Responsible for implementation: IT users, IT staff
The respective IT user must report any type of IT problem (system crashes, faulty, unexpected, inexplicable or unusual behaviour of applications that have run error-free so far, hardware failures, intrusion by unauthorised persons, manipulations, virus attacks etc.) to the responsible IT staff in order to clarify the problem and, if necessary, report an information security incident to the responsible ISK or the responsible management.
Responsible for implementation: Competent management
Violations can have disciplinary or employment law consequences. Moreover, violations of legal provisions (e.g., data protection laws, medical confidentiality) can be prosecuted as a criminal or administrative offence.
Culpable non-observance of the information security guideline constitutes a violation within the meaning of Sentence 1 in particular if it
significantly impairs the security of the members of the University of Göttingen Foundation, users, contractual partners, advisers,
jeopardises the security of data, information, IT systems or the networks,
causes material or immaterial damage to the University of Göttingen Foundation,
facilitates unauthorised access to systems and information and their disclosure and/or modification,
facilitates the use of information of the University of Göttingen Foundation for illegal purposes and
facilitates unauthorised access to personal data and confidential University data.
If there are sufficient factual indications of a violation, the IT employees can take measures (even without the knowledge of the person or persons concerned) that are appropriate for preventing, intercepting or recording the imminent damage resulting from the violation. The responsible Data Protection Officer, a representative of the respective Staff Council and a representative of the internal auditing department (hereinafter collectively referred to as: parties to be involved) must be consulted before taking action; their consent to the measures is required before they are implemented. The IT staff carrying out the measures informs the following about the course and the result of the measures:
the parties to be involved,
in every case the person concerned and, if necessary, the supervisor and other persons; in all cases in coordination with the parties to be involved.
Any additional data collected as a result of the measure or stored beyond the deletion period must be destroyed immediately after the measure has been completed. The parties to be involved must determine that a measure has been completed.
Responsible for implementation: IT staff, IT users
Only that software which is necessary for the fulfilment of official and study-related tasks may be installed or used on the IT systems of the University of Göttingen Foundation.
IT users are not permitted to install or run additional software without authorisation. This particularly applies to downloading software from the Internet or launching software received via email.
Responsible for implementation: IT staff, IT users
An up-to-date virus scanner, which automatically checks all files when they are accessed, must be installed on all workstation computers. This is intended to detect and prevent the intrusion of malicious programs.
The competent IT staff must be informed if malware infection is suspected.
Responsible for implementation: IT staff, IT users
Rooms that have workstation computers must be locked outside the normal working hours (especially at night and on weekends) and when there is no one in them. Deviation from this may be allowed only if work organisation urgently necessitates this and if other security measures allow it.
In rooms open to the public or during mobile working, workstations must be positioned, or fitted with privacy screens, such that sensitive data on the screens cannot be viewed by unauthorised persons.
When sensitive data is printed, the removal of the printouts by unauthorised persons must be prevented (ensuring confidentiality).
Responsible for implementation: IT staff, IT users
When leaving the workstation, the workstation computer must be locked with a password.
Locking must also be automatically time-controlled when the computer is not used.
In general, workplace computers are to be shut down at the end of the shift.
Deviation from the rules for locking and shutting down systems is possible only if work organisation urgently necessitates this (e.g., in the case of measurement and control computers) and if appropriate security measures allow it.
In principle, mobile end devices and storage media must be protected against theft using appropriate security measures.
Unauthorised access to mobile end devices and the data stored on them must be prevented by means of appropriate access protection measures (e.g., passwords, PINs, biometric procedures).
Storing of sensitive data on notebooks or mobile storage media (e.g., smartphones, USB sticks, etc.) is permitted only if there is a business need and the data is encrypted in accordance with the current security requirements. Furthermore, it must be ensured that unauthorised persons cannot access the data.
Responsible for implementation: IT staff, IT users
All IT systems (including smartphones) that are used for official purposes must be set up such that only authorised persons have access to them. This primarily requires a login with a suitable authentication method (password, smart card, biometric procedure, etc.).
The creation of user accounts that are to be used jointly by several people (shared function accounts) is only permitted if such accounts are indispensable for the fulfilment of tasks.
As a rule, user accounts for working on IT systems must be assigned to individual persons. Working under another person's user account is not permitted.
Deputies (temporary delegation of duties) must not be organised by passing on login data for personal user accounts, but by appropriately assigning rights.
An IT user is prohibited from passing on login data required for the authentication process.
Dispensing with personal user accounts is permitted for IT systems, in which a quick change of user is required due to the work organisation (e.g., control centres in the UMG, reading rooms) or which are intended for general public access (e.g., kiosk systems, query stations for library catalogues).
Responsible for implementation: IT staff, IT users
Every person is responsible for all actions performed using a user account assigned to the person.
The passwords used to access IT systems of the University of Göttingen Foundation (in the following: official passwords) must not be identical or similar to passwords used for IT systems not belonging to the University of Göttingen Foundation. The differences between the passwords must be significant; in particular, there must be no systematic connection that would allow one password to be derived from the other.
The following must be observed when dealing with passwords:
Passwords must be kept secret.
Passwords for personal user accounts may not be shared with other people.
The following applies to passwords for user accounts that are to be shared by several people (shared functional accounts):
The password of a functional account may only be shared with those involved in the function.
If a person who knows the password of a functional account leaves, the password of the functional account must be changed.
A password must be entered unobserved.
The following rules apply to storing passwords in IT systems:
Storing official passwords in applications, especially browsers, or on programmable function keys is not permitted as a rule.
The following exemptions to the prohibition on storing official passwords apply:
Saving a work password in the Eduroam configuration is permitted on desktop and laptop systems and on smartphones.
It is permitted to store official passwords for email access on a smartphone.
The storage of official passwords in a password manager with a secure master password in accordance with the regulation on password strength in paragraph (7) is permitted. A longer master password is recommended.
The following rules apply to writing down passwords on paper:
Writing down of passwords on paper must be avoided.
If writing down of passwords cannot be avoided, the passwords must be kept at least as securely as a bank card or bank note.
Leaving a password in a sealed envelope in a safe under the supervision of the entity for which the account holder works is permitted.
Rules for changing passwords:
A password must be changed if it has become known to unauthorised persons.
Initial passwords must be changed immediately, before the services are used.
Old passwords may not be reused.
New passwords and previously used passwords must differ significantly; in particular, there must be no systematic connections through which the new password could be derived from the previous password.
Unless other rules have been explicitly enacted for certain passwords, the following password requirements apply:
(a) Character strings that are common or easy to guess, such as names, license plate numbers, birth dates, individual words in German or another language, or only slightly varied versions of such strings, must not be used.
(b) The password must have at least 8 characters. A length of at least 10 characters is recommended.
(c) Each password must contain at least one upper case and one lower case letter, one number and one special character.
(d) Alternatively, it is possible to deviate from (c) if it is ensured that the selected password is just as secure as a password chosen according to (b) and (c), for example because it is longer.
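The two password rules above that are most often enforced by software are the strength requirements (a) to (d) and the change rule that a new password must not be derivable from the previous one. The following checker is an added illustration, not part of the guideline and not code of the University of Göttingen Foundation or GWDG. Everything the guideline leaves open is an assumption here: the tiny list of common strings stands in for a real dictionary or breached-password list, the "just as secure because longer" alternative in (d) is modelled as 16 or more characters, and "no systematic connection" to a previous password is modelled as identical letter cores (e.g. only the year changed) or a similarity ratio of 0.6 or more.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8          # rule (b): at least 8 characters
LONG_ALTERNATIVE = 16   # assumption for rule (d): length that may replace the class mix of (c)
MAX_SIMILARITY = 0.6    # assumption: ratio at or above this counts as "derived from" the old password

# Constructed stand-in for a dictionary / known-weak list (rule (a)); a real deployment
# would use a proper word list and a breached-password feed instead.
COMMON_STRINGS = {"password", "passwort", "goettingen", "sommer", "winter", "qwertz", "123456"}


def letter_core(pw):
    """Lower-case letters only: 'Sommer2024!' -> 'sommer'. Used to detect slight variations."""
    return re.sub(r"[^a-z]", "", pw.lower())


def character_classes(pw):
    """Which of the four classes required by rule (c) are present."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }


def is_common(pw):
    """Rule (a): the string itself or a slightly varied version (digits/punctuation added, case changed)."""
    return pw.lower() in COMMON_STRINGS or letter_core(pw) in COMMON_STRINGS


def is_derived_from(new, old):
    """Change rule: systematic connection between old and new password (assumed model)."""
    if letter_core(new) == letter_core(old):
        return True  # e.g. Tq9#Lbx2023 -> Tq9#Lbx2024: only digits changed
    ratio = SequenceMatcher(None, new.lower(), old.lower()).ratio()
    return ratio >= MAX_SIMILARITY


def check_password(pw, previous=()):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if is_common(pw):
        problems.append("(a) common or easily guessed string")
    if len(pw) < MIN_LENGTH:
        problems.append("(b) shorter than 8 characters")
    # rule (c), relaxed by (d): a missing class is tolerated only for long passwords
    if not all(character_classes(pw).values()) and len(pw) < LONG_ALTERNATIVE:
        problems.append("(c) missing character class and not long enough for (d)")
    for old in previous:
        if pw == old:
            problems.append("reuse of an old password")
            break
        if is_derived_from(pw, old):
            problems.append("derivable from a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample candidates
    for candidate, history in [
        ("Sommer2024", []),
        ("k7!Rv#pQ2z", []),
        ("correct horse battery staple", []),
        ("Tq9#Lbx2024", ["Tq9#Lbx2023"]),
    ]:
        print(candidate, "->", check_password(candidate, history) or "ok")
```

The checker reports every violated rule rather than stopping at the first, so a user sees at once why a candidate is rejected; the history check covers both plain reuse and the "year bumped" pattern that dictionary rules alone miss.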
If, for unexplained reasons, a user does not get access to the system when logging in with his/her password, this could indicate that an attempt has been made to determine the password by trial and error to gain illegal access to the system. Such incidents must be reported to the competent superior and the IT staff (see A.2).
If a user forgets his or her password, he or she shall request a reset from the responsible IT staff or, if available, via self-service functions without repeated attempts. This provision is intended to prevent the process from being logged and treated as an attempted intrusion.
A user may only be given those access rights that he/she needs to carry out his/her official tasks. In particular, work that does not necessarily require higher privileges must not be performed using privileged user accounts (“administrator”, “root”, etc.).
Privileged user accounts may only be assigned to IT staff; persons holding privileged user accounts are regarded as IT staff and must observe and implement the measures laid down for the IT staff.
In addition to technical measures, organisational rules must also be observed (e.g. for accessing patient data in the University Medical Centre).
Responsible for implementation: IT staff, IT users
IT systems may only be connected to the data network via the infrastructure provided for this purpose. Set-up or use of additional network access (routers, switches, modems, WLAN access points, etc.) that is unauthorised or carried out without the prior consent of the network operator is prohibited.
The “Network Operation Regulation of the University Medical Center” and the “Usage Regulation of GWDG” must be observed during implementation.
Responsible for implementation: IT staff, IT users
In teleworking, mobile working and home office, data leaves the physically delimited premises of the data-processing body.
For the establishment and operation of such workplaces, the existing company agreements as well as further regulations on data protection and data security shall be observed.
Responsible for implementation: IT staff, IT users
Only official email accounts may be used for official email communication.
Automated forwarding of official emails to external providers (Internet providers) is not permitted.
Existing technical solutions for secure and encrypted data transmission or data provision must be used for the electronic forwarding of sensitive data.
If official emails are accessed from outside the University of Göttingen Foundation, it is mandatory to use encrypted transmission protocols. The regulations laid down in measure (A.8) must be observed.
If official emails are accessed from non-university IT systems, it must be ensured that no content remains on the external systems after use.
It is generally prohibited to log in via Internet links contained in emails. This does not apply to identity-verification emails that were triggered by one’s own action, e.g. when registering for a service.
It is expressly prohibited to respond to requests contained in emails for the disclosure of login data.
Attachments and Internet links received by email may be opened only if they can reasonably be assumed to be harmless, e.g., on the basis of their origin and context.
Responsible for initiation: Specialists responsible
Responsible for implementation: IT staff
Official data must always be stored within the IT systems of the University of Göttingen Foundation (including the IT systems that the GWDG operates for the Foundation University).
The options of storing data on central servers must be used.
Storing of sensitive data on the hard disk of the workstation computer or on other local storage media is permitted only if the operational concept for the respective data set allows this and if the security measures specified therein have been taken.
Storing (and processing) of official data outside the IT systems of the University of Göttingen Foundation (e.g., on cloud services or private devices) is permitted only if this is required for official purposes and if the operational concept for the respective data set allows such storage. If data is stored externally, it must be protected against loss of the data, of its confidentiality and of its integrity in a manner appropriate to the protection requirement. It must be possible to recover data from, and delete data on, the external storage.
Storing of sensitive data outside the IT systems of the University of Göttingen Foundation is permitted only in the states of the European Economic Area and secure third countries in accordance with the data protection law.
The synchronization of emails on private devices and the associated data storage is permitted as long as it is not expected that emails contain particularly sensitive content in the sense of data protection or other confidentiality requirements. Synchronization on private devices is not permitted for email accounts where, due to the function of the account holder, it is expected that emails contain particularly sensitive content in terms of data protection or other confidentiality requirements.
The IT systems of the University of Göttingen Foundation can be accessed via the Internet when external communications services (e.g., Skype, Teamviewer) are used.
The use of such services is permitted only if the operational concepts for the data processed on the computer used and the used sub-areas of the infrastructure allow such use.
Using private hardware and software in connection with the official data or IT infrastructure of the University of Göttingen Foundation is permitted only if the operational concepts for the respective data or sub-area of the infrastructure or general instructions or service agreements allow it.
Using private devices in designated areas and at designated connections, especially in libraries, at connections for lecturers in lecture halls and seminar rooms, in student work areas or guest networks, and generally in the eduroam and GuestOnCampus wireless networks of the University of Göttingen Foundation, is expressly permitted.
Admission of private devices in other parts of the infrastructure of the University of Göttingen Foundation necessarily presupposes that the end devices connected there meet the requirements of the catalogues of measures for basic IT protection of the Foundation University.
A.16 must be observed when storing and processing official data on private hardware.
The ISK must be informed in the event of loss of private hardware on which official data was stored. If personal data is affected by the loss, the ISK must be informed so that the ISK can inform the responsible data protection officer.
Responsible for initiation: Specialists responsible
Responsible for implementation: IT staff, specialists responsible
Data must be protected against loss resulting from faulty operation, technical faults, etc. To do so, data backups (creating copies of the data on separate storage systems) must be performed on a regular basis.
If storage on central servers with regulated data backup is not possible, the respective specialists responsible are responsible for data backups.
In the case of central data backup, specialists responsible must learn about the applicable regulations for data backup frequency and procedure.
The long-term archiving of academic data that is necessary for the implementation of the “Regulation of the University of Göttingen for ensuring good scientific practice” must be distinguished from a data backup for protecting data against loss. This must be ensured by specialists responsible.
Responsible for initiation: Specialists responsible
Responsible for implementation: Specialists responsible
Data storage devices must be stored in secure locations. Data storage device safes must be procured if necessary.
Furthermore, data storage devices must be marked if the identification of the data storage device is not carried out by a different technical procedure.
Data storage devices must be protected from damage during transport. Encryption is required for sensitive data.
Responsible for initiation: Specialists responsible
Responsible for implementation: IT staff, IT users
Data storage devices containing sensitive data must be securely erased before being passed on to unauthorised persons. This can be done with suitable programs or other suitable technical measures (e.g., a degausser for bulk magnetic erasure of hard disks and magnetic tapes).
Data storage devices that need to be discarded or are defective must be rendered completely illegible if they contain or have contained sensitive data.
Papers with confidential content must be destroyed using a document shredder that meets the protection requirements. Alternatively, disposal can also be carried out centrally via a service provider.
University regulations must be observed when the disposal is carried out via a service provider.
More information can be obtained from the following authorities: GWDG, the Information Technology division of the UMG, the IT department of the University administration, the Data Protection Officer of the UMG.