IT Security Strategy (IT-SL)

VERSION 28.02.2025

The IT Security Strategy (IT-SL) was adopted by the Executive Board of Fulda University of Applied Sciences on 28 February 2025 and has been in force since then.


PREAMBLE

Fulda University of Applied Sciences (HFD) recognises the central role that information technology (IT) plays in the academic and administrative environment. The security of these technological resources is of paramount importance in order to ensure and sustain the integrity, confidentiality and availability of data and IT services. This IT Security Strategy (IT-SL) serves as a framework to ensure comprehensive protection of the university’s IT systems and data in a continuous security process. It is essentially based on the best-practice recommendations for IT security at universities, which were created as a template by the ZKI IT Security Working Group. The need to define an IT-SL is derived from Section 3 (1) of the Hessian IT Security Act (HITSiG).

The aim of this IT-SL is to create uniform security standards that ensure proper IT operations while striking a balance between academic freedom and the need for IT security. In order to achieve this goal, all university institutions must recognise the protection of data and information technology as a common challenge.


§1 OBJECT OF THE IT-SL

The IT-SL determines the organisational structure required for the IT security process at HFD (structural and procedural organisation) and defines tasks and responsibilities.


§2 SCOPE

The IT-SL applies to the entire information technology of HFD in its academic and non-academic institutions, and to everyone who uses or provides it. It is binding for the Executive Board, all departments, staff units, the central administration, all central or other institutions and all affiliated institutions of the university, as well as for other companies and persons who are commissioned with IT-security-relevant activities for and on behalf of HFD. The same applies to all HFD partners not mentioned in the above list whose actions affect HFD’s IT security interests.


§3 PARTIES INVOLVED IN THE IT SECURITY PROCESS

The main responsibility for the IT security process lies with the university management. It therefore appoints the following committees and functionaries and involves existing institutions in the IT security process:

(1) Presidential Board

(2) Information Security Unit (SIS)

(3) IT Security Management Team (SMT)

(4) Computer Emergency Response Team (HFD-CERT)

(5) Decentralised IT Security Officers (dIT-SB)

(6) Computer centre (RZ)

(7) Data Protection Officer of the university (DPO)

(8) Departments, staff units, central administration, university library, central and other facilities of the university and their users

The parties involved in the IT security process work together in all matters relating to IT security, provide each other with the necessary information and regulate the communication and decision-making channels both among themselves and in relation to third parties. In particular, the urgency required in crisis situations must be taken into account.


§4 ESTABLISHMENT OF THE SECURITY ROLES

  1. INFORMATION SECURITY UNIT (SIS)

(1) The university management shall establish an Information Security Unit (SIS), which reports directly to the Executive Board.

(2) The SIS consists of an Information Security Officer (ISB) and a Central IT Security Officer (zISB).

(3) The ISB and the zISB deputise for each other.

(4) Organisationally, the SIS is located in the Vice President’s Office for Teaching and Digitisation.

  2. IT SECURITY MANAGEMENT TEAM (SMT)

(1) The Presidential Board shall set up an IT Security Management Team (SMT). The SMT is the university’s central control body for IT security.

(2) The composition of the SMT should reflect both the different areas of responsibility of the university and the different aspects of IT security relevant to the university, while limiting the number of members to the necessary minimum.

(3) The SMT consists of the following permanent members:

i) Representative of the Presidential Board (VPLD)

ii) Representation of the Information Security Unit (SIS)

iii) Information Security Officer of the HLSB (ISB HLSB)

iv) Representation of the management of the HFD-CERT

v) Representation of the management of the computer centre

vi) In an advisory capacity: the Data Protection Officer of HFD

(4) By resolution of the SMT, it can be expanded to include advisory experts if required.

  3. COMPUTER EMERGENCY RESPONSE TEAM (HFD-CERT)

(1) The members of the Computer Emergency Response Team of Fulda University of Applied Sciences are proposed by the SMT and appointed by the Presidential Board. HFD-CERT members are appointed exclusively from the full-time staff of the university.

(2) The HFD-CERT is organisationally assigned to the Computer Centre.

(3) The HFD-CERT is composed of the following members who are authorised to make decisions:

  • Head of the HFD-CERT (who must be qualified for the operational and technical tasks arising within the HFD-CERT).

  • HFD-CERT staff: at least three further IT security experts from areas such as networking, identity management, e-mail servers and gateways, critical infrastructure, or facilities with a distinctive IT infrastructure.

