Guideline on information security
The Information Security Policy of the University of Kassel was adopted on February 19, 2024. It replaces the guideline on information security at the University of Kassel dated May 17, 2019.
It forms a binding basis for all organizational units for the information security process at the University of Kassel and the organizational structure required for this.
The Information Security Policy of the University of Kassel defines tasks and responsibilities in order to achieve the confidentiality, integrity and availability of data and IT systems, taking into account data protection and other legal requirements.
The guideline represents a first milestone in a continuous IT security process for the University of Kassel. Further concrete steps and measures will follow.
Preamble
The Executive Board of the University of Kassel regards information security as an important factor in maintaining university operations. It therefore ensures that information security is appropriately addressed and acknowledges its responsibility for the continuous monitoring and further development of the information security strategy, the level of information security, and the corresponding measures.
Information security primarily serves to prevent and mitigate security incidents. This includes all events with negative impacts on the confidentiality, integrity, availability, and authenticity of information.
Most processes at the university are significantly supported by IT. Networked IT systems are vulnerable and can be compromised both internally and externally. IT security is thus an essential sub-area of information security.
The individual measures to increase the level of information security are consolidated in a continuous information security process (IS process) based on this information security guideline (IS-LL). The measures and rules that serve to define, control, monitor, maintain, and continuously improve information security are referred to as the information security management system (ISMS). The ISMS is implemented and further developed through the IS process. The IS-LL provides the strategic and organizational framework for the IS process and the ISMS and builds on the structure established by the statutes for the technical information management of 24.04.2020 (Mitt.Bl. Univ. Kassel No. 4/2020 of 15.05.2020, p. 75). In case of conflicting regulations in the area of information security, however, the provisions of the IS-LL take precedence over those of the mentioned statutes.
A central requirement of the university is to ensure academic freedom while at the same time fulfilling the requirements for information security pursuant to the Hessian Act on the Protection of Electronic Administration (Hessian IT Security Act – HITSiG).
§ 1 Subject
The IS-LL describes, in an understandable way, for what purposes, by which means, and with which structures information security is to be established within the University of Kassel through the IS process and the ISMS. The IS-LL initiates the IS process and is the central organizational framework of the ISMS.
§ 2 Scope
The IS-LL applies to all organizational units, members, and affiliates of the University of Kassel.
§ 3 Objectives
Information security includes the continuous and holistic protection of digital and analog data. The following fundamental protection objectives of information security must be ensured and continuously maintained as part of the IS process:
- Confidentiality: Information may only be accessed or processed by authorized persons, systems, or processes.
- Integrity: Information and systems must be protected from unauthorized or unintended modifications.
- Availability: Information systems and services must be accessible at all times to authorized users.
- Authenticity: Transmitted data can be assigned to their origin at any time in accordance with data protection regulations. It is ensured that they originate from the specified source (a particular person, an IT component, or an application).
Based on these fundamental protection objectives and the requirements of the HITSiG, the University of Kassel pursues its own security objectives:
- Raising awareness of information security
Members and affiliates of the university are to be informed about potential security risks. Comprehensive understanding and awareness of information security should be promoted among all members and affiliates to establish a culture of security through regular training, informational events, and targeted communication.
- Compliance
Compliance with regulations such as the General Data Protection Regulation (GDPR), the Hessian Data Protection and Freedom of Information Act (HDSIG), the Hessian IT Security Act (HITSiG), and other relevant laws and regulations must be ensured through the implementation of IS measures and verification mechanisms.
- Ensuring functional task fulfillment
Information technology must be operated in such a way that information is reliably and sufficiently quickly available. Failures leading to delays of more than one day in administrative, research, and teaching processes should be avoided as much as possible. Network infrastructure and IT systems, including the information processed within them, must be protected against misuse or sabotage from both internal and external sources.
- Damage prevention
Direct and indirect financial damages and negative impacts on the university's reputation, which could arise from the loss of confidentiality of sensitive data, data modifications, or system failures, should be prevented as far as possible through appropriate measures.
