INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ

Transcription

1 INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ JYVÄSKYLÄN YLIOPISTO

2 Introduction With the principles described in this document, the management of the University of Jyväskylä further specifies the information security policies defined in the University of Jyväskylä Security Policy. The information security policy and principles outline the aims, means, responsibilities and organisational measures by which information security is steered and implemented at the University. The information security policy and principles are applied to all data handling at the University throughout the entire lifespan of the data, regardless of the form of the data, the tools used and who is handling the data. The information security principles concern everyone working or studying at the University. These principles are also followed when obtaining services from external providers and, where applicable, with contract partners. Information security refers to the protection of data, services, information systems, digital communication, and relevant operating environments and practices against factors threatening the accessibility, integrity and confidentiality of data. Information security may be threatened by external as well as internal risk factors. Appropriate information security measures are selected and adjusted based on risk analyses. Information security activities include the planning and implementation of administrative, technical and other measures aiming at information security. The information security practices of the state administration provide a framework for the implementation of information security at the University. Information security objectives The objectives of information security help achieve the University s strategic goals in research, education and societal interaction. Secure data management and processing enhance the quality and overall security of university activities. Information security aims at ensuring appropriate data protection (confidentiality), guaranteeing the validity (integrity) of data, and contributing to the accessibility and usability of data for relevant purposes. Information security activities seek to ensure continuous operation under normal conditions as well as during disruptions thereof and in exceptional circumstances as described in the Emergency Powers Act (2011/1552). The University s obligations in exceptional circumstances are stipulated in the Universities Act (2009/558). The purpose of information security is to secure the functioning of various information systems, services and data networks that are important for the University s operation, prevent their unauthorised use as well as any intentional or unintentional loss or corruption of data. Information security control mechanisms and risk management measures ensure adequate safety and undisturbed functioning of the operating environment and practices. The University s information security fully meets the state administration standards for basic level information security 1. The basic level standards are implemented in administrative, 1 VAHTI 2/2010 Appendix 5 1

3 technical and practical solutions. In activities that require higher than basic-level data protection, the processes, practices, information systems and tools are protected in line with the higher standards of state administration 2. According to the principle of sufficient security, the standards are applied as seen fit with respect to the risks concerned. The information and data resources handled at the University have been identified and classified according to the classification principles defined by the University 3. The data processing environments and information systems have also been identified and classified accordingly. The classification is based on the publicity, confidentiality and importance of the data. Through continuous development, we seek to integrate information security into daily working practices. The University ensures that the staff has regular and sufficient opportunities for improving their information security competence. The phenomena relative to cyber security or digital safety are accounted for by identifying threats and controlling relevant risks in the operating environment. Means of information security management Information security risks are controlled by regular and systematic risk management. Information security follows the principle of sufficient protection. The activities are enhanced through continuous development. The array of information security measures is defined more specifically in a separate description of information security management. As for the fulfilment of the information security standards, the applicability and necessity of the requirements is considered from the perspective of the University s activities. Similarly, attention is paid to the costs as well as to the likelihood and possible consequences of actualised risks. Setting standards is subjected to risk management. Individual requirements can be fulfilled by substitutive procedures, provided that the procedure, related risk assessment and decision with relevant justifications have been duly documented. Planning for sustainability, recovery and preparedness is focused at least on the critical functions and processes of the University as well as on the information systems facilitating these. The capacity for action in disruptions or exceptional conditions is developed and maintained by regular training. Information security is implemented through various controls, practices and instructions included in processes as well as by various technical solutions for information systems. Information security measures are designed so that they do not cause any significant harm to the users and working processes. In the planning and implementation of information security mechanisms, the cost effects of the solutions are also considered. 2 VAHTI 2/2010 Appendix 5 3 Instructions for classifying and handling confidential data at the University of Jyväskylä 2

