
Information Security Guideline

The Information Security Guideline was put into force on 25.01.2020 by announcement in the bulletin Amtlichen Mitteilungen der Universität Ausgabe 04/2020. We have provided the following information for you as a PDF file. The individual paragraphs and Appendix 1 of the guideline can be viewed directly below:

  1. The information security guideline defines responsibility structures, assignment of tasks and the cooperation between those involved as well as the content-related specifications of the University’s information security process.
  2. It applies to all employees of the University of Göttingen/University of Göttingen Public Law Foundation, including the University Medical Center (hereinafter collectively referred to as the University of Göttingen Foundation), in particular when they use the IT infrastructure of the University of Göttingen Foundation or process data of the University of Göttingen Foundation or its customers, as well as to the entire IT infrastructure of the University of Göttingen Foundation, including the IT systems that are operated.
  1. Running a university and a maximum-care university hospital increasingly requires the integration of procedures and processes that are based on the possibilities offered by the communication and information technology (IT). Functional and secure IT processes are therefore the key basis for the efficiency of the University and its administration, especially in the areas of research, teaching, medical care, public health services, training, advanced training and continuing education as well as technology transfer.
  2. Information security is of fundamental and strategic importance here, and it requires the development and implementation of an information security guideline. Not least, secure IT processes are the basic requirement for all data protection measures that have to be implemented when personal data is processed.
  3. Due to the complex subject matter, the rapidly developing technical possibilities and the limited financial and human resources, this can only be done through a continuous information security process. This process must, on the one hand, be developed and updated on the basis of the tasks and rights of the University and, on the other hand, can only succeed within regulated responsibility structures.
  4. The information security guideline not only aims at meeting the existing legal requirements, but also at fundamentally protecting the data and applications used in the University as well as protecting the University from material and immaterial damage and, in the process, taking into account the freedom of research and teaching, worldwide cooperation based on professional exchange, common project structures, high staff turnover, various user groups with their different roles and rights and the rapid development cycles of information technology.
  1. For the purposes of this guideline, information security means to establish and maintain:
    1. “confidentiality”; i.e., to guarantee that only authorised persons have access to information,
    2. “integrity”; i.e., to ensure the correctness and completeness of information and processing methods,
    3. “availability”; i.e., to guarantee that authorised persons have access to information when they need it.
  1. This information security guideline is intended to ensure that security measures are taken, which are appropriate for the respective protection purpose and which correspond to the state of the art, in order to minimise the occurrence of information security incidents. These measures particularly serve:
    1. reliable support of processes by the IT and the continuity of workflows,
    2. patient security and treatment effectiveness in medical care by the University Medical Center,
    3. the preservation of official, company, business and other secrets,
    4. that the requirements resulting from legal specifications are met,
    5. that the data subject's right to informational self-determination is ensured when his or her personal data is processed,
    6. compliance with the regulation of the University of Göttingen to ensure good scientific practice,
    7. the reduction of material and immaterial damage resulting from information security incidents and
    8. the implementation of secure and trustworthy procedures for exchanging information, for communication and for transactions with cooperation partners.
  1. The information security process is used for securing data, whereby the security of data processing systems and entities must be guaranteed, and particularly includes the following tasks:
    1. Definition and determination of responsibilities,
    2. Determination of protection requirements and recognition of risks,
    3. Definition and determination of access to information as well as the type and scope of authorisation,
    4. Determination of security and control measures in accordance with the information security guideline,
    5. Implementation, review and updating of security and control measures to protect information.
  1. All information shall be assigned to categories with approximately equal protection requirements; where:
    1. “Normal protection required” means that the impacts of damage are limited and manageable,
    2. “High protection required” means that the impacts of damage could be considerable,
    3. “Very high protection required” means that the impacts of damage could reach an existentially threatening, catastrophic extent.
  1. Based on possible damaging events and their causes and effects, risks must be assessed and handled with the help of a risk treatment plan by taking risk mitigation, risk avoidance, risk transfer or risk acceptance measures, considering the financial and organisational effort. Any remaining risks within the framework of risk acceptance must be described and the management should assume responsibility for them.
  1. The overall responsibility for information security and for the information security process lies with the management of the University and, respectively, with the Management of the University Medical Center (UMG).
