The most important laws related to the use of information technology and IT services are:
• The Criminal Code (19 December 1889/39) describes the criminal offences and their punishments (data and communications offences in chapter 38).
• The Personal Data Act (22 April 1999/523) covers the gathering, processing, and storing of personal data. The obligations of the Personal Data Act are the reason why user accounts cannot be granted and forgotten passwords cannot be changed without verifying the identity of the account holder.
• The Information Society Code (7 November 2014/917) fosters the supply and use of electronic communications services and ensures that everyone in Finland has access to communications networks and services at reasonable conditions.
• The Act on the Protection of Privacy in Working Life (13 August 2004/759) covers the privacy of individuals in relation to their employer. The issues covered by the act also apply to students to some degree due to their close connection to the University.
1 Purpose of the Information Security Policy
The University of Helsinki management uses the Information Security Policy to express
The Information Security Policy is approved by the Rector. Policies that supplement it are approved by the Chief Information Officer.
1.1 Three dimensions of information security
Information security consists of three key dimensions:
1.2 Reasons for ensuring information security
The University of Helsinki takes care of information security because the following quality factors are important for the University’s operations, interests and position:
1.3 Implementing information security
Information security is part of the University’s operations, quality and overall security. The principles of information security leadership, management and implementation have been defined as part of the enterprise architecture.
Ensuring information security requires
All the above are known by the common term of security mechanisms.
The implementation of information security consists of selecting security mechanisms that are appropriate for the known information security risks and putting them into place. The categorisation of information is used to target security mechanisms at the most operation-critical areas. In the selection of security mechanisms, a balance must be reached between the three dimensions of information security and the costs of the mechanisms or the operational difficulties caused by increased security. The costs may include direct financial investments as well as indirect costs caused by the slowing down of work.
The objectives of information security are defined and its implementation methods are selected so as to ensure the optimal achievement of information security, statutory data protection and privacy protection in the University’s operations.
The international ISO/IEC 27000 series standards, national public administration instructions and the University’s own internal guidelines are used as a basis for setting and measuring information security objectives and developing the information security management system. The requirements of EU and Finnish legislation are also taken into account. The current state of information security and the achievement of the objectives are regularly reported to the University management and the Board of the IT Center.
The information security levels of the University of Helsinki’s systems are defined on the basis of the security requirements of operations and the information security objectives of the University. Information systems are protected in accordance with the information security principles of the University of Helsinki.
2.1 Secure and compliant operations
The scope of information security measures is defined and they are implemented as required by legislation and the agreements the University has concluded and in accordance with information security principles and objectives. In information security, too, the University prepares for disturbances and emergencies as well as unpredictable changes to ensure that its core operations can continue in all conditions.
2.2 Implementing the University’s Strategic Plan
The University’s Strategic Plan determines the focus areas for implementing information security. Information security operations support the University’s strategic guidelines, particularly in terms of supporting top-level research, international activities and increased community relations.
A development programme for information security is drawn up for each strategy period and it supports the programmes for implementing the Strategic Plan.
2.3 Controlled information security and the handling of information risks
The implementation of information security and the related risk management are organised and implemented in a controlled and systematic manner. Risk management and the selection of security mechanisms are forward-looking. This enables the secure and timely adoption of new technology and systems.
Risk management related to information security is organised and implemented as part of and in accordance with the University’s general risk management operating model. Units report on information security risks in connection with general risk reporting under the category “Information and IT risks” according to the schedule of the risk management planning cycle. Risk management findings and results are used in developing the focus areas of the information security development programme and in prioritising resources.
If realised, information security risks may result in significant harm to reputation and finances. Therefore, the University has defined the limits of risk appetite related to information security from the perspectives of confidentiality, integrity and availability as follows.
2.3.1 Risk appetite with regard to confidentiality
The University of Helsinki’s risk appetite is extremely low with regard to the confidentiality risks associated with internal misuse and illegal activities. The University’s risk appetite is low with regard to the loss of confidentiality of personal data and confidential information. The University’s risk appetite is moderate with regard to the loss of confidentiality of other non-public information.
To manage confidentiality risks, the University’s information system management and information security procedures are designed and implemented so that the likelihood of a loss of confidentiality of data stored in a system is acceptable in relation to the consequences of compromising that system’s data, and so that the residual risk does not exceed the risk appetite.
