University of Tampere Information Security Principles

These Principles were approved by the University Board on 7 June 2002. They replace the information security policy approved on 18 December 1998.

1 Goal and objectives
2 Information security
3 Modes of implementation
4 Organisation of information security and areas of responsibility
5 Information dissemination
6 Safeguarding information security and addressing problems emerging

1. Goal and objectives

The University Board uses the Principles of Information Security to define the goals, obligations and means of realisation of University information security. Information security is an integral part of safeguarding and developing the entire operations of the University of Tampere.

The goal of the University information security measures is to ensure the uninterrupted functioning of those manual and automatic information systems and information networks crucial to the University's operations, to prevent the unauthorised use of information and information systems, the intentional or unintentional destruction or distortion of information and to minimise the extent of damage. The work for information security will take due account of the challenging nature of the University as an organisation disseminating and providing information. Information security is to cover all information processing, taking into account the essential nature of each unit, including the possible need for enhanced information security.

In addition to rendering information processing secure in normal times, precautions will be taken against threatening situations that cause disturbances in operations, and provision will be made for recovery from these.

The University's information, data processing systems and services will be appropriately protected in both normal and exceptional conditions by administrative, technical and other measures.

It is the aim of the University that the information security arrangements should be of good national and international level. Each individual processing University information shall for his or her respective part be obliged to attend to information security.

2. Information security

Information security means the securing of information handling. Information security is built on the confidentiality, integrity and availability of information and also, where appropriate, on access control and non-repudiation.

Confidentiality means that information and information systems are only available to those so entitled in a stipulated manner, at a stipulated time and at stipulated places. The information should not be disclosed or otherwise put at the disposal of others.

Integrity means that information and information systems are reliable, accurate and current and have not been altered or damaged due to faults in hardware, software, natural disasters or in consequence of unauthorised human action.

Availability means that information and information systems are available and usable within a suitable time considering the nature of operations to authorised users.

Access control means that data and information systems cannot be used without permission.

Non-repudiation means the creation of documentary proof such that no party to a transaction or transfer can ever subsequently dispute his/her part therein.

Information security work is the planning and implementation of those measures to be taken in order to ensure adequate information security. These include methods for the protection of information, tools and measures, resources allocated to the work and the data security properties of the equipment.

Information security extends to all kinds of information processing tasks, also including the archiving of various types of document. Information security measures concern the processing, storing, surrender and transfer of information in electronic, spoken and written form.

The University information security will be handled according to national and international information security regulations and the instructions and guidelines on information security issued by the state administration.

3. Modes of implementation

The basis for the implementation of information security shall be the written document University of Tampere Principles for Information Security as approved by the University Board, which will be provided to all members of the University personnel, students and users of the information systems.

Pursuing the objectives of information security is an ongoing process which occurs through administrative, physical and technical solutions. In order to define the developmental needs and objectives for the University's information security, University information security risk analyses will be carried out at regular intervals. The purpose of these will be to identify potential threats to operations, to identify weak points in information processing, to assess the loss in the event of a threat materialising and to estimate the costs of pursuing information security in order to reduce risks.

On the basis of the information security principles and risk analysis a University information security plan is to be formulated and reviewed at regular intervals.

In order to define the level of information security the University collections of data and information systems will be classified with regard to confidentiality and importance. A required level of information security and the appropriate measures will be defined for every category.

Each information system or part thereof shall have an owner (department, unit).

The personnel and students will be informed about information security and the regulations and recommendations which apply to them. Awareness raising about information security in the University community will be accomplished through bulletins and by arranging training in the subject. Documents stipulating how information security is to be achieved will be approved and made available to the relevant target groups.

4. Organisation of information security and areas of responsibility

According to the University Regulations 13 § the Rector shall be in charge of overall information management. As part of their overall responsibility the Rector and the University Board shall be responsible for the implementation of information security and for creating the necessary preconditions.

The steering group appointed by the Rector for a term of three years will prepare and direct the practical implementation and development measures of the information security of the University and the related risk management in accordance with the document Information Security Principles approved by the University Board.

The Rector will appoint an information security manager under the chief of information management. This person will be responsible for monitoring, reporting and development projects in connection with information security and prepare these in collaboration with the information security steering group.

The Computer Centre of the University shall be responsible for the technical aspects of information security.

Heads of units, persons in charge of information systems, the ADP personnel of the departments, those responsible for information security and technical experts are to be responsible for the implementation of information security in their respective units and information systems.

The units of the University shall make provision for the implementation of information security in their own action plans. Implementation of information security in the units and their information systems will be directed and supervised by a person with responsibility to be nominated for each unit.

Every individual in the University having to do with information shall be responsible for the realisation of information security for his/her own part.

5. Information dissemination

Information dissemination on University information security matters outside the University and within the University on a general level shall be the responsibility of the information security manager according to the Information Security Plan. Internal communications of the units will further be taken care of by persons assigned responsibility.

6. Safeguarding information security and addressing problems emerging

The information security manager and the steering group are authorised and charged with analysing the security of the University's information systems and undertaking measures to eliminate identified security weaknesses.

Every user of the university information processing systems is obligated to observe the approved rules for the use of information systems and information security instructions.

Those using and maintaining the systems are to report any security deficiencies they notice, abuse relating to information security and suspicions of breaches of information security to the heads of their respective units and, if the nature and extent thereof should so require, to the information security manager. The information security manager will report to the University management and further to the national Ministry of Finance regarding serious breaches of information security or suspicion thereof.

Last modified: 15.12.2009 13.39