2.4 Organisation and coordination of information and IT-security at a university/college

Introduction

The university/college's information security policy, established xxxx-xx-xx, states that there is to be a central function for coordination of information security at the university/college. After this level the responsibility for information security is allocated according to the current university/college delegation procedures.

It is assumed that the university/college uses existing IT resources efficiently in its operations. A precondition for this is that these resources are perceived as being reliable, which means that activities concerned with information security at the university/college must be given very high priority.

Central function for coordination of information security

This central function bears special responsibility for information security and owns the task of coordinating and revising activities concerned with information security at the University/college.

The information security function is located within the university/college's central administration. The task of this information security function is to continuously monitor information security at the university/college and ensure that policies, guidelines and other regulations are complied with. Another task of the information security function is to propose information security measures, follow up these measures and initiate development projects within the information security field. The information security function reports on a continuous basis to the President/Vice-Chancellor/Management of the university/college.

The information security function is responsible for coordination, support and information concerning information security at the university/college. The function also initiates development projects within information security and will form part of an expert function in all major IT projects.

Information Security Manager, Security Group and Reference Group

The Information Security Manager leads, and is responsible for, the information security function. In addition to the Manager, the function includes an Information Security Group which consists of individuals possessing special competence within the information security field. The tasks and responsibilities of the Information Security Manager must be documented and the function will work with its own budget. Tasks may not comprise responsibility for day-to-day operations or equivalent operations. The Information Security Group will play a guiding and developing role within, for example, technology steering committees.

In addition, the Information Security Manager will also be supported by an Advisory Reference Group consisting of representatives from operations possessing competence within the information security field, including legal advisers and system owners. Information security issues are initiated by this group and must be broadly accepted by it in order to assist the information security function.

Mandate

The primary task of the information security function is to create the preconditions for and to ensure that information security at the university/college is of a sufficient level to ensure credibility as regards the management of the university/college's information. The information security function will prepare issues for discussion by the Management Team, set up requirement levels for information and information security at the university/college, provide support and follow up operations through a process of continuous monitoring. Please also refer to the Delegation section.

Work forms

The information security function consists of the Information Security Manager, and when considered necessary, an Information Security Group. The information security function is staffed by a Manager (Information Security Manager), with clearly defined responsibility for the information security function. The Information Security Group will assist the Information Security Manager with studies, inspections, etc.

The Reference Group will receive continuous reporting on the operations of the function, operational planning proposals and budget. The Information Security Manager and IT operational function will cooperate on joint issues. The information security function will state requirements for operations while the IT operations function's responsibility is to ensure that operations are secure, in accordance with the university/college's policies, guidelines and other regulations. The Information Security Manager will work in collaboration with the Working Environment and Physical Security Manager and with systems owners and project managers.

Organisational location

The information security function should form a separate unit and is not to be part of the operations function. As far as professional matters are concerned, the Information Security Manager should be immediately subordinate to, and report directly to, the university/college management and be located as a staff function in the organisation.

Incident Response Team, IRT

There is to be an IRT function at the university/college, organisationally located at the IT operational function. This function is to be independent as concerns the day-to-day IT operations with its own area of responsibility and its own budget. The Group is to consist of experts within the information security field. Its task is to work in a preventative and investigative manner as concerns hacking, viruses, SPAM and similar types of attack. The Group will include IRT operator/s with specially delegated powers to examine and possibly stop operations in emergency situations. The Group will collaborate with the Information Security Officers in the various units.

The IRT Officer will cooperate with, and report to, the Information Security Manager. Please also refer to the Delegation section.

Responsibility for information security at the university/college

Each person responsible for operations is also responsible for information security within their operations in accordance with university/college policies, guidelines and other regulations. Please also refer to the Delegation section.

All employees and students bear responsibility for their own application of current policies, guidelines and regulations within their respective fields of responsibility.

Delegation

On xxx-xx-xx, the Board adopted an Information Security Policy for the university/college.

The President/Vice-Chancellor has accordingly decided that information security will be organised as follows:

  • that there will be an Information Security Manager, at a central location, whose task is to coordinate information security activities. The Information Security Manager reports on a continuous basis to the President/Vice-Chancellor/Management. Please refer to Tasks of Information Security Manager.

  • that a special group/person is responsible for incident monitoring and incident management with responsibilities in accordance with Responsibilities, Powers and Duties as system administrator in the Incident Group (IRT Operator).

  • that each person responsible for operations is also responsible for information security within their operations in accordance with university/college policies, guidelines and other regulations.

  • that managers with operational responsibility may delegate responsibility for information security to a specified individual, e.g. a system administrator. See Responsibilities, Powers and Duties of Systems Administrators.

