Rules for the maintenance of information systems

1. Introduction

1.1 Definitions

In these rules, maintenance and administration refer to

  • keeping information systems functional and secure
  • making necessary alterations to or corrections in the information systems
  • documenting the use of and alterations made to the information systems
  • administering user IDs, user accounts and access rights for information systems, and
  • monitoring the operation and use of information systems and compiling statistics on them.

In these rules, an information system or a system refers to

  • a single data processing device or facility, or a system composed of such devices that are owned by the University or are connected to the University network
  • the University computer network
  • software and services running in the University computer network, and
  • the information content of all the above-mentioned systems.

A University unit refers to a faculty, department, division or other functional unit of the University.

The responsible owner of a specific information system within the University refers to the unit for which the information system has been acquired, and which designates the persons entitled to use the information system. The owner of information materials may also be the author of the materials, as defined in the Copyright Act.

The manager of a University information system is responsible for the management of said information system unless the management responsibilities have been transferred to another unit within the University or outsourced by contract. Usually, the manager of an information system is not the system administrator.

System administration refers to persons responsible for the technical management of the University’s information systems and to other University IT support personnel, who collaborate to maintain the systems and provide user support and guidance. In a broad sense, the term ‘administrator’ refers to all persons having administrative rights in the system.

1.2 System administrators’ privileges

To ensure the functionality of information systems, an administrator has extensive rights to inspect the status of the systems and, if necessary, to intervene in the function of the systems, in the actions of individual users and in their data in the systems if there is reason to suspect that such data violate current regulations or rules for the use of information systems (e.g. illegal copies of music or films).

To eliminate and fend off breaches of information security, an administrator has the right and obligation to take necessary steps to ensure information security. Cases of information security incidents shall be dealt with in accordance with the University of Helsinki Information Security Policy and the instructions for responding to information security incidents.

To avoid a conflict between an administrator's privileges and the legal protection of the users of the system, the application of an administrator's privileges is controlled by guidelines and rules based on current regulations. The University’s IT Center is responsible for the University’s information security policy, which, along with other valid regulations and instructions for the use of the University’s information systems, will be posted on the University’s web site. Departments and units may issue detailed system-specific rules and instructions.

These rules are binding for all system administrators at the University, including students, should they be the administrator of an information system or part of such a system that is connected to the University information network.

2. Responsibilities

A unit must document the information systems or system entities in its possession, prioritise them when necessary, and assign and document the managers and administrators. The owner of the information system is responsible for the existence, validity and availability of information system documentation.

The owner of the information system and, ultimately, the head of unit are responsible for ensuring that the system adheres to current legislation, good administrative practices and current guidelines and regulations issued by the University. The owner is always ultimately responsible for the maintenance of the system. The information systems manager is responsible for the technical maintenance of the systems in accordance with good administrative practices. Every system must have designated administrators. Administrative duties shall be distributed, if possible, to several individuals with different access rights. The actions and procedures taken by administrators shall also be logged.

The owner or manager of an information system is not responsible for the contents of an individual user’s data. Users are personally responsible for the legality of their data and are required to protect them in accordance with the guidelines issued by the University. The manager of an information system has, however, the right and obligation to intervene with a user’s data if there is reasonable cause to suspect that it contains information security hazards or illegalities.

If an administrator is suspected or has been found to have misused his or her privileges, the head of the relevant unit or a contact person designated by the head shall be contacted. The head or the contact person shall inform the Campus Information Security Officer. Further measures, if any, shall be taken in accordance with the University of Helsinki Information Security Policy.

 

3. Policy of operation

3.1 Good maintenance practices

Information systems shall be maintained in accordance with good maintenance practices. Good maintenance practices mean well planned, responsible and professional administration which complies with good information management practices as provided by the Act and Decree on the Openness of Government Activities[1].

3.2 Protection of privacy

The administration of the University's information systems takes into account the right to privacy and the confidentiality of communication between users and their communication partners. While adhering to these basic rights, however, the University reserves the right to control the information content and purpose of use of the information systems in its possession. This also applies to the telecommunications network owned by the University. The purpose of use is defined in greater detail in the Rules for the use of University of Helsinki information systems or in system-specific rules.

When users request an administrator to handle their email or other files, the administrator must check the person's identity in an appropriate manner, for example, by verifying their identity against an official certificate of identification.

