Main Content

Information Security Guideline

In 2021, the Cabinet of the State of Hesse updated the Information Security Guideline for the Hessian State Administration (Ger.) (StAnz. 2021, No. 47, page 1517) and asked the departments to implement the guideline in the departments of the Hessian State Administration.

The University's Information Security Guideline was adopted by the Presidium of Philipps-Universität Marburg on February 23, 2021 and replaces the IT Security Guideline of April 24, 2012. Following its publication in the official notices (No. 06/2021), it entered into force on March 25, 2021.

The information security guideline defines the basic structure for the establishment of an information security management system at Philipps-Universität. Through information security management, an appropriate level of information security is to be strived for and ensured for deployed and planned IT systems at Philipps-Universität Marburg.

With the establishment of an information security management team and the appointment of an information security officer, the Presidium of Philipps-Universität pursues the goal of further developing the information security management process at the University.

The university's information security guideline can be viewed as a full text (Eng.) or downloaded as a PDF document (Ger.). The English full text below is a reading version. The German version is binding.

  • Philipps-Universität Information Security Guideline - full text/reading version

    Preamble

    There is a high demand on the quality of information technology (IT) at the University. The members and staff of Philipps-Universität are dependent on a faultlessly functioning IT. This applies to almost all applications in research, study and teaching as well as in the administration of Philipps-Universität. Secure IT plays a decisive role in ensuring that all members of Philipps-Universität can exchange and process information efficiently, without errors, and in accordance with the applicable legal framework. To ensure this, information must be protected in terms of its availability, confidentiality and integrity through appropriate security measures. In this regard, information security should be the core principle of every existing and newly developed service. The present guideline clarifies the self-image of all members of Philipps-Universität with regard to information security by means of goals and framework conditions and ensures the ability to act in research and teaching.

    § 1 Scope of Application

    The guideline is binding for all members of Philipps-Universität.

    § 2 General Security Objectives and Definitions

    Philipps-Universität and all its organizational units ensure the confidentiality, integrity and availability of the processing information. Weighing up the opportunities for the university, the value of the information to be protected, the risks involved, and the human and material resources required for information security, the university strives to achieve an appropriate level of security. Information security is a snapshot in time in which the risks that exist in IT use due to threats and vulnerabilities to the confidentiality, integrity, and availability of data and IT are reduced to an acceptable level through appropriate measures. The core values of information security are

    Availability: The availability of services, functions of an IT system, IT applications or IT networks, or even of information is present if they can always be used by users as intended.

    Integrity: Integrity refers to ensuring the correctness (integrity) of data and the correct functioning of systems. When the term integrity is applied to "data," it expresses that the data is complete and unchanged. In information technology, however, it is usually defined more broadly and applied to "information." In this context, the term "information" is used to refer to "data" that can be assigned certain attributes, such as author or time of creation, depending on the context. The loss of integrity of information can therefore mean that it has been altered without authorization, that details of the author have been falsified, or that the time at which it was created has been manipulated.

    Confidentiality: Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information must be accessible only to authorized parties as permitted.

    (The definitions of availability, integrity and confidentiality were taken from the Cyber Glossary (Ger.) of the German Federal Office for Information Security).

    § 3 Essential Goals for Ensuring Information Security

    1. Members of Philipps-Universität are aware of and comply with the legal requirements and contractual regulations on information security relevant to their IT use.
    2. Philipps-Universität's IT is made more resistant to threats such as cyber attacks, system failures or data loss through coordinated measures.
    3. There is an orderly approach to commissioning and changing IT procedures. Information security concerns are addressed to the required extent.
    4. IT systems are operated in an appropriately secure manner and environment so that the protection goals of IT-supported business processes are not jeopardized. The administration of IT systems is designed to be traceable and software is kept up to date in a timely manner. For this purpose, the members of the Philipps-Universität tolerate short-term restrictions in IT services (e.g. for security updates).
    5. The Staff Unit Information Security regularly offers event-related trainings on various information security topics for the members of Philipps-Universität.
    6. Information is evaluated with regard to its need for protection in terms of availability, integrity and confidentiality. Security measures for systems and procedures are based on the level of protection required and are documented, for example, in security concepts. Security concepts are submitted to the information security officer.
    7. The procedure in the case of IT emergencies is specified in emergency management plans.
    8. The effectiveness and appropriateness of the security measures are checked and documented by means of regular revisions. Deviations are analyzed with the aim of continuously improving the security level and keeping it up to date.
    9. Information security management at Philipps-Universität is organized in accordance with common standards for information security management.
    10. In cooperation with third parties, the implementation of information security management is regulated by agreements to the required extent.

