Data processing user and operations regulations for the MTI network at the Universitätsklinikum of the FSU Jena

Similar documents
Status: February IT Security Directive External Service Providers

Department of Public Health O F S A N F R A N C I S C O

IT ACCEPTABLE USE POLICY

I. PURPOSE III. PROCEDURE

Department of Public Health O F S A N F R A N C I S C O

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Data Processor Agreement

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

RMU-IT-SEC-01 Acceptable Use Policy

Directive. on the Use of IT Resources at the University of Bern. For internal use. Classification. Released. Document status

Leiden University Regulations on ICT and Internet Use. Version

Responsible Officer Approved by

Employee Security Awareness Training Program

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

Name of Policy: Computer Use Policy

PURPOSE: To establish policies and procedures for the use of University-owned and -operated information technology resources.

Information Security Policy

Individual Agreement. commissioned processing

Acceptable Use Policy

SPRING-FORD AREA SCHOOL DISTRICT

Legal notice and Privacy policy

SECURITY & PRIVACY DOCUMENTATION

1.1. Gomilio is a service provided by Activa System Srls (hereinafter referred to as

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

Guidelines for the use of the IT infrastructure at the University of Bayreuth 10 February 2005

Virginia Commonwealth University School of Medicine Information Security Standard

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Data Processing Agreement

INFORMATION TO BE GIVEN 2

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Acceptable Use Policy

Conceptboard User Agreement for users registered before October 23, 2015.

Internet, , and Computer Usage Policy

19 Dec The forwarding and returning obligation does not concern messages containing malware or spam.

Information technology security and system integrity policy.

HIPAA Security and Privacy Policies & Procedures

Wireless Communication Stipend Effective Date: 9/1/2008

PUPIL ICT ACCEPTABLE USE POLICY

GM Information Security Controls

3. As far as the hosting services of WWW INFOTECH are through leased severs of our data centre partners in US and UK through contracts.

Security Policies and Procedures Principles and Practices

Subject: University Information Technology Resource Security Policy: OUTDATED

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

Wireless Network Standard

Information Technology Cyber Security Policy. Convergint Technologies, LLC

INFORMATION ASSET MANAGEMENT POLICY

Acceptable Use Policy

Privacy Policy of the products of Ilves Solutions Ltd and Ilves Valmisohjelmistot Ltd / Ilveshaku

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

COMMERCIAL BANK OF DUBAI PSC GENERAL CONDITIONS OF ACCESS AND USE OF COMMERCIAL BANK OF DUBAI FACEBOOK BRANCH

Security and Privacy Breach Notification

Checklist According to ISO IEC 17065:2012 for bodies certifying products, process and services

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) ITS Responsible Use of Telephone, Telecommunications, and Networking Resources ISUPP 2280

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

Technology Control Plan

Ohio Supercomputer Center

ACCEPTABLE USE POLICY

Website Privacy Policy

Violations of any portion of this policy may be subject to disciplinary action up to and including termination of employment.

Customer Proprietary Network Information

Acceptable Usage Policy (Student)

Acceptable Use Policy

OPTIMAL BLUE, LLC PRIVACY POLICY

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

PS Mailing Services Ltd Data Protection Policy May 2018

II.C.4. Policy: Southeastern Technical College Computer Use

North Carolina Health Information Exchange Authority. User Access Policy for NC HealthConnex

Data Privacy Statement for myportal to go

DATA PROTECTION POLICY THE HOLST GROUP

Lakeshore Technical College Official Policy

ADIENT VENDOR SECURITY STANDARD

PRIVACY POLICY OF THE WEB SITE

Texas Health Resources

Open Data Policy City of Irving

Rules for Commissioned Processing. (DDV Declaration of Conformity)

IT CHARTER. Révisée le 7 janvier 2014

TERMS AND CONDITIONS OF PROVIDING ELECTRONIC SERVICES. 1. General provisions

Electronic Network Acceptable Use Policy

Wireless Communication Device Use Policy

GEWISS S.p.A. IT CODE OF CONDUCT

Platform Privacy Policy (Tier 2)

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

Children s Health System. Remote User Policy

PRIVACY POLICY Let us summarize this for you...