An administrator may contact a user either by calling a telephone number found in the University’s information systems or by sending him or her an email. If, however, there is suspicion that the user ID has fallen into the wrong hands, email should not be used.

3.3 Confidentiality

Administrators are bound by confidentiality and a ban on the exploitation of information not related to work and of the existence of such information that they may learn while performing their professional duties. Non-public work-related matters may be discussed only between individuals or authorities that are bound by the same confidentiality and to whose professional duties the matter is relevant.

Administrators in particular are bound by Section 40, Sub-Section 5 of the Penal Code, according to which public officials must not deliberately, while in office or thereafter, unlawfully disclose a document or information which under law is to be kept secret or not to be disclosed.

Administrators shall sign a confidentiality agreement.

4. Practicalities

4.1 Identities, passwords

Administrators do not need to know users’ passwords to carry out their duties, and they must not inquire about users’ passwords.

If the rectification of a problem requires the administrator to temporarily assume a user's identity, the user must either be present to provide his or her password to the authentication service, or the administrator must assume the user’s identity through administrators’ privileges. The user must be informed of the latter beforehand or as soon as possible. The administrator must not retain the user’s identity any longer than is necessary for rectifying the problem.

In situations described above, the administrator must verify the identity of the user in an appropriate manner.

Administrators shall resort to main user privileges only when their maintenance duties so require. In all other cases, they shall use their own personal user IDs.

4.2 Restrictions on user accounts during investigations

If there is reason to suspect that the University's information security has been compromised or that a user is guilty of breaching the Rules for the use of University of Helsinki information systems or of other misuse, an administrator has the right to restrict the user's access rights to the information systems for the duration of an investigation.

The investigation shall be carried out and consequent further measures shall be taken in accordance with the University of Helsinki Information Security Policy.

4.3 Processing of emails

According to the Constitution of Finland, the secrecy of correspondence, telephony and other confidential communications is inviolable, unless otherwise provided by law. An email message is analogous to a letter in that it is confidential unless it has been intended for public distribution.

The principles for processing email are laid out in the Rules for processing email. The present Rules for the maintenance of University of Helsinki information systems provide rules for special circumstances in which an administrator must intervene with email communications to ensure the service level or security of the system.

An administrator has no right to view a user’s email. An administrator may be required to open files containing a user's email in the following situations:

  • A user requests this from the administrator. For example, the request can be made in a situation where the user's mailbox cannot be opened with the software at the user's disposal. The authorisation to open files containing a user's email concerns only that one instance. If the user asks for information about the contents of the mailbox, the administrator must, without exception, verify his or her identity (see Section 3.2).
  • A user's mailbox causes a disturbance because of, for example, its large size or damaged structure.
    • A mailbox that disturbs the flow of e-mail due to its large size must be transferred to another location without opening it. The user must be notified of the new location of the mailbox if the mail system cannot automatically find it. If the mailbox cannot be placed in a location accessible to the user because of its large size, a method for transferring the messages to the user must be agreed upon with the user. A transferred mailbox may be compressed to a less space-consuming format, provided that the user receives detailed instructions for accessing the emails. A large mailbox may also be deleted in exceptional circumstances if no other reasonable action can be taken. The decision to delete a mailbox will be made by the head of the unit administering the system.
    • An administrator is allowed to repair a structurally damaged mailbox without asking the user's permission. However, the administrator is not allowed to read any textual contents addressed to the recipient.
    • The user shall be immediately notified of any non-standard procedures performed on his or her mailbox.
  • The email system cannot deliver a message due to its insufficient or damaged structure. In such a situation, the administrator is authorised to examine and repair the technical guidance data of the message. However, the administrator must not, as far as possible, read the textual contents addressed to the recipient of the message.

An administrator also has the right to purge mail that is being delivered of any messages that jeopardise the proper functioning of the email system, as well as of messages generated by a technical error that are thus obviously unnecessary.

4.4 Processing of other data

As a rule, administrators have no right to read or otherwise process the contents of files owned by users.

