“Get in control of our information”


image by Lizzan Wiberg

Approximately 130,000 people live in the municipality of Helsingborg, which makes it the 8th largest in Sweden. The municipality spends roughly 5 billion SEK each year to provide services to citizens. The majority goes to schools and to care for the elderly and people with disabilities.

The Safety and Security unit has four core areas: crisis management, information security, risk management and insurance. The cooperation with iFACTS began in 2007 and has developed over time to cover several different areas. Today iFACTS’ method and software are used for incident and event reporting, information security, insurance management and facility data.

Per Sandström has worked as Information Security Manager in Helsingborg for the past 7 years. They have a continuity perspective on the information security work.

As early as autumn 2006, Per was given the assignment to investigate the information security perspective for the city; prior to this, only IT security had been an issue. The work started with a current situation analysis, followed by a gap analysis performed with the support of iFACTS. A number of improvement areas were identified.

During 2007, two pilot projects were carried out with two different administrations. A procurement process followed. Per clarifies:

“It soon became evident that working with information security requires a clear method and a qualified IT system – therefore a procurement process was put in effect, where iFACTS was one of the participants.”

Per again:

“The need for a policy became clear; this was established in 2009. Shortly thereafter the implementation process started, with the project ‘Startpunkt’. It was run as a learning project – the whole area was new to our operations. A training program in cooperation with iFACTS was also started – on how to inventory and classify information.”

A recent IT audit revealed some non-conformities regarding roles and responsibilities and the lack of risk analysis for some of the information systems. Documentation on some systems was also lacking. An updated system maintenance organization has been established. New training covering the need for documentation will take place shortly.

Per continues:

“iFACTS is at present used to get in control of our information system – who owns and who is responsible for different types of information – what rules and regulations apply. The information is evaluated on its sensitivity in regard to dependencies and confidentiality; risk analysis is continuously performed. The documentation work has been started. Everything is gathered in one common place – the iFACTS platform.”

“What result has been achieved? At first it was evident – that there was no control! The level of competence has now been increased with the system owners – iFACTS has given important support in this process. The general awareness has been increased; people talk more and more about information security.”

iFACTS makes it possible to connect information security work efficiently to risk management work, directly connected to continuity planning.