  • By decision of the HFD-CERT, further experts may be added if necessary, while keeping the number of members to the necessary minimum.

(4) One member of the HFD-CERT deputises for the head of the HFD-CERT.

(5) The HFD-CERT works confidentially and directly with the SIS, coordinates with it on key issues and reports to the SMT on its activities at regular intervals, at least twice a year.

  4. DECENTRALISED IT SECURITY OFFICERS (dIT-SB)

(1) Each department, academic, central and other institution of Fulda University of Applied Sciences that operates IT systems shall appoint a decentralised IT security officer (dIT-SB).

(2) A dIT-SB may be responsible for several institutions.

(3) The appointments must cover the entire scope of application, i.e. a dIT-SB is assigned to each IT system and each user.

(4) Personnel continuity must be ensured in the appointment, i.e. the persons appointed should belong to the full-time staff of the university.

(5) If an institution does not appoint a dIT-SB, the SMT may appoint a temporary dIT-SB.

(6) The tasks and authorisations of the dIT-SB are described in this IT-SL or the subsequent documents based on it.


§5 IT SECURITY DOCUMENTS

(1) The IT Security Strategy (IT-SL) provides the strategic and organisational framework for the IT security process. It is adopted by the Executive Board and reviewed on its behalf after six years at the latest.

(2) Subordinate to the IT-SL is the IT security concept (IT-SK), which is based on best-practice recommendations (e.g. BSI Standard 200-1). The IT-SK is the documentation of the IT security process. In it, the Information Security Unit and the HFD-CERT record identified risks and the associated, binding technical and organisational measures. The IT-SK is reviewed regularly.

(3) The framework conditions and regulations required to implement the IT-SK are documented in the IT Security Guideline (IT-SR), which is proposed by the SIS and approved by the SMT. It contains descriptions of the initial situation, the basic protection measures, the implementation of IT security as a continuous updating process and the IT infrastructure as a basic component of IT deployment, and, where necessary, a specification of the tasks or roles of those involved in the IT security process. In addition, instructions on special organisational measures and guidelines for dealing with certain risks and protection requirements may be included. These are also binding and are reviewed regularly. Initially, the IT-SR may be adopted before the IT-SK is finalised, but it must then be developed further in close coordination with the IT-SK and adopted by the SMT.

(4) Further topic-specific guidelines, work instructions, regulations, recommendations and specifications for dealing with specific risks are added downstream of the IT-SR. The same applies to emergency concepts and emergency plans. They are proposed by the SIS and approved by the SMT or, depending on the scope of validity of the respective document, by the other persons responsible for the procedures concerned or by the relevant heads of department, i.e. the heads of the departments concerned, the staff units, the central administration, the central or other institutions and the affiliated institutions of the university.

(5) Each of these documents expressly defines its own scope of application and its binding nature. The revision intervals of the documents downstream of this IT-SL are specified in the respective document.


§6 TASKS OF THE PARTIES INVOLVED

(1) The Executive Board of the university shall give the IT security process sufficient priority so that the tasks associated with it can be carried out immediately and comprehensively.

(2) The SMT draws up and adopts the standardised framework guideline for IT security at Fulda University of Applied Sciences and is responsible for updating and monitoring the IT security process, including the development of emergency plans. The SMT issues the university’s internal technical standards for IT security. It is also responsible for the training and further education of the decentralised IT security officers and supports them in implementing the guidelines.

(3) The Information Security Unit is responsible for implementing the IT security framework guideline at the university and is supported in this by the SMT. It is the point of contact for all security-related issues, both externally and internally. The SIS documents security-relevant incidents, prepares an annual IT security report and develops a training and further education plan on cyber security topics for all employees of Fulda University of Applied Sciences.

(4) The dIT-SB are responsible for the implementation of the IT security process in their institution.

(5) Despite the appointment of the dIT-SB, the responsibility of the departments, the staff units, the central administration, the central and other institutions and the affiliated institutions of the university for IT security in their areas remains unaffected. In all matters relating to IT security, they are obliged to consult the responsible decentralised IT security officers and the SIS. The users of the IT infrastructure assigned to them must comply with the regulations and specifications of the IT security documents (IT-SL, IT-SK, IT-SR), the user regulations of HFD and the instructions of authorised IT security roles.

