Data processing user and operations regulations for the MTI network at the Universitätsklinikum of the FSU Jena

Transcription

1 Universitätsklinikum Jena Postfach Jena Data processing user and operations regulations for the MTI network at the Universitätsklinikum of the FSU Jena 1 Preamble Definitions Scope Personal scope Objective scope Consequences Fundamentals of IT systems usage Access Providing access to the MTI network Programs (Software) General Processing internal data, including personal Installation of Programs Installation of network services Orderly operation of IT systems Extension/Modification of hardware and system configuration Modifications of cabling and active network components Hard- and software-based integration of IT systems Outside access to the MTI network Integration of telecommunication devices Integration of mobile IT systems Data protection (Backup) Electronic mail ( ) Providing information to the Intranet and Internet Date of Effect Addendum Addendum Addendum Proper use of username Hints for creating and managing passwords Termination of Employment Use of account resources and shared drives... 7

2 1 Preamble The goal of the IT user- and operation regulations for the MTI network of the Universitätsklinikum at the FSU Jena is to guarantee safe, conflict-free and efficient use of the data processing systems (IT systems). The following regulations provide a summary, which will be clarified later: 1. Every user is obligated to know the regulations and their prohibitions. 2. The IT systems exist for business purposes. 3. Every user shall only work within the confines of their own user account and is responsible for the safety and contents thereof. This also applies to all data saved and used in that account. 4. Application software is installed by the Klinisches Rechenzentrum (KRZ), the Universitätsrechenzentrum (University Computing Center) and their authorized employees. 5. The principles of data protection and related statutory regulation are to be honored while working with personal data; especially those of the Bundesdatenschutzgesetz (federal data protection law, BDSG) and the Thüringer Krankenhausgesetz (hospital law of Thuringia). 6. Personal data must only be gathered, processed and used within the Klinikum, unless required otherwise by statutory regulation. Special regard is to be given to the regulations of the BDSG, the Thüringer Personenvertretungsgesetz (Thuringia substitute personnel law), and other statutory regulations. 7. Substitutes for users in cases of absence and/or retirement from the Klinikum are regulated by these regulations and/or case-by-case decisions by the responsible heads of department, under consideration of the Post- und Fernmeldegeheimnis (statutory regulations concerning postal- and telecommunications privacy). Thus, the already sizable and continuously growing number of IT users shall be able to behave in a way so that stable and effective operations can be provided to all users, the statutory regulations of data protection and data security can be ensured, and legal security is provided while working with IT systems at the Klinikum. 2 Definitions IT systems in the context of these regulations are: 1. non-networked IT systems like PCs, workstations, notebooks and other mobile devices, printers, scanners, image-providing devices etc. 2. networked IT systems like PCs, workstations, servers, notebooks, printers and other mobile devices as well as communications networks required for networking, etc. The workgroup "PC-Pool/WAP-Cluster" of the Institut für Medizinische Informatik, Statistik und Dokumentation (Institute for Medical Information Processing, Statistics and Documentation, subsequently called Systems Maintenance (Systembetreuung)) is responsible for the network of the Medizinisch-Theoretisches Institut des Universitätsklinikums (subsequently called MTI network). The use of personal computing devices in the MTI network is fundamentally forbidden. Exceptional permission can be granted when justified, upon a written request from the head of department (Einrichtungsleiter) in the context of a case-by-case assessment by Systems Maintenance. In this 2

3 situation, the personal computing device is treated as belonging to the Klinikum. It falls under the competence of Systems Maintenance and the data protection agent (Datenschutzbeauftragter). The user is responsible for ensuring that the personal device fulfills up-to-date standards and security regulations. Systems Maintenance is the operator of the MTI network and closely connected with the Klinisches Rechenzentrum (subsequently KRZ), which operates the Klinikum network. Both institutions are committed to providing powerful networking services and find solutions for problems of the IT systems that are acceptable to the user. 3 Scope 3.1 Personal scope These regulations apply to all employees, interns, trainees, citizens in civilian service, and all users of the IT systems and MTI network at the Universitätsklinikum. 3.2 Objective scope These regulations apply to all IT systems that are connected to the MTI network. The MTI network includes the following institutions: Institute for Anatomy, Physiology, Biochemics, Pharmacology and Toxicology, Pathophysiology and Pathobiochemics, Human Genetics and Anthropology, Medical Statistics, Information Processing and Documentation, Immunology, Vascular Medicine, Molecular/Cellular Biology and the Central Workshop for Research and Development. 4 Consequences The use of the IT systems is only permitted if the user has taken note of these IT regulations and operating order and confirmed this by signature. Each supervisor is responsible for ensuring that their users have had opportunity to do this. The IT systems must only be used for business purposes. Violations of these regulations can result in disciplinary, employment-law (ie. termination), civil-law (ie. compensation) and/or criminal-law consequences (see addendum for departmental regulation) for the concerned. Unauthorized changes to IT systems, or such that endanger the operation of the network, result in separation of the affected devices from the network until an orderly state is restored. Ultimately, a reinstallation can become necessary. 5 Fundamentals of IT systems usage 5.1 Access Generally, the IT systems of the Klinikum must only be accessed by authorized users, Every IT system shall be protected by access guards as required by the BDSG. 5.2 Providing access to the MTI network Access to the MTI network is only permitted to persons that have been registered by Systems Maintenance as users as per a formal request from the head of the relevant department (access authorization). Request forms for provision of access are provided by Systems Maintenance. They 3