However, an administrator has the right to open files owned by users under the following circumstances:

  • A user has authorised the administrator to do so in order to solve a problem.
  • A special written request has been made, for example, in a situation where the proper functioning of the University is jeopardised because of an absence. The files owned by the absent employee or student and protected from other users may have to be processed. The head of the relevant unit may order the administrator to grant a designated person access to the relevant files.
  • A user ID holds, owns, or is in charge of programs or initialisation files that disturb the proper functioning of the system or compromise the safety or information security of other users. In such cases, an administrator may examine the contents of the files and, if necessary, stop their operation.
  • There is reason to suspect that a user ID has fallen into the wrong hands and that the user ID possesses files or programs that can jeopardise or threaten the University’s safety and capacity to function.
    • If an administrator suspects that a user ID has fallen into the wrong hands, he or she has the right to temporarily cancel the user ID. Other subsequent action will be taken in accordance with the instructions for responding to information security incidents. As a rule, efforts will be made to contact the user before any action is taken, but protection and rectification measures may have to be initiated before contact can be made.
  • There is reason to suspect that the owner of a user ID is guilty of misuse and it can be assumed that certain files owned by the user contain evidence of this misuse.
    • An administrator has the right to temporarily cancel a user ID in case of misuse. Misuses are handled in accordance with the University of Helsinki Information Security Policy, the Rules for the use of University of Helsinki information systems and the instructions for responding to information security incidents.
  • Administrators have the right to stop the display of such web pages that are against the law or the Rules for the use of University of Helsinki information systems.
  • The protection status of the files allows such action anyway, unless this is a clear error on the part of the user, who has unintentionally set free access rights to all his or her files. In such a case, it is the administrator’s responsibility to inform the user that the protection of his or her files is inadequate.

In addition to the above, administrators always have the right to:

  • Access and modify initialisation files, email forwarding or sorting files as well as other files in the users’ home directories that affect the functioning of the system if such files are found to threaten the functionality or security of the system or the information security of users. If modifications cannot be performed without erasing the modifications made by the users themselves, the old version made by the user must be transferred to another file name and the user must be notified of this.
  • Verify that common disk areas do not contain files that are illegal or threaten the functionality or security of the system or the information security of users. Such files include, for example, malware, recordings that violate copyrights and illegal data as defined by the Penal Code.
  • Manually or automatically delete files from disk areas that have been assigned for temporary storage. This deletion must take place in accordance with previously-agreed principles, which are also available to users. However, the users need not be informed of these deletions.
  • Delete documents from print queues if they hamper the operations of the print services. Users need not be informed of these deletions.

4.5 Monitoring of directories and file lists

Under normal circumstances, administrators cannot fully avoid processing and seeing file lists of directories owned by users. Processing directory structures, file names, modification dates, and size and protection levels along with other information pertaining to files is part of normal maintenance and administration, which are carried out in accordance with good administration practices.

If an administrator finds that the protection of a file or a directory is insufficient in relation to its nature, he or she has the right to upgrade the protection to the necessary level.

In carrying out maintenance and administrative duties, administrators shall take care to not display file names and equivalent information unnecessarily. For example, when file listings are needed to solve a problem, if possible, those file names that do not pertain to the matter at hand will be deleted from the list.

4.6 Monitoring of programs and processes

The manager of the information system and the system administrator together define which software shall be available in the system. Programs can be prohibited or withdrawn from use if their use is not necessary for the operation of the University or if they jeopardise the high level of services and security. This decision will be made by the head of the unit administering the system.

Administrators routinely monitor the programs running in the information system.

Administrators may adjust the priority of a process if this process consumes excessive system resources.

An administrator may terminate a process if

  • the function of the process is clearly disturbed,
  • the process hinders the proper functioning of the rest of the system,
  • the process is connected to software which violates the instructions and rules issued by the system administrator (in such cases, the user shall be notified of the termination of the process and of the relevant regulations), or
  • the user ID of the process owner has expired.

4.7 Monitoring of the data communications network

Administrators of the University data communications network monitor the traffic of the University network and its external connections using monitoring software and by reviewing log data to be able to ensure a reasonable level of services and security as well as the cost-effective use of external connections.

The monitoring of network traffic does not involve the contents of the information transferred, but rather the amount and nature of the traffic. The monitoring of source and target computers is statistical in nature and does not focus on an individual user, except in cases of disturbances. However, the traffic of an individual system can be monitored in greater detail if anomalies, such as excessive traffic load, are being investigated.

In order to investigate a possible incident of disturbance or misuse, a network administrator may contact the person responsible for the computer that is the source of excessive traffic or other anomalies.