ETHIOPIAN NATIONAL ACCREDITATION OFFICE. Minimum Requirements For The Operation Of Product Certification Bodies

ACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Use of data processor (external business unit)

Guest Wireless Policy

Information Security Management Criteria for Our Business Partners

Learning Management System - Privacy Policy

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems.

Data Processing Agreement

Department of Public Health O F S A N F R A N C I S C O

ISO27001 Preparing your business with Snare

Acceptable Use Policy

Wireless Communication Device Policy Policy No September 2, Standard. Practice

Internet Service Provider Agreement

General Terms and Conditions of Participation

Data Processing Agreement

Transcription:

Universitätsklinikum Jena Postfach 07740 Jena Data processing user and operations regulations for the MTI network at the Universitätsklinikum of the FSU Jena 1 Preamble... 2 2 Definitions... 2 3 Scope... 3 3.1 Personal scope... 3 3.2 Objective scope... 3 4 Consequences... 3 5 Fundamentals of IT systems usage... 3 5.1 Access... 3 5.2 Providing access to the MTI network... 3 5.3 Programs (Software)... 4 5.3.1 General... 4 5.3.2 Processing internal data, including personal... 4 5.3.3 Installation of Programs... 4 5.3.4 Installation of network services... 4 5.3.5 Orderly operation of IT systems... 4 5.4 Extension/Modification of hardware and system configuration... 5 5.4.1 Modifications of cabling and active network components... 5 5.4.2 Hard- and software-based integration of IT systems... 5 5.4.3 Outside access to the MTI network... 5 5.4.4 Integration of telecommunication devices... 5 5.4.5 Integration of mobile IT systems... 5 5.5 Data protection (Backup)... 5 6 Electronic mail (Email)... 6 7 Providing information to the Intranet and Internet... 6 8 Date of Effect... 6 9 Addendum... 7 9.1 Addendum 1... 7 9.2 Addendum 2... 7 9.2.1 Proper use of username... 7 9.2.2 Hints for creating and managing passwords... 7 9.2.3 Termination of Employment... 7 9.2.4 Use of account resources and shared drives... 7

1 Preamble The goal of the IT user- and operation regulations for the MTI network of the Universitätsklinikum at the FSU Jena is to guarantee safe, conflict-free and efficient use of the data processing systems (IT systems). The following regulations provide a summary, which will be clarified later: 1. Every user is obligated to know the regulations and their prohibitions. 2. The IT systems exist for business purposes. 3. Every user shall only work within the confines of their own user account and is responsible for the safety and contents thereof. This also applies to all data saved and used in that account. 4. Application software is installed by the Klinisches Rechenzentrum (KRZ), the Universitätsrechenzentrum (University Computing Center) and their authorized employees. 5. The principles of data protection and related statutory regulation are to be honored while working with personal data; especially those of the Bundesdatenschutzgesetz (federal data protection law, BDSG) and the Thüringer Krankenhausgesetz (hospital law of Thuringia). 6. Personal data must only be gathered, processed and used within the Klinikum, unless required otherwise by statutory regulation. Special regard is to be given to the regulations of the BDSG, the Thüringer Personenvertretungsgesetz (Thuringia substitute personnel law), and other statutory regulations. 7. Substitutes for users in cases of absence and/or retirement from the Klinikum are regulated by these regulations and/or case-by-case decisions by the responsible heads of department, under consideration of the Post- und Fernmeldegeheimnis (statutory regulations concerning postal- and telecommunications privacy). Thus, the already sizable and continuously growing number of IT users shall be able to behave in a way so that stable and effective operations can be provided to all users, the statutory regulations of data protection and data security can be ensured, and legal security is provided while working with IT systems at the Klinikum. 2 Definitions IT systems in the context of these regulations are: 1. non-networked IT systems like PCs, workstations, notebooks and other mobile devices, printers, scanners, image-providing devices etc. 2. networked IT systems like PCs, workstations, servers, notebooks, printers and other mobile devices as well as communications networks required for networking, etc. The workgroup "PC-Pool/WAP-Cluster" of the Institut für Medizinische Informatik, Statistik und Dokumentation (Institute for Medical Information Processing, Statistics and Documentation, subsequently called Systems Maintenance (Systembetreuung)) is responsible for the network of the Medizinisch-Theoretisches Institut des Universitätsklinikums (subsequently called MTI network). The use of personal computing devices in the MTI network is fundamentally forbidden. Exceptional permission can be granted when justified, upon a written request from the head of department (Einrichtungsleiter) in the context of a case-by-case assessment by Systems Maintenance. In this 2