- Protection of personal rights and trade secrets
The confidentiality and integrity of personal and operational information must be protected regardless of the form in which it exists. This applies especially to the data protection requirements resulting from legal provisions. Confidentiality obligations must be complied with.
- Continuous improvement
The University of Kassel strives for the continuous improvement of the IS process.
§ 4 Organizational structure
Establishing a successful IS process requires clearly defined responsibilities and the fulfillment of the resulting tasks within the organizational structure. Information security is integrated into the existing CIO governance, which refers to the unified control and coordination process of technical information management to shape the digital transformation of the university:
➜ Graphic on organizational structure
Accordingly, the IS process is supported by the following responsible parties:
The Executive Board holds overall responsibility for information security. It determines the importance of information security, ensures its integration into business processes, and provides appropriate resources for this purpose.
The Information Security Officer (ISB) is a member of the CIO committee. He/she implements, controls, and coordinates the IS process and continuously develops the IS concept and other central IS documents together with the CIO. In his/her role as Information Security Officer, the ISB is only subject to directives from university management. He/she advises the Executive Board on information security matters, reports on the status of information security, and supports the implementation of the guideline's objectives. The ISB manages and reviews the implementation of security measures, the operation and further development of the ISMS, incident management, raising security awareness throughout the university, and reporting to authorities. The ISB has the right to inform and make proposals to the Executive Board.
The IS Management Team supports the ISB in developing and updating IS documents and in coordinating measures to implement the IS-LL, the IS concept, and the ISMS. In addition, the IS Management Team analyzes the current security situation and handles security incidents. Members of the IS Management Team are:
- ISB (chair),
- Deputy of the ISB,
- Area Information Security Officers,
- ITS management,
- Data Protection Officer,
- Staff council representative.
Additional persons — e.g., contacts for specific specialist procedures and other IT managers — may be invited as guests to the IS Management Team meetings as needed.
The IS Management Team holds regular meetings at least twice per calendar year.
The IS Management Team implements security measures according to the IS concept pursuant to § 6 IS-LL and checks their effectiveness.
An Area ISB is appointed in each faculty, each central institution, each department, and generally also in each staff unit of the central administration of the university. Other organizational units of the university may also appoint an Area ISB. He/she is responsible within the organizational unit for implementing, complying with, and communicating the IS-LL, the IS concept, and the ISMS. Area ISBs support the ISB in fulfilling reporting obligations as well as in recording and handling security/suspected incidents.
In special cases, a Project/System ISB is appointed for individual projects or systems. The Project/System ISB is responsible for implementing measures to improve information security and for reporting security/suspected incidents to the responsible Area ISB or the ISB.
All members and affiliates of the University of Kassel contribute to achieving security objectives by participating in training and awareness-raising activities on information security and by reporting security/suspected incidents.
§ 5 Strategy
A systematic approach is necessary to achieve the defined security objectives and thereby an appropriate level of security. By following an approach based on the BSI IT-Grundschutz (§ 3 para. 1, last sentence HITSiG) in combination with modules from the BSI IT-Grundschutz Compendium and the ZKI IT-Grundschutz Profile for universities, a systematic methodology for implementing, maintaining, and continuously improving an ISMS at the University of Kassel is applied within the IS process. Evaluations from university-wide risk management are taken into account within the ISMS. The ISB ensures that aspects of IS management, especially IS-related risk management, are integrated into the university-wide risk management.
- Creation of the IS concept
The ISB develops the IS concept for the University of Kassel in coordination with the CIO and the IS Management Team, which is enacted by decision of the Executive Board. It describes the measures to be used to achieve the objectives and strategies defined in the IS-LL, defines their scope, and prioritizes the assets to be protected. The IS concept is continuously further developed in parallel with the subsequent steps of the strategy pursuant to § 5 IS-LL.
- Establishment of the IS organization
Tasks and areas of responsibility must be assigned to the responsible parties defined in § 4 and, if necessary, specified in the structural planning of the areas and/or in job descriptions of employees according to the applicable procedures. Information security must be integrated into the processes and workflows of the university. The IS process and any additional processes required to fulfill tasks must be established, and the IS organization, including these processes, must be documented within the ISMS.
