Information security policy
AcadeMedia’s operations involve the daily management of large quantities of information. Since we process both sensitive information about individuals and information that could affect our share price, secure and well-planned processing is required.
The responsibility for proper information security rests with all of us at AcadeMedia, both employees and others who work here (such as consultants). This policy describes how we must act and the general requirements that AcadeMedia’s senior management and Board of Directors have for all operations within the Group.
Objectives and security aspects
The objective of AcadeMedia’s information security work is to protect the information that exists within the operation so that it can only be used for the intended area of application. The protection must be tailored to the needs with respect to type, sensitivity, risk, legal requirements and other governing regulations or documents for our operations.
Information security at AcadeMedia is based on four aspects:
- Confidentiality: Only someone who needs certain information for their work and receives authorisation, and no one else, shall receive access to the information.
- Accuracy: Information must not be altered through a mistake, unauthorised access or technical errors.
- Access: It must be possible for authorised persons to access and use information within the desired time and from the right place.
- Traceability: It must be possible to trace processing of and access to critical information.
Meanwhile, transparency is a watchword in AcadeMedia’s communications policy. Therefore it is important to carefully determine whether information is confidential or sensitive from any perspective. If not, we must endeavor to be as transparent as possible.
Overall roles and responsibilities
All employees and others working at AcadeMedia’s operations are responsible for processing information correctly. The ultimate responsibility lies with the party that owns the information, across the entire Group. The responsibility can be divided and delegated when needed. The primary confidential and sensitive information areas that AcadeMedia processes are listed below with their respective information owners:
- Personal data about children, students, guardians, participants, customers or partners – An operation’s head/board that is subject to authorisation. A general delegation to the principal for our school operation, to the operations manager for the adult operation and to the preschool head within the preschools.
- Personal data about employees such as salary data, authorisation information, management profile, employee satisfaction index and other staff key figures – the Director of HR and their respective managers.
- Financial information – CFO
- Commercial tenders and confidential agreements – Signatory/Responsible Manager
- Risk reporting, supervision log and reports – Group quality manager
- Legal information – Group’s head of the legal department
A large part of our information is stored in dedicated IT systems for which there is often a designated system owner. (Appendix 1, Overview of AcadeMedia’s IT systems, in Swedish, login required.) Every system owner is responsible for the security of the information stored in their systems. This responsibility may be delegated within AcadeMedia’s operations as needed. System owners must report risks and their management as well as incidents to the information owners described above (who bear the overall responsibility for information security within their information area), with a copy to the Group’s CIO.
The Group’s CIO is responsible for the Group’s overall information security. This includes ensuring that the Group’s technical infrastructure enables reliable and secure information management. The responsibility includes ongoing follow-up of, and compliance with, the policy regarding the systems’ usage and security functions. The CIO is also responsible for ensuring that mission-critical systems have a designated system owner who understands their responsibilities. A list of mission-critical IT systems and their system owners is shown in Appendix 2 (in Swedish, login required). Each country manager (or the equivalent) is responsible for providing the CIO with supporting documentation for the evaluation of mission-critical systems within their respective country.
Risk assessment and risk management
It is the responsibility of the respective information owners and system owners to regularly perform risk assessments and manage the information risks identified. In cases where deficiencies or risks regarding information security are discovered, the supervising function/responsible party and the Group’s CIO must be promptly informed and steps taken.
Information systems (IT)
A great deal of the operation’s information is kept in digital systems and archives. Therefore it is important for processes concerning access and authorisations to be well defined. Information security in the form of backups and continuity plans is also important.
Access: Access to IT-based systems takes place via user accounts. Accounts must be personal when processing important information to enable traceability. Accounts must only be created after ordering and approval by an authorised orderer. Every system and information owner must ensure that the security level for login (authentication) corresponds to the sensitivity of the information stored in their respective systems.
Every manager is personally responsible for ensuring that accounts are ordered, updated and cancelled for employees when they begin, change or terminate their employment.
Password security requirements should follow best practices.
Authorisations: authorisations for different functions and information must only be provided to those who need this for their work, and may be given upon the order and approval of the respective information owner or upon their delegation. Authorisations for central financial, invoice and HR systems must be assigned according to established procedures and must comply with applicable authorisation levels.
All cases regarding access and authorisations must be traceable and documented in the case management system. Every information owner and system owner must ensure that the authorisations in each system are reviewed at least once a year.
The number of people with high authorisations (so-called full administrator rights) must be limited as far as possible. High authorisations may only be used to fulfil necessary job duties related to cases and problems.
Storage: It is the responsibility of the respective system owners to ensure that information is backed up and archived in accordance with good practice, as well as applicable laws and regulations. For systems operated in AcadeMedia’s central environment, the technical system owner is the party responsible for following up and, if necessary, specifying requirements for backups of the system. System owners must report whether there are any deficiencies or risks in this respect to their respective information owner and the Group’s CIO.
Continuity planning: For all mission-critical information, the information owner is responsible for the existence of a continuity plan that meets the needs posed by major breakdowns or shutdowns. For each mission-critical system, the system owner must ensure that there is a corresponding continuity plan and report any deficiencies or risks to the information owner.
Personal responsibility for information security
The starting point is that each individual is responsible for keeping their passwords and IT equipment secure. Appendix 3, User policy for digital tools (AcadeMedia Sweden, in Swedish) describes what applies to all employees or consultants in the Swedish operation. There must be an equivalent policy for the other countries.