situation, the personal computing device is treated as belonging to the Klinikum. It falls under the competence of Systems Maintenance and the data protection agent (Datenschutzbeauftragter). The user is responsible for ensuring that the personal device fulfills up-to-date standards and security regulations. Systems Maintenance is the operator of the MTI network and closely connected with the Klinisches Rechenzentrum (subsequently KRZ), which operates the Klinikum network. Both institutions are committed to providing powerful networking services and find solutions for problems of the IT systems that are acceptable to the user. 3 Scope 3.1 Personal scope These regulations apply to all employees, interns, trainees, citizens in civilian service, and all users of the IT systems and MTI network at the Universitätsklinikum. 3.2 Objective scope These regulations apply to all IT systems that are connected to the MTI network. The MTI network includes the following institutions: Institute for Anatomy, Physiology, Biochemics, Pharmacology and Toxicology, Pathophysiology and Pathobiochemics, Human Genetics and Anthropology, Medical Statistics, Information Processing and Documentation, Immunology, Vascular Medicine, Molecular/Cellular Biology and the Central Workshop for Research and Development. 4 Consequences The use of the IT systems is only permitted if the user has taken note of these IT regulations and operating order and confirmed this by signature. Each supervisor is responsible for ensuring that their users have had opportunity to do this. The IT systems must only be used for business purposes. Violations of these regulations can result in disciplinary, employment-law (ie. termination), civil-law (ie. compensation) and/or criminal-law consequences (see addendum for departmental regulation) for the concerned. Unauthorized changes to IT systems, or such that endanger the operation of the network, result in separation of the affected devices from the network until an orderly state is restored. Ultimately, a reinstallation can become necessary. 5 Fundamentals of IT systems usage 5.1 Access Generally, the IT systems of the Klinikum must only be accessed by authorized users, Every IT system shall be protected by access guards as required by the BDSG. 5.2 Providing access to the MTI network Access to the MTI network is only permitted to persons that have been registered by Systems Maintenance as users as per a formal request from the head of the relevant department (access authorization). Request forms for provision of access are provided by Systems Maintenance. They 3