    § 4 Responsibilities

    The Presidium is responsible for ensuring an appropriate level of security for Philipps-Universität. The Presidium bears the overall responsibility for this. The Presidium appoints an information security officer and designates responsibility for information security management in its schedule of responsibilities. In order to fulfill its responsibility for an appropriate level of information security, the University's Presidium implements and continuously develops an organization-wide information security management system. The information security management system is used to plan, direct, and control the process of establishing information security.
    The management of the respective organizational unit bears the responsibility for the organization of information security in the respective area.
    Each member of Philipps-Universität is responsible for maintaining an appropriate level of security in the area of its own IT use and supports the fulfillment of the goals and principles stated in §2 and §3.

    § 5 Organizational Structure

    • Information Security Management Team

      (a) In order to fulfill its responsibility for information security, the Presidium establishes an Information Security Management Team of the University as a central body. It is responsible for information security management and the establishment and further development of an information security management system.

      (b) The information security management team includes:
      the Presidium member responsible for information security management,
      the Presidium member responsible for information management,
      the Chancellor,
      the information security officer,
      the official data protection officer,
      the head of the HRZ.

      Additional non-permanent members may be added to the information security management team as appropriate.

      (c) The Information Security Management Team is headed by the Presidium member who is responsible for information security in accordance with the applicable schedule of responsibilities of the Presidium.

      (d) The information security management team supports the Presidium in IT-related strategic and tactical decisions so that the Presidium member responsible for information management can decide on tactical guidelines

    • Information Security Officer

      (a) The information security officer reports directly to the presidium member responsible for information security. In organizational terms, he or she and other employees form the information security staff unit.

      (b) The IT administrators of the central and decentralized IT systems of the University support the information security officer. The information security officer has the right to information and to inspect relevant information.

      (c) The information security officer advises the information security management team on information security management issues and implements the strategic guidelines of the information security management team.

    • Contact person for decentralized information security coordination

      (a) The departments provide a contact person who takes care of the decentralized initiation of information security measures. The contact person shall be documented and communicated to the information security officer.

      (b) The contact person for decentralized information security coordination shall support the information security officer. The information security officer has the right to information and to inspect relevant information.

    • Management of facilities and departments

      (a) The departments, the facilities and the university administration have the task of ensuring an appropriate level of information security. The heads of the institutions and departments (e.g., deans) are responsible for this in their area of responsibility within the framework of the specifications of the presidium and the relevant guidelines.

      (b) The contact persons for decentralized information security coordination support the management of the institutions and departments.

    • University Computer Center (HRZ)

      (a) The HRZ has a special responsibility in the area of IT security, since it operates the basic supply of facilities for communication and information processing, for example the university data network or the telecommunications system.

      (b) The HRZ supports the Staff Unit Information Security in advising the departments, the facilities, and the university administration, as well as the departmental process managers in assessing information security risks and implementing measures to reduce information security risks.

    § 6 Procedure for dealing with security incidents

    Security incidents are reported to the information security officer in an appropriate form and documented so that an appropriate response can be made in a timely manner. The Staff Unit Information Security, in cooperation with the HRZ and, if necessary, the contact persons for decentralized information security coordination, initiates appropriate measures to avert the threats, coordinates them, checks their effectiveness, informs the responsible offices if necessary, and documents the incident. The information security officer shall inform the Presidium and the data protection officers immediately of any major security incidents.

    § 7 Rules and Regulations

    This guideline on information security is supplemented and specified by additional guidelines. The Presidium adopts these guidelines on the recommendation of the Information Security Management Team and after discussion by the University Conference and the IT Advisory Council. Central subordinate guidelines to the information security guideline are:

    • Information Security Management Guideline including a security organization structure and general information security guidelines,
    • Guideline on IT operations with binding specifications and instructions for the creation of security concepts for all information technology operators.

    § 8 Entry into force

    The Information Security Guideline shall enter into force after its announcement in the Official Notices and shall replace the IT Security Guideline of Philipps-Universität Marburg dated 24.04.2012. It shall be evaluated no later than five years after its entry into force.