4 Any deviations in information security will be reacted to as quickly as possible in order to minimise their consequences. Such deviations are dealt with according to a predefined protocol. The information security competence and awareness of staff and students are developed through training and by informing them about information security issues. Main principles of information security Protected data The University owns the rights to the data processed at the University, unless otherwise prescribed by law or agreements. Upon leaving the employment or a contractual relationship with the University, the employee must return all University property to the employer, including data sets, ICT tools and equipment (computers, tablets, mobile and smartphones, data storage devices, etc.). As a rule, the body of information the University deals with is public, as one of the University s missions is to produce and disseminate new research-based knowledge. However, the University s operation also involves data that call for secrecy. There are two information security categories for such data 4, confidential and secret, each with their own rules for handling. As a rule, the secrecy obligation is based directly on law. Separate instructions will be issued for the classification and handling of data calling for secrecy. When dealing with personal or any other data that call for secrecy, the employees need to be especially careful and follow the instructions given by the University. Any data calling for secrecy (confidential as well as secret) and personal data may be primarily handled using tools and equipment provided by the University. Data belonging to the category confidential and personal data can also be handled in cloud services approved and agreed on by the University. Data in the category secret and sensitive personal data may be handled only with the particular devices and equipment the University has assigned for this purpose. Sensitive personal data must not be handled via remote access. Handling of personal or other data calling for secrecy with one s own devices intended for private use should be avoided. The use of public cloud services for handling this type of data is not permitted. Besides the policies outlined above, we must take into account what has been agreed with the co-operation partners about the handling and protection of data. Access and user rights Access and user rights to the University s systems and data are given only to persons who have a job, study rights or other contractual relationship with the University, or some other permission granted based on application. In this context, data refers to a body of information that is not made publicly available. Access and user rights are granted according to the extent the user s position requires. When the contractual relationship ends, the access and user rights are revoked. These rights are always checked when the person s job description or user role changes, and otherwise 4 Instructions for classifying and handling confidential data at the University of Jyväskylä 3

5 on a regular basis according to the yearly information security agenda. The rights to confidential, secret or personal data are granted only when the person s duties so require (the need-to-know principle). If a person s work involves the handling of such data, the person must receive appropriate induction to secrecy practices before the user rights are granted. ICT devices University staff or persons in a contractual relationship equivalent to employment may access the University network with an ID provided and devices administered by the University, but when necessary also using their own equipment, as long as the data processing environment allows this. Students may access the network with their own devices and user IDs granted by the University. In order to ensure security, the University can limit access to its services, systems or network for people using their own devices. Those using their own devices are responsible for the information security of this equipment and for protecting the data handled on it. They must take care that the use of their own devices will not jeopardise the security of the University s network and the services available there. The University provides instructions for the protection and safe use of people s own devices. The University may set restrictions on software, applications and file formats to be used on the devices and systems it administers. Information systems and services Each information system and person register has a designated owner responsible for granting user rights and for preparing necessary personal data file and system descriptions. In regards to the University s common and general services, the rights to these systems are controlled and managed by IT Services, while for the subject-area specific systems of various units this responsibility belongs to the owner of the system. In systems involving sensitive personal information, a robust user identification procedure is applied. For the University s common services, IT Services keeps a record of the terminals, servers, telecommunication devices, information systems, and applications with related license information under its administration. Units are responsible for keeping similar records about the devices and licences they own and administer. When purchasing or developing new information systems that involve personal data, data protection principles are documented (default and builtin data protection). Personal security Security clearances are granted to personnel who deal with data calling for secrecy and who are eligible for personal security clearance according to the decision of the Finnish Security Intelligence Service (Dnro 258/2016). Security clearances are made in connection with recruitment and when launching new research projects. The backgrounds of staff who deal with data that calls for secrecy are checked according to the same principles. In its role as a service 4

