Non-compliance with IT regulations and potential consequences
Policy on Consequences of Breaches of IT Security
1 Scope
1.1 Purpose
This document contains descriptions of the measures taken against a person in case a breach of IT security is detected or there is good reason to suspect it. The measures have been divided into restrictions on authorisation for the time of the investigation of the breach and the possible consequences laid down for the breach.
1.2 To whom does this policy apply?
This Policy applies to and binds all members of the higher education community of Tampere that comprises the University of Tampere and Tampere University of Applied Sciences (hereinafter "University"), the users of the IT services and information systems of the universities and their various units.
1.3 Why is this policy necessary?
Policies, terms of use and guidelines are used to ensure that the University’s information assets remain confidential, intact and available, to ensure the lawfulness of data processing and to meet the legal obligations set forth by laws and decrees (such as the General Data Protection Regulation of the EU and statutes related to information and communication crimes).
The University processes materials that are classified for the use of authorities, which means that a certain level of information security requirements must be followed (such as Section 8031, Level II of the Katakri auditing tool).
2 Breach of information security
Deeds in conflict with the terms of use and regulations concerning the University’s information systems or usage of information systems in ways that constitute a breach of Finnish legislation are considered breaches of information security.
2.1 Reporting duty
Everyone is bound by the duty to report any possible breaches, and suspicions thereof, to an information security specialist, to the administration, or as otherwise instructed in the applicable guidelines.
2.2 Restrictions of rights
When a breach has been detected or one is suspected, a decision of a restriction of user rights is made. Authorisation is always restricted when it is suspected, with good reason, that the user is guilty of wrongful actions or if it is possible that the authorisation may compromise the investigation of the breach or minimisation of resulting damages. If needed, the user will be called in to be heard.
The owner of the IT service, the head of the unit in question, the Chief Information Officer or other person appointed for the task will make the decision on the restriction of authorisation. The administrator of the service will implement the restrictions.
It is possible to revoke the restrictions once the investigation has been completed and the restoration of authorisation does not cause evident harm.
2.3 Urgent cases
In cases in which there is reason to believe that the breach will have a substantial effect on the information security of the University or on the data protection of an individual, the Chief Information Officer and/or the administrator can decide to restrict a user’s authorisation for no longer than five (5) working days. The owner of the service and the Director of IT Services must be informed of such a decision immediately.
3 Consequences
In less severe cases, the user will be reprimanded for inappropriate conduct.
A user may become liable for the damage caused to the resources (servers, information network, etc.) he/she has used wrongfully, for any direct damages, and for the expenses generated by the investigation.
3.1 Consequences for students
Consequences for a student may include the revocation or restriction of authorisation for a fixed term, administrative measures taken by the University (written warning, temporary suspension), and the offence being reported to the police (if the deed is punishable by law).
The Chief Information Officer will make decisions pertaining to the measures on authorisation. The time of the investigation will not be counted towards the period of the restriction of authorisation. The decision on issuing a written warning to a student will be made by the rector of the University, whereas the University Board will decide on a temporary suspension. The individual’s authorisation will be revoked for the duration of the suspension.
The total time that a user’s authorisation is restricted must comply with the minimum time indicated in the table of breaches of IT security (Appendix A).
3.2 Consequences for members of staff
Consequences for a member of staff may include legal consequences in accordance with labour legislation by the University (written warning, dismissal or termination of employment) and the offence being reported to the police (if the deed is punishable by law).
Authorisation to use a certain system can be revoked temporarily or permanently, due to a lack of confidence resulting from the breach. The Chief Information Officer, the owner of the service or head of unit will make decisions pertaining to measures concerning authorisation.
3.3 Consequences for other users
Consequences for users who are not staff or degree students of the University may include the revocation or restriction of authorisation and reporting the offence to the police (if the deed is punishable by law).
Authorisation to use a certain system can be revoked temporarily or permanently, due to a lack of confidence resulting from the breach. The Chief Information Officer, the owner of the service or head of unit will make decisions pertaining to measures concerning authorisation.
3.4 Tables of consequences
The tables appended to this document include guidelines for the consequences of breaches of IT security to students of the University (Appendix A), University staff (Appendix B) and other users (Appendix C).
The tables include examples of typical breaches that take place when information systems are used, classified according to the severity of the breach. In addition to the severity of the deed, its intent is a factor that impacts the severity of the consequences.