(6) The University Computer Centre is responsible for the system, network and operational aspects of IT security. The computer centre provides significant support in ensuring information security and coordinates IT emergency management. It also supports all IT-SBs, the HFD-CERT and the SMT in technical matters.

(7) The HFD-CERT is responsible for overarching coordination and, at the operational level, for the timely response to security incidents and computer misuse in the context of the use of the information infrastructure. The HFD-CERT is responsible for designing and implementing measures to prevent security incidents and to keep any damage that does occur to a minimum. The HFD-CERT supports the dIT-SB and the SMT in technical matters and intervenes independently to avert danger in an emergency. It regularly prepares a situation report for the SMT on the IT security situation at Fulda University of Applied Sciences. The management of the HFD-CERT reports regularly to the SMT on operational measures and reports immediately to the SIS in acute cases. HFD-CERT members are authorised to issue instructions to users and IT operators in IT emergencies, IT incidents and crisis situations.

(8) The staff council of the university is involved in accordance with §69 of the Hessian Staff Representation Act.

(9) Insofar as data protection issues are concerned, the university’s Data Protection Officer is consulted.


§7 REALISATION OF THE IT SECURITY PROCESS

(1) The SIS shall design a university-wide information and communication system through which all participants in the IT security process stay in contact, and manages the information security management system (ISMS).

(2) The decentralised IT security officers are obliged to obtain up-to-date security-relevant information and are supported in this by the SIS. In addition, the system operators shall provide the dIT-SB with all requested information that is necessary for reporting to internal and external superordinate bodies, and the dIT-SB shall pass this information on to the SIS and the HFD-CERT in a complete and structured manner. The dIT-SB shall arrange for the IT security measures necessary to avert danger in their area. To this end, they must be given the necessary competences by the management of their institution.

(3) Those involved in the IT security process shall inform each other immediately, comprehensively and completely about security-relevant incidents. The SIS must be informed of every incident.

(4) The Information Security Unit may access all information that arises during the implementation of the IT security process in the individual organisational units. If the information obtained is protected under data protection law, this must be documented. If recurring processes arise in which personal data are regularly used, these processes must be described in a record of processing activities. Furthermore, the user concerned must be notified in the cases prescribed by law. If workplace- and personnel-related data of university employees are required, the staff council must be informed. If rapid action is required in a specific situation, for example in an emergency, it is sufficient to do this afterwards.

(5) For the continuous further development of the IT security framework guideline, the SMT should meet regularly, but at least twice a year. Those involved in the IT security process may submit proposals to the SMT for this purpose.

(6) This IT-SL shall be reviewed and updated by the SMT after two years to ensure that it remains relevant and effective. Changes become effective after approval by the university management.


§8 DEALING WITH SECURITY INCIDENTS

(1) In the event of an IT security incident or emergency, the instructions of the HFD-CERT members and/or the Information Security Unit (SIS) must be followed immediately.

(2) In the event of a breach of the IT-SL or its binding follow-up documents (see §5), the SIS or the members of the HFD-CERT may order the immediate, temporary shutdown of the IT system concerned and may temporarily bar the responsible users from using the information technology. In this case, the responsible dIT-SB must be informed of the incident immediately.

(3) In such cases, the computer centre may temporarily block network connections or network segments. The computer centre must immediately inform the HFD-CERT, the SIS and the responsible dIT-SB of the incident.

(4) Temporarily shut-down IT systems are subject to a thorough, in-depth review and approval by the responsible dIT-SB.

(5) The exclusion of a user who has been temporarily barred from using the information technology is lifted by the blocking authority as soon as proper use appears to be ensured again. A permanent restriction on the use of an IT system is only considered in the case of serious or repeated violations, if, despite prior warnings, proper operation can no longer be expected in the future. The decision is made by the Information Security Unit after detailed consultation with the SMT and the responsible dIT-SB. Possible claims of the university and the system operator arising from the user relationship remain unaffected.

(6) The SMT determines the IT services for which the Information Security Unit draws up emergency plans. These contain instructions for action in emergency situations and in the event of incidents and are divided into a generally accessible notification plan, an emergency concept for service use and a detailed emergency manual, which is available in printed form at the SIS and in a designated room for crisis management.

(7) The HFD-CERT, together with the SIS, shall investigate all incidents and take appropriate remedial and preventive measures.


§9 VALIDITY

This IT-SL shall be valid upon its publication following a resolution by the Executive Board.