Passwords in particular are an important part of our digital security and must never be disclosed to anyone else. Passwords used for AcadeMedia’s systems may not be used in any other systems or services, since this sharply increases the risk of intrusions. If we leave a computer/tablet/phone unsupervised, it should be locked or turned off to prevent unauthorised access.
Lost equipment or suspected unauthorised use of passwords or other access must be reported to AcadeMedia IT immediately.
Some employees have access to especially sensitive information that could affect share prices and are therefore subject to special security measures. These employees must certify and comply with the guidelines contained in Appendix 4, Mobile device protection guidelines (in Swedish). As a starting point, this applies to everyone in group management, group control, Investor Relations and employees on the access persons list. In addition, certain persons in areas including group accounting and AcadeMedia IT are subject to these measures. Who is subject to these measures is determined in every case by the Group’s CFO.
Information classification and printouts
When managing projects with price-sensitive information, such as acquisitions, procedures relating to the logbook and non-disclosure agreements must be followed. See our Insider policy (in Swedish) for more information. Printing documents within AcadeMedia’s various head offices requires logging in personally with your own security card. A corresponding security function may be obtained in all Swedish operations by placing an order.
Sensitive personal data
Sensitive personal data (such as health or union affiliation) or personal data that can be perceived as sensitive in privacy terms (such as salary data, child development or educational investigations) should always be handled with extra care and in systems/solutions that are tailored for this purpose. Ordinarily logging in to these systems/solutions should be done with a secure login (two-factor login). The Group’s data protection policy describes the management of personal data in more detail.
Every care provider at AcadeMedia must have a well-documented management system that clearly indicates responsibility for medical and psychological efforts, and also contains an Information security policy. The Information security policy must be checked with the Group’s CIO, and compliance must be regularly monitored by the responsible party within the operation. As an example of such a policy, there is an Information security policy for Student Health’s medical efforts at AcadeMedia’s upper secondary schools (in Swedish).
AcadeMedia’s central accounting system contains both important and sensitive information about the Group’s operations. Therefore the system is subject to strict requirements for authorisation management and access. Access requires a connection via AcadeMedia’s network or via a VPN.
Financial information that is sensitive or important may only be sent by e-mail as an encrypted attachment where the key is provided by means other than e-mail (such as SMS). People who regularly work with such sensitive financial information must have computers and phones equipped with encrypted storage and must observe extra vigilance with their digital work tools. All board material is distributed through a secure board portal (Directors Desk), where particularly sensitive information may require a password or printing may be prevented.
People in access positions must handle physical working material containing important information by locking up such printouts and ensuring that their workplaces are equipped with doors that lock.
IT infrastructure security
AcadeMedia’s CIO bears the ultimate responsibility for IT security. This responsibility includes security in the form of relevant firewalls as protection against intrusions and fundamental protection for information stored in systems within AcadeMedia’s central operating environment. It also includes the responsibility to ensure that suppliers of centrally procured IT services meet the Group’s information security requirements regarding both data and physical security (protection of data centres).
AcadeMedia IT has a responsibility to ensure that the communication solutions used within the Group live up to a market level in terms of communication security and availability. AcadeMedia IT has the ability to control access and authorisations for communication networks in order to protect the operation. AcadeMedia IT also has a mandate to limit access to all IT systems and infrastructure, at both the individual and group levels, if necessary in the event of external threats such as attacks and viruses.
Monitoring and logs
System owners are responsible for stipulating requirements for monitoring and logging functions for each system based on their current needs.
When collecting information of an investigative nature, i.e. without the explicit consent of the individual, the Group’s CIO must always be notified, and at least two people with different functions (such as a manager and an HR representative) must act together to ensure good management and thus also protect individuals from potential abuse. See Appendix 7, Digital investigations (in Swedish). Every country is responsible for establishing the corresponding documents after checking them with the Group CIO or head of the legal department.
Management of information security incidents
Respective information owners and system owners are responsible for managing and following up possible security incidents and remedying them promptly, as well as taking steps to reduce their impact.
In cases where operations or persons may be affected, the relevant responsible party from the operation concerned must be involved. If the incident involves the police or is otherwise serious in nature, someone from segment or Group management must be involved. The Group’s CIO should always be informed about incidents that are not trivial. In case an incident concerns personal data that are sensitive from a privacy or other standpoint, the operation’s data protection officer must also be notified promptly, after which they will decide whether to report it to the Swedish Data Protection Authority.
If an incident risks affecting AcadeMedia’s operation in business terms (entirely or in parts), each operation’s crisis management team or the Group’s crisis management team must be involved. If the information security incident is of such nature that information that affects the share price may have been disseminated or is at risk of doing so, the CFO and IR manager must be informed immediately.
Follow-up and audit
In connection with the annual audit, the IT area is also examined and information security is followed up through interviews with concerned parties as well as through follow-up of specific cases.
Appendices (in Swedish):
• Appendix 1 – Overview of AcadeMedia’s IT systems (login required)
• Appendix 2 – List of mission-critical IT systems and system owners (login required)
• Appendix 3 – Policy for use of digital tools (AcadeMedia Sweden)
• Appendix 4 – Security procedures for mobile devices (login required)
• Appendix 5 – Information security policy for Student Health’s medical efforts
• Appendix 6 – Information security policy for Student Health’s medical and psychological efforts at AcadeMedia’s preschools and primary schools
• Appendix 7 – Digital investigations (AcadeMedia Sweden)