Report Incident

Content

• What is an IT security incident?
• What is an IT security emergency?
• Who do I report what to

Your report should contain the following information:

1. who is reporting (name, email address, telephone number)?
2. when did the incident occur (date, time)?
3. where did the incident take place (building, room)?
4. type of incident (malware attack, system intrusion, …)?
5. which system is affected (name, IP address)?

You can also download and print out our IT emergency card.

What is an IT security incident?

1. you have accidentally opened a suspicious attachment in an attachment in an email.

2. you have inadvertently clicked on a suspicious web address (link) in an email.

3. you receive an extortion email.

4. you receive an e-mail in which you are asked to personal data (user name, password, account number, …) via a web page or communicate them to someone.

5. you receive a large number of unsolicited messages in your mailbox (spam mail).

6. your user account is being misused to send spam mail.

7. your computer is behaving strangely (hard drive is running continuously, computer does not respond to inputs, …) because it may be infected with malware. is infected with malware.

8. you receive a phone call (usually the people pretend to be employees of a hotline of a certain company) company) because your computer allegedly has problems that can be solved with your can be solved with your help if you certain settings, which are now given to you by telephone. are now given to you by telephone.

9. you are called and asked about your working environment environment (products used, colleagues, colleagues, superiors, email addresses, …) so that this information can later be used for an attack computers and/or the university network (information computers and/or the university network (information gathering via social engineering).

10. you have committed an irregular use according to **Chapter 6 of the IT Security Policy of the university**.

11. if something seems strange or suspicious to you suspicious, it may also be an IT security incident. IT security incident.

**Report the incident promptly! All members of the university are obliged to report IT security incidents **.

Top of page

What is an IT security emergency?

1. your end device has been stolen or you have lost it lost it.

2. your files are automatically deleted, modified or encrypted. **Try to limit the damage according to chapter 5 in the limit the damage according to chapter 5 in the basic protection document. requested to do so by the data centre.

3. your access data (user name/password, chip card, …) have been stolen. **Change your password immediately and/or have your user account blocked if necessary **.

4. you are being acutely blackmailed or threatened in order to compromise the to compromise the university’s IT infrastructure.

Top of page

Who do I report what to?

Please contact the contact person of your organisational unit or the data centre if you detect an IT security incident or emergency, notice a violation of the IT security policy or report it yourself. breach of the IT security policy or if you yourself are the have been the victim of an attack by electronic means or you you have noticed incidents with criminal consequences. All IT security incidents and emergencies (with the exception of blackmail and threats) must also be reported to the affected the system administrator concerned, who is responsible for the who is responsible for the end device, lab computer, server or special software, the server or the specific software.

Top of page

IT Security Training

BITS

https://it-sicherheit.hs-fulda.de/bits

Since July 2006, BITS, the government IT security training, has served as a learning course and awareness training to inform and sensitise colleagues at IT workplaces in administrations with regard to the relevant IT security topics. BITS is available under the Creative Commons BY-SA 4.0 licence and is hosted by us:

Online self-study course on cyber and information security

https://elearning.hs-fulda.de/help/course/view.php?id=1810

This learning programme is aimed at all students and lecturers at Fulda University of Applied Sciences. It serves to sensitise and strengthen your IT skills and your security awareness in dealing with the risks of digitalisation risks of digitalisation and cyberattacks. We rely on a flexible and intuitive online learning programme that enables participants to participants to learn independently and at their own pace. The course can also be used without enrolment, but the certificate for successful certificate is only available with enrolment.

Information security in the workplace

https://elearning.hs-fulda.de/help/course/view.php?id=1703

This learning unit gives you an overview of the basic dangers of information security at your workplace. By acting carefully and following a few rules, you can make a significant contribution to the security of information systems at your university. Using university-specific examples, you will learn what consequences your actions can have and how you can protect your institution and your data. protect your institution and your data**.

Data protection

https://elearning.hs-fulda.de/help/course/view.php?id=1704

This video-based learning unit provides basic knowledge about the relevance of relevance of data protection, the principles of data processing and legal foundations. At the same time, learners are given an overview of organisational and technical measures and the rights of data subjects. They learn what to look out for when working with third parties and who to contact in the area of data protection. data protection. Examples and use cases from the university from the university landscape.

Learning and working in the context of digitalisation

https://elearning.hs-fulda.de/help/course/view.php?id=1705

This learning programme offers specialists and managers in university administrations with self-learning materials for skills development in the digital learning and working. In three areas - Understanding Understand, Use, Share - you will find self-contained modules in different different levels of difficulty.

IT Security Strategy (IT-SL)

Content

• Preamble
• §1 OBJECT OF THE IT-SL
• §2 SCOPE OF APPLICATION
• §3 PARTIES INVOLVED IN THE IT SECURITY PROCESS
• §4 ESTABLISHMENT OF THE SECURITY ROLES
• §5 IT SECURITY DOCUMENTS
• §6 TASKS OF THE PARTIES INVOLVED
• §7 REALISATION OF THE IT SECURITY PROCESS
• §8 dealing with security incidents
• §9 ENTRY INTO FORCE

PREAMBLE

The University of Applied Sciences Fulda (HFD) recognises the central role that information technology (IT) plays in the academic and administrative environment. The security of these technological resources is of paramount importance to ensure and sustain the integrity, confidentiality and availability of data and IT services. This IT Security Strategy (IT-SL) serves as a framework to ensure comprehensive protection of the university’s IT systems and data in a continuous security process. It is essentially based on the best practice recommendations for IT security at universities, which were created as a template by the ZKI IT Security Working Group. The need to define an IT-SL is derived from Section 3 (1) of the Hessian IT Security Act (HITSiG).

The aim of this IT-SL is to create uniform security standards to ensure proper IT operations, which enable a balance between academic freedom and the need for IT security. In order to achieve this goal, all university institutions must recognise the protection of data and information technology as a common challenge.

