
Non-compliance with IT regulations and potential consequences

Tampere University and TAMK

Policy on Consequences of Breaches of IT Security

1 Scope

1.1 Purpose

This document describes the measures taken against a person when a breach of IT security is detected or there is good reason to suspect one. The measures are divided into restrictions on authorisation for the duration of the investigation of the breach, and the consequences laid down for the breach itself.

1.2 To whom does this policy apply?

This Policy applies to and binds all members of the higher education community of Tampere that comprises the University of Tampere and Tampere University of Applied Sciences (hereinafter "University"), the users of the IT services and information systems of the universities and their various units.

1.3 Why is this policy necessary?

Policies, terms of use and guidelines are used to ensure that the University's information assets remain confidential, intact and available, to ensure the lawfulness of data processing, and to meet the legal obligations set forth in laws and decrees (such as the EU General Data Protection Regulation and the statutes on information and communication offences).

The University processes materials classified by public authorities, which means that a defined level of information security requirements must be met (such as Section 8031, Level II of the Katakri auditing tool).

2 Breach of information security

Acts that conflict with the terms of use and regulations governing the University's information systems, or use of those systems in a way that breaches Finnish legislation, are considered breaches of information security.

2.1 Reporting duty

Everyone is obliged to report any possible breach, and any suspicion of one, to an information security specialist, to the IT administration, or as otherwise instructed in the applicable guidelines.

2.2 Restrictions of rights

When a breach has been detected or is suspected, a decision on restricting the user's rights is made. Authorisation is always restricted when there is good reason to suspect that the user is guilty of wrongful actions, or when the user's continued authorisation could compromise the investigation of the breach or the minimisation of the resulting damage. If needed, the user will be called in to be heard.

The owner of the IT service, the head of the unit in question, the Chief Information Officer or other person appointed for the task will make the decision on the restriction of authorisation. The administrator of the service will implement the restrictions.

The restrictions may be lifted once the investigation has been completed, provided that restoring the authorisation does not cause evident harm.

2.3 Urgent cases

In cases where there is reason to believe that the breach will have a substantial effect on the information security of the University or on the data protection of an individual, the Chief Information Officer and/or the administrator may decide to restrict a user's authorisation for no longer than five (5) working days. The owner of the service and the Director of IT Services must be informed of such a decision immediately.

3 Consequences 

In less severe cases, the user will be reprimanded for inappropriate conduct.

A user may become liable for damage to the resources (servers, information network, etc.) that he/she has used wrongfully, for the direct damage caused, and for the expenses generated by the investigation.

3.1 Consequences for students

Consequences for a student may include the revocation or restriction of authorisation for a fixed term, administrative measures taken by the University (written warning, temporary suspension), and the reporting of the offence to the police (if the deed is punishable by law).

The Chief Information Officer makes the decisions on measures concerning authorisation. The duration of the investigation is not counted towards the period for which authorisation is restricted. The decision to issue a written warning to a student is made by the rector of the University, whereas the University Board decides on a temporary suspension. The individual's authorisation is revoked for the duration of the suspension.

The total time for which a user's authorisation is restricted must be at least the minimum time indicated in the table of breaches of IT security (Appendix A).

3.2 Consequences for members of staff

Consequences for a member of staff may include measures taken by the University under labour legislation (written warning, dismissal or termination of employment) and the reporting of the offence to the police (if the deed is punishable by law).

Authorisation to use a certain system can be revoked temporarily or permanently, due to a lack of confidence resulting from the breach.  The Chief Information Officer, the owner of the service or head of unit will make decisions pertaining to measures concerning authorisation.

3.3 Consequences for other users

Consequences for users who are not staff or degree students of the University may include the revocation or restriction of authorisation and reporting the offence to the police (if the deed is punishable by law).

Authorisation to use a certain system can be revoked temporarily or permanently, due to a lack of confidence resulting from the breach. The Chief Information Officer, the owner of the service or head of unit will make decisions pertaining to measures concerning authorisation.

