Helpdesk - IT guidance,
Rules for the maintenance of University of Helsinki information systems
In these rules, maintenance and administration refer to
In these rules, an information system or a system refers to
A University unit refers to a faculty, department, division or other functional unit of the University.
The responsible owner of a specific information system within the University refers to the unit for which the information system has been acquired, and which designates the persons entitled to use the information system. The owner of information materials may also be the author of the materials, as defined in the Copyright Act.
The manager of an University information system is responsible for the management of said information system unless the management responsibilities have been transferred to another unit within the University or outsourced by contract. Usually, the manager of an information system is not the system administrator.
System administration refers to persons responsible for the technical management of the University’s information systems and to other University IT support personnel, who collaborate to maintain the systems and provide user support and guidance. In a broad sense, the term ‘administrator’ refers to all persons having administrative rights in the system.
1.2 System administrators’ privileges
To ensure the functionality of information systems, an administrator has extensive rights to inspect the status of the systems and, if necessary, to intervene in the function of the systems, in the actions of individual users and in their data in the systems if there is reason to suspect that such data violate current regulations or rules for the use of information systems (e.g. illegal copies of music or films).
To eliminate and fend off breaches of information security, an administrator has the right and obligation to take necessary steps to ensure information security. Cases of information security incidents shall be dealt with in accordance with the University of Helsinki Information Security Policy and the instructions for responding to information security incidents.
To avoid a conflict between an administrator's privileges and the legal protection of the users of the system, the application of an administrator's privileges is controlled by guidelines and rules based on current regulations. The University’s IT Department is responsible for the University’s information security policy, which, along with other valid regulations and instructions for the use of the University’s information systems, will be posted on the University’s web site. Departments and units may issue detailed system-specific rules and instructions.
These rules are binding for all system administrators at the University, including students, should they be the administrator of an information system or part of such a system that is connected to the University information network.
A unit must document the information systems or system entities in its possession, prioritise them when necessary, and assign and document the managers and administrators. The owner of the information system is responsible for the existence, validity and availability of information system documentation.
The owner of the information system and, ultimately, the head of unit are responsible for ensuring that the system adheres to current legislation, good administrative practices and current guidelines and regulations issued by the University. The owner is always ultimately responsible for the maintenance of the system. The information systems manager is responsible for the technical maintenance of the systems in accordance with good administrative practices. Every system must have designated administrators. Administrative duties shall be distributed, if possible, to several individuals with different access rights. The actions and procedures taken by administrators shall also be logged.
The owner or manager of an information system is not responsible for the contents of an individual user’s data. Users are personally responsible for the legality of their data and are required to protect them in accordance with the guidelines issued by the University. The manager of an information system has, however, the right and obligation to intervene with a user’s data if there is reasonable cause to suspect that it contains information security hazards or illegalities.
If an administrator is suspected or has been found to have misused his or her privileges, the head of the relevant unit or a contact person designated by the head shall be contacted. The head or the contact person shall inform the Campus Information Security Officer. Further measures, if any, shall be taken in accordance with the University of Helsinki Information Security Policy.
3. Policy of operation
3.1 Good maintenance practices
Information systems shall be maintained in accordance with good maintenance practices. Good maintenance practices mean well planned, responsible and professional administration which complies with good information management practices as provided by the Act and Decree on the Openness of Government Activities.
3.2 Protection of privacy
The administration of the University's information systems takes into account the right to privacy and the confidentiality of communication between users and their communication partners. While adhering to these basic rights, however, the University reserves the right to control the information content and purpose of use of the information systems in its possession. This also applies to the telecommunications network owned by the University. The purpose of use is defined in greater detail in the Rules for the use of University of Helsinki information systems or in system-specific rules.
When users request an administrator to handle their email or other files, the administrator must check the person's identity in an appropriate manner, for example, by verifying their identity against an official certificate of identification.
An administrator may contact a user either by calling a telephone number found in the University’s information systems or by sending him or her an email. If, however, there is suspicion that the user ID has fallen into the wrong hands, email should not be used.
Administrators are bound by confidentiality and a ban on the exploitation of information not related to work and of the existence of such information that they may learn while performing their professional duties. Non-public work-related matters may be discussed only between individuals or authorities that are bound by the same confidentiality and to whose professional duties the matter is relevant.
Administrators in particular are bound by Section 40, Sub-Section 5 of the Penal Code, according to which public officials must not deliberately, while in office or thereafter, unlawfully disclose a document or information which under law is to be kept secret or not to be disclosed.
Administrators shall sign a confidentiality agreement.
4.1 Identities, passwords
Administrators do not need to know users’ passwords to carry out their duties, and they must not inquire about users’ passwords.
If the rectification of a problem requires the administrator to temporarily assume a user's identity, the user must either be present to provide his or her password to the authentication service, or the administrator must assume the user’s identity through administrators’ privileges. The user must be informed of the latter beforehand or as soon as possible. The administrator must not retain the user’s identity any longer than is necessary for rectifying the problem.
