Information Security Policy

The top management of the Tampere University community is responsible for its functionality. The operation and services of the Tampere University community are dependent on the uninterrupted availability and safe functioning of IT services. The use of information technology and investing in both information technology and information security are strategic decisions of the management that influence the Tampere University community’s ability to function. Legislation also imposes obligations to take care of information security.

The information security policy is a statement by the management of the Tampere University community that defines the goals, responsibilities and implementation methods of protecting information. All members of the Tampere University community are notified about the information security policy, and they must act in accordance with it. The policy is specified in the rules and instructions on handling information.

Securing information is part of the quality and overall security of the operations and services as well as the daily processing of information. Good information security management requires constant monitoring of all activities, long-term planning, preparing for threatening situations, following the agreed-upon procedures, instructions, training and communication. The goal is to create and maintain a reliable and safe environment for the Tampere University community to process both its own information and the information of interest groups.

Definitions

Administrator

Administrator refers to all individuals responsible for the technical maintenance of the Tampere University community’s services, as well as other people responsible for the activities related to system management, user support and guidance. Broadly speaking, administrator refers to every person with extensive rights to a system, regardless of the purpose of the said system. Students are also considered to be administrators if they manage an information system or service of the Tampere University community.

Service

Service refers to a whole composed of technology, people and processes that is produced by a service provider or producer.

The other concepts comply with the definitions found in well-known glossaries.

Objectives

Information security consists of the confidentiality, integrity and availability of information. The goal is to ensure the functioning of information, information systems, services and information networks at a sufficient and appropriate level, and to prevent their unauthorised use as well as intentional or unintentional destruction or corruption of information.

Information security must be ensured in the processing of information both manually and by information technology, in all forms of the information throughout its life cycle. The nature of each Tampere University community unit and the potential need to enhance security are taken into account. The protection of information must be ensured in units that process a great deal of information that is confidential or that has a security classification. When securing information, administrative, personnel, physical, data, communications, hardware, software and operational safety are taken into account as separate aspects.

The work on information security consists of the continuous development, planning, implementation and monitoring done in order to protect information. Its aim is to prevent damage caused by internal and external threats to information or to limit it to an acceptable level, and to ensure the continuity of operations in case of an incident.

The information security of the Tampere University community is ensured in accordance with national and international regulations on information security and by complying with best practices and recommendations on information security.

Organising information security and responsibilities

Information security and data protection are a part of overall safety. The information security measures are dimensioned based on risk assessments. The principles and responsibilities of data protection are defined in the Data Protection Policy.

Each user of the service is obliged to comply with the rules and instructions issued by the Tampere University community.

The key actors and roles related to information security and their duties and responsibilities have been listed in a separate Information Security Responsibilities document.

Implementation methods

Maintaining and developing information security is a continuous process. The activities of users are guided by the Terms of Use and operating instructions, as well as training and communication about the safe handling of information. Agreements on the safe handling of information are made with the Tampere University community’s organisations and partners that process information.

Processing information is based on recognising the nature of the information, risk assessment, and the requirements set by legislation.

An information security plan for the Tampere University community is drawn up based on the information security policy and risk assessments; the development needs and implementation methods are described in the plan.

The units are responsible for the development needs and implementation of information security with regard to their own activities, together with the information security organisation. The units are responsible for ensuring that the systems that are critical to them are designed, maintained and tested, and that they have been taken into account in the unit’s continuity plan.

The personnel and students are instructed in information security. The information security awareness of the members of the Tampere University community is raised regularly. The information security level of the Tampere University community’s information processing is assessed by means of an internal or external inspection.

Communications

If public communications are needed, the management of the Tampere University community makes the decision together with communication services. The information security organisation is responsible for internal communications.

Monitoring information security and handling problems

The information security organisation is tasked with conducting surveys on the safety of information processing and taking measures to correct any deficiencies discovered. In case of incidents, separately appointed people have the right to take immediate measures to minimise the risk to the organisation or its information.

Maintaining information security requires constant monitoring and reporting. The information security manager coordinates the monitoring of information security and reports regularly to the Tampere University community’s management about information security.

The community must report any deficiencies in information security, abuses related to information security, and suspected breaches of information security to the information security organisation. There are separate rules concerning the sanctions for information security breaches.