3.4 Tables of consequences

The tables appended to this document include guidelines for the consequences of breaches of IT security to students of the University (Appendix A), University staff (Appendix B) and other users (Appendix C).

The tables include examples of typical breaches that occur when information systems are used, classified according to the severity of the breach. In addition to the severity of the deed, the level of intent behind it affects the severity of the consequences.

3.5 Examples of the abuse of IT services

Unlawful processing of material subject to the penal code and copyright laws

  • Materials subject to the penal code include, but are not limited to, materials depicting brutal violence, racist materials and demagogic materials
  • Processing includes, but is not limited to, the distribution and possession of such materials
  • Materials subject to copyright include music, videos, comics, films, games, software, etc.

Disclosure of user account data includes, for example,

  • sharing a password with another user
  • leaving a computer logged in so that another person can use the account

Risking the confidentiality of information includes, for example,

  • disclosing confidential or otherwise legally protected information to a person who is not entitled to receive it (for example, disclosing information about the users of the servers)
  • neglecting the information security requirements that apply to confidential information (passive failure to act)
  • intentional breaches of confidentiality (active conduct)
  • breaches of the Data Protection Act

Neglect of personal data protection includes, for example,

  • leaving a password unprotected
  • failing to follow the University's data backup practices

A service is a function that can be used from a location other than the computer it runs on. Examples include:

  • email services
  • data transfer services
  • peer-to-peer networks for data transfer

4 Other provisions

4.1 Coming into force

This Policy will be valid as of 1 January 2019.

4.2 Managing changes

This document will be revised when necessary to keep it in line with the services in use and with current legislation.

Any significant amendments will be processed in a cooperation procedure. The IT Administration decides whether this Policy needs to be amended.

Information on amendments will be provided through the normal channels of communication, not to each user individually.

4.3 Exceptions to this Policy

Permission for exceptions to the Policy can be granted for compelling reasons upon written application.

Permits for exceptions are granted by the IT Administration. A permit may include additional terms and conditions, restrictions and responsibilities.

4.4 Supervision

The responsibility for the supervision of this Policy is determined in the Information Security and Data Protection Policies of the University.
 

Potential consequences

Potential consequences of IT breaches (tables A, B and C)

Potential consequences for members of staff (Appendix A)

Level of intent (columns of the table):
  (a) Unintentional breach: ignorance, incompetence, negligence, accident
  (b) Intentional or repeated breach: recklessness, gross negligence, indifference, will to impress
  (c) Criminal intent (malicious damage, unlawful acts, espionage, violation of confidentiality, misuse of power, etc.) or intention to obtain an advantage

Severity of the breach (rows):

Severe offence (a deed that is punishable by law as an offence or a crime), including
  * hacking, unauthorised access
  * unlawful processing of materials subject to the penal code
  * unlawful distribution of materials subject to the penal code
  * intentional and unlawful port scanning
  * intentional distribution of malware
  * denial-of-service attack
  (a) The reporting of the offence to the police will be considered; written warning
  (b) The offence is reported to the police; dismissal/termination of employment

Offence (severe misuse or security violation), including
  * unlawful copying of software and games
  * installation of unlawful software
  * hacking / unauthorised possession of admin tools
  * building a service unlawfully
  * disclosure of user account data
  * compromising the confidentiality of data
  (a) Written reprimand
  (b) The reporting of the offence to the police will be considered; written warning / termination of employment
  (c) The offence is reported to the police; dismissal/termination of employment

Minor offence (misuse), including
  * failure to protect your personal data due to negligence
  * inappropriate conduct
  * harmful conduct
  * unlawful or unauthorised sending of mass emails
  * wasteful use of IT resources
  * prevention of the installation of antivirus software or security upgrades
  * unauthorised commercial or political activities
  * violation of access control regulations
  (a) Reprimand
  (b) Written reprimand / written warning
  (c) The reporting of the offence to the police will be considered; written warning / termination of employment


Potential consequences for students (Appendix B)