6 provider, the University follows the client s instructions for security clearances and these are carried out on the client s behalf. Purchases The information security obligations for services purchased from outside of the University are negotiated with the service provider. Information security requirements are defined in connection with the bid for tenders and further specified upon the purchase. The service contracts are attached with provisions of information security either as incorporated in the main document or as a separate appendix for security issues (security agreement), if the service involves or produces data that requires protection. The same goes for data protection requirements, if the purchased service involves dealing with personal data. Guidelines for information security The University of Jyväskylä s information security activities comply with its Regulations. In addition to the Acts and Decrees mentioned in the University Regulations, those listed below are significant for information security issues: Act on the Openness of Government Activities (so-called Publicity Act, 1999/621) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) Personal Data Act (1999/523) Act on the Protection of Privacy in Working Life (2004/759) Information Society Code (2014/917) Security Clearance Act (2014/726) The Criminal Code of Finland (1889/39) In secrecy issues, the University s information security measures follow the Publicity Act (Act on the Openness of Government Activities 621/1999). In principle, information created at the University is public. Based on the Publicity Act or some specific legislation, however, a particular set of data or pieces of information may be classified as requiring secrecy. Secrecy may also be based on agreements made between contract partners. Regarding data protection, the University follows the EU General Data Protection Regulation as well as related national legislative specifications. The University has appointed a data protection coordinator independent of other activities. The development of information security is guided by the existing standards as well as by the recognition of risks and their potential consequences for intellectual capital, information systems and the operating environment. The university s information security management builds mainly on the information security practices of the state administration, which are guided by the VAHTI instructions. The structure of information security management is consistent with the ISO standard. 5

7 Information security responsibilities and organisation At the University of Jyväskylä, the Rector, with the assistance of the director of administration, is responsible for information security at the University. Information security measures are steered by the Information Security Steering Group. The Rector appoints the members of this group based on proposals by the faculties and independent units. The steering group is chaired by the director of administration and its agenda is prepared by the information security manager. The information security manager is responsible for the implementation of information security at the University and leads operational activities in this domain. Information security implementation is supported by an Information Security Group. The director of administration appoints the group members based on proposals from faculties and independent institutes. The group is chaired by the information security manager and the information security manager of IT Services acts as the secretary of the group. The group has a representative from each faculty and independent institute as well as from HR administration and IT Services. The data protection coordinator has the right to participate in the activities of this group. Responsibility for information security in the faculties lies with the deans, in the independent institutes with their directors, and in University Services with the director of administration. The registrar is also responsible for related data protection. The data protection coordinator monitors and supervises that the EU General Data Protection Regulation and other data protection legislation as well as appropriate register holder s procedures are followed. The implementation of information security and data protection is supervised by the information security manager and the data protection coordinator. For general services, the implementation of information security in technical systems (technical information security) falls under the responsibility of IT Services. IT Services must have sufficient expertise for the specification and implementation of necessary technical solutions as well as for the information security control of information networks and systems. As regards units own services, the implementation and control of information security for technical systems are the responsibility of the system owner. The information security manager of IT Services coordinates the implementation of technical information security in IT Services and the units. It is the duty of supervisors to ensure that their staff know the information security principles and responsibilities and receives the necessary training. Every staff member, student or other authorised user of the University s services is obligated to follow the instructions given. Everyone is, by their own actions, responsible for the implementation of information security and promoting the development of a good information security culture. Information security training Induction to information security issues always covers the basic principles of information security and the general principles related to the handling of data calling for secrecy. Persons 6