4 shall be filled out, signed by the responsible head of department, and returned to Systems Maintenance. Further information regarding access and password usage is listed in the addendum. 5.3 Programs (Software) General For each user, the institution at which they are employed is to define in writing, and in agreement with the KRZ and Systems Maintenance, a spectrum of licensed software required in the line of their work. Usage of programs other than those required for work is not permitted. Attempting to manipulate installed software is strictly prohibited. Furthermore, attempting to gain access to others' data, such as user accounts, mail boxes and passwords, is also prohibited. Using the provided software for commercial, non-work purposes is also prohibited. Accessing, providing or distributing racist, extremist, pornographic and other legally relevant data or documents, as well as downloading it from the Internet, is explicitly prohibited. Downloading or distributing copyrighted data, like films, music or software, without possessing a license, is explicitly prohibited and will be prosecuted. This also applies to downloading licensed software from servers of the Klinikum. Specific regulations for business- and private usage of Internet and services will be formulated in a separate agreement Processing internal data, including personal Personal data must only be raised, processed and used as specified by the Bundesdatenschutzgesetz, the Thüringer Krankenhausgesetz and other legal regulations. Other internal data must only be processed as per the requirements of the employer. Protected data must not be stored on local drives at the workplace, or processed or used outside the Klinikum, unless separate contractual agreements with the Klinikum permit it Installation of Programs The IT workstations are generally administered and managed using centralized tools by Systems Maintenance, in cooperation with the responsible IT coordinators of the institutions. Exceptions can only be permitted on a case-by-case assessment by Systems Maintenance. Local installation of any software requires the formal agreement, in writing, of the responsible head of the institution, as well as the permission of Systems Maintenance and their employees or authorized persons, under compliance with license regulations. Especially the installation of programs for remote-control is prohibited. Remote-controlling PCs for service reasons is regulated in a separate document. Software that was acquired by the KRZ is workplace-licensed and must not be circulated inside or outside of the institution. Unlicensed, personal or software that is unrelated to the demands of work, will be removed when found Installation of network services The establishment and maintenance of network services is generally done by Systems Maintenance. To guarantee data protection and work safety in the MTI network, the installation and configuration of decentralized services (FTP, Mail, directory services, servers and server services, etc) is only permitted under inclusion of Systems Maintenance Orderly operation of IT systems Systems Maintenance verifies and monitors the orderly state and smooth operation of the individual IT systems using appropriate means. The data thus gathered falls under data protection laws, and is only used for optimizing IT processes in agreement with the Personalrat and accordance with legal 4

5 requirements. If violations of the regulations or irregularities are discovered, the legal authorities are notified and a safe state is immediately restored, for instance by disconnecting network access. Present protocol files are then evaluated in cooperation with Systems Maintenance, the data protection agent (Datenschutzbeauftragter), and the Personalrat. 5.4 Extension/Modification of hardware and system configuration Modifications of cabling and active network components Modifications of the cabling of the network must only be done by authorized facilities of the Klinikum or persons authorized by them. The same applies to manipulations of active network components (routers, switches, hubs, network cards, etc). Components for wireless data transfer (Access points, wireless network cards, etc) are centrally provided and installed Hard- and software-based integration of IT systems Integration of IT systems into the Klinikum network must only be carried out by employees of Systems Maintenance or their authorized personnel. The same applies to network configuration, directory services, catalogs etc Outside access to the MTI network Special services for external access to the MTI network, like , are present. Providing these services is done by request of the responsible head of department (compare 5.2). It is explicitly pointed out that personal data must not be transmitted, or used from, outside the network Integration of telecommunication devices The usage of telecommunication devices (Modems, ISDN cards and others) is to be requested in writing from Systems Maintenance and only permitted in exceptional cases. Manipulating networked IT systems is fundamentally not permitted, to guarantee a safe and error-free operation of the network and IT systems Integration of mobile IT systems Users of mobile systems carry a heightened responsibility for their systems and the connected networks. The user must ensure that the mobile systems comply with current security demands of hard- and software manufacturers and the Klinikum in specific. Hardware-, operating system- and software updates must be installed soon after their publication by the manufacturer. Mobile systems must be registered with Systems Maintenance before usage. Systems Maintenance assigns the user network access to connect the system with the MTI network. Due to the mobile characteristics, this is urgently necessary to prevent infestation by viruses, worms and other harmful programs. Connecting an unregistered device will result in termination of network access. 5.5 Data protection (Backup) Backups of the servers are organized and performed by Systems Maintenance. To prevent data loss, the user must take care to save his data on his home drive (H:) or the Institut drive (I:) on these servers. Performing backups of data on local drives is the responsibility of the users. Systems Maintenance will provide support on demand (backup strategies, purchase recommendations). 5

