Division of Buildings and Services
CONTROL DOCUMENT
Leif Bouvin 24-05-07 ref. no. A 13 349 / 07
031-789 58 98
Policy for IT security
Date of Publication: June 2007
Published
Decision-maker: Vice-Chancellor
Date of decision: 11-06-2007
Person responsible for document: Leif Bouvin
Period of validity: Until further notice
Summary: ”Policy for IT security” at Göteborg University sets out the overall focus and goals, along with the overall responsibility and organisation, for IT security work.
Division of Buildings and Services
Karl Gustavsgatan 12 B, Box 100, SE 405 30 Göteborg
031 786 0000, 031 786 1142 (fax)
Policy for IT security
Work shall be actively carried out on IT security and risk analysis to enable the University to perform its functions within education, research and cooperation with the surrounding society effectively and at a high level of quality. The University shall be, and be perceived to be, a secure collaborative partner.
IT security work shall be focused on ensuring
- a high level of accessibility to information and services
- correctness of the information through protection against unintentional and intentional misrepresentation
- authorization checks based on classification of the sensitivity of the information
- traceability
- secrecy and the possibility of protected communication.
It is the responsibility of every user that current policy and regulations for IT security are applied within their area.
External activities that are connected to the University’s IT facilities shall comply with the University’s regulations and policy for IT security.
Responsibility and organisation
The Vice-Chancellor has the overall responsibility for IT security. Below the Vice-Chancellor, responsibility follows the line organisation.
The Vice-Chancellor appoints persons with technical responsibility for security and operation of the University’s common IT systems and communication networks.
The Dean, the Chief Librarian and the Head of Administration shall appoint technical managers for security and operation of the IT system and communication network within their respective areas of responsibility.
System and operational responsibility
System owner
A system owner (official with responsibility for the system) shall be appointed for each IT system. System owners shall attend to the users’ requirements and have overall responsibility that the IT system supports the activity and the goals of the activity.
It is the responsibility of system owners that
- analyses of security requirements are carried out with respect to information content and operational requirements. The security requirements must be set out with the focus on accessibility, correctness, secrecy and traceability
- guidelines for allocation of authorizations are drawn up
- technical managers’ security requirements are met.
Technical manager
An officer with technical responsibility shall be appointed to ensure technical reliability.
It is the responsibility of the technical manager that
- analyses of technical security are carried out with respect to accessibility, correctness, secrecy and traceability, and that any shortcomings revealed are rectified
- the system owner’s security requirements are fulfilled technically.
Responsibility for authorization
Authorization managers decide on allocation of access rights to the university’s common and local systems, and are also responsible for follow-up of authorizations that have been allocated. Allocation and follow-up must comply with guidelines set by the system owner and technical manager.
Authorization managers are heads of department, heads of division in university-wide administration units, heads of section for libraries within the University Library, heads of faculty office and equivalent.