IT Security Guideline (IT-SR)

VERSION 23.10.2008

The IT Security Guideline (IT-SR) was adopted on 23 October 2008 by the Presidential Board of Fulda University of Applied Sciences and has been in force since then.

Content

  1. Overview
  2. Introduction
  3. Promoting security awareness
  4. Minimum standards for the operation of a computer
  5. Minimum standards for the operation of a network
  6. Use contrary to the rules
  7. Consequences of non-compliance with the IT security policy

1. Overview

Fulda University of Applied Sciences expects users of the university’s computers and networks to behave responsibly when using them. In response to violations of the security guideline or of legal provisions, Fulda University of Applied Sciences and its organisational units are entitled to withdraw access authorisations from users temporarily or permanently, to delete data from Fulda University of Applied Sciences computers if necessary, and to remove computers from the network. In the event of ambiguities or in cases of dispute, the IT Security Officer of Fulda University of Applied Sciences and, in the second instance, the head of the university’s computer centre decide on such measures.

Based on the User Regulations for Computers and Networks at Fulda University of Applied Sciences, this guideline details the general rules for the use and operation of computers and networks with regard to IT security. If you notice a security-relevant event, please report it. You will find instructions in the document “Report IT security incident”.

1.A Reason

Fulda University of Applied Sciences would like to enable all users to work efficiently and undisturbed. The IT security guideline therefore contains a list of prohibited behaviour (improper use) which every user can demand that others refrain from, in order to protect themselves from harassment and threats and to protect Fulda University of Applied Sciences and its organisational units from damage and legal consequences. In order to ensure flawless operation, the IT security guideline defines standards for the security of computers, networks and data. These are minimum requirements. The organisational units of Fulda University of Applied Sciences can lay down stricter rules in writing for their area of responsibility.

1.B Scope of validity

The IT Security Guideline is binding for all members of Fulda University of Applied Sciences and for all persons who are authorised to use computers and networks at Fulda University of Applied Sciences.

In addition, it forms the basis for reactions to all security-related incidents from outside.

1.C Version

Version 1.0 from 23 September 2008

At this point, revisions to the document are noted with a brief summary of the changes. The guideline should be reviewed regularly (e.g. every two years). Serious changes to the technologies used, or changes of an organisational nature, may result in short-term revisions.

2. Introduction

The use of computers and networks has become an everyday routine for members of Fulda University of Applied Sciences. When used properly, it facilitates many activities, and some work would be inconceivable without computers. Negligent or even unlawful use, on the other hand, can infringe the rights of other users. Fulda University of Applied Sciences therefore requires all users to behave carefully and responsibly when using computers and networks.

In principle, within the framework of the legal provisions, it is left to the discretion of each individual user, or of the departments and facilities of Fulda University of Applied Sciences, in what manner computers and networks are used. This practised approach of maximum openness has proved its worth over the years and should be maintained. However, the experience of recent years has made it clear that there must be a generally recognised consensus on which irregular use is not accepted, which minimum standards for the operation of a computer or a network are binding, and which consequences are drawn in the event of non-compliance with the guideline.

The purpose of the IT security guideline is to formalise these topics and to provide all users with a uniform basis on which to decide which use is compliant and which measures are to be taken.

Due to maximum openness, misuse cannot be ruled out a priori. The IT security guideline is intended to accelerate the detection of security problems in order to minimise the damage to each individual and to Fulda University of Applied Sciences. It is intended to serve as a guideline for one’s own actions and for judging the actions of others. This also reduces the probability that violations will remain without consequences.

Fulda University of Applied Sciences relies on users to report security problems to the computer centre and to their responsible IT security officers (the contact persons of the organisational units), and on system administrators to rectify recognised deficiencies in their area of responsibility themselves. The complete list of contact addresses is updated regularly.

3. Promoting security awareness

The following measures are intended to promote security awareness.

3.A Users

  • Users should keep themselves informed about changes to the security guideline.

  • Actions that become necessary due to a change in the security guideline must be carried out immediately.

  • Violations or suspected violations of the security guideline must be reported immediately to the responsible IT security officer.

  • Regular participation in training on the topic of IT security is recommended.

3.B Administrators

  • All of the above measures for users and additionally

  • Informing users about security-relevant incidents, threats, etc.

  • Training users, in particular on relevant topics for maintaining and increasing IT security (also for new users).

  • Providing information about vulnerabilities and threats in the software used.

4. Minimum standards for the operation of a computer

In order to ensure the proper operation of a computer or an active network component, at least the following requirements must be met. In addition, the applicable security measures of the computer centre must be observed.

  1. The system must be professionally installed.
  2. The necessary security patches or upgrades must be installed promptly.
  3. If a system does not have suitable protection mechanisms, it must be protected on the network side, e.g. by a firewall.
  4. User accesses that are no longer used must be removed.
  5. Passwords must be changed immediately if they have fallen into unauthorised hands or if there is a suspicion that they have become known to unauthorised persons; secure passwords or stronger authentication methods (e.g. public key) must be used.
  6. Passwords may not be sent in plain text across the boundaries of the university network and, if possible, should also not be transmitted in plain text within the university network.
  7. Passwords should never be stored on the hard drive in order to avoid having to enter them in a programme.
  8. If a procedure in which personal data is processed is introduced or significantly changed, a record of processing activities pursuant to Article 30 GDPR must be drawn up beforehand. The result must be sent to the data protection officer of Fulda University of Applied Sciences.

If a user of a computer becomes aware of security deficiencies, he or she is obliged to report them to the person responsible for system administration or, if he or she does not know that person, to the IT security officer of the organisational unit. The IT security officer is obliged to report information known or made known to him or her about security deficiencies of a computer to the person responsible for system administration. This person in turn is obliged to take appropriate countermeasures.

