Guidelines for Information Security
Please note: The English text in this document only serves the purpose of providing information on the corresponding German text. Only the German text is legally binding.
Running a university relies to a great extent on IT services. The users’ trust in information technology is fundamental for its successful operation. In order to warrant this trust, the security of information and information technology must be guaranteed across the University.
This information security policy defines basic regulations for information security for the University of Applied Sciences Würzburg-Schweinfurt (hereafter called “FHWS” or “the University”). The policy will form the basis of the University’s approach to information security. As a framework document, it sets out the importance and goals of information security as well as how information security will be managed. This policy will supplement the University’s existing policies and will be consistent with current legal regulations and other relevant provisions.
The university management will take full responsibility for information security at FHWS. In order for the university management to fulfil its responsibility in the face of the growing threat of rapidly developing technology, all areas of the University must regard the University’s information security as a common goal and support those responsible for maintaining it in conducting their tasks. These tasks should be conducted based on this policy in the ongoing management of information security.
Importance of information security
The FHWS is one of the largest universities for applied sciences in Bavaria. The smooth running of teaching, research and administration at FHWS depends to a great degree on the quality of IT services. The University’s digitalization strategy underscores this important role played by IT. The strategy’s goal includes increasing the digitisation of internal processes at the University, along with providing students with digital literacy. Digitisation will increase demands on information security at the University. The three essential objectives of information security are confidentiality, integrity and availability. A system is considered to be information secure if it does not accept states that lead to unauthorized information modification or extraction.
The initialisation, implementation and ongoing improvement of the University’s approach to information security will ensure that the University can complete its tasks, meaning that processes supported by IT can run securely and without fault.
Scope of application
This policy shall be valid for all members of the University according to BayHSchG Art. 17 para. 1 (e.g. students, lecturers, teaching staff, scientific and technical staff, administrative staff, university management and former members of the FHWS) as well as for guests if they gain access to university information or use the information technology of the university. The policy applies to all organizational units (e.g. faculties, institutes, staff units, university services, central facilities) as well as all project organizations at all FHWS locations.
Information security goals
By improving information security, FHWS wants to achieve the following goals in particular:
(1) Guaranteeing the availability, integrity and reliability of information and information technology while taking specific requirements into account.
(2) Protecting IT infrastructure and the information processed within it against internal and external misuse.
(3) Ensuring reliable IT support for teaching, research and administrative activities.
(4) Meeting legal requirements for information and information technology.
(5) Maintaining the University’s positive public image.
There is no absolute security of information. For this reason the University aims to reduce the risks that accompany the running of the IT infrastructure and the processing of information to an acceptable level. The security measures to be implemented must be economically feasible and proportionate to the damage that can be expected in the case of a security incident. In addition to this, security measures must be balanced with academic freedom.
The prioritization is based on the respective risk profile of information and information technology.
Information security measures
The University will take the technical and organisational measures which are necessary for achieving the goals mentioned above. For this purpose, FHWS will establish an Information Security Management System (ISMS), which will follow a procedure of a certifiable standard. Individual measures shall be based on the BSI’s protection catalogue (Federal Office for Information Security). The ISMS and the adherence to technical and organisational measures will be tested regularly to check that they are up to date and effective, in order to achieve the level of security we are aiming for. Deviations shall be analysed according to goals, in order to improve the security situation at the University.
The required degree of information security can only be reached at the University if all members of the University know their own skills and duties and act with an awareness of their own responsibility. In order to develop and/or strengthen the necessary skills for information security, all members of the University will be trained to have greater awareness and acquire qualifications as necessary. All members of the University will be informed about issues and regulations relevant to information security through appropriate channels.
The university management will have full responsibility for information security at FHWS. They will give their complete support to achieving the goals formulated in these guidelines and the measures arising and derived from them. The university management will make strategic decisions regarding FHWS’ approach to information security, shall issue binding regulations and will make members of the University aware of these. They will ensure that it is possible to read the current version of regulations at any time. All members of the University will be responsible for handling information and information technology in a proper way in accordance with the regulations. They will be instructed to apply the regulations for information security in their own field of work. The entire organizational structure for information security is described in the document “Information security and data protection management – organization concept”.
Implementation of the Guidelines
The university management will put the guidelines into action. All members of the University will be required to know and acknowledge the guidelines. The university management will motivate members of the University to keep to these guidelines and will support ongoing improvements to the level of security. All members of the University will be instructed to report any suggestions for improving the ISMS to the ISB. The guidelines will be revised twelve months after coming into effect by the ISB and will also be subject to annual revision.
Würzburg, 02 November 2020
Prof. Robert Grebner, President