An administrator of the data communications network may deny a computer or a part of the network access to data communications or the use of a certain service if this computer or part of the network:

  • causes traffic that jeopardises the high level of service or security of the network,
  • gives cause to suspect that a computer or computers have fallen into the wrong hands or are infected by malware,
  • breaches the Rules for the use of University of Helsinki information systems, or
  • is not properly maintained and administrated, especially in view of information security.

In all of the above cases, the administrator responsible for the computer or part of the network shall be contacted without delay once access to data communications has been denied.

4.8 Processing of log files

The University's information systems create log files to document the functioning of the system, to investigate possible disturbances or misuse and to collect statistical and invoicing data. The University normally uses the logged information only for technical maintenance, invoicing and statistics. The log files may form a register that falls under the scope of the Personal Data Act or contain identification data which fall under the scope of the Act on the Protection of Privacy in Electronic Communications.

4.9 Storage of data

The provider of information system services shall, as a part of maintenance and system administration, ensure that backup copies are made of the systems. Depending on the purpose of the system, backups are made with sufficient frequency in case of, for example, disk failures.

Backup copies shall be stored in an appropriate manner, and the administrator shall ensure that they are accessible. The processing of data on backups shall comply with the same principles as the processing of equivalent data in information systems. The deletion of backups shall take place in such a manner that the confidentiality of the data in them will not be compromised.

5. Monitoring the observance of these rules

Monitoring the observance of these rules is the responsibility of the owner of the IT Center and of other information systems in the University units. Breach of these rules shall be handled in accordance with the University of Helsinki Information Security Policy. The IT Center shall update these rules and the IT Security Manager shall monitor the need for updates. A valid version of the Rules for the maintenance of University of Helsinki information systems shall be posted on the IT Center’s web pages.

Appendices

Appendix 1: Relevant legislation

Maintenance and administration shall comply with current rules and regulations.

Relevant legislation* for maintenance and administration includes:

  • Provisions on privacy, freedom of expression and publicity in the Constitution of Finland (Perustuslaki (731/1999))
  • Personal Data Act (Henkilötietolaki (523/1999))
  • Act on the openness of government activities (Laki viranomaisen toiminnan julkisuudesta (621/1999))
  • Decree on the openness of government activities and good information management practices (Asetus julkisuudesta viranomaistoiminnassa ja hyvästä tiedonhallintatavasta (1030/1999))
  • Act on the protection of privacy in electronic communications (Sähköisen viestinnän tietosuojalaki (516/2004))
  • Act on the protection of privacy in working life (Laki yksityisyyden suojasta työelämässä (759/2004))
  • Act on the amendment of the act on cooperation in government agencies and institutions, Amendment in Section 7 (Laki yhteistoiminnasta valtion virastoissa ja laitoksissa annetun lain (651/1988) muuttamisesta (479/2001), Muutos 7 §:ssä (762/2004))
  • Act on the provision of information society services (Laki tietoyhteiskuntapalveluiden tarjoamisesta (458/2002))
  • Penal Code (Rikoslaki (39/1889))
  • Coercive Measures Act (Pakkokeinolaki (450/1987))

as well as all other acts, decrees, regulations and rules prescribed on the basis of the above legislation.

* English translations of Finnish Acts and Decrees are unofficial; authoritative versions exist only in Finnish and Swedish.

Appendix 2: University of Helsinki Confidentiality Agreement

During my employment with the University of Helsinki, I hereby agree not to disclose to a third party the confidential contents of documents or any other information that comes to my knowledge and which is prescribed by law as private or confidential.

I hereby agree not to misuse any non-public and confidential information that comes to my attention while carrying out my professional duties and not to leave this information available to third parties or otherwise make such information easily accessible to outsiders.

My commitment to confidentiality and to privacy will also be valid after my employment or commission contract with the University of Helsinki is terminated.

Confidential information includes various kinds of personal data, information related to security, and the professional and business secrets of cooperation partners. Outsiders include employees of the University of Helsinki or its cooperation partners who do not need access to such confidential information to perform their duties.

When my employment or commission contract with the University of Helsinki terminates, I shall return to the University all non-public or confidential documents, data media and copies, if any, pertaining to the University of Helsinki or its cooperation partners.

I have studied the statutory regulations on confidentiality and the ban on the exploitation of information, the University of Helsinki Information Security Policy and the Rules for the maintenance of University of Helsinki information systems. I hereby agree to observe current instructions and regulations, which are posted on the IT Center’s website.

Breach of the above-listed rules and regulations may, in certain cases, constitute a crime.