Student collaboration enhances security at Stralfors

Four university students have been analysing Stralfors. Their work is enhancing Stralfors’ information security and is at the same time one element of the implementation of the security standard ISO 27001.


From left: Thomas Schuster, Amar Basic, Christoffer Johnsson, Boris Berberovic and Mohammed Ar-Rawi.

When the time came to write their final project thesis on the Information Systems course at Lund University, four students chose not to opt for a project from the list provided by the university. Instead they made their own contacts with companies. And Stralfors responded.
The four students, Mohamed Ar-Rawi, Amar Basic, Thomas Schuster and Christoffer Johnsson, got in touch with Boris Berberovic, Group Security Manager at Stralfors.
“When we met, I realised straight away that the students were a group of competent, cooperative individuals with a real passion for what they are doing. They have that magical blend of business focus and a holistic view of implementing IT solutions,” says Boris Berberovic.
Everything clicked at that very first meeting. The students had soon started work on a project, the aim of which was to further enhance information security at Stralfors, which works with sensitive and confidential information.

Reorganisation an Achilles heel
According to Boris Berberovic, the allocation of users’ access rights is an Achilles heel for many large companies. When roles change at the workplace in connection with a reorganisation, it’s often the case that access rights are not changed at the same time. This can result in major risks of information leaks. Such risks can be largely avoided by working in a standardised way. The students from Lund University therefore performed an assessment of Stralfors, with the aim of implementing parts of ISO 27001, a standard for information security management systems.
“We conducted an analysis of how access rights are allocated within the organisation, and then compared it with the ISO standard, so that ultimately we could put forward suggested improvements,” says Amar Basic.

Role-based rights the solution
By interviewing those responsible at Stralfors, the students were able to map out how Stralfors works with access rights. The students could then put forward suggestions for a work process to enhance security. 
The result was a proposal for role-based access rights through Active Directory, a shared directory service for different user systems. The proposal also includes a formalised work method in which HR has to be included in the process of allocating rights, according to Boris Berberovic.
It is also proposed that every change to access rights must require a signature, so that it is known who suggested the change. This is a way of increasing traceability. 
“We must be able to track critical data throughout the whole process. If we receive an encrypted file from a customer, we must know who’s accessed it, where it’s gone and how it’s been modified. It must be possible to track the whole life cycle. This is to protect both users and customers.”

Satisfied students and a satisfied Boris
Now that the project has been completed, the students are clearly happy about their time at Stralfors.
“Boris really did give us free rein. There was a big difference compared with the experiences of our fellow students,” says Mohamed Ar-Rawi.
“We appreciate having been treated as colleagues rather than pupils who need their hands holding all the time,” adds Christoffer Johnsson.
Boris Berberovic is also very satisfied.
“They’ve produced some really good material right from the outset, which has made the collaboration extremely relaxed. It feels as though we could drop the students straight into the business after they’d completed the project,” he says.
The students were inspired by working at Stralfors, and they had their eyes opened to work on security, a specialist area they hadn’t realised existed in their profession. Some of them are even considering specialising in security as a career.
“A couple of them have applied to work here, which I view as a success and a compliment for Stralfors,” says Boris Berberovic.