Skip to main content

Information security obligations

Tampere University and TAMK

General responsibility to maintain information security across Tampere Universities 

All members of our higher education community are expected to be aware of and adhere to the information security policy and guidelines that apply to their activities at Tampere Universities, help maintain a strong security culture and attend information security training targeted to their user group. You must report all information security risks and related incidents to our information security staff, IT staff or your supervisor.    

Information security is integrated into everything we do

The majority of work that is undertaken across Tampere Universities to maintain information security is integrated into the daily routines of our staff.

All staff members are expected to be familiar with their responsibilities to maintain the confidentiality and integrity of data, ensure the appropriate storage of data and provide authorised users with timely access to data. In addition, staff members must comply with the regulations regarding public access to data, confidentiality and data protection that apply to Tampere Universities.   

Besides the general responsibilities, certain roles and functions entail a broader set of responsibilities pertaining to information security. These are described below.

Special roles and responsibilities

Staff members who occupy the following positions have special roles and responsibilities pertaining to information security.

  • top management
  • ICT Services
  • information security manager
  • information security specialist
  • Information Security Team
  • head of unit
  • service owner
  • service administrator
  • external consultants and companies commissioned to provide services to Tampere Universities

The top management has the following duties

  • approve the information security policy
  • hold primary responsibility for enabling the implementation of the information security policy and providing the necessary resources
  • oversee external communications pertaining to information security

 ICT Services have the following duties

  • hold primary responsibility for the technical implementation of the information security policy and monitoring thereof
  • ensure and maintain the information security of its own services

 An information security manager has the following duties

  • develop, guide, monitor and oversee information security as a whole at the higher education institution
  • participate in managing risks associated with information security and data protection 
  • coordinate the information security dimension of procurements, projects and system development in collaboration with service owners and the information security organisation
  • participate in the activities of networks that have a strong focus on information security
  • collaborate with the information security organisation of the higher education institution
  • plan and coordinate information security training
  • coordinate information security audits
  • coordinate the processing of information security incidents
  • coordinate collaboration with public authorities
  • report to the top management
  • oversee internal communications pertaining to information security

An information security specialist has the following duties

  • monitor regulatory changes 
  • keep track of guidelines issued by the Finnish Government
  • prepare information security guidelines and news for the higher education institution and individual units
  • participate in planning information security training
  • participate in implementing the information security policy
  • participate in the activities of networks made up of higher education institutions, public organisations and other stakeholders that have a strong focus on information security (such as CERT-FI, FUNET-CERT, SEC group)
  • participate in contingency planning
  • participate in information security audits and provide consultancy services
  • participate in carrying out security assessments and risk analyses
  • participate in responding to information security incidents
  • serve as a technical specialist in matters relating to information security
  • participate in internal communications pertaining to information security

 The Information Security Team has the following duties

  • represent the views of different internal stakeholders with regard to information security
  • align security measures with the required level of information security
  • issue proposals for improving information security
  • participate in preparing the information security policy and contingency plan of the higher education institution
  • support the information security manager in the development of information security
  • monitor information security
  • issue proposals to raise awareness of information security among staff and suggest potential training

A head of unit has the following duties

  • hold primary responsibility for guiding, developing and allocating resources for information security activities in their unit
  • hold primary responsibility for ensuring that staff members are familiar with relevant guidelines and have received sufficient training in information security

A service owner has the following duties

  • hold primary responsibility for managing information security risks relating to the service
  • assign the persons responsible for the service, their deputies and administrators
  • report to the head of unit and the higher education institution’s information security organisation about factors that affect the information security of the service
  • ensure that the privacy notices required by law are appropriately prepared
  • hold primary responsibility for data protection, user permissions and backup copies relating to the service
  • implement and develop security measures relating to their service
  • monitor the information security of their service
  • hold primary responsibility for contingency planning relating to the service
  • be in charge of user training relating to the service
  • hold primary responsibility for preparing information security plans in collaboration with service developers
  • ensure that documentation relating to the service is up-to-date

A service administrator has the following duties

  • monitor and maintain the information security of the service
  • report on information security and related incidents to the service owner and the information security organisation
  • adhere to the standards of good practice in information security and data protection
  • apply and implement the information security policy of Tampere Universities by utilising his or her special expertise
  • prepare for and respond to information security incidents
  • prepare user instructions and keep them up to date
  • be in charge of the procedures set out in contingency plans concerning, for example, backup and recovery
  • take part in the activities of networks that have a strong focus on information security relating to the service

External consultants and companies will be expected to

  • adhere to the standards of good practice in information security and data protection
  • monitor and maintain information security relating to their own activities
  • report on information security and factors affecting it to the customer
  • comply with guidelines provided by the customer
Published: 4.2.2019
Updated: 11.1.2022