IT Security Policy

Preamble

This document is addressed to all members and guests of JGU who operate or use devices of any type and function on JGU networks. It defines basic responsibilities and principles in the field of IT security. The security policy will be supplemented by future operating rules that regulate details for the operation of devices such as printers, multimedia devices, web servers, mobile devices and others.

Information and communication technology is of central importance for the fulfillment of tasks in research and teaching as well as administration at JGU. The range of IT applications includes operating facilities, performing tests and experiments, scientific applications and simulations, teaching, online examinations, work in the administration as well as in the central facilities, and communication with external partners and clients.

IT security as well as compliance with data protection and other legal regulations are a fundamental prerequisite for a functioning university. Ensuring IT security is the responsibility of all university facilities and users of the IT infrastructure and IT systems.

IT security at JGU is based on the current guidelines for basic IT protection, published in the IT-Grundschutz-Compendium[1] of the German Federal Office for Information Security (BSI).

§ 1 Definitions

The following definitions are being used:

1. Key security objectives of information security

The key security objectives of information security are confidentiality, integrity and availability of any kind of data.

In the context of research, teaching and administration, including the documentation of research projects, the handling of research data, the preparation of academic papers, and issuing of transcripts of records or diplomas, the following key security objectives must be observed at JGU:

  • Authenticity
  • Liability
  • Reliability
  • Non-Repudiation

2. IT security

IT security is defined as compliance with the key security objectives defined under 1 regarding all IT systems and all processes at JGU that involve data processing. This includes all active components of the network, all systems on which data is stored and processed, and all processes that record, process and store data. This also includes devices with which access to data is possible and the associated organizational and structural framework conditions.

3. Confidentiality

Data of any kind may only be accessed and used by authorized persons in a defined and permissible manner.

4. Integrity

Integrity refers to ensuring the correctness (intactness) of data and the correct functioning of systems. When the term integrity is used in connection with the term data, it means that the data in question is complete and unchanged. In information technology terms, however, integrity is typically used more broadly to describe information. The term information is used for data that, depending on the context, can be associated with certain attributes, such as the author or the time and date of creation. Loss of the integrity of information can therefore mean that it was changed without authorization, the information regarding the author was tampered with, or that the date of creation was manipulated.

5. Availability

Services, information, and the functions of IT systems, IT applications, and IT networks are considered available when users are able to access them as intended at all times.

6. IT infrastructure

In terms of IT-Grundschutz, infrastructure is understood to include the buildings, rooms, power supplies, air conditioning systems, and cabling used for IT. IT systems and network switching elements are not part of infrastructure.

7. IT systems

A functional unit of hardware and software that collects, records, prepares, uses, stores, transmits, processes under program control, internally displays, outputs and recovers data.

8. IT security process

All procedures aiming at integrating IT security in all processes at JGU in order to continually develop and improve IT security at JGU.

§ 2 Scope

The IT Security Policy applies to all persons and institutions that use the IT infrastructure, networks and connected IT systems of JGU Mainz at any JGU location or operate IT systems in this environment.

§ 3 Basic principles for the operation of IT systems at JGU

The following principles apply to the operation of devices at JGU:

  1. Members as well as guests of JGU are allowed to operate their own IT systems at JGU and receive a network connection with access to the Internet for these devices that meets the security requirements of JGU.
  2. Members as well as guests of JGU are granted access to IT resources for which there is a justified need, if this access can be realized appropriately and securely.
  3. Members of JGU may provide network services on their own IT systems under the following conditions:
    1. They must have sufficient, appropriate, current knowledge of both IT system operation and IT security.
    2. There must be a justified need for offering network services beyond their own network segment.
    3. The operation of IT systems must not compromise the security of the JGU IT infrastructure and other IT systems.
    4. Central security measures, such as firewalls, access controls and access restrictions, may not be circumvented.
  4. Responsibility for IT security basically follows the responsibilities for IT systems, i.e. anyone operating an IT system in the JGU network is responsible for its proper and secure operation over the entire lifetime of the system until it is decommissioned and disposed of properly.
  5. Events that could affect IT security must be reported immediately to the ZDV. The ZDV will immediately inform the IT security officer.

§ 4 Participants in the IT security process and their tasks

1. Executive University Board

The overall responsibility for ensuring IT security and compliance with the IT security process at JGU lies with the Executive University Board. The Chief Information Officer (CIO), on behalf of the Executive University Board, carries out the IT security coordination tasks regarding the university as a whole after consultation with the IT security officer.

2. Senate Committee for Information Technology and Digital Processes

The Senate Committee develops strategic proposals regarding information and communication technologies as decision criteria for the Senate. Results are forwarded to the Executive University Board for approval or implementation.

3. Crisis Management Team IT Security

The Crisis Management Team manages and coordinates all actions related to security incidents. The core team consists of the IT Security Officer, the CIO, and named ZDV staff.

4. IT Security Officer

The IT security officer’s tasks include analyzing and improving JGU's IT security, advising JGU decision-makers, investigating IT security-related incidents, and preparing reports on the state of IT security. Regarding IT security, the IT security officer is only bound by instructions from the Executive University Board and the CIO.

The IT security officer has the right to make proposals. This right entitles them to submit their own proposals regarding IT security to all parties and bodies mentioned under § 4 as well as to users. The IT security officer must be informed and, if necessary, involved in all projects that have a significant impact on the security aspects of information processing.

5. Head of the Data Center (ZDV)

The Head of the ZDV is responsible for the security of the IT infrastructure and IT systems operated by the ZDV and for documenting the implemented security measures.

6. Responsible operators of IT systems

Responsible operators of IT systems are authorized within their area to take individual further measures in addition to the university-wide IT security measures. In case of possible effects on the IT infrastructure and IT systems of the university, consultation with the ZDV is required. The measures taken independently must be documented.

§ 5 Danger intervention

The ZDV and the IT security officer are entitled to take immediately necessary defensive measures in case of imminent danger. The principle of proportionality must be observed. The measures should be taken in such a way that the affected user - if at all possible - is informed in advance. Affected users (to the extent that they can be identified), the management of the affected institution and the IT security officer must be informed immediately about the incident and the measures taken.

If an incident is classified by a person responsible for an IT system as potentially endangering IT security, that person is obliged to take appropriate defensive measures without delay and to inform the ZDV and the IT security officer of the incident and the measures taken.

§ 6 Preventive measures

Preventive measures are necessary to ensure IT security. Suitable technical and organizational measures should be used to identify and contain risks of danger and to detect attacks on IT security at an early stage.

The IT security officer and the ZDV can propose preventive measures. The implementation of preventive measures is the responsibility of the respective IT system operator. The decision on the implementation of cross-divisional measures is the responsibility of the Executive University Board.

§ 7 Update provisions for maintaining and further developing the IT security process

The IT security officer is responsible for continuously reviewing and further developing the IT security policy, the operating rules and the effectiveness of the previous organizational form as well as the measures and processes for IT security. They report on this to the Executive University Board and the CIO at least every two years.

§ 8 Entry into force

This IT Security Policy for Johannes Gutenberg University Mainz enters into force on the day of publication.


*** Please note that this is a courtesy translation for non-German speaking readers. Only the German version is legally binding.***

[1] BSI IT-Grundschutz-Compendium (note: only the "old" 2021 version has been translated into English so far)