IT Service Maintenance Policy
Contents
1 Version
2 Scope
2.1 Purpose
2.2 Applicability
2.3 Definitions
3 Administrator
3.1 Authorisations of an administrator
3.1 Administrator’s responsibilities
4 Operating principles
4.1 Respecting privacy
4.2 Confidentiality
5 Operating practices
5.1 Identities and passwords
5.2 Restricting access rights
5.3 Handling email
5.4 Handling other files
5.5 Monitoring directories and file lists
5.6 Monitoring software and processes
5.7 Monitoring the communications network
5.8 Handling and monitoring log data
5.9 Storing data
6 Other provisions
6.1 Coming into force
6.2 Amendments
6.3 Exceptions to this Policy
6.4 Supervision
6.5 Governing law
2. Scope
2.1 Purpose
This document describes the responsibilities related to the management of IT services.
2.2 Applicability
This policy applies to all technical maintenance personnel (hereinafter referred to as ‘administrator’) of Tampere Universities, which consists of Tampere University and Tampere University of Applied Sciences, and, where applicable, to students.
2.3 Definitions
Information management practice refers to the management of data sets used in connection with the operations of Tampere Universities, including their processing phases and the information included in the data sets throughout their life cycle regardless of the method of storing or otherwise handling the data sets.
Service is a broad term that encompasses specific technology, people and processes provided by a service provider or producer. In some cases, the term information system or simply system can also be used to refer to an IT service, for instance, when referring to the technical implementation thereof.
Administrator refers to all people who are responsible for the technical maintenance of the services of Tampere Universities as well as other people responsible for activities related to system management, user support and guidance. Broadly speaking, the term administrator refers to every person with extensive rights to a system, regardless of the purpose of the system.
Students are also considered administrators if they manage an information system or service of Tampere Universities.
Unit refers to a faculty or other specific area of responsibility within Tampere Universities.
Service owner is a unit at Tampere Universities for which a service has been acquired. The service owner determines the people authorised to use the service.
3. Administrator
3.1 Authorisations of an administrator
An administrator has sufficient rights to study the status of systems and services to ensure the functioning of an IT service and to intervene in the operation of a service or system, the use of systems by an individual user, and user’s data stored in the systems, if necessary.
In order to prevent breaches of information security and other information security incidents, administrators will have the right to take immediate action to safeguard information security.
The special rights of an administrator are regulated by rules and guidelines to ensure that they are not in conflict with the legal protection or data protection of users. These guidelines are based on EU regulations and the laws of Finland as well as the Terms of Use, Information Security Policy and Data Protection Policy of Tampere Universities.
3.1 Administrator’s responsibilities
A unit must document the information systems and service packages it owns, specify how critical they are and appoint administrators to oversee them. The owner will be responsible for the existence and availability of any information system descriptions and privacy policies.
The service owner, and ultimately the head of unit, will be responsible for ensuring that the service complies with the law, good information management practice, and the rules and regulations of Tampere Universities. Good information management practice requires the service management to include various roles, such as main user (person responsible for the service), technical administrator, etc. depending on the service and provider in question.
As far as possible, service management will be divided between several people with different levels of authorisation. Necessary log data must also be collected on the management measures taken.
The service owner or administrator will not be responsible for the content of the users’ personal material; instead, the users themselves are responsible for ensuring that their materials are legal and for protecting them, if necessary, in accordance with the instructions provided by Tampere Universities. However, the service administrator is entitled and obligated to process users’ materials, if there is a justified reason to suspect that they contain threats to information security or violate legal regulations (see the Policy on Consequences of Breaches of IT Security).
If an administrator is suspected or found to have misused their special rights, the head of unit will be contacted; together with the information security manager, they will decide on the necessary protective and further measures in accordance with the Policy on Consequences of Breaches of IT Security. Administrator’s rights will be considered an aggravating circumstance when assessing a violation.
If, for some reason, an administrator has access rights to services or systems to which they should not be able to access, they do not have the right to use the access right for purposes such as browsing information if it is not connected with their duties or for solving problems. In these cases, administrators will be obligated to notify the service owner about the unnecessary rights.
The management tasks and responsibilities between the service provider and the customer must always be defined in the service. They must be taken into account in connection with outsourced providers in particular.