  2. The Presidential Board and the Management Board delegate the organisation and implementation of information security management, to the extent specified in §§ 11 and 12, to the Information Security Officer (Informationssicherheitsbeauftragter, ISB) or the Information Security Manager (ISM).
  3. The competent management of the respective unit specified in Addendum 1 (hereinafter called: competent management) is responsible for performing the tasks specified in § 8 at a decentralised level. The Presidential Board or the Management Board can cancel the delegation according to Sentence 1 and decide for themselves.
  1. The IT Steering Group and the joint Chief Information Officer of the University and the UMG (CIO) perform tasks for the IT and thus also for the information security of the University of Göttingen Foundation.
  2. Specific responsibilities are defined in the “Operating Procedures for Joint IT Governance of the University of Göttingen and the University Medical Center for the IT Steering Group and the Chief Information Officer” in the currently applicable version.
  1. IT systems and IT services for the University of Göttingen Foundation are primarily provided cooperatively by the following IT service providers:
    1. Department of Digital Library of the Göttingen State and University Library (SUB),
    2. The Information Technology division of the UMG,
    3. Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen (GWDG).
  2. By providing professional and secure IT services, the IT service providers make a significant contribution to the information security of the University of Göttingen Foundation.
  3. If a task is not performed by the IT service providers named in Section (1), institutions may use their own IT systems and IT services and have them operated by other service providers. For such IT systems, the IT service providers assist with fundamental issues of IT operation and information security.
  1. The competent management as specified in Addendum 1 can, in its sphere of responsibility, entrust subordinate managements of a subdivision with the performance of its tasks, thus making the subordinate management the competent management in their sphere of responsibility. This must be documented and communicated to the ISM. This does not affect the representative performance of these tasks by a deputy in the event of absence.
  2. In its sphere of responsibility, the competent management is responsible for:
    1. appointing an Information Security Coordinator according to Section (3),
    2. appointing specialist managers according to Section (5),
    3. deciding on the respective specific information security concepts according to Section (6),
    4. deciding on the further handling of information security incidents according to § 16.
  3. The competent management can appoint an employee of the University of Göttingen Foundation as the Information Security Coordinator (ISK) for the respective unit. The appointment must be documented. If no ISK is appointed, his or her tasks are the responsibility of the competent management. The competent management can also appoint one or more deputies for the ISK.
  4. Competent managements can jointly appoint joint ISKs for their units.
  5. The competent management can appoint an appropriate number of specialist managers for the datasets, IT procedures, IT systems and infrastructures assigned to a unit. The appointment must be documented. If no specialist manager is appointed, his or her tasks are the responsibility of the competent management.
  6. The competent management decides on the specific information security concepts based on the opinion of the ISK and upon approval by the ISB, and is responsible for the risks undertaken in these concepts.
  1. Information Security Coordinators (ISKs) coordinate the information security process within their sphere of responsibility and monitor its implementation by IT users. ISKs report on this to the competent management.
  2. The competent management is responsible for ensuring that ISKs are equipped with the authority and the resources necessary to carry out their tasks. The competent management is obliged to ensure that ISKs participate in the necessary further training in the field of information security; participation in further training is a duty arising from the individual employment or service relationship.
  3. The tasks of the ISK particularly include:
    1. Recommendation of awareness-raising and training measures,
    2. Providing advice to specialist managers for the performance of their tasks,
    3. Initiation of the preparation and updating of protection requirement assessments and risk analyses,
    4. Giving opinion on specific information security concepts,
    5. Immediate submission of specific information security concepts to the ISB,
    6. Gathering and providing specific information security concepts of the respective unit,
    7. Assessing the severity of reported information security incidents, checking whether an information security incident could also be a data protection incident, and preparing the recommended course of action according to § 16 for the competent management.
  4. ISKs may seek advice from the ISB and the ISM to perform their tasks.
  1. Specialists responsible are in charge of implementing the information security processes for the datasets, IT procedures, IT systems and infrastructure assigned to them. This particularly includes the following tasks:
    1. Identification of the protection requirement for information, IT procedures, IT systems and infrastructure as well as the analysis of risks,
    2. Preparing and updating operational concepts based on the protection requirements assessment and risk analysis,
    3. Regular review of the protection requirements assessment, risk analysis and the operational concept according to the intervals to be defined in the operational concept,
    4. Initiating and controlling the implementation of the measures laid down in an operational concept, particularly also when using external IT service providers (e.g., order processing).
