University Information Security Policy

The University of Helsinki Information Security Policy outlines the University management’s most important information security goals and strategic priorities for information security work. The Information Security Policy and information security work at the University is based on Finnish legislation.
Legislation underpinning the policy

The most important laws related to the use of information technology and IT services are:

The Criminal Code (19 December 1889/39) describes the criminal offences and their punishments (data and communications offences in chapter 38).

The Personal Data Act (22 April 1999/523) covers the gathering, processing, and storing of personal data. The obligations of the Personal Data Act are the reason why user accounts cannot be granted and forgotten passwords cannot be changed without confirming the ID of the account holder.

The Information Society Code (7 November 2014/917) fosters the supply and use of electronic communications services and ensures that everyone in Finland has access to communications networks and services at reasonable conditions.

The Act on the Protection of Privacy in Working Life (13 August 2004/759) covers the privacy of individuals in relation to their employer. The issues covered by the act also apply to students to some degree due to their close connection to the University.

University of Helsinki Information Security Policy

1 Purpose of the Information Security Policy

The University of Helsinki management uses the Information Security Policy to express

  • its views on information security and the connection of information security to implementing the University’s Strategic Plan,
  • the most important guidelines and strategy-compliant focus areas for information security activities, and
  • its willingness and commitment to information security at the University.

The Information Security Policy is approved by the Rector. Policies that supplement it are approved by the Chief Information Officer.

1.1 Three dimensions of information security

Information security consists of three key dimensions:

  • Confidentiality: Identifying confidential information and ensuring its confidentiality
  • Integrity: Ensuring the accuracy and consistency of information and its preservation for an appropriate length of time
  • Availability: Ensuring opportunities for the appropriate use of information

1.2 Reasons for ensuring information security

The University of Helsinki takes care of information security because the following quality factors are important for the University’s operations, interests and position:

  • complying with laws and other binding regulations
  • maintaining the University’s reputation and promoting confidence in the University
  • managing information security risks
  • creating a secure environment to meet the needs of the University’s core operations
  • safeguarding the performance of key operations, even in exceptional situations
  • safeguarding the ability to cooperate and complying with agreements
  • preventing the University’s systems from being misused.

1.3 Implementing information security

Information security is part of the University’s operations, quality and overall security. The principles of information security leadership, management and implementation have been defined as part of the enterprise architecture.

Ensuring information security requires

  • measures that are appropriately selected and implemented and targeted at each stage of the lifecycle of information and at the instruments, systems and methods used to handle information during these stages
  • rules, instructions and training for guiding the persons who handle information.

All of the above are known by the common term "security mechanisms".

The implementation of information security is about selecting security mechanisms that are appropriate for the known information security risks and putting these mechanisms into place. The categorisation of information is used to support the targeting of security mechanisms at the most operation-critical areas. In the selection of security mechanisms, a balance must be reached between the three dimensions of information security and the costs of the mechanisms or the operational difficulties caused by increased security. The costs may include direct financial investments as well as indirect costs caused by the slowing down of work.

The objectives of information security are defined and its implementation methods are selected so as to ensure the optimal achievement of information security, statutory data protection and privacy protection in the University’s operations.

The international ISO/IEC 27000 series standards, national public administration instructions and the University’s own internal guidelines are used as a basis for setting and measuring data security objectives and developing the information security management system. The requirements of the EU and Finnish legislation are also taken into account. The current state of information security and the achievement of the objectives are regularly reported to the University management and the Board of the IT Center.

The information security levels of the University of Helsinki’s systems are defined on the basis of the security requirements of operations and the information security objectives of the University. Information systems are protected in accordance with the information security principles of the University of Helsinki.

2.1 Secure and compliant operations

The scope of information security measures is defined and they are implemented as required by legislation and the agreements the University has concluded and in accordance with information security principles and objectives. In information security, too, the University prepares for disturbances and emergencies as well as unpredictable changes to ensure that its core operations can continue in all conditions.

2.2 Implementing the University’s Strategic Plan

The University’s Strategic Plan determines the focus areas for implementing information security. Information security operations support the University’s strategic guidelines, particularly in terms of supporting top-level research, international activities and increased community relations.

A development programme for information security is drawn up for each strategy period and it supports the programmes for implementing the Strategic Plan.

2.3 Controlled information security and the handling of information risks

The implementation of information security and the related risk management are organised and implemented in a controlled and systematic manner. Risk management and the selection of security mechanisms are forward-looking. This enables the secure and timely adoption of new technology and systems.

Risk management related to information security is organised and implemented as part of and in accordance with the University’s general risk management operating model. Units report on information security risks in connection with general risk reporting under the category “Information and IT risks” according to the schedule of the risk management planning cycle. Risk management findings and results are used in developing the focus areas of the information security development programme and in prioritising resources.