5. Minimum standards for the operation of a network

A network operation within the meaning of this guideline exists if dedicated network hardware (e.g. router) is operated or network services are offered at the logical level, such as NAT gateways, DNS or DHCP servers.

  1. At least one responsible person must be named for each area (subnet, IP range, DNS domain), preferably several persons so that a responsible person can always be contacted in the event of errors or security incidents, who is also technically capable of carrying out emergency measures.

  2. Access to the network must not be uncontrolled. Access must be regulated either physically (closed room) or administratively, by access lists, VPN access or similar.

  3. If IP addresses are assigned, it must be possible to trace who or which device had a given IP address at a certain time.

  4. The locations of all components in the network, including those of the connected computers, must be known to the responsible persons.

  5. The names and/or addresses of the network components (including the computers) should be visible on the outside of the device.

6. Improper use

The rule violations defined in the security guideline are categorised into the following four areas. Behaviour sanctioned under criminal law is always against the rules.

6.A Use of electronic communication to attack individuals or groups of individuals

A1) Disseminating or circulating information that insults or degrades individuals (e.g. on the basis of their skin colour, nationality, religion, gender, political opinions or sexual orientation).
A2)
A3) Multiple unsolicited sending of messages.

6.B Use of electronic communications to obstruct the work of others

B1) Obstructing the work of others (e.g. through mail bombs and similar techniques).
B2) Appropriation of resources beyond what is authorised (e.g. extreme data traffic).
B3) Sending electronic mass mailings (e.g. SPAM e-mails). Exception: distribution of official messages in analogy to internal mail.
B4) Forwarding or circulating electronic chain letters.
B5) Unauthorised manipulation of electronic data of others.
B6) Accessing third party data without their permission.

6.C Offences against licence agreements or other contractual provisions

C1) The use, copying and distribution of copyrighted material in contravention of the Copyright Act, the Statutes of Fulda University of Applied Sciences for Safeguarding Good Scientific Practice, licence agreements or other contractual provisions on computers of Fulda University of Applied Sciences or the transport of these documents via networks of Fulda University of Applied Sciences.
C2) Infringement of copyright by falsification of electronic documents.
C3) Passing on access authorisations to third parties (e.g. accounts, passwords, Fulda University chip cards).

6.D Use of electronic communication for attacks against computers, the network or services provided on it

The following violations must be reported to the respective IT security officer of the organisational unit and of Fulda University of Applied Sciences!

D1) Systematic investigation of servers and services (e.g. port scans). Exception: Security tests after consultation with the person responsible for system administration.
D2) Unauthorised appropriation of access authorisations or attempts to do so (e.g. cracking). Exception: security tests after consultation with the person responsible for system administration.
D3) Damage to or disruption of electronic services (e.g. denial of service attacks).
D4) Intentional dissemination or circulation of malicious programmes (e.g. viruses, worms, Trojan horses).
D5) Spying on passwords or attempting to spy on them (e.g. password sniffer).
D6) Unauthorised manipulation or falsification of identity information (e.g. email headers, electronic directories, IP spoofing, etc.).
D7) Exploitation of recognised security flaws or administrative deficiencies.

7. Consequences of non-compliance with the security guideline

Experience has shown that most violations result from ignorance of the security guideline or from technical inadequacy. In such cases, it will be sufficient if the perpetrator is informed about the violation of the security guideline of Fulda University of Applied Sciences and requested to refrain from further violations. In the event of breaches of licence agreements, the corresponding data on the affected computers is deleted. If it can be assumed that recognised violations will also affect other departments, institutions or organisations (including those outside Fulda University of Applied Sciences), the responsible persons concerned and possibly the Fulda University Computer Centre must be informed (e.g. in order to block a user who also has access authorisations on other computers).

If the direct request is unsuccessful or the identity of the perpetrator cannot be determined, the computer centre of Fulda University of Applied Sciences should be involved in solving the problem. The computer centre should preferably be contacted via the e-mail address provided for this purpose.

In addition to the description of the problem, it should always be explicitly stated which point of the security guideline has been violated. In case of disagreement about the correctness of the complaint, the IT security officer of Fulda University of Applied Sciences and, in the second instance, the head of the computer centre decide.

7.A Measures taken by the computer centre

  1. The computer centre will ask the person responsible for the network or computer to stop rule violations, if necessary block the access authorisation of the perpetrator and, in the event of breaches of licence agreements, delete the information concerned from the computers.

  2. The computer centre carries out regular checks on aspects of the IT security guideline. If violations of the guideline are detected (e.g. due to the activities of installed malware), the computer centre reserves the right to contact the user by telephone and to deactivate the user account. Reactivation of the account is only possible on site after prior consultation.

  3. If the person responsible cannot be contacted, or is unable or unwilling to prevent such violations, the computer centre is obliged to inform the next higher authority (e.g. the dean) of the grievances and to request that he or she rectify them.

  4. If the measure in point 2 is also unsuccessful, the computer centre is entitled to remove the computer in question from the network or to block the services concerned or, if necessary, an entire subnetwork.

  5. If circumstances so require (imminent danger), the computer centre can also carry out blocks without consulting the respective person responsible. In such cases the computer centre is obliged to inform the person responsible (if possible) and the next higher authority immediately afterwards about the measures taken.

  6. Incidents that are relevant under criminal law, e.g. due to possible claims for compensation for damages, must always be forwarded to the President of Fulda University of Applied Sciences.

  7. In addition, the perpetrator may be required to provide written acknowledgement of the IT Security Guideline.

7.B Measures taken by the University, State and City Library (HLSB)

The measures taken by the University, State and City Library are set out in the “User Regulations of Fulda University of Applied Sciences for the University, State and City Library (HLB) of 28 March 2019”, in “§ 22 Exclusion from use”.