  • that the System Owner is responsible for information security in each IT system and will appoint a specific person to monitor information security in the system and to act as the contact person for the information security function. See Responsibilities of System Owners.

  • that a system administrator is appointed for each IT system with responsibility for the information security in this system. See Responsibilities of System Managers.

  • that a Technical Officer responsible for IT/technical matters is appointed for the operation and maintenance of IT systems. See Responsibilities of Technical Officers.

  • that Technical Administrators are appointed with responsibility according to the job description for Technical Administrators.

  • that managers with operational responsibility appoint an Authorisation Officer in accordance with the job description for Authorisation Officers.

  • that the system owners appoint an Authorisation Administrator according to the job description for Authorisation Administrators.

  • that managers with operational responsibility appoint an Archives Officer in accordance with the job description for Archives Officers.

Current delegation decisions are to be registered at the unit.

Information Security Manager

Will lead operations at the information security function and administer the activities of the Reference Group.

Primary tasks of the information security function:

Preparation and verification

  • Preparation of information security matters for decision by university/college management.

  • Continuous situation reporting concerning information security to management.

  • Establishment of annual Action Plan and budget, plus follow up for management.

  • Development of policy, guidelines, regulations, etc.

  • Continuous follow up of approved measures.

  • Initiate an annual inspection at the university/college.

  • Bear responsibility for methods and templates for monitoring and scrutiny of information security.

  • Develop a Verification Plan for joint IT systems, etc.

  • Compile inspection results and report to university/college management.

Requirements and monitoring

  • Security requirements during procurement of new systems.

  • Security requirements during operation of systems, computers and networks.

  • Security requirements of communications activities.

  • Incident Management (IRT operations; see IRT Operator).

  • Incident reporting and coordination with SUNET CERT.

  • Monitoring in steering committees of IT projects.

  • Follow-up of decisions within the relevant field of responsibility.

Support operations

  • The establishment of security levels and recommendations for suitable security levels for current IT systems, etc.

  • Recommendations for standards for security solutions.

  • The establishment of proposed measures and action plans.

  • Support to the university/college units' own inspections and control of information security.

  • Participation in seminars for heads of departments.

  • Provision of expert support.

  • Training and dissemination of information.

  • Collaboration with other universities/colleges, with SUSEC and with SUNET.

IRT Operator

RESPONSIBILITIES, POWERS AND DUTIES OF SYSTEM ADMINISTRATOR IN THE INCIDENT GROUP (IRT GROUP)

The President/Vice-Chancellor delegates to

Name:

Department/unit/equivalent:

To be a member of the university/college's IRT Group with powers and duties as listed below.

Area of responsibility

The powers and duties of the IRT Operator in the IRT Group in the case of hacking, or suspicion of hacking, cover all computer systems concerned and all network and other computer resources at the university/college.

If hacking is observed or suspected, the IRT Group will take appropriate action, either following consultation with those affected or on its own initiative.

Requirements

This position carries considerable responsibilities and considerable powers, and also allows access to sensitive and critical systems. Consequently, the IRT Operator must be a suitable person for this position.

Authorisation

The IRT Operator is empowered to, on behalf of the university/college and in accordance with current legislation, policies, regulations and decisions, within his/her field of responsibility:

  • Carry out all the measures necessary for the investigation and for damage control as concerns all IT equipment including that for logging and backup.

  • Store log files and certain other files of importance to the investigation.

  • Initiate fault searching and re-installation of IT systems in IT equipment.

  • If considered necessary, isolate the IT equipment concerned.

  • If considered necessary, exclude a user.

  • When necessary collaborate with other IRT groups outside the university/college.

  • When necessary in order to carry out his/her work tasks, examine and check data, programs, data communications and other information contained within all IT equipment.

If possible when examining and checking data, there should be collaboration with the system administrator concerned and also, if necessary, with the information owner concerned.

  • When necessary in order to carry out his/her work tasks, copy, move or delete data, programs and other information in IT equipment. However, deletions may not be made without the permission of the relevant information owner and/or System Owner unless adequate measures have been taken to save the information in question on other IT equipment or in another medium. Exceptions are when storage of such data is in breach of university/college regulations.

Duties

It is the duty of the IRT Operator to:

  • Carry out activities with the care and accuracy necessary.

  • Follow the guidelines for IRT operations that apply in the university/college.

  • Follow the regulations for use of computers, standards, etc. that apply at the university/college and SUNET.

  • Follow the regulations and instructions for information security that apply at the university/college and SUNET.

  • Observe the duty of confidentiality in his/her work.

  • Manage secret or sensitive information as concerns personal integrity data, and the relevant data media and equipment in which the data is stored, in accordance with current regulations.