Top of page

§1 OBJECT OF THE IT-SL

The IT security guideline determines the organisational structure required for the IT security process at HFD (structural and procedural organisation) and defines tasks and responsibilities.

top of page

§2 SCOPE

The IT-SL applies to the entire information technology of the HFD in its academic and non-academic institutions. It applies to all users who use or provide it. It is binding for the Executive Board, all departments, staff units, the central administration, all central or other institutions and all affiliated institutions of the university as well as other companies and persons who are commissioned with IT security-relevant activities for and on behalf of HFD. The same applies to all HFD partners not mentioned in the above list whose actions affect HFD’s IT security interests.

Top of page

§3 PARTIES INVOLVED IN THE IT SECURITY PROCESS

The main responsibility for the IT security process lies with the university management. It therefore appoints the following committees and functionaries and involves existing institutions in the IT security process:

(1) Presidential Board

(2) Information Security Unit (SIS)

(3) IT Security Management Team (SMT)

(4) Computer Emergency Response Team (HFD-CERT)

(5) Decentralised IT Security Officers* (dIT-SB)

(6) Computer centre (RZ)

(7) Data protection officer* of the university (DPO)

(8) Departments, staff units, central administration, university library,

central and other facilities of the university and their users

The parties involved in the IT security process work together in all matters relating to IT security, provide the necessary information and regulate the communication and decision-making channels both among themselves and in relation to third parties. In particular, the aspect of urgency required in crisis situations must be taken into account.

Top of page

§4 ESTABLISHMENT OF THE SECURITY ROLES

1. INFORMATION SECURITY UNIT (SIS)

(1) The university management shall establish an Information Security Unit (SIS), which reports directly to the Executive Board.

(2) The SIS consists of an Information Security Officer* (ISB) and a Central IT Security Officer* (zISB).

(3) The ISB* and the zISB* represent each other.

(4) Organisationally, the SIS is located in the Vice President’s Office for Teaching and Digitisation.

2. IT SECURITY MANAGEMENT TEAM (SMT)

(1) The Presidential Board shall set up an IT Security Management Team (SMT). The SMT is the university’s central control body for IT security.

(2) The composition of the SMT should - while limiting the number of members to the necessary minimum - reflect both the different areas of responsibility of the university and the different aspects of IT security relevant to the university.

(3) The SMT consists of the following permanent members:

i) Representative of the Presidential Board (VPLD)

ii) Representation of the Information Security Unit (SIS)

iii) Information Security Officer* of the HLSB (ISB HLSB)

iv) Representation of the management of the HFD-CERT

v) Representation of the management of the computer centre

vi) In an advisory capacity: the Data Protection Officer* of HFD

(4) By resolution of the SMT, it can be expanded to include advisory experts if required.

3. COMPUTER EMERGENCY RESPONSE TEAM (HFD-CERT)

(1) The members of the Computer Emergency Response Team of Fulda University of Applied Sciences are proposed by the SMT and appointed by the Presidential Board. The nomination of the HFD-CERT members are appointed exclusively from the full-time staff of the university. university.

(2) The HFD-CERT is organisationally assigned to the Computer Centre.

(3) The HFD-CERT is composed of the following members who are authorised to make decisions:

• Head of the HFD-CERT (qualification required for the operational and technical tasks arising within the HFD-CERT).

• HFD-CERT employees: At least three other IT security experts from e.g. the areas of: Network, identity management, e-mail server and gateway, critical infrastructure or facilities with a distinctive IT infrastructure.

• By decision of the HFD-CERT, it can be expanded by experts if necessary, while limiting the number of members to the necessary number.

(4) A member of the HFD-CERT shall represent the management of the HFD-CERT.

(5) The HFD-CERT works confidentially and directly with the SIS, coordinates on key issues and reports to the SMT on its activities at regular intervals, at least twice a year.

4. DECENTRAL IT SECURITY OFFICER (dIT-SB)

(1) Each department, academic, central and other institution of Fulda University of Applied Sciences that operates IT systems shall appoint a decentralised IT security officer* (dIT-SB).

(2) A dIT-SB* may be responsible for several institutions.

(3) The appointments must cover the entire scope of application, i.e. a dIT-SB* is assigned to each IT system and each user.

(4) Personnel continuity must be ensured in the appointment, i.e. the persons involved should belong to the full-time staff of the university.

(5) If an institution does not appoint a dIT-SB*, the SMT may appoint a temporary dIT-SB*.

(6) The tasks and authorisations of the dIT-SB are described in this IT-SL or the subsequent documents based on it.

Top of page

§5 IT SECURITY DOCUMENTS

(1) The IT Security Strategy (IT-SL) provides the strategic and organisational framework for the IT security process. It is adopted by the Executive Board and reviewed on its behalf after six years at the latest.

(2) Subordinate to the IT-SL is the IT security concept (IT-SK), which is based on best practice recommendations (e.g. BSI 200-1). The IT-SK is the documentation of the IT security process. In it, the Information Security Unit and HFD-CERT record identified risks and the associated, binding technical and organisational measures. The information security concept is reviewed regularly.

(3) The framework conditions and regulations required to implement the IT-SK are documented in the IT Security Guideline (IT-SR), which is proposed by SIS and approved by the SMT. It contains descriptions of the initial situation, the basic protection measures, the implementation of IT security as an updating process and the IT infrastructure as a basic component of IT deployment and, if necessary, a specification of the tasks or roles of those involved in the IT security process. In addition, instructions on special organisational measures and guidelines for dealing with certain risks and protection requirements may be included. These are also binding and are reviewed regularly. Initially, the IT-SR can also be adopted before the IT-SK is finalised, but must be continuously developed in close coordination with the IT-SK and adopted by the SMT.

(4) Further topic-specific guidelines and work instructions are added to the IT-SR, regulations, recommendations and specifications for dealing with specific risks downstream. The same applies to emergency concepts and emergency plans. They are proposed by SIS and approved by the SMT or, depending on the scope of the the scope of validity of the respective document, by other other persons responsible for procedures or department heads, i.e. by the heads of the departments concerned, the staff units, the central administration, the central or other central or other institutions as well as the affiliated institutions of the university.

(5) In each of the documents, the respective scope of application and the respective binding nature is expressly defined. The revision intervals of the documents documents downstream of this guideline are specified in the respective document.