If realised, information security risks may result in significant harm to reputation and finances. Therefore, the University has defined the limits of risk appetite related to information security from the perspectives of confidentiality, integrity and availability as follows.

2.3.1 Risk appetite with regard to confidentiality

The University of Helsinki’s risk appetite is extremely low with regard to the confidentiality risks associated with internal misuse and illegal activities. The University’s risk appetite is low with regard to the loss of confidentiality of personal data and confidential information. The University’s risk appetite is moderate with regard to the loss of confidentiality of other non-public information.

To manage confidentiality risks, the University’s information system management and information security procedures are designed and implemented in such a way that the likelihood of loss of confidentiality of data stored in the systems is acceptable in relation to the consequences of compromising the data content of the system and that the level of residual risk does not exceed the risk appetite.

2.3.2 Risk appetite with regard to integrity

The University of Helsinki’s risk appetite with regard to the loss of data integrity is moderate, and its risk appetite with regard to operation-critical data is low. The risk appetite with regard to personal data is low.

To ensure data integrity, the University’s information system architecture is designed in such a way that the data it contains can be backed up, the amount of data lost in incidents is controlled and errors in data transfer and storage can be detected. The University is prepared to accept risks influencing integrity when it is possible to reproduce the data with a minimal or moderate amount of work.

2.3.3 Risk appetite with regard to availability

The University of Helsinki’s risk appetite with regard to long-term risks related to the availability of information is moderate, with the exception of information deemed to be operation-critical, for which the risk appetite is low. The University’s risk appetite is low with regard to the loss of availability of personal data.

2.4 Information security in support of research, teaching and cooperation

The aim of information security is to enable the secure and efficient use of information processing and communication methods required by research, teaching, studying and societal impact. Security measures scale from individual researchers, teachers and students to research projects and groups, courses, disciplines and units and to the whole University.

The objective of information security mechanisms is to enable the maximum efficiency and security of research, teaching, studying and community relations. Disturbances are prevented by assessing situations in which risks may arise and by providing risk management instructions and training.

2.5 Information security in support of administration and other support services

The University’s enterprise architecture describes the operational and technical implementation of new information systems, and in connection with this implementation, an information security review of the systems is carried out. The purpose of information security activities is to promote the adoption of new, efficient and secure systems and practices in all University operations. The aim is to secure the operational capability of the University’s most important core systems even in exceptional circumstances.

3.1 Management

The management and monitoring of information security are part of the University’s general management and ultimately the Rector’s responsibility. The Chief Information Officer manages information security activities.

3.2 Handling of incidents

All information security incidents that affect the University, i.e. all things and events that compromise or have compromised information security, must be reported primarily to the IT management and secondarily to one’s own supervisor. Each supervisor is responsible for ensuring that information about an information security incident reported to them is also known to the IT management.

The University has an obligation to report an information security breach related to personal data to the Data Protection Ombudsman within 72 hours of the detection of the breach.

The Information Security Manager or a person designated by them coordinates the handling of information security incidents. In the event of an information security incident, the Information Security Manager may determine that an information system or a part of it must be closed or that an individual user’s access rights be withdrawn. The owner of any incident-related information, system or equipment has an obligation to make accessible all the resources under their responsibility that are necessary for the investigation of the information security incident.

In University-level crises, the University’s crisis management plan is followed. Information and communication crimes against the University are reported to the National Cyber Security Centre and to the police.

4.1 Shared responsibilities and obligations

Implementing and monitoring information security is the responsibility of each member of the University community. Each community group is responsible for the security and lawful processing of materials related to its own activities, and each decision-maker is responsible for the information security measures required by their decisions and the impacts of these measures. In addition, all University staff members and students are also responsible for implementing information security in their own activities and required to ensure that they

  • are familiar with the University's information security instructions and comply with them,
  • establish and maintain a good culture of information security in their daily activities,
  • take the University of Helsinki IT Security Test and the basic information security course regularly,
  • participate in other information security training related to their role,
  • are familiar with the information security responsibilities and duties assigned to them or belonging to them due to their position and act in accordance with them,
  • report any compromise of information security to the IT management and, if they belong to the University staff, to their supervisor.

4.2 Specific responsibilities and obligations

Several roles and tasks at the University involve specific, designated information security responsibilities. These responsibilities are described in this policy’s Appendix “Information security responsibilities at the University of Helsinki”.

Communications related to information security must comply with the University’s general and crisis communications plans. Under normal circumstances, the Information Security Manager is responsible for the University’s internal information security communications. In the event of a crisis, the responsibilities for communications concerning information security are distributed as specified in the crisis communications plan.