  2. To perform their tasks, specialists responsible may seek advice from the ISK, the ISB or other staff of the respective unit or the internal IT service provider.
  3. A protection requirements assessment and risk analysis may also result in a decision that no further measures over and above the implementation of the information security guideline and the catalogue of measures for basic IT protection are required for a dataset, IT procedure, IT system or infrastructure (Addendum 2).
  1. The Presidential Board and Management Board appoint an Information Security Officer (Informationssicherheitsbeauftragte*r, ISB). The appointment must be documented.
  2. The tasks of the ISB particularly include:
    1. Coordination and further development as well as the monitoring of the implementation of the information security process for the University of Göttingen Foundation,
    2. Preparing recommendations for the Presidential Board and Management Board for the following topics:
      1. Preparation and updating of the catalogue of measures for basic IT protection,
      2. Additional information on the information security guideline (e.g., recommendations for internal University technical standards, model solutions, and contingency plans),
      3. Changes to specific information security concepts based on security incidents (with respect to § 16 Section (5)),
      4. Training concepts.
    3. Providing advice to the following:
      1. The Presidential Board, Management Board, IT Steering Group and CIO for information security related issues,
      2. Managements of IT service providers,
      3. Data protection officers and data protection managers for technical and organisational measures,
      4. Units for the implementation of the information security guideline,
      5. ISK for the elimination of information security risks,
      6. Specialists responsible for the preparation of specific information security concepts.
    4. Approving specific information security concepts of the units; in the event of disagreement, the decision is made by the Presidential Board or the Management Board,
    5. Preparing and updating an index of all specific information security concepts,
    6. Assessing information security incidents and deriving structural and conceptual recommendations in accordance with § 16,
    7. Preparing the annual report on information security for the Presidential Board and the Management Board, including recommendations for the revision of this information security guideline and other overarching information security concepts; if necessary, this report is also submitted to other authorities.
  3. During the information security process, the ISB has to consider data protection issues and must involve the Data Protection Officer in the design of measures and concepts in the event of a conflict of objectives between information security and data protection.
  1. The Presidential Board and Management Board appoint an Information Security Manager (ISM) for the University and the University Medical Center.
  2. The tasks of the ISM particularly include:
    1. Managing and monitoring the implementation of information security measures in the context of risk treatment plans, including awareness-raising and training measures, as well as documenting the measures of the respective sphere of responsibility,
    2. Assessing and forwarding information security incident reports and preparing the recommended course of action for handling information security incidents in the operational area in accordance with § 16 Section (4).
    3. Preparing an information security report insofar as it concerns:
      1. the progress and problems involved in the implementation of information security measures (operational aspects) or
      2. information security incidents of the respective sphere of responsibility.
  1. The Data Protection and Information Security Advisory Council (DIB) comprises:
    1. the ISB,
    2. a deputy of the ISB,
    3. the ISMs of the University and the UMG,
    4. the Data Protection Officers (Datenschutzbeauftragte*r, DSB) of the University, the UMG and GWDG,
    5. the Data Protection Manager (Datenschutzmanager*in, DSM) of the University and the UMG,
    6. one representative each from GWDG, the Information Technology division of the UMG, SUB and the University's IT department,
    7. two representatives of University faculties and one representative of the medical faculty,
    8. one representative of Department 2 (Medical Care) of the UMG,
    9. one representative each of the departments and staff units of the central administration and of Department 3 (Economic Management and Administration) of the UMG,
    10. one member each of the Staff Council of the University and the UMG as well as
    11. other persons appointed by the ISB as required.
  2. The meetings of the DIB take place as often as the state of business requires, but at least four times a year. They are convened and chaired by the ISB.
  3. The DIB serves the following purposes:
    1. Information exchange between those involved in the information security process and the data protection process,
    2. Consideration of the interests of the areas of research and teaching, medical care and administration as well as of those involved in the information security process,
    3. Involvement of IT service providers in the information security process,
    4. Advising the ISB, DSB, the ISM and the DSM on information security and data protection issues,
    5. Drafting recommendations for amending the information security guideline and overarching concepts or advisories on information security and data protection.
  1. Content-related specifications for IT systems with a normal protection requirement (basic IT protection) are defined in the “Catalogue of measures for basic IT protection”, which is subdivided into measures for IT users and IT staff.
