Information Security Policy
Report security incidents: it.security@uwasa.fi
1 General provisions
1.1 The three dimensions of information security
- Confidentiality: Recognizing confidential information and protecting the confidentiality. The information is only available to those entitled to it.
- Integrity: Ensuring that the information is accurate and unambiguous and remains so. The information cannot be changed by anyone else than those authorized to do it.
- Availability: Ensuring the possibilities of using information correctly. Data and information systems are available for use for authorized users.
The three dimensions of data security encompass all information of value and the processing of it regardless of the means. Disclosure and publication of information only through planned channels is ensured through confidentiality.
Through integrity we ensure that the value of information is preserved and that the information can be used. Through availability it is possible to use the information within the planned frame of time delay.
1.2 Aims
Data risks are managed through using good national and international practices. Services and systems are designed to be operationally secure and well protected so that they reasonably well can withstand expected cyber threats. Laws, binding norms as well as obligations stated in agreements are adhered to. A high-quality and information secure work and study environment is maintained. The university’s reputation is upheld. Trust in the university’s operations and productions is cultivated. The university’s operational prerequisites under all circumstances are ensured, even during malfunction and exceptional circumstances.
2 Organisation
2.1 Management and authority
Information security and maintenance of it are part of the university’s quality assurance system. Managing and monitoring the information security are also part of the general management of the university. Everyone implements the information security within their own areas of management and authorization. The main users of each service are authorized to take measures permitted by the law in order find and correct deviations which endanger the information security.
The Chief Information Security Officer is authorized to interrupt operations which create significant danger to the university’s information security.
2.2 Responsibilities
As a rule authority and responsibility go hand in hand. To the extent that it is possible to decide on how a matter is implemented and handled, one also has the responsibility for the information security of that implementation. It is the task of the ICT Management and the Chief Information Security Officer to help everyone to assume this responsibility.
- Everyone is responsible for the information security of the information they handle.
- Everyone is obligated to follow the rules and user instructions
- Everyone is obligated to either rectify or report an information security problem when it is discovered
- The main responsibility for the information security of a service or a piece of information lies with its owner.
- The owner is the unit or person who is responsible for handling the information in question or for producing the information contents of a service. The main responsibility remains with the owner regardless of on whose initiative the information is handled.
- The owner decides on the purpose of use and the permitted ways of use if the nature of the information requires it.
- The owner is responsible for planning the service and the processes connected to it as well as for the implementation meeting the requirements together with selecting the appropriate security mechanisms.
- The owner is responsible for the necessary descriptions, risk analysis and continuity planning. The owner is also responsible for providing the potential protection requirements connected to the information when disclosing it to another party.
- The owner is responsible for writing user instructions and providing them to the users of the service.
- The owner is responsible for writing and updating possible register information.
- The service or system provider is responsible for the information security of the service.
- The user and owner must have an opportunity to assess, whether the system and its properties meet/comply with the security requirements set for handling the information.
- The ICT Management is responsible for the information security of the services acquired or produced for the general use of the university. The ICT Management shall offer instruction and training for the secure use of them.
- The service producers are responsible for implementing the stated level of information security and managing and reporting technical risks or deviations related to the information security of the service.
- The main users of a service are responsible for following the administrative rules.
- The supervisor is responsible for providing the subordinate with sufficient orientation in information security and the significance of implementing it.
- The ICT Management is responsible for supervising the university’s information security and will when necessary take protective measures in order to restore the security.
- The Chief Information Security Officer is responsible for developing information security, the supervision of it as well as enhancing it in the university together with external cooperation on information security.
The Chief Information Security Officer leads the internal investigation of deviations and is responsible for contacts with the authorities in criminal matters.
3 Implementing data security
3.1 Security controls
Maintaining information security requires selecting and implementing the appropriate measures for equipment, systems and methods when handling information during all the stages of the information's life cycle and also rules, instructions and training for those handling the information. A common name for all of these measures is controls.
Through the controls an acceptable availability delay for all information is defined, i.e. the time within which the information must be available for handling without the time delay disrupting the work. For some types of information the acceptable time delay may be a few seconds and for other types of information the delay is a few days. If there is reason to doubt the integrity of the information the time required for restoring the integrity must be included in the estimated time delay.
When selecting the controls the aim is to find a balance between the three dimensions and the costs of the controls. The costs can be direct economic investments but they can also occur indirectly as a consequence of the work being slowed down.
The objectives for information security and the methods of implementation are chosen so that the information security and privacy as stated/defined in the applicable laws are achieved in the best possible way in the operations of the university.
3.2 Advance planning
When planning services or data systems the following must be considered before put in operation:
- The service must be sufficiently documented. The documentation contains information on the structure of the service, its purpose of use, user instructions, instructions for the administrator, dependencies from other services, controls, agreement issues, the planned life cycle of the service together with potential particular obligations connected to it. The protection of the documentation must be planned (the confidential part e.g. controls, and the public part for descriptions, service, operational handbooks and user instructions).
- It has to be evaluated if the the service is importantant enough to be funcionally secured in disorder and a state of emergency. Research and education activities of the university must continue seamless so that there are as few disturbancies as possible under all circumstances. The requirement of the continuity has to be considered when producing services on which education and research activities are significantly based on.
- The required system descriptions must be created and also updated regularly. These are the privacy statements of systems processing personal data and the descriptions of information management systems referred to in The Act on the Openness of Government Activities. Other oblications may also be applicable to the service (certifications, audit sections or special provisions on sensitive information etc.) and these shall be taken into consideration in the planning phase.
The university has a continuity plan for information management. This plan is regularly updated by the ICT Management. This plan describes the continuity of the principal services which the university’s operations depend on together with the methods of producing them under all circumstances. Other units with independent information management systems shall notify the Chief Information Security Officer about them if it is necessary to take the system into account in the continuity plan.
4 Communication
Under normal circumstances the Chief Information Security Officer is responsible for the university’s internal information security communication. The controller/owner of an individual service is responsible for the information security communication for that service. The Head of the Unit is responsible for the unit’s internal information security communication. In a crisis situation the responsibility for the information security communication is divided in compliance with the internal crisis communication plan.
5 Regulations and instructions related to information security
The university’s definitions, instructions and regulations have been divided into the following main documents.
- Rules of IT Service Use
- Information Security Policy
- E-mail rules
- E-mail filtering
- Retrieving and opening an employee's e-mail
- Consequences of IT service abuse
- Relevant legislation
In addition to these documents, sufficient support documentation will be created on the ICT Management’s web pages for developing and regulating the information security.