3.5 Examples of the abuse of IT services
Unlawful processing of material subject to the penal code and copyright laws
- Materials subject to the penal code include, but are not limited to, materials containing brutal violence, racist materials and demagogic materials
- Processing activities include, but are not limited to, the distribution and possession of the materials
- Materials subject to copyright include music, videos, comics, films, games and software, etc.
Disclosure of user account data includes, for example,
- sharing a password with another user
- leaving a computer logged in so that another person can access someone else’s user account
Risking the confidentiality of information includes, for example,
- disclosing confidential or otherwise legally protected information to a person who is not entitled to receive it (for example disclosing information about users of the servers)
- neglecting to abide by the information security requirements of confidential information (passive failure to operate)
- intentional breaches of confidentiality (active operation)
- breaches of the Data Protection Act
Negligence in personal data protection includes, for example,
- leaving a password unprotected
- negligence of University data back-up practice
A service refers to a function that can be used from a location other than a specific computer. For example:
- email services
- data transfer services
- peer-to-peer network for data transfer
4 Other provisions
4.1 Coming into force
This Policy will be valid as of 1 January 2019.
4.2 Managing changes
This document will be revised when necessary to ensure compliance with the valid services and legislation.
Any significant amendments will be processed in a cooperation procedure. The IT Administration will decide on the need to amend this Policy.
Information on the amendments will be provided via the normal channels of communication but not personally.
4.3 Exceptions to this Policy
Permission for exceptions to the Policy can be granted for compelling reasons upon written application.
Permits for exceptions are granted by the IT Administration. The permit may include additional terms and conditions, restrictions and responsibilities.
4.4 Supervision
The responsibility for the supervision of this Policy is determined in the Information Security and Data Protection Policies of the University.
Potential consequences of IT breaches (tables A, B and C)
Potential consequences for members of staff (Appendix A):
SEVERITY OF THE BREACH | LEVEL OF INTENT: Ignorance | LEVEL OF INTENT: Recklessness | LEVEL OF INTENT: Criminal intent (malicious damage, unlawful, espionage, violation of confidentiality, misuse of power, etc.); intention to obtain an advantage
Severe offence (a deed that is punishable according to law as an offence or a crime), including | The reporting of the offence to the police will be considered. Written warning | The offence reported to the police. Dismissal/termination of employment |
Offence (severe misuse or security violation), including | Written reprimand | The reporting of the offence to the police will be considered. Written warning / termination of employment | The offence reported to the police. Dismissal/termination of employment
Minor offence (misuse), including | Reprimand | Written reprimand / Written warning | The reporting of the offence to the police will be considered. Written warning / termination of employment
Potential consequences for students (Appendix B):
SEVERITY OF THE BREACH | LEVEL OF INTENT: Ignorance | LEVEL OF INTENT: Recklessness | LEVEL OF INTENT: Criminal intent (malicious damage, unlawful, espionage, violation of confidentiality, misuse of power, etc.)
Severe offence (a deed that is punishable according to law as an offence or a crime), including | The reporting of the offence to the police will be considered. Written warning and restriction of user rights | Offence reported to the police. Temporary suspension and restriction of user rights for the period of suspension | Offence reported to the police. Temporary suspension and restriction of user rights for the period of suspension
Offence (severe misuse or security violation), including | Reprimand and restriction of user rights for 1 week to 2 months | The reporting of the offence to the police will be considered. Written warning and restriction of user rights for 1 to 3 months | Offence reported to the police. Temporary suspension and restriction of user rights for the period of suspension
Minor offence (misuse), including | Reprimand | Reprimand and restriction of user rights for 1 week to 2 months | The reporting of the offence to the police will be considered. Written warning and restriction of user rights
A user’s right to access a given system may be revoked temporarily or permanently due to a breach of information security.
Potential consequences for other users (Appendix C):
SEVERITY OF THE BREACH | LEVEL OF INTENT: Ignorance | LEVEL OF INTENT: Recklessness | LEVEL OF INTENT: Criminal intent (malicious damage, unlawful, espionage, violation of confidentiality, misuse of power, etc.)
Severe offence (a deed that is punishable according to law as an offence or a crime), including | The reporting of the offence to the police will be considered. Written warning and restriction of user rights for 1 to 3 months | Offence reported to the police. User rights revoked | Offence reported to the police. User rights revoked
Offence (severe misuse or security violation), including | Reprimand and restriction of user rights for 1 week to 2 months | The reporting of the offence to the police will be considered. Written warning and restriction of user rights | Offence reported to the police. User rights revoked
Minor offence (misuse), including | Reprimand | Reprimand and restriction of user rights | The reporting of the offence to the police will be considered. Written warning and restriction of user rights