2.3.2 Risk appetite with regard to integrity
The University of Helsinki’s risk appetite with regard to the loss of data integrity is moderate, and its risk appetite with regard to operation-critical data is low. The risk appetite with regard to personal data is low.
To ensure data integrity, the University’s information system architecture is designed in such a way that the data it contains can be backed up, the amount of data lost in incidents is controlled and errors in data transfer and storage can be detected. The University is prepared to accept risks influencing integrity when it is possible to reproduce the data with a minimal or moderate amount of work.
2.3.3 Risk appetite with regard to availability
The University of Helsinki’s risk appetite with regard to long-term risks related to the availability of information is moderate, with the exception of information deemed to be operation-critical, for which the risk appetite is low. The University’s risk appetite is low with regard to the loss of availability of personal data.
2.4 Information security in support of research, teaching and cooperation
The aim of information security is to enable the secure and efficient use of information processing and communication methods required by research, teaching, studying and societal impact. Security measures scale from individual researchers, teachers and students to research projects and groups, courses, disciplines and units and to the whole University.
The objective of information security mechanisms is to enable the maximum efficiency and security of research, teaching, studying and community relations. Disturbances are prevented by assessing situations in which risks may arise and by providing risk management instructions and training.
2.5 Information security in support of administration and other support services
The University’s enterprise architecture describes the operational and technical implementation of new information systems, and in connection with this implementation, an information security review of the systems is carried out. The purpose of information security activities is to promote the adoption of new, efficient and secure systems and practices in all University operations. The aim is to secure the operational capability of the University’s most important core systems even in exceptional circumstances.
The management and monitoring of information security are part of the University’s general management and ultimately the Rector’s responsibility. The Chief Information Officer manages information security activities.
3.2 Handling of incidents
All information security incidents that affect the University, i.e. all things and events that compromise or have compromised information security, must be reported primarily to the IT management and secondarily to one’s own supervisor. Each supervisor is responsible for ensuring that information about an information security incident reported to them is also known to the IT management.
The University has an obligation to report an information security breach related to personal data to the Data Protection Ombudsman within 72 hours of becoming aware of the breach.
The Information Security Manager or a person designated by them coordinates the handling of information security incidents. In the event of an information security incident, the Information Security Manager may determine that an information system or a part of it must be closed or that an individual user’s access rights be withdrawn. The owner of any incident-related information, system or equipment has an obligation to make accessible all the resources under their responsibility that are necessary for the investigation of the information security incident.
In University-level crises, the University’s crisis management plan is followed. Information and communication crimes against the University are reported to the National Cyber Security Centre and to the police.
4.1 Shared responsibilities and obligations
Implementing and monitoring information security is the responsibility of each member of the University community. Each community group is responsible for the security and lawful processing of materials related to its own activities, and each decision-maker is responsible for the information security measures required by their decisions and the impacts of these measures. In addition, all University staff members and students are also responsible for implementing information security in their own activities and required to ensure that they
4.2 Specific responsibilities and obligations
Several roles and tasks at the University involve specific, designated information security responsibilities. These responsibilities are described in this policy’s Appendix “Information security responsibilities at the University of Helsinki”.
Communications related to information security must comply with the University’s general and crisis communications plans. Under normal circumstances, the Information Security Manager is responsible for the University’s internal information security communications. In the event of a crisis, the responsibilities for communications concerning information security are distributed as specified in the crisis communications plan.
The University may impose sanctions on a member of the University community due to activities that compromise the University’s information security, intentional or negligent failure to comply with the responsibilities defined in the Information Security Policy or a breach of information security instructions. The sanctions are determined by the University’s general sanction practices depending on the circumstances and the severity of the situation.
The implementation of information security in the University community depends on the activities of its members and the choices they make in their daily work. Every member of the community must therefore be familiar with the responsibilities and obligations associated with their activities, to ensure
2 Specific responsibilities, obligations and tasks
In addition to the general responsibilities for implementing information security and data protection, as described in the Information Security Policy, certain tasks and roles involve specific responsibilities, which are summarised below. If a University staff member or student has several different roles, the responsibilities associated with all of their roles apply to them.
Board of the IT Center
Dean and Heads of Units
Director of Administration
Chief Information Officer
IT management unit
Information Security Manager
Information security expert
Service administrator (superusers, IT staff and administrators)
Researcher in charge