- Implementation of basic protection according to BSI IT-Grundschutz
The basic protection oriented to BSI IT-Grundschutz includes organizational, personnel, infrastructural, and technical requirements related to components of business processes, applications, and IT systems, which must be fulfilled as part of the IS process and are summarized in action fields as follows:
➜ Graphic on action fields for basic protection according to BSI IT-Grundschutz
Selection and prioritization: The information networks (scopes) defined in the IS concept are modeled system- and process-based in accordance with the IT-Grundschutz Compendium. Based on this, IS measures are systematically selected and prioritized.
IT-Grundschutz check: According to the priorities defined in the IS concept, individual areas, processes, or assets are checked to determine whether or to what extent the requirements formulated in the basic protection standards have already been fulfilled and which security measures are still missing.
Implementation: Appropriate security measures are defined and implemented for the basic requirements not yet fulfilled.
Follow-up approach: Basic protection serves as an entry approach. It must therefore be determined in good time when and with which IT-Grundschutz approach the security level should be further increased.
- Effectiveness control
The IS process, the ISMS, the IS concept, and the IS organization are subject to a PDCA lifecycle ("Plan – Do – Check – Act") and are regularly reviewed for currency and effectiveness by the ISB.
➜ Graphic on effectiveness control
"Effectiveness control (Check)" also includes the immediate elimination of minor deficiencies. Before fundamental or extensive changes, the planning phase must be restarted.
§ 6 Documents / regulations
The IS-LL provides the strategic and organizational framework of the ISMS. It is issued by the Executive Board and is reviewed regularly, but at least every four years.
Subordinate to the IS-LL is the IS concept. In it, the ISB documents, together with the IS Management Team and in consultation with the CIO, the identified risks and the appropriate technical and organizational measures to minimize them. The IS concept must be updated before any significant change to the technical systems in use and reviewed every two years.
The preparation and updating of specific organizational and/or technical regulations and measures referred to as guidelines for information security (IS guidelines) are coordinated by the ISB, agreed upon in the IS Management Team and CIO committee, and implemented in a suitable form (e.g., as service agreements or instructions for employees, within the IT usage regulations, as handouts, as standardized clauses in contracts and agreements). The aim is to achieve the highest possible level of binding force for the scope defined in § 2 IS-LL. The guidelines are regularly reviewed for currency and effectiveness, but at least annually.
§ 7 Security-relevant events
A security-relevant event is defined as an event that may impair the fundamental values of confidentiality, integrity, availability, and authenticity (see point 5.8 of the Information Security Guideline for the Hessian State Administration [2021]).
- Definition
Suspected case: exists if, in the professional assessment of a security-relevant event, it is determined that there is a possibility of a security incident or that this event could develop into a security incident.
Security incident: any event that significantly impairs information security in at least one of its fundamental values (confidentiality, availability, integrity, or authenticity).
- Distinction
Disruption: a situation in which processes or resources are not available as intended. Disruptions are generally resolved by the IT operator as part of normal operations. However, disruptions can escalate into a security incident.
- Handling security incidents
Members and affiliates of the University of Kassel are obliged to immediately report security/suspected incidents to the responsible Area ISB or the ISB. Security/suspected incidents that result in a breach of personal data must also be reported immediately to the Data Protection Officer. Reporting channels must be communicated in all areas.
An escalation strategy (clear instructions on who should be involved, in what way, for which type of recognizable or suspected security disruptions, and when) and responsibilities in the event of a security incident must be defined.
All security incidents must be documented and reported to the responsible authorities in accordance with legal and regulatory requirements.
The process for handling security incidents is to be defined in a subsequent document (guideline).
§ 8 Entry into force
The Information Security Guideline of the University of Kassel enters into force on the day following its publication after adoption by the Executive Board of the University of Kassel.
The Information Security Guideline of the University of Kassel (Mitt.Bl. Univ. Kassel No. 6/2019 of 28.05.2019, p. 332) shall be repealed at the same time.