling and Secure Shredding). These are located at different locations around the campuses.
• When you leave OsloMet, your e-mail account and any information stored on OsloMet`s home server will be deleted. You must make your own copies if you want to keep this information.

About deleting and shredding at OsloMet.

2.13. Printouts and paper documents

• Sensitive paper documents must be securely locked away when you leave the office.
• Paper documents containing sensitive information must not be disposed of in trash cans.
• Only print documents if necessary, and collect your printouts immediately.

About printouts and paper documents at OsloMet.

2.14. Fraud and misuse of information

Be conscious of what information you possess that could be misused by others. Apply sound scepticism, and be conscious of the different ways you may be tricked (e.g. by phishing, social manipulation, identity theft, and malware).

About fraud and misuse of information.

2.15. OsloMet's IT systems and computer networks

• OsloMet's IT systems shall mainly be used for purposes of study, teaching, research, administration or organisational work for associations that are relevant to studies or work.
• The IT systems must not be used in ways that generate expenses for OsloMet unless expressly agreed in writing in advance.
• You must always read your e-mail to make sure you catch important messages. Students are expected to keep updated on information published in Studentweb and Canvas.

Guidelines for using ICT equipment and mobile devices at OsloMet.

2.16. User names and passwords

• Never give anyone your password, and never log onto OsloMet's systems using other people's password.
• If someone knows your password, you must change it.
• The password you use at OsloMet must never be used elsewhere, e.g. on Facebook or Gmail.
• The password must be at least 16 characters long. Use normal words, spaces and sentences that are easy to remember rather than special characters.
• Always lock your computer or log off when leaving it in a room where others have access to it, even if you are just popping out for a few minutes.

Everything you need to know about user names and passwords / changing passwords (Employment).

Guidelines concerning user accounts at OsloMet.

2.17. Remote access to OsloMet's systems

• Remote access to OsloMet's system must only occur via the security solutions provided by IT Service Desk.
• Remote access must only be activated from trusted machines (equipment owned by OsloMet or personal equipment which only you use and control). You must not activate connections from random machines in internet cafés, hotel lobbies, etc.
• Do not leave your computer unlocked when you are logged on, and log off when you are inactive.
• Equipment owned by OsloMet must not be used by others, such as family members.
• Central administrative systems must only be used from equipment owned by OsloMet and in accordance with OsloMet's guidelines for using the systems.
• Avoid enabling people around you to view your screen.

About remote access to OsloMet's services, access to file servers and external desktop.

Guidelines concerning ICT equipment and mobile devices at OsloMet.

Guidelines concerning laptops at OsloMet.

2.18. Connecting with private equipment from OsloMet's premises

Connecting to the network: As a general rule, you must connect to the wireless network, Eduroam. Network cables are available in classrooms for connecting private equipment. Connecting private equipment to cabled networks is not permitted in other rooms. If cable connection is necessary in special circumstances, such as during conferences, etc., contact itservicedesk@oslomet.no. 

Installations in the network: You may not set up separate installations in the network (such as a separate server or wireless base station). The Department of ICT is notified of abnormal use of the network. If you require additional services in the network, send a request to itservicedesk@oslomet.no.

Requirements for private equipment: Private equipment must be installed with the latest security updates and antivirus software. Laptops must have their firewall enabled. File-sharing programmes  such as BitTorrent must be turned off. Exemptions may be granted by applying to itservicedesk@oslomet.no.

IP address: Use the IP address that is automatically generated by OsloMet. Use the standard settings and do not set a fixed IP address.

Guidelines for ICT equipment and using mobile devices at OsloMet.

Guidelines concerning laptops at OsloMet.