4 Operating principles
4.1 Respecting privacy
When managing the services of Tampere Universities, the right to privacy and the confidentiality of communications must be respected. However, while taking these basic rights into account, Tampere Universities will have the right to determine the data content and purpose of use of the services it owns. This will also apply to traffic in the communications network owned by Tampere Universities.
More detailed regulations on the purpose of use can be found in the Terms of Use of IT Services or in the service-specific rules of Tampere Universities.
When a user asks an administrator to process his or her email or other files, the administrator must verify the identity of the user in an appropriate manner, such as checking a valid identity card, if the administrator does not know the user.
If necessary, the administrator must contact the user. If there is reason to suspect that a user account has fallen into the wrong hands, the email services provided by Tampere Universities may not be used.
4.2 Confidentiality
Administrators have a duty of confidentiality concerning information that is not related to their duties and that they come into contact with while carrying out their duties. The use of such information for any purpose is prohibited.
Non-public issues related to job duties may only be discussed with persons or authorities who are bound by the same duty of confidentiality and to whose duties the issue being discussed is related.
Administrators will, in particular, be bound by Chapter 40, Section 5 of the Criminal Code of Finland. According to this piece of legislation, an administrator may not unlawfully disclose or make use of confidential information or other information that may not be disclosed in accordance with the law that they have discovered during or after their employment as a result of their duties or position.
Such information includes users’ private information.
The administrators’ duty of confidentiality must be ensured by having them sign a separate non-disclosure agreement or similar, such as a non-disclosure clause included in the employment agreement.
5. Operating practices
5.1 Identities and passwords
Administrators do not need a user’s password to carry out their duties and must not ask users for their password under any circumstances.
The user must be present in person to type the password to the authentication service, or the administrator must take over the user’s identity with the administrator’s special rights, if solving the problem briefly requires it. The identity may not be used for any longer than necessary to solve the problem. The user must be notified as soon as possible of his or her identity being taken over with the administrator’s special rights, and a log entry or other traceable information must remain of the process. When the user is present, the administrator must verify the user’s identity in an appropriate manner.
In situations in which the user has personally authorised the administrator to make changes and the user’s identity has been verified, changes can be made to things such as email settings (such as redirecting, filtering or setting an automatic reply). However, there must be a documented request for the authorisation.
The rights of a main user may only be used when necessary for management tasks.
5.2 Restricting access rights
The restriction of access rights during an investigation is described in the Policy on Consequences of Breaches of IT Security.
5.3 Handling email
Guidelines for handling email are set out in the Email Policy.
5.4 Handling other information
Administrators do not have a general right to read or otherwise process the contents of files owned by users.
However, administrators have the right to process files in the following cases:
- When a user gives written permission to solve a problem.
- Upon specific written request (for example, if there is a chance that the performance of the duties of Tampere Universities may be hindered due to an absence, it may be necessary to process the restricted-access files owned by an absent employee/student. The head of unit or similar may order an administrator to give a named person the right to access the necessary files)
- Software or configuration files under a username cause disturbances to the functioning or safety of the system or the data protection of other users. In that case, the administrator may check the content of the files and prevent them from operating, if necessary.
- If there is reason to suspect that a username has fallen into the wrong hands, the administrator is obliged to block the username during an investigation. Otherwise, the Policy on Consequences of Breaches of IT Security will apply. The aim will be to contact the user before taking measures, but it may also be necessary to carry out protective and corrective measures immediately before making contact.
- There is a justified reason to suspect that the possessor of a username is guilty of misuse, and it may be assumed that certain files owned by the user contain evidence of such misuse.
The procedure for responding to suspected misuse is set out in the Terms of Use and the Policy on Consequences of Breaches of IT Security of Tampere Universities.
Administrators will have the right to prevent the visibility of websites that are against the law or violate the Terms of Use.
In addition, administrators shall always have the right to:
- read and change the configuration, email redirect or sorting files as well as other files in users’ home directories that affect the operation of the service, if they are found to threaten the operation or safety of the service or the data protection of users. If a possible change cannot be made without losing the changes the user has made, the old version created by the user will be transferred under a different name and the user will be notified thereof.
- check that common disk regions do not contain files that are illegal or threaten the operation or safety of the service or the data protection of users. Such files include, for example, malware, recordings that violate copyright, or data specified as illegal in the Criminal Code of Finland.