shall be filled out, signed by the responsible head of department, and returned to Systems Maintenance. Further information regarding access and password usage is listed in the addendum. 5.3 Programs (Software) 5.3.1 General For each user, the institution at which they are employed is to define in writing, and in agreement with the KRZ and Systems Maintenance, a spectrum of licensed software required in the line of their work. Usage of programs other than those required for work is not permitted. Attempting to manipulate installed software is strictly prohibited. Furthermore, attempting to gain access to others' data, such as user accounts, mail boxes and passwords, is also prohibited. Using the provided software for commercial, non-work purposes is also prohibited. Accessing, providing or distributing racist, extremist, pornographic and other legally relevant data or documents, as well as downloading it from the Internet, is explicitly prohibited. Downloading or distributing copyrighted data, like films, music or software, without possessing a license, is explicitly prohibited and will be prosecuted. This also applies to downloading licensed software from servers of the Klinikum. Specific regulations for business- and private usage of Internet and email services will be formulated in a separate agreement. 5.3.2 Processing internal data, including personal Personal data must only be raised, processed and used as specified by the Bundesdatenschutzgesetz, the Thüringer Krankenhausgesetz and other legal regulations. Other internal data must only be processed as per the requirements of the employer. Protected data must not be stored on local drives at the workplace, or processed or used outside the Klinikum, unless separate contractual agreements with the Klinikum permit it. 5.3.3 Installation of Programs The IT workstations are generally administered and managed using centralized tools by Systems Maintenance, in cooperation with the responsible IT coordinators of the institutions. Exceptions can only be permitted on a case-by-case assessment by Systems Maintenance. Local installation of any software requires the formal agreement, in writing, of the responsible head of the institution, as well as the permission of Systems Maintenance and their employees or authorized persons, under compliance with license regulations. Especially the installation of programs for remote-control is prohibited. Remote-controlling PCs for service reasons is regulated in a separate document. Software that was acquired by the KRZ is workplace-licensed and must not be circulated inside or outside of the institution. Unlicensed, personal or software that is unrelated to the demands of work, will be removed when found. 5.3.4 Installation of network services The establishment and maintenance of network services is generally done by Systems Maintenance. To guarantee data protection and work safety in the MTI network, the installation and configuration of decentralized services (FTP, Mail, directory services, servers and server services, etc) is only permitted under inclusion of Systems Maintenance. 5.3.5 Orderly operation of IT systems Systems Maintenance verifies and monitors the orderly state and smooth operation of the individual IT systems using appropriate means. The data thus gathered falls under data protection laws, and is only used for optimizing IT processes in agreement with the Personalrat and accordance with legal 4

requirements. If violations of the regulations or irregularities are discovered, the legal authorities are notified and a safe state is immediately restored, for instance by disconnecting network access. Present protocol files are then evaluated in cooperation with Systems Maintenance, the data protection agent (Datenschutzbeauftragter), and the Personalrat. 5.4 Extension/Modification of hardware and system configuration 5.4.1 Modifications of cabling and active network components Modifications of the cabling of the network must only be done by authorized facilities of the Klinikum or persons authorized by them. The same applies to manipulations of active network components (routers, switches, hubs, network cards, etc). Components for wireless data transfer (Access points, wireless network cards, etc) are centrally provided and installed. 5.4.2 Hard- and software-based integration of IT systems Integration of IT systems into the Klinikum network must only be carried out by employees of Systems Maintenance or their authorized personnel. The same applies to network configuration, directory services, catalogs etc. 5.4.3 Outside access to the MTI network Special services for external access to the MTI network, like Email, are present. Providing these services is done by request of the responsible head of department (compare 5.2). It is explicitly pointed out that personal data must not be transmitted, or used from, outside the network. 5.4.4 Integration of telecommunication devices The usage of telecommunication devices (Modems, ISDN cards and others) is to be requested in writing from Systems Maintenance and only permitted in exceptional cases. Manipulating networked IT systems is fundamentally not permitted, to guarantee a safe and error-free operation of the network and IT systems. 5.4.5 Integration of mobile IT systems Users of mobile systems carry a heightened responsibility for their systems and the connected networks. The user must ensure that the mobile systems comply with current security demands of hard- and software manufacturers and the Klinikum in specific. Hardware-, operating system- and software updates must be installed soon after their publication by the manufacturer. Mobile systems must be registered with Systems Maintenance before usage. Systems Maintenance assigns the user network access to connect the system with the MTI network. Due to the mobile characteristics, this is urgently necessary to prevent infestation by viruses, worms and other harmful programs. Connecting an unregistered device will result in termination of network access. 5.5 Data protection (Backup) Backups of the servers are organized and performed by Systems Maintenance. To prevent data loss, the user must take care to save his data on his home drive (H:) or the Institut drive (I:) on these servers. Performing backups of data on local drives is the responsibility of the users. Systems Maintenance will provide support on demand (backup strategies, purchase recommendations). 5