Top of page

§6 TASKS OF THE PARTIES INVOLVED

(1) The Executive Board of the university shall give the IT security process process with sufficient priority so that the tasks associated with the process can be can be carried out immediately and comprehensively.

(2) The SMT draws up and adopts the standardised framework guideline for IT security at Fulda University of Applied Sciences and is responsible for updating and monitoring the IT security process. Among other things the development of emergency plans. The SMT issues the university’s internal technical standards for IT security. In addition training and further education of the decentralised IT security security officers and support with the implementation of guidelines.

(3) The Information Security Unit is responsible for the implementation of the IT security framework guideline at the university and is supported by the SMT. supported by the SMT. It is the point of contact for all security-related issues point of contact both externally and internally. The SIS documents security-relevant incidents, prepares an annual IT security report and develops a report and develops a training and further education plan on cyber security topics for all employees of Fulda University of Applied Sciences.

(4) The dIT-SB are responsible for the implementation of the IT security process in their institution.

(5) Despite the appointment of the dIT-SB, the responsibility of the of the departments, the staff units, the central administration, the central and other central and other institutions as well as the affiliated institutions of the university for IT security in their areas remains unaffected. They are They are obliged to consult with the relevant decentralised departments in all relevant related to IT security, the respective responsible decentralised IT security officers and the SIS. The users assigned to them users of the IT infrastructure assigned to them must comply with the regulations and specifications from the IT security documents (IT-SL, IT-SK, IT-SR), the user regulations of the HFD, as well as instructions from authorised IT security roles.

(6) The University Computer Centre is responsible for the system, network and operational aspects of IT security. aspects of IT security. The computer centre provides significant support in ensuring information security and coordinates the IT emergency management. It also supports all IT-SBs, the HFD-CERT and the SMT in technical matters.

(7) The HFD-CERT is responsible for overarching coordination and, at an operational level operational level, the timely response to security incidents and computer computer misuse in the context of the use of information infrastructure. The HFD-CERT is responsible for the design and implementation of measures to prevent security incidents and minimise any damage that occurs. damage to a minimum. The HFD-CERT supports the dIT-SB and the SMT in technical technical issues and intervenes independently to avert danger in an emergency. It regularly prepares a situation report for the SMT on the IT security situation at Fulda University of Applied Sciences. The management of the HFD-CERT reports regularly to the SMT on operational measures. It also reports immediately to the SIS in acute cases. HFD-CERT members are responsible to authorised to issue instructions to users and IT operators in IT emergencies and IT incidents and crises. crisis situations.

(8) The staff council of the university is involved in accordance with accordance with §69 of the Hessian Staff Representation Act.

(9) Insofar as data protection issues are concerned, the university’s data protection officer* of the university is consulted.

Top of page

§7 REALISATION OF THE IT SECURITY PROCESS

(1) SIS shall design a university-wide information and communication communication system through which all participants in the IT security process are in contact and manages the information security management system (ISMS).

(2) The decentralised IT security officers are obliged to to obtain up-to-date security-relevant information and are supported in this by supported by SIS. In addition, the system operators shall provide the dIT-SB all requested information that is necessary for reporting to internal and external to internal and external superordinate bodies and provide this information to SIS and the HFD-CERT in a complete and structured manner. The dIT-SB shall arrange for the necessary IT security measures in their area to avert danger. To this end, they must be given the necessary competences by the management of their institution. competences by the management of their institution.

(3) Those involved in the IT security process shall inform each other immediately, comprehensively and completely about security-relevant incidents. incidents. SIS must be informed of every incident.

(4) The information security unit may disclose all information information that arises during the implementation of the IT security process in the individual individual organisations. If the information is obtained in the form of information protected under data protection law, this must be documented. If If recurring processes arise in which personal data is regularly personal data are regularly used, these processes must be described in a processing activities. Furthermore, the user concerned must be notified in the cases prescribed by law. If workplace and personnel-related data of university employees is required, the staff council must be informed. If, for example in the context of emergency, rapid action is required in a specific situation, this is is sufficient afterwards.

(5) For the continuous further development of the framework guideline for IT security framework guideline, the SMT should meet regularly, but at least twice a year. Those involved in the IT security process can submit proposals to the SMT for this purpose. to the SMT.

(6) This IT-SL shall be reviewed and updated by the SMT after 2 years, to ensure that it remains relevant and effective. Changes become effective after approval by the university management.

Top of page

§8 DEALING WITH SAFETY INCIDENTS

(1) The instructions of the HFD-CERT members and/or the staff unit Information Security Unit must be followed immediately in the event of an IT security incident or emergency. to be followed immediately.

(2) In the event of a breach of the IT-SL or its binding follow-up documents (see §5) SIS or the members of HFD-CERT may order the immediate, temporary shutdown of the affected shutdown of the IT system concerned and temporarily prevent the responsible responsible users from using the information technology. from using the information technology. In this case, the responsible dIT-SB* must be informed of the incident immediately. informed of the process.

(3) In the event of the data centre can temporarily block network connections or network segments. block them. The data centre must immediately inform HFD-CERT, the SIS and the responsible dIT-SB* about the incident.

(4) The temporarily decommissioned IT systems is subject to their thorough in-depth review and approval by the responsible dIT-SB*.

(5) The exclusion of a user temporarily blocked from using the information technology from using the information technology will be cancelled by the blocking authority as soon as proper use appears to be guaranteed again. A permanent restriction of use of an IT system is only considered in the case of serious or repeated violations if, despite prior reminders, proper operation can no longer be proper operation can no longer be expected in the future. The The decision is made by the Information Security department after detailed consultation with the SMT and the responsible dIT-SB*. Possible claims of the university and the system operator arising from the user relationship remain remain unaffected.

(6) The SMT shall determine the IT services for which the Information Security emergency plans. They contain instructions for action in situations and in the event of incidents and are divided into a generally accessible a generally accessible notification plan, an emergency concept for service use and a detailed emergency and a detailed emergency manual, which is available in printed form at the SIS and in a and in a designated room for crisis management.

(7) The HFD-CERT, together with the SIS, shall investigate all incidents and take appropriate taking appropriate remedial and preventive measures.

Top of page

§9 VALIDITY

This IT Security Guideline shall be valid upon its publication following a resolution by the Executive Board.

Top of page

IT Security Guideline (IT-SR)

VERSION 23.10.2008

Content

1. Overview
2. Introduction
3. Promoting security awareness
4. Minimum standards for the operation of a computer
5. Minimum standards for the operation of a network
6. Use contrary to the rules
7. Consequences of non-compliance with the IT security policy

1. overview

Fulda University of Applied Sciences expects users of the university’s computers and networks to and networks of the university to use them responsibly. responsible behaviour when using them. In response to violations violations of the security guidelines or legal provisions Fulda University of Applied Sciences and its organisational units are entitled to withdraw access authorisations from users temporarily or permanently, delete data from Fulda University of Applied Sciences computers if necessary Fulda University of Applied Sciences and to remove computers from the network. In the event of ambiguities or in cases of dispute, the IT Security Officer of Fulda University of Applied Sciences and, in the second instance, the the head of the university’s computer centre decides on such measures. measures.

Based on the User Regulations for Computers and Networks at Fulda University of Applied Sciences, this guideline details the general rules for the use and operation of computers and networks with regard to IT security. If you notice a security-relevant event, please report it. You will find instructions in the document “Report IT security incident”.

1.A Reason

Fulda University of Applied Sciences would like to enable all users to work efficiently and undisturbed. Therefore the IT security guideline contains a list of prohibited behaviours prohibited behaviour (improper use), **which every user can demand to refrain from to protect themselves from harassment and threats and to protect the University of Fulda and its organisational units from damage and legal consequences. legal consequences. In order to ensure flawless operation operation, the IT security guideline defines standards for the security of computers, networks and data. These These are minimum requirements. The organisational units organisational units of Fulda University of Applied Sciences can stricter rules in writing for their area of responsibility.

1.B Scope of validity

The IT Security Policy is binding for all members of members of Fulda University of Applied Sciences and persons who are authorised by the use of computers and networks at Fulda University of Applied Sciences. Fulda University of Applied Sciences.

In addition, it forms the basis for reactions to all security-related incidents from outside.

1.C Version

Version 1.0 from 23 September 2008

At this point, revisions to the document are noted with a brief document with a brief summary of the changes. The guideline should be reviewed regularly (e.g. every two years) to ensure that it is be reviewed. Serious changes to the technologies used technologies used or of an organisational nature can organisational changes may result in short-term revisions.

Top of page

2. introduction

The use of computers and networks has become an everyday routine for members of the members of Fulda University of Applied Sciences. When use, it facilitates many activities and activities and some work would be inconceivable without the use of would be unthinkable without the use of computers. Negligent or even unlawful use use, on the other hand, can infringe the rights of other users. rights of other users. Fulda University of Applied Sciences therefore requires all users to careful and responsible and responsible behaviour when using computers and networks.

In principle, within the framework of the legal provisions the discretion of each individual user or the discretion of the departments or the discretion of the departments and facilities of Fulda University of Applied Sciences as to the manner in which computers and networks are used. This practised approach of maximum openness has proved its worth over the years and should be maintained. However, the experience of recent years has made it clear that there must be a generally recognised consensus which irregular use is not accepted, which [minimum standards for is not accepted, which minimum standards for the operation of a computer or a network are binding and which consequences are drawn in the event of non-compliance with the guideline.

The purpose of the IT security guideline is to formalise these topics formalise these topics and to provide all users with a uniform basis basis on which to decide which use is compliant and which measures compliant and which measures are to be taken.

Due to maximum openness, misuse cannot be ruled out a priori. be ruled out a priori. The IT security guideline is intended to to accelerate the detection of security problems in order to minimise the damage minimise the damage to each individual and to Fulda University of Applied Sciences. It is intended to serve as a guideline for one’s own actions and for judgement of the actions of others. This also reduces the probability that violations will remain without consequences.

Fulda University of Applied Sciences relies on users to report security problems to the users report security problems to the computer centre and their their responsible IT security officers (contact persons of the organisational units and the system administrators to report security problems to the computer centre. system administrators rectify recognised deficiencies in their area of responsibility themselves. The complete list of contact addresses is updated regularly.

Top of page

3. promotion of safety awareness

The following measures are intended to promote safety.

3.A Users

• Users should keep themselves informed about changes to the to the security policy.

• Necessary actions due to a change in the security security guideline must be carried out immediately.

• Violations or suspected violations of the the security guideline must be reported immediately to the responsible IT security officer immediately.

• Regular participation in training on the topic of IT security is recommended.

3.B Administrators

• All of the above measures for users and additionally

• Informing users about security-related incidents security-relevant incidents, threats, etc.

• Training users, in particular on relevant topics for maintaining and increasing IT security (also for new users).

• Providing information about vulnerabilities and threats in the software used.

Top of page

4. minimum standards for the operation of a computer

In order to ensure the proper operation of a computer or an active active network component, at least the following requirements must be met. In addition the applicable security measures of the data centre must be observed.

1. the system must be professionally installed.
2. . The necessary security patches or upgrades must be installed promptly.
3. if a system does not have suitable protection mechanisms, it must be protected on the network side, e.g. by a firewall.
4. user accesses that are no longer used must be removed.
5. passwords must be changed immediately if they have fallen into unauthorised hands or there is a suspicion that they have become known to unauthorised persons and secure passwords or stronger authentication authentication methods (e.g. public key) must be used. must be used.
6. passwords may not be sent in plain text across the the boundaries of the university network and should also not be within the university network in plain text if possible. transmitted in plain text.
7. passwords should never be stored on the hard drive to avoid entering them in a programme.
8. if a procedure is introduced or significantly changed, in which personal data is processed, a [record of processing activities pursuant to record of processing activities pursuant to Article 30 GDPR must be drawn up beforehand. The result must be sent to the data protection officer of Fulda University of Applied Sciences.

If a user of a computer becomes aware of security security deficiencies, he or she is obligated to report the deficiencies to the person responsible for system administration. responsible for system administration or, if he or she does not know the person person, the IT security officer of the organisational unit. organisational unit. The IT security officer is obliged obliged to report information known or made known to him or her about security deficiencies of a computer to the person person responsible for system administration. This person in turn is obliged to take appropriate countermeasures. take appropriate countermeasures.

Top of page

5. minimum standards for the operation of a network

A network operation within the meaning of this guideline exists if dedicated network hardware (e.g. router) is operated or network services are offered at the logical level, such as NAT gateways, DNS or DHCP servers.

1. at least one responsible person must be named for each area (subnet, IP area, DNS domain) at least one responsible person must be named for each area (preferably several persons, so that in the event of errors or security incidents responsible person can always be contacted in the event of errors or security incidents) who is also technically capable of carrying out emergency measures.

2. access to the network must not be uncontrolled. The access to the network must be either physical (closed room) or administratively regulated by access lists, VPN access or similar. be regulated.

3. if IP addresses are assigned, it must be possible to trace who or which device had an IP address at a certain time. time.

4. the locations of all components in the network, including those of the of the connected computers, must be known to the responsible persons must be known.

5. the names and / or addresses of the network components (including the computers) should be visible on the be visible on the outside of the device.

Top of page

6. improper use

The rule violations defined in the security guideline are categorised into the following four areas. Behaviour sanctioned under criminal law sanctioned behaviour is always against the rules.

6.A Use of electronic communication to attack individuals or groups of individuals

6.B Use of electronic communications to obstruct the work of others

6.C Offences against licence agreements or other contractual provisions

6.D Use of electronic communication for attacks against computers, the network or services provided on it

The following violations must be reported to the respective IT security officer of the organisational unit and of Fulda University of Applied Sciences!

Top of page

7. consequences of non-compliance with the security policy

Experience has shown that most violations result from result from ignorance of the security guideline or technical inadequacy. In such cases, it will be sufficient if the perpetrator is informed about the violation of the violation of the security guideline of the Fulda University of Applied Sciences and demanded to refrain from further violations is demanded. In the event of breaches of licence agreements, the deletion of the corresponding data on the affected computers. If it can be assumed that recognised violations will also affect other departments, institutions or organisations (including those outside Fulda University of Applied Sciences) Fulda University of Applied Sciences, the responsible persons concerned and possibly the Fulda University Computer Centre must be informed (e.g. Blocking a user who also has access authorisations on other computers access authorisations on other computers).

If the direct request is unsuccessful or the identity of the identity of the perpetrator cannot be determined, the computer centre cannot be determined, the computer centre of Fulda University of Applied Sciences should be involved in solving the problem. Contact with the computer centre should best be centre via the e-mail address provided for this purpose. provided for this purpose.

In addition to the description of the problem, it should always be explicitly stated which point of the security policy has been violated. has been violated. In case of disagreement about the correctness of the complaint the IT security officer of Fulda University of Applied Sciences and, in the second instance second instance, the head of the computer centre.

7.A Measures taken by the computer centre

1. the data centre will ask the person responsible for the network or computer responsible for the network or computer to stop rule violations, if necessary, block the access authorisation of the perpetrator. block the access authorisation of the perpetrator and, in the event of breaches of licence agreements information concerned from the computers in the event of breaches of licence agreements.

2. the computer centre carries out regular checks on aspects of the IT security policy. If violations of the policy are detected (e.g. due to the activities of installed malware), the data centre reserves the the computer centre reserves the right to contact the user by telephone and and deactivate the user account. Activation of the account is only possible on site after prior consultation.

3. if the person responsible cannot be contacted or is unable or unwilling to able or unwilling to prevent such violations, the computer centre is the computer centre is obliged to inform the next higher authority (e.g. the dean) of the grievances and to instruct him or her to rectify them. and request that he or she rectify them.

4. if the measure in point 2 is also unsuccessful, the computer centre is computer centre is entitled to remove the computer in question from the network from the network or to block the services concerned or, if necessary, an entire subnetwork. block.

5. if circumstances so require (imminent danger), the data centre can also carry out blocks without consulting the the respective person responsible. The data centre is obliged in such data centre is obliged in such cases to inform the data possible) and the next higher authority immediately afterwards about the measures taken.

6. incidents that are relevant under criminal law, e.g. due to possible claims for compensation for damages, damage, must always be forwarded to the President of Fulda University of Applied Sciences.

7. in addition, the perpetrator may be required to provide written acknowledgement of the IT Security Policy. may be requested.

7.B Measures taken by the University, State and City Library (HLSB)

The measures taken by the University, State and City Library are set out in the “User Regulations of the Fulda University of Applied Sciences Sciences for the University, State and City Library (HLB) of 28 March 2019” in "§ 22 Exclusion from use".

Top of page

Legal framework

Content

1. Overview 2 Hessian Higher Education Act 3 Hessian Matriculation Ordinance
2. Hessian Data Protection and Freedom of Information Act
3. Criminal Code
4. Telecommunications Act 7 Digital Services Act
5. Copyright Act

1. overview

The legal texts are available from the Federal Ministry of Justice (https://www.gesetze-im-internet.de), on Hesse Law (https://www.rv.hessenrecht.hessen.de) or at the Hessian Commissioner for Data Protection and Freedom of Information (https://datenschutz.hessen.de/infothek/gesetze) and can be read there or downloaded as a downloaded as a PDF file.

Top of page

The following is a selection of paragraphs from some laws, relevant for research and teaching or IT security. are relevant.

2. Hessian Higher Education Act

top of page

3rd Hessian Matriculation Ordinance

Top of page

4. Hessian Data Protection and Freedom of Information Act

Top of page

5th Penal Code

Top of page

6th Telecommunications Act

Top of page

7th Digital Services Act

Top of page

8. copyright law

Top of page

Basic IT-Security

Content

1. Overview
2. Necessary and helpful programmes (technical protection)
3. Passwords and two-factor authentication
4. Personal behaviour
5. Measures in the event of a virus attack
6. System administration
7. Wireless networks (WLAN) / Server
8. Data encryption
9. Disposal of computers, printers and data carriers
10. Further information

1. overview

This document describes which programmes should at least be installed on the computers computers at Fulda University of Applied Sciences and how these programmes programmes must be configured so that a certain “basic security” is available. Since even the best security measures do not offer any protection if the users circumvent the users circumvent the protection or do not take the measures seriously measures seriously, there are also some tips on user behaviour. behaviour.

In the settings instructions from chapter 2 onwards “Start > … > …” means that you start with the Start entry in the menu bar (generally at the bottom left of the screen) and then click on an entry in the menu screen) and then start with an entry in the menu, a tab or another tab or another element that has the corresponding label. corresponding labelling.

Top of page

2. necessary and helpful programmes

(technical protection)

In order for you to be able to work with the computer at all, it requires an operating system. The operating system must always be up to date so that all known security security holes" are “plugged”. If the operating system provides an “Automatic Update” is available, this feature should be activated, as the security holes are then closed as quickly as possible. closed as quickly as possible. The current Windows operating systems from Microsoft offer this function. With Windows 10 you can you cannot actually prevent the system from updating automatically so you don’t have to do anything. If you nevertheless still want to start a manual search for updates, click in Windows 10 with the right mouse button on “Start” and then on “Settings”. Then click then click on “Updates and security” and then on “Check for updates” to start a search for current versions to start a search for current versions.

Access to the computer from the Internet or from programmes programmes on the computer to the Internet should be monitored and controlled. This task is performed by a firewall. Although all computers at Fulda University are protected by a central firewall, a local *firewall nevertheless a local firewall should be set up on each computer to protect computers within the university network (intranet). (intranet), which may be poorly maintained and therefore and are therefore infected with malware (viruses, worms, Trojans, etc.), etc.). In addition, the local firewall may be able to prevent malware from spreading from an infected computer to other computers in the from spreading from an infected computer to other computers at the university. Under Windows, for example, you can use the Windows firewall, which is included as standard in the newer Windows operating systems. Click with the left mouse button on “Start” and then select “Windows Security” (at the bottom of the programme list) if you are using Windows 10. There you should see for “Firewall & Network Protection” should say “No action required.” should be displayed. If actions are required, click on “Firewall & network protection” and then successively on “Domain network”, “Private network” and “Public network” and switch the switch there “Windows Defender Firewall” to “On”. **On Portable computers (notebooks) must have a firewall set up.

Every computer must be protected against malware (viruses, worms, Trojans, etc.) by an antivirus programme. The university Fulda uses the Sophos Intercept programme for this purpose, which must be used on all university computers. Please check all formatted attachments (Word, Excel, PDF, …) of emails for malware before you open the attachments with the corresponding programmes. open the attachments with the corresponding programmes. Further information (also for private computers) can be found on the Virus protection (Sophos) page of the computer centre.

Of course, you not only want to protect your computer but also use it. The required security settings for your email programme can be found in the separate document E-Mail and the settings for your for your web browser in the document web browser, as the number of different products is beyond the scope of this document. number of different products is beyond the scope of this document. the scope of this document. You can also open these documents via the navigation bar. The security settings for your other programmes should be researched in the Help of the programme or on the Internet.

Remember to update all programmes automatically or at least or at least regularly, so that you can prevent malware and hackers as difficult as possible.

Top of page

3. passwords and two-factor authentication

Choose a good password and keep it secret. The document Passwords describes how to create a good password and how to change it. change it. Please be sure to observe the following instructions.

1. never give your password to other people, as you as you may be held responsible for this, if your user account (Account) is misused by other people. misused by other persons.

2. do not write down your password or at least keep it far away at least far away from your computer and without any recognisable reference to your user account (never in the same room).

3. never save your passwords in files or programmes to programmes to “make your work easier”, as they can otherwise be otherwise they can be read and misused by malware. by malicious software.

4. change your password immediately if it has fallen into hands or if you suspect that it has become known to unauthorised it has become known to unauthorised persons.

5. use different passwords for different computers or different computers or activities.

6. never use your user name and password for competitions for competitions or similar.

7. never use a password on any Internet site that is similar or even the same as your own password or even the same as your own password, as this will give a potential “hacker” an opportunity to break into your computer if these details are stored in plain text.

8. if you have forgotten your password, you can a new password at the computer centre. at the computer centre. Your identity can be verified on site using a photo ID or via a video conference. video conference.

9. protect the booting of your computer (the so-called boot process) with a password (the so-called (the so-called “BIOS password”, see sections “Functions” and “Security” in the German explanation of the BIOS or better explained in the section “Configuration” in the English explanation BIOS](https://en.wikipedia.org/wiki/BIOS)) if you store personal or other sensitive data on the computer. personal or other sensitive data on the computer. This protection must also be effective if an intruder uses the computer with its own CDROM, DVD, a memory stick or something similar. wants to start the computer. If the computer does not have such BIOS password protection, personal data may not be personal data only encrypted on the hard disc. stored on the hard disc.

Access to some functions of some applications (e.g. in the Huniversity Organisation System for **study and teaching (“horstl”)) is restricted for some persons (e.g. employees and lecturers) by means of a two-factor authentication (often also referred to as “two-factor authentication”), so that these persons must identify themselves legally by a second factor in addition to the password. The system can can then verify (authenticate) the identity of the factors (authenticate) and grant them the privileges privileges (rights) to which the proven identity is entitled (authorisation). identity (authorisation). The web page for two-factor authentication of the data centre describes which procedures are supported and how they can be can be set up. Further information on two-factor authentication can also be found at Wikipedia. Please note the following information.

1. enter your second factor (smartphone with registered app registered app or hardware token for generating a one-time to generate a one-time password) to other other people, as you may be held responsible if your user account be held responsible if your user account (account) is misused by other misused by other persons.

2. if you use a hardware token, it is prohibited to hardware token* together with the end device (e.g. notebook) in the same bag. notebook) in the same bag.

3. loss of the second factor or suspicion of misuse of the second factor misuse of the second factor must be reported immediately to the IT security officer of the data centre. must be reported immediately.

Top of page

4. personal behaviour

Never enter personal data on the Internet, if it is not absolutely necessary. If necessary, make up names and addresses, when registering with web providers, discussing in forums or chatting in in chat rooms. Please also note the following tips.

1. never change your password, the configuration of the operating operating system or a programme at the request of another (unknown) person who contacts you by telephone. Never download software from the Internet at the request of another person from the Internet at the request of another person in order to install it. Never call up certain web pages and never enter any commands never enter any commands if an unknown person by an unknown person.

2. never pass on sensitive or internal information by telephone. by telephone.

3. label portable data carriers (CDROM, DVD, memory stick, etc.) containing sensitive data and lock them lock them when you leave the room.

4. ensure appropriate disposal of sensitive documents and documents and data carriers that currently contain confidential data or have contained confidential data in the past.

5. never use CDROMs, DVDs etc. from unknown sources (simply “lying around” somewhere in public) on a university computer, as the autostart function can automatically install automatically install malware on the computer. could be installed on the computer.

6. never open email attachments if you you were not expecting the email and before you have checked the attachment have checked the attachment for malware. Remember that the sender may be forged.

7. never forward an email just because the email asks you to. it is requested in the email. Do not contribute to the spread malware or spam e-mail.

8. do not send sensitive information by email or only in encrypted form.

9. protect your computer with a password-protected screen saver or log off when you leave the room. when you leave the room.

10. make sure that you always have the latest antivirus and antivirus and anti-spy software is always installed on your computer and use an up-to-date firewall.

11. never deactivate or remove the antivirus software or the antivirus software or the firewall without the permission of the data centre.

12. no one may download or use software that enables the circumvention of protection mechanisms. Exception: System administrators and system administrators to check and maintain the security of the systems.

13. no one may connect their own network access to their workstation computer without the computer centre without the consent of the computer centre.

14. students are not entitled to data backup and restoration, so that they may have to back up important data themselves. back up important data themselves.

15 Pay attention to security-relevant incidents and report them. report them.

Top of page

5. measures in the event of a virus attack

If you suspect or even know that your computer has been infected by one or more one or more malicious programmes (viruses, worms, Trojans, etc.) you should take the following measures.

1. disconnect the infected computer as quickly as possible possible from the university network**, to avoid further damage by spreading the malware to other other systems. The affected system should not be disconnected from the power supply and also not be shut down, so that forensic analyses can be forensic analyses can be carried out later to investigate the malware and the damage caused and so that measures can be taken to contain consequential damage. can be taken.

• If the computer is connected to the university network with a **network cable university network, the cable should be disconnected. The cable is provided with a tick, which is sometimes hidden under a plastic cover and must be pressed down before disconnecting. must be pressed down before disconnecting.

• If the computer is connected to the university network via the wireless network (WLAN), you should university network, you should try to switch off the network via the WLAN switch or the touch-sensitive screen (*touchscreen screen (touchscreen) to switch off the network. If the malware prevents this, you should try to switch off the switch off the device by pressing the on/off button for several seconds. In this case disconnect the device from the power supply if it is and remove the battery if this is possible. possible.

Then immediately inform the helpdesk of the data centre and the person computer centre and the person responsible for the administration of the computer.

2. also report the incident to your IT security officer or your IT security officer, who may be able to assist you in cleaning your computer or tell you who can help you, remove the malware from your computer. Depending on depending on the type of infection, it may be necessary to reinstall the computer and restore the data from a from a data backup, as this is the only way to ensure that the that the malware has been completely removed. has been completely removed.

3. if a new installation is not necessary and you want to you want to remove the malware yourself, you will need a so-called rescue CD, which contains a boot-compatible operating system and antivirus software (e.g. Desinfec’t). You will need to remove the CD/DVD or the memory stick on a different computer and then start your computer from this medium so that you have a “virus-free” environment. Then you can scan your hard drive with the antivirus programme and remove the malware. If no virus is found, your computer may still be infected with malware that the antivirus programme just cannot find. In this case, be sure to contact the computer centre before you reconnect your computer to the university network.

4. to ensure that your computer is not immediately infected with malware again immediately, you should update the software on your computer computer software and, if you have not already done so, install an antivirus programme and a local firewall. You will find information on this in Chapter 2 of this document.

5. the computer centre and the local system administrators are system administrators are obliged to ensure the operation and security operation and security of the university network and carry out the following actions if there is imminent danger is imminent:

• If necessary, they block the IP address at the next possible location.

• If the infected computer is in the university network via the (WLAN) in the university network, block the user account user account and interrupt the connection.

• They notify the user or the administrator responsible or the responsible administrator about the error. administrator responsible about the error.

Top of page

6. system administration

System administrators have a special responsibility and special responsibility and should ensure that in their area of responsibility the IT security policy is implemented and adhered to. They should also observe the following instructions.

1. user accounts should be created in such a way that only good passwords can be used and that the user user account is blocked if a password is entered incorrectly several times password is entered incorrectly (if the system offers these possibilities).

2. change default passwords of telephone systems, computers, network components etc. and, if necessary, block standard users (guest (guest accounts) to protect the systems.

3. regular data backups should be backups should be carried out and the data backup media should stored in fireproof and burglar-proof cabinets if necessary fireproof and burglar-proof cabinets where necessary for the data inventory. If personal or other sensitive data is stored externally, they should be stored in encrypted form.

4. change or block the computer access authorisation, when a person leaves the university or is assigned a new receives a new area of responsibility. The required data must be from the Student Service Centre (SSC) for students and by the Human Resources Department for staff to the Computing Centre, which immediately forwards the data immediately to all system administrators and system administrators. to all system administrators.

5. if a system administrator leaves the university, the system administrator leaves the university, **all system passwords must be changed immediately and, if necessary, the password files or databases must be searched for new for new accounts with privileges in order to privileges to ensure the security of the systems. Under UNIX-like operating systems, it may also be necessary to search for programmes with privileges (SUID or SGID bit set) that do not that are not part of the normal operating system.

6. temporary user accounts should be deactivated if the project for which they were set up has been terminated. they were set up.

