IT security policy
IT security policy for the University of Borås (Dnr 243-07-10)
The IT security policy was affirmed of the vice-chancellor 10 April 2007 and applies until further notice. Other earlier resolutions with regard to that which is regulated by this policy cease to apply.
This policy applies to the security of IT systems, within this applies data and information systems, computer networks, computers and other computer equipment.
The goal of the work with IT security at the University of Borås is to protect the university, its employees, students and the general public, from extensive damages or costs caused by interruptions to IT systems. The goal is also to assure that the university can use communication networks, computer systems and computers without unnecessary interruptions and for their intended function with high availability.
Outermost responsibility for the university’s IT security lies with the board and the vice-chancellor. The Vice-Chancellor has sets the IT security policy and, when required, other completing guidelines. The practical responsibility for IT security shall be allotted so that:
- Department Heads (Prefects, Unit Managers or equivalent) are responsible for the IT security for their respective units (institutions or equivalent). If a system owner has been elected, that person is responsible for the IT security of that system.
- For central or common systems and resources, the administrative manager will elect system owners.
- Each IT user is responsible for their own IT security in accordance with that which is stated in regulations and responsibility agreements. Users shall approve a responsibility agreement that explains their responsibilities before they gain access to resources.
- Monitoring, logging and investigation of intrusions etcetera is tasked to the ”Incident Response Team” (IRT) with the Computer Services Office.
Security levels and protection measures
In all security tasks shall the protection of life, health and personal integrity be valued highest.
Security levels and protection measures for IT security at the university shall be formed such that the goals for IT security are met within reasonable costs and without daily operations being made more complicated than necessary.
Assessments of threats and consequences of interruptions should be completed regularly and systematically.
The IT security at the university should be designed in accordance with applicable laws and regulations.
Protection measures for the IT security shall, where possible, be based on standards or de-facto standards.
Regulations and guidelines
Each individual is responsible for security correlation with their own computer usage. The university is connected to SUNET and is therefore required to follow SUNET’s regulations. In addition to these, the following local rules apply to the use of the university’s IT resources:
- Regulations for the utilisation of the University of Borås’ computer network
- Responsibility, authority and responsibilities for system administrators.
- Responsibility, authority and responsibilities for system administrators in the incident group
In addition to the above can system owners/department heads issue directions for their own systems and are therein responsible for the information regarding the presence of such directions.
Information and education
Responsibility of seeing that employees in each unit (institution or equivalent) have the necessary competence in regard to IT security lays with each department head.
Those specially elected system owners are responsible for assuring that informational and educational material for central and common systems is available. System owners are also responsible for seeing to that users have received the information and that education is initiated.
Programme and course leaders are responsible for students receiving information and education about IT security.
Outage planning shall be completed for all IT systems where a longer outage could cause large damage for the university, personnel, students or other affected persons.
Procurement and development
When procuring or developing an IT system or IT service the security requirements must always be heeded. Requirements for IT security shall be included in the requirement specification and contract, unless it is clearly unnecessary.
External operation and service
If another party performs services or assignments for the university in which IT services or IT systems constitute an important part, the university shall through contract insure itself that the party maintains an IT security that meets the university’s requirements.
External use of the university’s IT resources
If another party receives access to or can use the university’s IT resources, the university shall through contract insure itself that the usage occurs in accordance to the university’s regulations and guidelines, and that the party maintains an IT security that meets the university’s requirements.