6 6 Electronic mail ( ) The Universitätsklinikum uses the mail system Groupwise, which is maintained by Systems Maintenance as well as the KRZ. Access to communication and devices via WebAccess is generally encrypted. To ensure a smooth operation of the service, the size of mails is limited. The maximal size in the MTI network currently lies at 10MB. is generally considered unsafe in regards to delivery and data protection. Thus, protection-worthy data must not be sent unencrypted to external sites by . Before sending to large user groups (like everyone in Novell systems) Systems Maintenance is to be consulted. Furthermore, POP3 access to Internet services is prohibited, because this bypasses the virus scanner. To protect the user, incoming s are automatically checked for viruses and in case of infestation cleaned or summarily deleted. 7 Providing information to the Intranet and Internet Information can be provided to the Intranet and Internet. This information must be released before publication by the responsible head of department. The head of department carries responsibility for the content. Personal information of patients and coworkers (including photos, letters of patients to the Klinikum, pictures of operations etc) require personal agreement of the person concerned before publicizing them in the Intranet and/or Internet. This agreement must be provided in writing. Information must be anonymized as much as possible during publication. 8 Date of Effect These rules are effective as of The rules of are thus obsoleted. 6

7 9 Addendum 9.1 Addendum 1 Addendum 1, containing legal sanctions arising from improper use of DV systems, has been omitted from this translation. Please consult the German original. 9.2 Addendum Proper use of username The requested user account will be set up by a member of Systems Maintenance. The user will be given all required access information (login name, initial password, mail address and mail password, potentially access to further subsystems). Providing this information to other employees is prohibited. If a user is absent, the responsible head of department can request access to their account with Systems Maintenance if needed. If granted, the organizational data protection agent (Datenschutzbeauftragter) is to be informed. Each user is responsible for damages arising from careless use of the account Hints for creating and managing passwords To prevent access to the MTI network from unprivileged parties, every account is protected by a password. A password should contain at least six characters. All available characters should be used. The use of so-called trivial passwords (first names, pet names, cities and similar) is to be avoided. Preferably, the following special characters can also be used:! " $ % & / () =? ` [ ] { } \,. - _ < >. Umlauts as well as the letter ß are to be avoided. By varying these special characters, memorable and safe passwords can be created even on password change. Passwords are to be kept secret from other persons. If the suspicion of illegitimate access by third parties arises, Systems Maintenance is to be informed immediately Termination of Employment Login can be granted on a temporary or unlimited basis. Upon termination of the work relationship or other legal relation with the Klinikum, work in the MTI network must not continue, unless arranged otherwise in writing. For this purpose, the Department of Employment (Dezernat Personalwesen) notifies Systems Maintenance of terminated employees every month. In special cases, a short-term notification can occur. Before termination, still-required data must be transferred to a successor. After termination, the entire user account is first barred and completely deleted after a period of three months. If the user re-enters employment at the Klinikum, the user account can be reactivated. If an account is not used for a year or more, it can be deleted by Systems Maintenance. Because of this, in case of prolonged absence Systems Maintenance should be informed Use of account resources and shared drives Every user is assigned a personal data drive, called "home drive" (Home-Bereich). The data on this drive can only be read, modified and erased by the user and, in special cases, the network administration. In some cases leading coworkers or IT workers have access to this drive. The user must be informed of this. In connected institutions, a so-called Institutsbereich (institution drive; I: drive) is configured. This is a shared data drive for members of the department. Access to this drive must be requested as part of user registration. The size of these drives is determined by work requirements as well as technological and financial constraints. 7