  2. The provisions of the catalogue of measures are binding; deviating from them is possible solely in accordance with Section (3).
  3. Provisions that deviate from the catalogue of measures may be drawn up in specific information security concepts for restricted datasets, areas of the IT infrastructure or IT systems taking into account specific risks and protection requirements, provided that no information security or data protection requirements with regard to the data to be processed or the IT infrastructure are in conflict with them.
  4. The GWDG as an IT service provider for the University is contractually obliged to comply with the information security guideline.
  5. External IT service providers entrusted with performing tasks on IT systems are obliged to comply with the information security guideline insofar as this is in line with the protection requirement. Compliance with the information security guideline by external IT service providers must be verified by the competent IT staff of the client. External IT service providers are obliged to inform the client of the risks that can arise in the IT system as a result of the services they provide.
  1. For all IT systems, the respective specialist responsible must check if there is a higher protection requirement over and above basic IT protection.
  2. Where a higher protection requirement is identified, additional measures within the framework of an operational concept must be determined by the specialists responsible.
  3. IT systems for which a higher protection requirement has been identified may be put into operation only after an operational concept for them has been decided upon, implemented and released for operation on the basis of a risk assessment.
  1. Employees of the University of Göttingen Foundation must immediately notify the responsible ISK about incidents relevant to information security (information security incidents).
  2. The ISK assesses the severity of the information security incident and forwards his or her recommended course of action to the competent management.
  3. The competent management decides on the further handling of the information security incident. The management also decides whether the ISM must be informed owing to the severity of the information security incident and, if necessary, immediately informs the ISM itself or asks the ISK to do so. Information security incidents relating to data protection must be reported to the DSM and the ISM.
  4. The ISM informs the ISB of the reported information security incident and seeks his/her statement. Based on his/her own assessment and the statement of the ISB, the ISM informs the Presidential Board or the Management Board about the reported information security incident immediately and/or in the form of an information security report. In consultation with the ISB, the ISM prepares the recommended course of action for the operational processing of the information security incident for the competent body.
  5. After an information security incident, the ISB checks whether there is a need to change information security regulations, in particular the guideline as well as overarching and specific information security concepts and prepares the recommended course of action for the Presidential Board, the Management Board, the competent management and the ISK based on the opinion of ISM, the competent ISK, the competent management and the DIB.
  6. The ISM reports information security incidents to the competent authorities. Insofar as information security incidents are also data protection incidents, the DSM reports them to the competent authorities.
  7. The Presidential Board or the Management Board can, in a guideline document, regulate further details on how to handle information security incidents.
  1. In order to avert a current threat to information security, the IT staff and the internal IT service providers (including the GWDG) take, in their respective spheres of responsibility, the necessary measures to prevent or eliminate the impact of the damaging event. If the threat is significant, the blocking of network connections and user accounts may be among the necessary measures.
  2. If there is an important reason, network connections and user accounts may be blocked without giving prior notification to those affected by the blocking.
  3. The competent ISK and the ISM must be informed immediately.
  4. The measures are lifted with the consent of the ISM and the ISK after the necessary IT security measures have been carried out.
  1. The information security guideline of the University of Göttingen/University of Göttingen Public Law Foundation will come into force on the day after its publication in the Official Announcements I of the University of Göttingen.
  2. At the same time, the general safety guideline of the University of Göttingen and the University Medical Center in the version contained in the announcement dated 15.06.2007 (Official Announcements 11/2007 p. 493) and the organisational guideline for IT security of the University of Göttingen and the University Medical Center in the version contained in the announcement dated 15.06.2007 (Official Announcements 11/2007 p. 522) will cease to be in force.
Addendum 1

| Unit | Competent management |
|---|---|
| Faculties | the respective Dean |
| Interdisciplinary institutes and central academic institutions (e.g., centres, Lichtenberg-Kolleg) | the respective Director/Management |
| Interdisciplinary and central infrastructure institutions (e.g., SUB, labs) | the respective Management |
| Institutions for special tasks (e.g., XLAB) | the respective Director/Management |
| Departments and staff units of the central administration | the respective Management |
| University hospitals and institutes of the UMG | the respective Management |
| Departments, divisions and central institutions of medical care or administration of the UMG | the respective Management |