University of Helsinki Information Security Policy
1 Purpose of the Information Security Policy
The University of Helsinki management uses the Information Security Policy to express
- its views on information security and the connection of information security to implementing the University’s Strategic Plan,
- the most important guidelines and focuses for information security activities during the strategy period, and
- its willingness and commitment to information security at the University.
The Board of the University’s Centre for Information Technology approves the Information Security Policy and discusses and approves its supplemental guidelines.
1.1 Three dimensions of information security
- Confidentiality: Identifying confidential information and ensuring its confidentiality
- Integrity: Ensuring the accuracy and consistency of information and its preservation for an appropriate length of time
- Availability: Ensuring opportunities for the appropriate use of information
1.2 Ensuring information security
Information security requires the selection and implementation of measures that are appropriate for each stage of the lifecycle of information and are targeted at the instruments, systems and methods used to handle information during these stages. Also required are rules and instructions for guiding the persons who handle information, as well as their training. All of the above are collectively known as security mechanisms.
In practice, information security is about selecting security mechanisms that are appropriate for the known information security risks and putting these mechanisms into place. The selection of security mechanisms requires seeking a balance between the three dimensions of information security and the costs of the mechanisms or the operational difficulties due to increased security. The costs may include direct financial investments as well as indirect costs caused by the slow-down of work.
The objectives and methods of information security are defined so as to ensure the optimal achievement of statutory data protection and privacy protection in the University’s operations. The objectives and current state of information security are regularly reported to the Board of the Centre for Information Technology.
The information security levels of the University of Helsinki’s computer systems are defined in accordance with instructions from VAHTI, the Government Information Security Management Board, and the systems are protected in ways described in the University of Helsinki’s information security architecture. Current and future EU and Finnish laws and regulations are also taken into account.
1.3 Reasons for ensuring information security
- To comply with laws and other binding regulations
- To safeguard the performance of key operations, even in exceptional situations
- To safeguard the ability to collaborate and compliance with agreements
- To create a secure environment to meet the needs of the University’s core operations
- To maintain the University’s reputation and promote confidence in the University
- To prevent the University’s systems from being used to harm others
2.1 Secure and compliant operations
The University will define the scope of information security measures and implement them, as required by legislation and the agreements the University has concluded in accordance with the principles of its information security architecture. The University will also prepare for disturbances and emergencies as well as unpredictable changes to ensure that it can continue to operate undisturbed in all conditions.
2.2 Implementing the Strategic Plan for the University of Helsinki
The University’s Strategic Plan determines the selection of focuses for information security. Information security supports the University’s strategic guidelines, particularly in terms of supporting top-level research, international activities and increased community relations. A development programme for information security must be drawn up for each strategy period to support the programmes for implementing the Strategic Plan.
2.3 Controlled information security and the handling of information risks
Information security and the related risk management measures are organised and implemented in a controlled and systematic manner. Risk management and the selection of security mechanisms are also forward-looking to enable the secure and timely adoption of new techniques and systems.
IT Management maintains documentation related to information security, covering the following:
- The organisation of risk management related to information and information systems
- The monitoring of compliance with information security requirements set out by the legislative environment and by the agreements binding the University
- Roles in the area of information security and related responsibilities and authorisation
Information security is part of the University’s overall security. The audit committee of the University Board receives reports on the management of information security risks.
2.4 Adjusting information security to open international activities
National and international standards and recommendations (e.g., ISO, KATAKRI and VAHTI) as well as internal University instructions are used to set objectives for information security, define the scope of information security, assess information security and select security mechanisms.
Internationalisation is supported by offering resources and training related to the University’s information security also in English. The increasingly international University must select sufficiently secure, user-friendly tools and offer related advice.
2.5 Information security in support of research, teaching and collaboration
The aim of information security is to enable the secure and efficient use of methods for information processing and communication, as required by research, teaching and collaboration. Security measures scale from individual researchers and teachers to research projects and groups, and from courses, disciplines and units to the whole University. The objective of information security activities is to enable the maximum efficiency and security of research, teaching and community relations. Disturbances are prevented by assessing situations in which risks may arise and by providing instructions on managing risks and the related training.
2.6 Information security in support of administration and other support services
Information security is addressed as part of the development of administrative systems. The University’s enterprise architecture describes the operational and technical implementation of new administrative systems, and in connection with this implementation, a security audit of the systems is carried out. The purpose of information security activities is to promote the adoption of new and efficient systems and practices in all University operations. The aim is to secure the operational capability of the University’s most important core systems even in exceptional circumstances.
The management and monitoring of information security are incorporated into the University’s general management system and are ultimately the rector’s responsibility. The chief information officer manages information security activities.
The chief information officer is responsible for the main guidelines, strategic guidance and monitoring of information security, as well as for ensuring sufficient resources for the University’s central information security activities.
The University’s IT Management is responsible for developing instructions and activities related to information security.
The information security manager is responsible for developing information security, monitoring and cooperating on information security issues with external partners, and planning development measures for information security. The information security manager supervises information security, addresses any incidents and heads investigations into them. In the event of an information security incident, the information security manager may determine that an information system or its part must be closed or that an individual user’s access rights be withdrawn. The information security manager heads the information security group, which supports and assists departments in ensuring information security and provides regular information security training and audits.
Each head of department is responsible for the security of the systems the department owns, as well as for their costs and compliance with rules. All members of the University community must ensure and monitor information security. They are also responsible for ensuring information security in their own activities and are required to report any deficiencies in information security to the information security manager.
Communication related to information security must comply with the University’s plans for communication and crisis communication. In normal circumstances, the information security manager is responsible for the University’s internal communication on information security. The unit director is responsible for the unit’s internal communication on information security. In the event of a crisis, the responsibilities for communication concerning information security must be distributed as specified in the plan on crisis communication.