The University may impose sanctions on a member of the University community due to activities that compromise the University’s information security, intentional or negligent failure to comply with the responsibilities defined in the Information Security Policy or a breach of information security instructions. The sanctions are determined by the University’s general sanction practices depending on the circumstances and the severity of the situation.

Appendix: Information security responsibilities at the University of Helsinki

1 Introduction

The implementation of information security in the University community depends on the activities of its members and the choices they make in their daily work. Every member of the community must therefore be familiar with the responsibilities and obligations associated with their activities, to ensure

  • the confidentiality of information
  • the preservation and accuracy of information
  • the timely availability of information on the basis of access rights and
  • the publicity, confidentiality and data protection of information, as required by law, in the University community.

2 Specific responsibilities, obligations and tasks

In addition to the general responsibilities for implementing information security and data protection, as described in the Information Security Policy, certain tasks and roles involve specific responsibilities, which are summarised below. If a University staff member or student has several different roles, the responsibilities associated with all of their roles apply to them.

Rector

  • approves the Information Security Policy and the division of information security responsibilities

Board of the IT Center

  • sets requirements for information security reporting

Deans and Heads of Units

  • are responsible for information security guidance, development and resourcing with regard to the activities of their faculty or unit in accordance with the University’s guidelines
  • are responsible for the resourcing and information security of the services owned by their faculty or unit
  • are responsible for ensuring that the staff of their faculty or unit know and are familiar with their roles in relation to information security
  • appoint the owners of the services of their faculty or unit
  • report on the unit’s information and IT risks in accordance with the University’s risk management practices

Director of Administration

  • is responsible for taking information security into account in overall security activities

Chief Information Officer

  • is responsible for the main information security guidelines and strategic guidance
  • is responsible for the resourcing of the University’s central information security activities

IT management unit

  • supports those involved in the management and implementation of information security in their areas of responsibility

Information Security Manager

  • reviews the need for changes in the Information Security Policy annually
  • is responsible for the development and monitoring of information security at the University
  • participates in University-level risk management regarding information security and data risks
  • participates in cooperation networks that are important for the University’s information security
  • cooperates with the data protection organisation
  • is responsible for planning and coordinating information security training
  • coordinates the handling of information security incidents
  • acts as the contact person for cooperation with authorities in the field of information security and information crimes
  • reports on information security to the University management and to the Chief Information Officer

Information security expert

  • monitors the state of information security at the University
  • reports any identified information security hazards to the Information Security Manager
  • participates in cooperation networks that are important for the University’s information security
  • participates in information security reviews and consultation
  • participates in making risk analyses
  • participates in the handling of information security incidents

Information owner

  • is responsible for the organisation of information management
  • is responsible for the structure and quality of information
  • is responsible for the use and lifecycle of information
  • is responsible for data protection, access rights and backups
  • is responsible for information-related continuity planning
  • makes decisions on the categorisation of information
  • is responsible for the management of information-related risks
  • reports on the factors influencing the security of information to the Head of the Unit and to the IT management

Service owner

  • is responsible for managing the information and IT risks of the service
  • appoints the persons responsible for the service, their deputies and the service administrators
  • reports on the factors influencing the information security of the service to the Head of the Unit and to the IT management
  • is responsible for the data protection, access rights and backups of the service and its information
  • monitors the information security of the service
  • is responsible for service-related continuity and recovery planning
  • is responsible for ensuring that the instructions and documentation for the use of the service are created and kept up to date

Service administrator (superusers, IT staff and administrators)

  • monitors and maintains the information security of the service
  • reports on the information security of the service and the related disturbances to the service owner and the IT management
  • complies with good information management, maintenance and security practices
  • makes preparations for disturbances and the measures required for their management
  • takes care of the verification and recovery procedures of the service

Researcher in charge

  • is responsible for identifying the information security requirements in the research project they lead
  • is responsible for assessing the information security and data protection risks of the research project they lead and reporting on the risks to the faculty
  • is responsible for the implementation of the information security procedures needed in the research project they lead
  • is responsible for providing safety procedure instructions to the staff involved in their research project

Supervisor

  • ensures that subordinates have sufficient information security knowledge and skills for their tasks
  • monitors compliance with the University’s instructions, rules and principles in daily work
  • intervenes in activities identified as compromising information security
  • assesses the risks of daily activities
  • reports on the risks identified in the activities to their supervisor

External partner

  • complies with good data processing and information security practices
  • monitors and maintains information security in their own operations
  • reports on the information security of their work or services and the factors influencing it to the University
  • follows the instructions given by the University in the processing of information belonging to the University