6 Electronic mail (Email) The Universitätsklinikum uses the mail system Groupwise, which is maintained by Systems Maintenance as well as the KRZ. Access to Email communication and devices via WebAccess is generally encrypted. To ensure a smooth operation of the service, the size of mails is limited. The maximal size in the MTI network currently lies at 10MB. Email is generally considered unsafe in regards to delivery and data protection. Thus, protection-worthy data must not be sent unencrypted to external sites by Email. Before sending Email to large user groups (like everyone in Novell systems) Systems Maintenance is to be consulted. Furthermore, POP3 access to Internet services is prohibited, because this bypasses the virus scanner. To protect the user, incoming emails are automatically checked for viruses and in case of infestation cleaned or summarily deleted. 7 Providing information to the Intranet and Internet Information can be provided to the Intranet and Internet. This information must be released before publication by the responsible head of department. The head of department carries responsibility for the content. Personal information of patients and coworkers (including photos, letters of patients to the Klinikum, pictures of operations etc) require personal agreement of the person concerned before publicizing them in the Intranet and/or Internet. This agreement must be provided in writing. Information must be anonymized as much as possible during publication. 8 Date of Effect These rules are effective as of 07-01-2005. The rules of 11-01-1997 are thus obsoleted. 6

9 Addendum 9.1 Addendum 1 Addendum 1, containing legal sanctions arising from improper use of DV systems, has been omitted from this translation. Please consult the German original. 9.2 Addendum 2 9.2.1 Proper use of username The requested user account will be set up by a member of Systems Maintenance. The user will be given all required access information (login name, initial password, mail address and mail password, potentially access to further subsystems). Providing this information to other employees is prohibited. If a user is absent, the responsible head of department can request access to their account with Systems Maintenance if needed. If granted, the organizational data protection agent (Datenschutzbeauftragter) is to be informed. Each user is responsible for damages arising from careless use of the account. 9.2.2 Hints for creating and managing passwords To prevent access to the MTI network from unprivileged parties, every account is protected by a password. A password should contain at least six characters. All available characters should be used. The use of so-called trivial passwords (first names, pet names, cities and similar) is to be avoided. Preferably, the following special characters can also be used:! " $ % & / () =? ` [ ] { } \,. - _ < >. Umlauts as well as the letter ß are to be avoided. By varying these special characters, memorable and safe passwords can be created even on password change. Passwords are to be kept secret from other persons. If the suspicion of illegitimate access by third parties arises, Systems Maintenance is to be informed immediately. 9.2.3 Termination of Employment Login can be granted on a temporary or unlimited basis. Upon termination of the work relationship or other legal relation with the Klinikum, work in the MTI network must not continue, unless arranged otherwise in writing. For this purpose, the Department of Employment (Dezernat Personalwesen) notifies Systems Maintenance of terminated employees every month. In special cases, a short-term notification can occur. Before termination, still-required data must be transferred to a successor. After termination, the entire user account is first barred and completely deleted after a period of three months. If the user re-enters employment at the Klinikum, the user account can be reactivated. If an account is not used for a year or more, it can be deleted by Systems Maintenance. Because of this, in case of prolonged absence Systems Maintenance should be informed. 9.2.4 Use of account resources and shared drives Every user is assigned a personal data drive, called "home drive" (Home-Bereich). The data on this drive can only be read, modified and erased by the user and, in special cases, the network administration. In some cases leading coworkers or IT workers have access to this drive. The user must be informed of this. In connected institutions, a so-called Institutsbereich (institution drive; I: drive) is configured. This is a shared data drive for members of the department. Access to this drive must be requested as part of user registration. The size of these drives is determined by work requirements as well as technological and financial constraints. 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback