IT-säkerhetshandboken
http://www.susec.sunet.se
susec@sunet.se

1.5 Policy and regulations

Introduction

This section takes up the basic preconditions for creating good information security at a university/college. These are decisions to be taken by management.

The policy states the management's approach to operations, an approach which is then to be developed in the form of regulations, organisation and guidelines.

User regulations define the requirements of the university/college concerning who may access and use the university/college's IT resources.

Here, examples of how the regulations and the individual undertaking may be formulated are given. The undertaking must be read and signed by all prospective users before they may use university/college IT resources.

Information Security Policy

This policy was established by the Board/President/Vice-Chancellor on xxxx-xx-xx.

General

In order to secure the information contained in the university/college systems it is necessary to adopt a holistic approach to information security bearing in mind that the information security solutions applied are critical for enabling the use of information technology.

The aim of this policy is to inform, guide and clarify goals and responsibilities for information security at the university/college. The point of departure is that the university/college's information constitutes an extremely important resource and that if this information is not managed in the correct manner, the university/college's operations, good name and reputation may be placed at risk.

Secure information also forms a precondition for the university/college to be able to fulfil its task of providing education, carrying out research and collaborating with society.

Information security activities must be carried out based on preventative, long-term and cost-efficient operations where implementation is carried out in a well-structured fashion and with the clear support of the university/college management.

General acceptance and awareness among employees forms the actual foundation of security operations. The university/college must ensure that employees gain access to suitable training and continuous competence enhancement within this field.

Information security is defined as both administrative security and technical security. Administrative security refers to security during the processing and/or storage of information. Technical security is defined as security through technical solutions. Technical security may be divided into physical security and IT security. Physical security concerns the physical protection of e.g. data media. The concept IT security covers security of information in information processing technical systems. IT security may also be divided into data security and communications security. Data security is connected with the protection of data and IT systems against, for instance, unauthorised access. Communication security concerns security in connection with transfer of data.

Information security activities are to be coordinated with other security operations at the university/college.

Objectives

The objective of information security is to protect the university/college's information within its organisation against various threats and to create efficient and effective protection by ensuring:

Threats are defined as: potential, undesirable occurrences whose consequences have a negative impact on operations.

All information is worth protecting, though with different protection levels. In order to achieve the desired level of protection there must be a balance between required protection level and efficient utilisation of existing resources.

In order to achieve the objective of efficient management of information based on a security perspective, the identification of assets in need of protection, and an assessment of relevant threats, is necessary. Proper organisation and control of operations is also required.

Responsibility and organisation

The overall responsibility for universities/colleges is borne by the relevant Board and President/Vice-Chancellor. This includes responsibility for the university/college's information security.

The President/Vice-Chancellor should appoint a person to be responsible for coordination of information security in accordance with the university/college's working procedures (Information Security Manager). Responsibility then follows the relevant university/college's delegation procedures.

All employees and students are responsible for their own compliance with current policy, guidelines and regulations within their own fields.

Regulations for use of university/college IT resources

General

University/college IT resources are owned by the university/college in question and are intended for use in, and for the remit of, the university/college, namely to provide education, research and attendant administration and to collaborate with society, i.e. the Third Mission. No other use is permitted unless otherwise stated in the university/college user regulations.

IT resources are defined as computers, computer networks and all other equipment used in connection with the management of information in digital form.

University/college IT resources may not be used to, in an improper manner, spread, store or transfer information that is:

Nor may any use be made in breach of SUNET regulations (Regulations for connection to and use of SUNET).

When using the university/college IT resources, the university/college's good name and reputation must be protected.

Authorised users

An authorised user is a user who has been authorised to utilise the university/college's IT resources. Authorisation is personal and may not be transferred to, or in any other way be made available to, another person.

It is not permitted to use someone else's authorisation or to exploit faulty configurations, program errors or in any other way to manipulate IT resources.

Authorisation is for a fixed term and is directly linked to studies, employment, project participation or assignments. The user is obliged to inform the university/college of any circumstances that may cause authorisation to cease.

Access to university/college IT resources will cease after a period of inactivity of six months, unless otherwise agreed.

Authorisation may be withdrawn if the user breaches user regulations.

Use of Internet

The Internet is intended for use during information searching and for other relevant uses within the operations of the university/college.

When using the Internet it is forbidden:

When publishing material on the university/college website the relevant university/college Web Policy must be followed.

Comments: Concerning private use, two alternatives are presented.

Certain Internet use to a limited degree with the help of university/college's IT resources for private purposes is permitted on the condition that these user regulations are fully complied with.

alternatively

Private Internet use with the help of university/college IT resources is not permitted.

Use of e-mail

E-mail is intended for use in communications internally within the university/college and for external communications outside the university/college for university/college operations.

All communications concerning university/college operations must take place via e-mail accounts allocated by the university/college, so that it is clear to the recipient that the message comes from this university/college and concerns university/college operations.

E-mail may not be used for political, commercial or other purposes that work counter to university/college operations.

Please avoid attaching large documents to e-mails as this may cause overloading of servers and networks.

Comments: Two alternatives are presented as concerns private use.

Certain use of university/college e-mail to a limited degree for private purposes is permitted on the condition that these user regulations are fully complied with. It is not, however, permitted to subscribe to distribution lists for private use.

Alternatively

Use of university/college e-mail for private purposes is not permitted.

E-mail and processing of official documents

Regulations concerning public access to official documents (Freedom of the Press Act, Chapter 2) also cover e-mails. For more information [LINK]

Information which may be the object of secrecy requirements in accordance with the Secrecy Act must be processed according to special regulations [LINK]

If an e-mail account holder is absent, incoming mails must be dealt with in a suitable manner. Mail may, for example, be diverted to a function address such as "mathematics@university/college.xx.se". Such function addresses are to be monitored so that matters arriving are processed in the manner prescribed by the relevant legislation.

Consequently an automatic out-of-office reply does not fulfil the prescribed requirements as to how incoming e-mails are to be processed.

Remote access

For employees and students it is also vital to be assured of secure, reliable access to university/college IT resources via outside networks ('remote access').

The university/college supplies the necessary IT services that must be in place for remote access.

Computers used for remote access must be secure from an IT security aspect. Please look under Remote Working to see the technical and other requirements that have been established for remote access.

User regulations must also be respected when using the university/college's IT resources via remote access.

Regulations for selection of password

It is vital to manage passwords in a secure manner.

Passwords and user identities are personal and may not be given to anyone else. In special cases the university/college may decide to grant an exception to this regulation.

When selecting a password consider the following:

1. The password should consist of 8 to 10 characters.

2. Do not use a password with a direct connection to yourself, your family or your workplace, which others may know about.

3. Use letters, digits and special characters. Use both upper and lower case letters. Do not use åäö or ÅÄÖ. Always begin with a letter.

4. The password may not take the form of a word that may be listed in any dictionary or wordlist, nor should it consist of two words written without a space in between.

5. Do not use simple keyboard patterns such as QWERTYU or 1qaz2wsx.

Do not write down the password anywhere close to the location of the computer where it could be found by unauthorised individuals. Do not save user ID and password for automatic log-in. The password must be changed immediately if there is a suspicion that an unauthorised person has become aware of it or how it is structured.
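A checker that applies the five selection rules above to a candidate password, written here as an added illustration and not part of the handbook; the wordlist and the four-key pattern threshold are constructed assumptions, and rule 2 is approximated by matching terms the caller supplies (name, user ID and similar).

```python
import string

# Constructed wordlist standing in for a real dictionary (assumption, not from the handbook).
WORDLIST = {"password", "student", "summer", "secret", "sunet", "welcome", "dragon"}

# QWERTY rows and the column walk "1qaz2wsx..." cover the keyboard patterns rule 5 names.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLS = "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p"
PATTERN_LEN = 4  # assumption: four adjacent keys in a row counts as a pattern


def has_keyboard_pattern(pw):
    """True if any run of PATTERN_LEN characters walks a keyboard row or column."""
    lowered = pw.lower()
    sequences = KEYBOARD_ROWS + [KEYBOARD_COLS]
    sequences += [s[::-1] for s in sequences]  # also catch reversed walks
    chunks = (lowered[i:i + PATTERN_LEN] for i in range(len(lowered) - PATTERN_LEN + 1))
    return any(chunk in seq for chunk in chunks for seq in sequences)


def is_dictionary_based(pw):
    """Rule 4: a listed word, or two listed words run together, after stripping padding digits/specials."""
    core = pw.lower().strip(string.digits + string.punctuation)
    if core in WORDLIST:
        return True
    return any(core[:i] in WORDLIST and core[i:] in WORDLIST for i in range(1, len(core)))


def check_password(pw, personal_terms=()):
    """Return the handbook rules a candidate password violates (empty list means acceptable)."""
    violations = []
    if not 8 <= len(pw) <= 10:
        violations.append("rule 1: must be 8 to 10 characters")
    if any(t and t.lower() in pw.lower() for t in personal_terms):
        violations.append("rule 2: contains a term connected to the user")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    if not all(any(c in cls for c in pw) for cls in classes):
        violations.append("rule 3: needs upper and lower case letters, digits and special characters")
    if any(c in "åäöÅÄÖ" for c in pw):
        violations.append("rule 3: must not contain åäö or ÅÄÖ")
    if not (pw and pw[0] in string.ascii_letters):
        violations.append("rule 3: must begin with a letter")
    if is_dictionary_based(pw):
        violations.append("rule 4: is a dictionary word or two words run together")
    if has_keyboard_pattern(pw):
        violations.append("rule 5: contains a simple keyboard pattern")
    return violations
```

Running `check_password("1qaz2wsx")` reports the keyboard pattern, the missing character classes and the leading digit, while `check_password("Password1!")` is rejected on rule 4 alone.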

Other security regulations (identification, eavesdropping, viruses)

Identification: It is not permitted to hide user identity when using university/college IT resources.

Eavesdropping: Eavesdropping on (sniffing) network traffic is not permitted; exceptions may be made for a specially appointed function. See below under "Control and monitoring of IT systems".

Protectable information may not be transmitted in clear text over the network. Examples of such information include passwords, credit card numbers, door codes etc.

Viruses: It is strictly forbidden to purposely spread viruses or any other malicious codes to or from university/college IT resources.

University/college computers must be equipped with a functioning virus protection system. Deactivating this protection system or manipulating it in any other fashion is strictly forbidden.

Processing of personal information in official documents: Personal information is protectable information and must be managed in accordance with the Personal Data Act.

Official documents: Information that is managed via university/college IT resources may constitute official documents. Official documents must be processed in accordance with regulations in the Freedom of the Press Act.

Control and monitoring of IT systems

Users who, when utilising university/college IT resources, discover a fault or something else that may be of importance to the operation of the IT resources must report this immediately to the officer responsible.

IT resources are monitored and events on the computer network and within the other IT resources are logged. These logs are saved and filed in accordance with current regulations on disposal of documents and filing and they may, if necessary, comprise evidence of possible breaches of the user regulations.

Sanctions for breaches of user regulations

Exclusion from IT resources. If a breach of these user regulations is discovered, the user in question risks being totally or partially excluded from access to the university/college IT resources. The user may, however, be limited to a computer/workplace (connected to the power supply only, not to the network) so that the user is able to fulfil his/her studies/work tasks during the period when any investigation is underway.

Any abused or mismanaged IT resource may be closed down immediately.

Disciplinary measures for students

Students may, if in breach of these user regulations, risk being reported to the President/Vice-Chancellor and the Student Disciplinary Board in accordance with Chapter 10 of the Higher Education Ordinance. Disciplinary measures consist of a warning or exclusion for a certain period from teaching and other activities at the university/college.

Disciplinary measures for employees

Employees may, if in breach of the user regulations, risk being reported to the President/Vice-Chancellor and the Staff Disciplinary Board. Disciplinary measures consist of a disciplinary warning or suspension.

Crime

Users who are suspected of crimes according to the criminal code may become the object of a police report.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Undertaking (see also Undertaking)

I confirm that I have read the university/college's user regulations and intend to comply with them. I also intend to keep myself up-to-date on any changes or amendments to these regulations and then also undertake to follow the new regulations.

Date / Signature / Name in capitals / ID check / Personal registration number