  • As soon as possible contact others who are or may be affected by an incident.

  • Document all elements of emergency calls and report to the IRT Officer.

  • Collaborate with the system administrators concerned.

  • When considered necessary or appropriate, report if the university/college's computers, networks or system resources have been used in breach of current regulations, or when such a breach is suspected, to the Head of Department (equivalent) and/or to the Information Security Manager at the university/college.

  • If the operator suspects that a situation may require disciplinary measures or involve a criminal act, immediately inform the Information Security Manager/Officer at the university/college or another suitable person appointed by the President/Vice-Chancellor.

  • Participate in investigations of the abuse of university/college computer, network and system resources in breach of current legislation and regulations.

  • Assist the Disciplinary Board, the police and the Prosecutor's Office in their investigations.

The duty of confidentiality according to the above does not restrict the rights and duties enjoyed by all citizens under the Freedom of the Press Act and the Secrecy Act.

The signatory has read and accepted the above provisions.

University/college date..................

................................................ .......................................

Employee

Manager


System Administrator

Responsibilities, powers and duties

The aim of these guidelines is to create the preconditions for good levels of IT security in the administration of university/college computers, networks and computer systems.

These guidelines are based on the university/college Information Security Policy adopted on xxxx-xx-xx together with regulations for the use of the university/college computer, network and IT system resources.

Background

The university/college's Information Security Policy prescribes, among other things, the following.

There must always be a named Information Security Officer responsible for computers, data systems, data networks or data equipment used at the university/college.

Every unit that uses computers, data systems or data networks must be able to access the relevant competence as concerns information security in order to maintain a suitable level of information security at the unit.

The President/Vice-Chancellor decided that: The Head of Department/equivalent is the Information Security Officer for each unit. This responsibility may be delegated. Each unit will appoint one or more individuals to bear responsibility for systems administration at the unit and to establish the duties and, when necessary, the powers to be delegated.

Current delegation decisions, including their scope, are to be duly registered at the department. Below there is a general summary of the duties and powers that may be delegated to a systems administrator. The intention is that this summary should form a template that may be adapted locally to the conditions prevailing in each unit.

Responsibilities, powers and duties of systems administrators

Name:

Institution/unit/equivalent:

Area of responsibility:

The responsibilities, powers and duties concern the computer systems, networks and computer resources stated below:

Authorisation

The systems administrator is empowered to, on behalf of the university/college and in accordance with current legislation, regulations and decisions within his/her field of responsibility:

  • Install and configure operating systems and software in all equipment.

  • Modify and install computers and other data and communications equipment.

  • Set up, change and remove users and authorisation for this IT equipment.

  • Issue user IDs and passwords to users, but only after the individual responsible has signed the relevant undertaking.

  • Fault search and carry out repairs and service on IT equipment within his/her area of responsibility.

  • Allow external service staff, while complying with all current regulations, to fault search and carry out repairs and service on IT equipment.

  • When necessary collaborate with other systems administrators or IRT Operators at the university/college for fault searching, repairs and service.

  • When necessary in order to carry out his/her work tasks, examine and check data, programs, data communications and other information in all IT equipment. When examining and checking data, permission must be granted by the information owner or the President/Vice-Chancellor.

  • When necessary in order to carry out his/her work tasks, copy, move or delete data, programs and other information in all IT equipment. However, deletions may not be made without the permission of the relevant information owner (equivalent) unless adequate measures have been taken to save the information in question on other IT equipment or in another medium.

Duties

It is the duty of the system administrator to:

  • Carry out activities with the care and accuracy necessary.

  • Document routines and version changes.

  • Follow the regulations for computer use, standards, etc. that apply at the university/college and for SUNET.

  • Follow the regulations and instructions for data security that apply at the university/college and for SUNET.

  • Observe the duty of confidentiality as concerns working material and information that may be deemed secret, including information on protective measures, etc. that the system administrator may have become aware of.

  • Manage secret or sensitive information as concerns personal integrity data, and the relevant data media and equipment in which the data is stored, in accordance with current regulations.

  • Report faults and problems as soon as possible to IT Manager/system owner.

  • Document serious disruptions and incidents, and report these to the IRT Group.

  • When necessary monitor outside personnel who are carrying out repairs, service of equipment or programs.

  • When necessary inform users that they are using university/college computers, networks or system resources in breach of current regulations.

  • When considered necessary or appropriate, report if university/college computers, networks and system resources are used in breach of current regulations, or when such a breach is suspected, to the Head of Department (equivalent) and/or to the Information Security Manager at the university/college.