7. users may not deactivate their user account deactivate by telephone or have it activated. Deactivation or activation can only be only be arranged in writing or in person. If the person is not known, the identity must be be verified beforehand. The verification can be carried out on site using photo identification or via a video conference. video conference. In the case of written applications, it should it should also be clarified whether the application was actually person has actually made the application.

8 System administrators should download and use software use software that makes it possible to check and maintain the security security of the systems (e.g. Password Cracker for checking verification of good and bad passwords passwords if the system allows access to the passwords). passwords).

Top of page

7. wireless networks (WLAN) / server

The following provisions apply to the operation of wireless networks (WLAN) and servers. the following provisions apply.

1. the departments and central facilities may own wireless networks that allow access to the general computer computer infrastructure may only be operated with the consent of the computer centre. Isolated radio networks for for training may be set up and operated as required. as required.

2. network access to productive radio networks may only take place via user authentication. Access via hardware or IP addresses is not permitted.

3. data traffic in wireless networks must be encrypted. Under no circumstances may passwords be transmitted in plain text be transmitted in plain text in a wireless network. Instructions for setting up the WLAN can be found on the website WLAN (eduroam) of the computer centre.

4. the access data (IP address, user account, time) for productive wireless networks productive wireless networks must be logged.

5. the departments and central facilities may operate their own servers that are connected to the university network, only with the approval of the computer centre. Isolated servers in closed laboratory networks for may be set up and operated as required. as required.

6. no servers may be operated in wireless networks.

7. servers* may only be managed via external access points using a secure VPN connection. Information on setting up the VPN software can be found on the web page VPN access of the computer centre.

8. the VPN access software, the configuration file for the VPN software the VPN software and the user ID and password for dialling into the for dialling into the wireless network of Fulda University of Applied Sciences not be passed on to other persons.

Top of page

8. data encryption

There are many products that support the encryption of data. encryption. If you want to send sensitive data as an attachment to an email, you can compress and encrypt the file or files for example with the programme 7-zip and encrypt it. The password for decryption can then be communicated to the recipient by telephone, for example. “7-zip” also supports the encryption of the archive directory (header encryption), so that an unauthorised person unauthorised person cannot even find out the names of the files in the archive. the names of the files in the archive.

If you work on your hard drive on a daily basis, you do not want to encrypt and decrypt the files manually, especially as the files would then be stored unencrypted on the hard drive for the would be stored on the hard drive for the duration of processing. For this you need product that encrypts the data automatically and transparently for you (on-the-fly) encrypts and decrypts the data. These products can be into two classes:

1. products that encrypt files or all files in a file directory directory. This category includes, for example the product Encrypting File System (EFS), which is an extension of the of the NTFS file system from Microsoft and can therefore be used in every modern Windows* operating system. Since temporary files in the Windows world are often are often stored in other directories or even in other partitions partitions, it can happen that the temporary files are stored files are available unencrypted after processing (the temporary (the temporary file is deleted, but its content is not destroyed content is not destroyed, so that it could be be restored later).

2. products that create an encrypted partition in a file (a so-called file (a so-called container) or encrypt a complete encrypt a complete partition of the hard drive. They are then divided into products that can only encrypt can encrypt data partitions and those that can can also encrypt system partitions. If a can encrypt both data and system partitions, the entire hard disc the entire hard drive can be encrypted. This group This group includes, for example, the commercial product SecurStar DriveCrypt and the free product VeraCrypt. Wikipedia presents in the article Comparison of disk encryption software" describes the features, availability, up-to-dateness etc. of many hard disk hard disc encryption programs. Microsoft Windows offers for some operating system versions the programme BitLocker for some operating system versions.

A detailed description of the use of these programmes would beyond the scope of this documentation. Further information can be found Wikipedia 7-zip, Encrypting_File_System, VeraCrypt, BitLocker.

Top of page

9. segregation of computers, printers and data carriers

When disposing of computers and data carriers, you should data carriers, you should remember that the data is not physically destroyed or overwritten when the files are deleted, so that they can be restored later under certain be restored later. It is therefore essential that you observe the following notes.

1. make sure that sensitive documents or data carriers data carriers (hard disk, CDROM, DVD, memory stick, etc.) containing personal or other sensitive data data are not destroyed in a recoverable manner (e.g. using a shredder, where possible) before they are possible) before they are discarded.

2. ensure that hard drives are completely magnetised if necessary magnetised or destroyed in such a way that they cannot be cannot be recovered if they contain personal or other sensitive data. or other sensitive data.

3. remember that (network) printers are often equipped are often equipped with hard discs on which files are temporarily files before printing and therefore do not forget to destroy the data on these hard disks before the printer is discarded. is discarded.

4. many devices store configurations in flash memories. Remember to delete the configurations before before removing the device from service, as knowledge of the configuration knowledge of the configuration may facilitate an attack on the IT infrastructure.

5. remember that under certain circumstances multi-function devices, scanners, fax machines etc. may also be equipped with hard disks or flash memories on which data is stored temporarily. data is stored temporarily. Delete this data before you discard the device.

Top of page

10. further information

Modern copiers are generally equipped with hard discs, on which the copies are temporarily stored before printing. Do not forget to destroy the data on the hard discs, before the copier is discarded. If the copier is also used to copy personal or other sensitive data is to be copied on the copier, the photocopier should always be installed in a locked room and not be and should not be connected to the university network. The data can be read if a computer can be connected to the copier and the computer can be connected to the copier and the administrator password is known password is known (for many copiers, the standard password together with the the operating instructions on the Internet). Some copiers can be equipped with a module to securely erase the hard disc. hard disc.

Top of page

Imprint

Imprint

I object to any commercial use and disclosure of my data. of my data.

Journalistic-editorial responsibility: The IT Security Officer of Fulda University of Applied Sciences Leipziger Str. 123 D-36037 Fulda Phone: +49 (0)661 / 9640 - 1073 E-mail: isb(at)hs-fulda.de

Disclaimer

Despite careful control of the contents I do not assume no liability for the contents of external links. They do not not an offer of the Fulda University of Applied Sciences. For the content of these The operators of these pages are solely responsible for their content.