- automatically or manually delete files in disk regions intended for temporary storage based on predetermined principles. The deletion principles must be available to users, but the users do not have to be notified of deletions in accordance with the principles.
- concerning services to which Tampere Universities do not have similar rights as to the services they produce, the administrator will have the right to ask the service provider to carry out the aforementioned measures.
5.5 Monitoring directories and file lists
Processing directory structures, filenames, dates of changes made, size and security level as well as other information on the file is part of normal management, which is carried out in accordance with good information management practice.
If the security of a file or directory is too weak compared to its nature, the administrator will have the right to upgrade security to the appropriate level.
The administrator has a duty of confidentiality. In taking care of management tasks, the aim will be to ensure that the names of files and similar items are not exposed unnecessarily. For example, if file lists are required for handling problem cases, the text ‘-private-’ or some other text in accordance with the practice agreed upon will be printed instead of those user file names that are not connected to the issue being dealt with.
5.6 Monitoring software and processes
The administrator will specify which software is made available through the service. Software may be prohibited or removed from use if its use is not necessary for the operations of Tampere Universities and if it poses a threat to safety or the service level. Such a decision will be made by the relevant head of unit.
The administrator will monitor the software being run in the services as part of normal management procedures.
The administrator may change the priority of a process being run, if it consumes an unreasonable amount of service resources.
The administrator may terminate the process if:
- the functioning of the process is clearly disturbed
- the process causes extra load that impedes the functioning of the rest of the service
- the process is not justified with regard to the operations of the Tampere Universities
- the process is linked to software, the use of which is against the rules and instructions issued by the administrator
- the process endangers data protection or information security
The user will be notified of the process being terminated and the cause of termination.
5.7 Monitoring the communications network
The communication network administrator of Tampere Universities will monitor traffic in the network and external connections in order to ensure safety and a reasonable service level and to enable the use of external connections.
When monitoring traffic, the amount of traffic and the operating methods will be primarily observed. Content monitoring will only be possible in exceptional cases in compliance with applicable legislation.
The monitoring of source and target devices will be statistical and not focused on individual users.
However, traffic may also be monitored more carefully with regard to an individual service when investigating traffic-related deviations, such as the cause of a particularly high load.
Automatic intrusion detection systems may analyse all traffic.
The administrator may contact the person responsible for a device that has caused a large amount of traffic or some other deviation in order to investigate a potential incident or misuse.
The administrator will be permitted to block or limit communications or prevent the use of a certain service completely concerning a device or part of a network that causes traffic that threatens the safety or service level of network traffic. This may be done if there is a justified reason to suspect that a device or devices have fallen into the wrong hands or is/are contaminated by malware that violates the Terms of Use or is/are not appropriately managed with regard to information security in particular.
The administrator responsible for the device or part of the network must be contacted immediately after traffic has been blocked.
5.8 Handling and monitoring log data
The services of Tampere Universities record log data in order to document the operation of the service, investigate potential incidents or misuse, and collect invoicing information.
Log data may constitute a personal data file. A personal data file will be handled in accordance with data protection laws.
The administrator must be familiar with the policy of Tampere Universities on logs and the related instructions.
5.9 Storing data
The service provider or producer will be required to back up its services.
Backups must be stored appropriately, and the administrator must ensure that the backups are legible. The information on the backups must be handled in accordance with the same principles as similar information in the information systems. Backups must be destroyed in a way that does not endanger the confidentiality of the information they contain.
6 Other provisions
6.1 Coming into force
This policy will become effective on 1 January 2019.
6.2 Amendments
This policy will be amended when necessary to ensure compliance with applicable laws.
Any significant amendments will be processed through a cooperation procedure between employee and employer representatives.
The information security manager of Tampere Universities will be responsible for the content and maintenance of this policy.
Information about any amendments will be provided to users via the normal channels of communication but not personally.
6.3 Exceptions to this policy
Permission to make exceptions to this policy may be granted for compelling reasons upon written request. ICT Services of Tampere Universities will be responsible for monitoring the policy together with the service owner and provider.
The permit may include additional terms and conditions and impose additional restrictions and obligations.
6.4 Supervision
The responsibilities for the supervision of this policy are described in the Information Security and Data Protection Policies of Tampere Universities.
6.5 Governing law
Tampere Universities carry out all their operations in full compliance with all applicable laws and regulations.
Inquiries: tietoturva [at] tuni.fi