Information Security Responsibilities

Common responsibility to maintain information security in the Tampere University community

All members of the community are responsible for ensuring that they

  • are familiar with the instructions on information security that apply to them and that they comply with them;
  • create and implement a good information security culture in their daily activities;
  • participate in the information security training targeted at them;
  • are familiar with the duties and responsibilities related to information security that are assigned to them or are connected to their position and act in the manner required by them; and
  • notify the information security organisation, maintenance personnel or their supervisor about serious deviations or if the information security has been endangered.

Information security is part of the work of the community

Most of the work done in the community in order to implement information security is part of the normal duties of those working in the community.

All people working in the community must be familiar with the responsibilities related to their work concerning

  • the confidentiality of information;
  • the preservation and validity of information;
  • the availability of information in a manner that is timely and based on authorisation; as well as
  • ensuring the accessibility and confidentiality of information as required by law, and data protection in the Tampere University community.

In addition to the responsibility for implementing general information security and data protection, specific responsibilities are linked to certain work tasks and roles.

Specific information security duties and responsibilities

In the Tampere University community, the following work roles and tasks have specific duties and responsibilities related to information security; their responsibilities are described below.

  • University management
  • IT Services
  • Information security manager
  • Information security specialist
  • Information Security Group
  • Director of the unit
  • Service owner
  • Service administrator
  • Consultants and service companies carrying out an assignment

The duties of the management include

  • approving the information security policy
  • being responsible for the preconditions and resourcing of the implementation of policy
  • being responsible for external communications related to information security

The duties of the IT Services include

  • being responsible for the technical implementation and monitoring of information security
  • being responsible for the information security of their own services

The duties of the information security manager include

  • comprehensive development, guidance, monitoring and management of the Tampere University community’s information security
  • participating in the overall risk management with regard to information security and data security risks
  • coordinating information security in procurements, projectising, and the work on systems together with the service owners and the information security organisation
  • participating in networks important for the information security of the service
  • cooperating with the data protection organisation
  • planning and coordinating information security training
  • coordinating information security audits
  • coordinating the handling of information security incidents
  • coordinating cooperation with the authorities
  • reporting to the management of the Tampere University community
  • being responsible for the internal communications related to information security

The duties of the information security specialist include

  • monitoring the legislation and the related instructions
  • monitoring instructions by the government
  • drawing up information security instructions and bulletins for the Tampere University community and its units
  • participating in the planning of information security training
  • participating in the implementation of the information security plan
  • participating in the networks of higher education institutions, the government and other networks important for information security (such as CERT-FI, FUNET-CERT, the SEC group)
  • participating in the work on continuity planning
  • participating in information security audits and consultations
  • participating in drawing up safety reports and risk analyses
  • participating in the handling of information security incidents
  • acting as a technical expert in information security
  • participating in the internal communications related to information security

The duties of the Information Security Group include

  • representing the views on information security of different parties in the Tampere University community
  • matching the required security level with security measures
  • making proposals to improve information security
  • participating in the preparation of the Tampere University community’s information security plan and continuity plan
  • supporting the information security manager with developing information security
  • monitoring information security
  • making proposals on increasing the information security awareness of the personnel and their information security training

The duties of the director of the unit include

  • being responsible for the guidance, development and resourcing of the information security of their unit
  • ensuring that the personnel of the unit are familiar with the information security instructions and that they have sufficient information security training

The duties of the service owner include

  • being responsible for the management of the service’s data security risks
  • appointing the persons responsible for the service and their deputies as well as the administrators
  • reporting the factors affecting the service’s information security to the director of the unit as well as the information security organisation of the Tampere University community
  • being responsible for the descriptions of the service in accordance with the law
  • being responsible for protecting the service and its information, access rights, backups and safe copies
  • implementing the security measures related to their service and developing them
  • monitoring the information security of the service
  • being responsible for the continuity planning related to the service
  • taking care of the training related to using the service
  • being responsible for drawing up the information security plans together with the service developer
  • ensuring that up-to-date documentation of the service is maintained

The duties of the service administrator include

  • monitoring and maintaining the safety of the service
  • reporting on information security and related incidents to the service owner and the information security organisation
  • complying with good information management and information security practice
  • applying and implementing the information security policy of the Tampere University community by utilising their own special expertise
  • preparing for incidents and the measures they require
  • drawing up operating instructions and ensuring that they are up to date
  • taking care of the instructions for continuity planning concerning issues such as the backup and restoration procedures of the service
  • participating in networks important for the information security of the service

Consultants and service companies are required to

  • comply with good information processing and information security practice
  • monitor and maintain information security in their own activities
  • report to the customer on information security and factors affecting it
  • follow the customer’s instructions