Providing quality IT services is crucial to running a successful university. Users’ trust in information technology forms the basis for positive outcomes. In order to earn their trust, IT services and data management must demonstrate integrity, confidentiality and accessibility.
To fulfil this responsibility, all departments and institutions at Augsburg University of Applied Sciences must commit to supporting information technology. These guidelines are meant to strengthen this effort and serve as the basis for ongoing information security management.
This methodological approach puts in place necessary rules and appropriate measures which protect information and data in such a way that
- adequately ensures confidentiality and prevents access by unauthorised persons,
- demonstrates integrity through accuracy and completeness,
- facilitates accessibility so that authorised users can easily use IT resources at any time,
- adheres to legal requirements (e.g. the Bavarian Data Protection Act).
Section 1 Security Objectives
This document defines the basic regulations concerning the following information security goals:
- Protect the network infrastructure and IT systems, including the data they process, against internal and external misuse or sabotage.
- Establish information security measures to ensure a robust, reliable and safe university environment for teaching, research and administration.
- Provide secure and trustworthy online services for users at the university and beyond.
- Comply fully with the data protection requirements as set forth by law.
- Prevent and minimise damage caused by security infractions.
Section 2 Scope
These guidelines broadly cover information technology as a whole and address all university members and other external users who use or provide IT services. All central institutes and facilities of Augsburg University of Applied Sciences must comply with them. External service providers working at Augsburg University of Applied Sciences must also adhere to them.
Section 3 Information Security Management
The information security management system takes into account all the organisational and technical measures necessary to achieve a certain degree of information security (security level) and maintain it in the long term. In order to obtain a sufficient security level, additional measures for information requiring increased protection will be defined using risk analysis.
A security plan will detail the specific regulations necessary to establish a sufficient security level and explain how to implement the underlying principles. The security plan provides extensive security guidelines based on the requirements outlined here. Their implementation helps to ensure the required level of security, as they establish the basis for the necessary security measures. The specific measures are documented in implementation plans and service-specific security policies.
At a minimum, the security policies shall cover the following areas:
- Organisation of IT security
- Assignment of information values (classification)
- Access control, network security and operational safety
- IT systems (such as servers, storage systems, workstations)
- Detection of vulnerable areas and protection against malware
- Handling security incidents
- Backup and emergency planning
- Risk management, compliance and data protection
- Physical security
The central IT security officer is in charge of running the information security management system. He/She also advises the IT committee, IT representatives from the faculties as well as the Computer Centre.
By regularly reviewing the implementation of the security plan and further developing security measures, the officer helps secure a sufficient level of information security.
He/She has the authority to review IT security across the university.
The IT security officer as well as the data protection officer must evaluate IT services that can be accessed remotely.
Section 4 Information Security Accountability
The IT committee is responsible for the direction of the information security management system. The IT security officer acts on behalf of the IT committee and methodologically coordinates the information security management system.
The president’s office has the final authority over the assumption of risk and the implementation of measures, as it is also responsible for properly maintaining university operations and information security.
In order to continuously develop guidelines and other related documents (e.g. the security plan), the IT committee meetings regularly include information security as an item on their agenda. The IT security officer provides status reports and receives directives based on decisions made by the IT committee.
The senate must be consulted before IT security guidelines are adopted.
All university employees, as individuals who own and process information, are responsible for maintaining the information security level in their unit.
Section 5 Classification of Information
All information is organised according to the IT security guidelines’ information classification. The owner of the information performs this task and classifies information based on its value and sensitivity, as part of establishing a sufficient level of security.
Section 6 Access to Information and Data
Access to data and IT systems is controlled by technological means and processes that correlate to the value and importance of the data and systems.
Anyone who uses the applications/IT systems must be clearly identifiable and must have received the appropriate authorisation and authentication for their specific function and task.
Access is further limited based on the minimal rights principle, which means that authorisation is only granted to the extent necessary for the fulfilment of a given task.
Any final decisions or changes to important information must be properly logged and documented. Information owners determine whether it is necessary to log and document such changes and how to do so.
Section 7 Security Awareness
In order to reach the required level of information security, employees must be made aware of information security threats. They must also know their individual areas of expertise and personal duties and conduct themselves responsibly.
Training sessions and information materials will be provided to university members to help familiarise them with security regulations and other relevant issues.
Section 8 Risk Intervention/Security Incidents
When the IT security of critical systems at the university is at risk, a service representative from the Computer Centre, together with the CIO, can immediately shut down the affected IT system and temporarily ban the user responsible for creating the threat.
The handling of security incidents must follow the protocol in place for such IT security incidents.
The IT committee decides which IT services require emergency plans, which the IT security officer then collects and coordinates. The emergency plans describe what to do in risk situations and in the event of system errors.
Section 9 Effective Date
These guidelines shall come into effect on the day after they have been made public.
Issued on the basis of the senate’s decision from 11 July 2017 and the approval of the president of Augsburg University of Applied Sciences on 14 July 2017.
Prof. Dr. Gordon T. Rohrmair, president
These regulations were put into writing on 14 July 2017 at Augsburg University of Applied Sciences; this fact was made public on 14 July 2017 via university email.
The public notification date is 14 July 2017.