Level of intent (columns of the table):
  (a) Unintentional breach: ignorance, incompetence, negligence, accident
  (b) Intentional or repeated breach: recklessness, gross negligence, indifference, will to impress
  (c) Criminal intent (malicious damage, unlawful acts, espionage, violation of confidentiality, misuse of power, etc.) or intention to obtain an advantage

Severity of the breach (rows):

Severe offence (a deed that is punishable by law as an offence or a crime), including
  * hacking, unauthorised access
  * unlawful processing of materials subject to the penal code
  * unlawful distribution of materials subject to the penal code
  * intentional and unlawful port scanning
  * intentional distribution of malware
  * denial-of-service attack
  (a) The reporting of the offence to the police will be considered; written warning and restriction of user rights for 1-3 months
  (b) The offence is reported to the police; temporary suspension and restriction of user rights for the period of suspension
  (c) The offence is reported to the police; temporary suspension and restriction of user rights for the period of suspension

Offence (severe misuse or security violation), including
  * unlawful copying of software and games
  * installation of unlawful software
  * hacking / unauthorised possession of admin tools
  * building a service unlawfully
  * disclosure of user account data
  * compromising the confidentiality of data
  (a) Reprimand and restriction of user rights for 1 week to 2 months
  (b) The reporting of the offence to the police will be considered; written warning and restriction of user rights for 1-3 months
  (c) The offence is reported to the police; temporary suspension and restriction of user rights for the period of suspension

Minor offence (misuse), including
  * failure to protect your personal data due to negligence
  * inappropriate conduct
  * harmful conduct
  * unlawful or unauthorised sending of mass emails
  * wasteful use of IT resources
  * prevention of the installation of antivirus software or security upgrades
  * unauthorised commercial or political activities
  * violation of access control regulations
  (a) Reprimand
  (b) Reprimand and restriction of user rights for 1 week to 2 months
  (c) The reporting of the offence to the police will be considered; written warning and restriction of user rights for 1-3 months


A user’s right to access a given system may be revoked temporarily or permanently due to a breach of information security.

 

Potential consequences for other users (Appendix C)

Level of intent (columns of the table):
  (a) Unintentional breach: ignorance, incompetence, negligence, accident
  (b) Intentional or repeated breach: recklessness, gross negligence, indifference, will to impress
  (c) Criminal intent (malicious damage, unlawful acts, espionage, violation of confidentiality, misuse of power, etc.) or intention to obtain an advantage

Severity of the breach (rows):

Severe offence (a deed that is punishable by law as an offence or a crime), including
  * hacking, unauthorised access
  * unlawful processing of materials subject to the penal code
  * unlawful distribution of materials subject to the penal code
  * intentional and unlawful port scanning
  * intentional distribution of malware
  * denial-of-service attack
  (a) The reporting of the offence to the police will be considered; written warning and restriction of user rights for 1-3 months
  (b) The offence is reported to the police; user rights revoked
  (c) The offence is reported to the police; user rights revoked

Offence (severe misuse or security violation), including
  * unlawful copying of software and games
  * installation of unlawful software
  * hacking / unauthorised possession of admin tools
  * building a service unlawfully
  * disclosure of user account data
  * compromising the confidentiality of data
  (a) Reprimand and restriction of user rights for 1 week to 2 months
  (b) The reporting of the offence to the police will be considered; written warning and restriction of user rights for 1-3 months
  (c) The offence is reported to the police; user rights revoked

Minor offence (misuse), including
  * failure to protect your personal data due to negligence
  * inappropriate conduct
  * harmful conduct
  * unlawful or unauthorised sending of mass emails
  * wasteful use of IT resources
  * prevention of the installation of antivirus software or security upgrades
  * unauthorised commercial or political activities
  * violation of access control regulations
  (a) Reprimand
  (b) Reprimand and restriction of user rights for 1 week to 2 months
  (c) The reporting of the offence to the police will be considered; written warning and restriction of user rights for 1-3 months

Published: 4.2.2019
Updated: 25.5.2022