8 who handle personal data or other information calling for secrecy are provided with separate training on the classification and processing of such data. Records are kept of the personnel who have participated in induction sessions and other training. The information security manager ensures that there is appropriate information security induction and training available for staff and students. The level of the staff s information security competence is assessed by an online test. Following the information security principles and guidelines Every employee, student or anyone otherwise in a contractual relationship with the University is obligated to follow the principles defined in this document and the instructions specifying these, other information security guidelines provided by the University as well as the rules for the use of information systems and networks, computers and other ICT equipment. Neglecting or acting counter to these policies, principles or instructions is considered an infringement of information security. Deliberate negligence of the information security principles and instructions may lead to sanctions. Depending on the severity of the information security infringement, the consequences for a staff member may be as follows: an admonishment a verbal warning a written warning 5 termination of user rights 6 dismissal from employment 7. Admonishments are given by the University s information security staff. The authority to decide on the other consequences is determined by Rector s decision on personnel matters and directions for its implementation 8. The consequences for a student may be as follows: an admonishment a verbal warning a written warning 9 suspension 9 Admonishments are given by the University s information security staff. The authority for deciding on the other consequences is determined by the Universities Act 10. The regulations for the use of information systems include illustrative examples of various infringements, their severity, and consequences. 5 Employment Contracts Act (2001/55) Chapter 7, Section 2 6 Employment Contracts Act (2001/55) Chapter 7, Section 2 7 Employment Contracts Act (2001/55) Chapter 8, Section 1 8 Rector s decision on personnel matters and directions for its implementation 9 Universities Act (2009/558) Chapter 5, Section Universities Act (2009/588) Chapter 5, Section 45 a 7

9 If an infringement gives reason to suspect a crime, the director of administration decides whether the University should request a police investigation of the incident. When a crime is suspected, the University can suspend user rights. User rights may also be suspended or revoked when the user is considered to pose a significant threat to information security at the University. Monitoring and surveillance The respective owner is responsible for monitoring and supervising the implementation of information security for each information system, resource or service. The implementation of administrative information security at the University is monitored by means of external audits, internal inspection and reviews. In addition, technical information security is evaluated by means of continuous technical surveillance. The most important environments and systems are subjected to separate information security checks according to an audit plan. For any systems and services crucial to the University s operation, an external reviewer checks their information security before these are taken into use, and thereafter according to the audit plan. IT Services is responsible for the surveillance of information systems and networks both within the intranet and at the Internet interface. Any notices of vulnerability issued by system and software suppliers, authorities or other partners are followed actively. Software-based vulnerabilities are scanned within the systems on a regular basis. The risks and their potential effects arising from such vulnerabilities are reviewed to provide a basis for remedial actions. The control arrangements for external information systems are ensured by agreements. The data protection coordinator supervises and monitors, according to a separate work plan, the appropriateness of data protection regulations, the given guidelines and processing of personal data. The possibility to audit the processes and systems of external service providers is ensured by agreements. In any case, based on risk assessments, audits are conducted at least once during the contract term. The information security requirements set for the service providers are monitored regularly in customer meetings. Control for deviations It is every employee s duty to notify the information security manager (tietoturva@jyu.fi) and their own supervisor about any observed information security deviations or shortcomings as well as suspected misconducts or information security infringements. The handling and management of information security deviations are described in separate instructions. Detected deviations are utilised in developing data-secure practices, processes and technical environments. If the deviations give reason to suspect a crime, the director of administration decides whether a police investigation of the incident should be requested. 8

10 Approval and maintenance of information security policies and principles Information security policies and principles are drafted and maintained by the University s information security manager together with the Information Security Group. The information security policy as part of the general safety and security policy is reviewed by the Information Security Steering Group at least every five years, and it is approved by the University Board. The information security principles are reviewed annually by the Information Security Steering Group, and they are approved by the Rector. The information security policy is published on the University s website while the information security principles are available on the intranet. A public version is distributed to contract partners when necessary. The processual history of these information security principles The University of Jyväskylä Information Security Principles were drafted by Information Security Manager Teijo Roine, and before the final approval they have been reviewed as follows: in meetings of the Information Security Group on 6 February 2017, 7 March 2017, and 9 May 2017 in the Information Security Steering Group on 23 March 2017 and 9 June 2017 in the University Management Group on 15 May 2017 in the co-operation procedure on 15 June 2017 In addition, comments on these principles have been requested by from IT Services. Jyväskylä, 16 June 2017 Matti Manninen, Rector 9