  • If the system administrator suspects that a situation may require disciplinary measures or involve a criminal act, immediately inform the Information Security Manager/Officer at the university/college or another suitable person appointed by the President/Vice-Chancellor.

  • After decision by the President/Vice Chancellor or the Information Security Manager at the university/college or another person appointed by the President/Vice Chancellor, participate in investigations of the abuse of university/college computer, network and system resources in breach of current legislation and regulations.

  • Assist the Disciplinary Board, the police and the Prosecutor's Office in their investigations.

The system administrator's duty of confidentiality according to the above does not restrict his/her rights and duties enjoyed under the Freedom of the Press Act and the Secrecy Act.

The above-mentioned responsibilities, powers and duties are delegated to the systems administrator stated below:

University/college, date

Head of Department

The signatory has read and accepted the stipulations stated above.

Systems Administrator


System owner

There must be a System Owner (employee responsible for the system) for each system.

The System Owner is responsible for:

When acquiring or developing the system:

  • That the planned IT system is designed and managed so that it is possible to fulfil requirements for good levels of information security.

  • That the project organisation has access to sufficient information security competence.

  • That, in cases where personal data is included in the planned system, this is documented and reported to the university/college's Personal Data Representative, and that the system is designed so that it complies fully with the requirements of the Personal Data Act.

  • That a management organisation including an appointed System Manager as well as the System Owner, IT Officer/Technical Officer and Technical Administrator is created for the system's operation and maintenance.

For existing systems:

  • That an analysis of security needs is carried out, taking the information content and operational requirements into consideration.

  • That security requirements are stated, concentrating on accessibility, accuracy, confidentiality and traceability.

  • That a management organisation including an appointed System Owner as well as the System Manager, IT Officer/Technical Officer and Technical Administrator is created for the system's operation and maintenance.

  • That guidelines for authorisation allocation are established and that security requirements for the IT Officer/Technical Officer are fulfilled.

Examples of system owners: the HR Manager could be the System Owner of the HR Administrative System, while the Director of a group of researchers could be the System Owner of the group's research database.

System Manager

The System Manager's responsibility is to administer the system based on the directives of the System Owner as concerns application, user requirements and user needs. The System Manager must possess in-depth knowledge of the operations of the system he/she is to support, and also overall knowledge of the technology applied in the system. The System Manager is responsible for information security in the IT system and must report any events or incidents that may affect information security. The System Manager will act as the contact person for users of the IT system and will cooperate on a regular basis with the Technical Officer on system operation matters.

Technical Manager/IT Officer

A Technical Officer must be appointed to be responsible for technical operations security. (For example Manager of Central IT Operations or alternatively IT Officer for each unit.)

The Technical Officer is responsible for ensuring:

  • That technical security solutions follow established university/college standards.

  • That IT systems can, when called for, be integrated with existing systems without information security deteriorating to less than satisfactory levels.

  • That a Technical Administrator is appointed for larger-scale IT systems by the System Owner for the proposed management organisation.

  • That the IT system is entered into the university/college's system register, if such a register exists.

  • That analyses of technical IT security are carried out, taking into consideration accessibility, confidentiality, accuracy and traceability, and that any problems discovered are solved.

  • That the System Owner's security requirements are fulfilled technically.

Technical Administrator

The responsibilities of the Technical Administrator include the technical administration of the IT system based on the directives of the Technical Officer. The Technical Administrator must possess good levels of knowledge of the construction of the IT system, data management and technical security solutions, and also overall knowledge of the operations that the IT system supports.

The Technical Administrator is responsible for information security in the IT system and reports events and incidents that may affect information security.

The Technical Administrator is the contact person for technical matters concerning the IT system and will cooperate on a regular basis with the System Manager on system operation matters.

Authorisation Manager

Takes decisions concerning the allocation of access rights to the university/college's joint and local IT systems. Bears responsibility for the allocation and follow-up of authorisation in accordance with guidelines established by the System Owner and the Technical Officer. The Authorisation Manager may be a Head of Department, the Departmental Manager of Admin Services, a Unit Manager in the university library or the Manager of another unit.

Authorisation Administrator

Responsible for the registration and deregistration of authorisations in accordance with decision by Authorisation Manager. Responsible for ensuring that decisions on allocation of authorisation are filed according to established archival requirements.

Archives Officer

The university/college's archives must reflect operations and act as a source of current and future research, as well as a support to daily activities. Management and storage of information will occur so that it is protected from loss, damage or unauthorised use. Each unit will appoint an Archives Officer. This person will be responsible for the management and storage of information in accordance with university/college instructions as concerns information security, public access and confidentiality, registration, archival structure, archival reporting and archival management. This applies to both digitally stored information (also websites and e-mails) and to pictures and paper documents.