In situations described above, the administrator must verify the identity of the user in an appropriate manner.
Administrators shall resort to main user privileges only when their maintenance duties so require. In all other cases, they shall use their own personal user IDs.
4.2 Restrictions on user accounts during investigations
If there is reason to suspect that the University's information security has been compromised or that a user is guilty of breaching the Rules for the use of University of Helsinki information systems or of other misuse, an administrator has the right to restrict the user's access rights to the information systems for the duration of an investigation.
The investigation shall be carried out and consequent further measures shall be taken in accordance with the University of Helsinki Information Security Policy.
4.3 Processing of emails
According to the Constitution of Finland, the secrecy of correspondence, telephony and other confidential communications is inviolable, unless otherwise provided by law. An email message is analogous to a letter in that it is confidential unless it has been intended for public distribution.
The principles for processing email are laid out in the Rules for processing email. The present Rules for the maintenance of University of Helsinki information systems provide rules for special circumstances in which an administrator must intervene with email communications to ensure the service level or security of the system.
An administrator has no right to view a user’s email. An administrator may be required to open files containing a user's email in the following situations:
An administrator also has the right to purge mail that is being delivered of any messages that jeopardise the proper functioning of the email system, as well as of messages generated by a technical error that are thus obviously unnecessary.
4.4 Processing of other data
As a rule, administrators have no right to read or otherwise process the contents of files owned by users.
However, an administrator has the right to open files owned by users under the following circumstances:
In addition to the above, administrators always have the right to:
4.5 Monitoring of directories and file lists
Under normal circumstances, administrators cannot fully avoid processing and seeing file lists of directories owned by users. Processing directory structures, file names, modification dates, and size and protection levels along with other information pertaining to files is part of normal maintenance and administration, which are carried out in accordance with good administration practices.
If an administrator finds that the protection of a file or a directory is insufficient in relation to its nature, he or she has the right to upgrade the protection to the necessary level.
In carrying out maintenance and administrative duties, administrators shall take care to not display file names and equivalent information unnecessarily. For example, when file listings are needed to solve a problem, if possible, those file names that do not pertain to the matter at hand will be deleted from the list.
4.6 Monitoring of programs and processes
The manager of the information system and the system administrator together define which software shall be available in the system. Programs can be prohibited or withdrawn from use if their use is not necessary for the operation of the University or if they jeopardise the high level of services and security. This decision will be made by the head of the unit administering the system.
Administrators routinely monitor the programs running in the information system.
Administrators may adjust the priority of a process, if this process consumes excessive system resources.
An administrator may terminate a process if:
4.7 Monitoring of the data communications network
Administrators of the University data communications network monitor the traffic of the University network and its external connections using monitoring software and by reviewing log data to be able to ensure a reasonable level of services and security as well as the cost-effective use of external connections.
The monitoring of network traffic does not involve the contents of the information transferred, but rather the amount and nature of the traffic. The monitoring of source and target computers is statistical in nature and does not focus on an individual user, except in cases of disturbances. However, the traffic of an individual system can be monitored in greater detail if anomalies, such as excessive traffic load, are being investigated.
In order to investigate a possible incident of disturbance or misuse, a network administrator may contact the person responsible for the computer that is the source of excessive traffic or other anomalies.
An administrator of the data communications network may deny a computer or a part of the network access to data communications or the use of a certain service if this computer or part of the network:
In all of the above cases, the administrator responsible for the computer or part of the network shall be contacted without delay once access to data communications has been denied.
4.8 Processing of log files
The University's information systems create log files to document the functioning of the system, to investigate possible disturbances or misuse and to collect statistical and invoicing data. The University normally uses the logged information only for technical maintenance, invoicing and statistics. The log files may form a register that falls under the scope of the Personal Data Act or contain identification data which fall under the scope of the Act on the Protection of Privacy in Electronic Communications.
4.9 Storage of data
The provider of information system services shall, as a part of maintenance and system administration, ensure that backup copies are made of the systems. Depending on the purpose of the system, backups are made with sufficient frequency in case of, for example, disk failures.
Backup copies shall be stored in an appropriate manner, and the administrator shall ensure that they are accessible. The processing of data on backups shall comply with the same principles as the processing of equivalent data in information systems. The deletion of backups shall take place in such a manner that the confidentiality of the data in them will not be compromised.
5. Monitoring the observance of these rules
Monitoring the observance of these rules is the responsibility of the owner of the IT Department and of other information systems in the University units. Breach of these rules shall be handled in accordance with the University of Helsinki Information Security Policy. The IT Department shall update these rules and the IT Security Manager shall monitor the need for updates. A valid version of the Rules for the maintenance of University of Helsinki information systems shall be posted on the IT Department’s web pages.