{"id":8909,"date":"2024-03-12T12:16:27","date_gmt":"2024-03-12T10:16:27","guid":{"rendered":"https:\/\/oigusaktid.taltech.ee\/?p=8909"},"modified":"2025-05-28T14:06:49","modified_gmt":"2025-05-28T11:06:49","slug":"information-security-policy","status":"publish","type":"post","link":"https:\/\/oigusaktid.taltech.ee\/en\/information-security-policy\/","title":{"rendered":"Information Security Policy"},"content":{"rendered":"

1 General information<\/a>
\n2 Definitions<\/a>
\n3 Scope of application<\/a>
\n4 Principles<\/a>
\n5 Objectives<\/a>
\n6 Organisation and management of information security<\/a>
\n6.1 The rector<\/a>
\n6.2 The rectorate<\/a>
\n6.3 The information security manager<\/a>
\n6.4 A coordinator for protection of personal data and state secrets<\/a>
\n6.5 Infoturbeintsidendi lahendamisest<\/a>
\n6.6 An area manager (head of a structural unit)<\/a>
\n6.7 Members of the organisation<\/a>
\n7 Resolving an information security incident<\/a>
\n8 Compliance and non-conformities<\/a>
\n9 Review by the rectorate<\/a>
\n10 Implementation<\/a>
\nAnnex Figure 1 Chart of the information security management system<\/a><\/p>\n

1 General information<\/h1>\n

The Information Security Policy lays down the principles of information security at Tallinn University of Technology (hereinafter referred to as \u201cthe university\u201d)\u00a0 which are based on the requirements of the ISO 27001 standard and provide more precise conditions, bases and principles for ensuring strategic information security. The objective of the Information Security Policy is to set out the university’s strategic approach to ensuring information security.<\/p>\n

The university will launch an Information Security Management System (ISMS), which consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by the organization in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, operating, monitoring, maintaining, and improving the organization\u2019s information security to achieve its objectives. It is based on a risk assessment and the organization\u2019s risk acceptance levels designed to effectively treat and manage risks.<\/p>\n

The information security policy is closely intertwined with the university\u2019s risk management procedures and its regulations governing data protection. Information security is a targeted action carried out to support the university\u2019s core processes, fulfil the objectives of information security and ensure the availability, integrity and confidentiality of information assets.<\/p>\n

2 Definitions<\/h1>\n

“Information security”<\/strong> means the protection of the three intrinsic properties of information\u00a0 \u2013\u00a0 availability, integrity and confidentiality, whereas:<\/p>\n

\u2022 availability \u2013\u00a0 data must be available in time and usable;
\n\u2022 integrity \u2013\u00a0 data must be reliable and authentic, and it must be possible to identify and eliminate unauthorised changes;
\n\u2022 confidentiality \u2013\u00a0 access to data is granted only to those with a justified need-to-know.<\/p>\n

\u201cInformation security management system\u201d<\/strong> means a framework of policies and procedures applied within an organisation to achieve the information security objectives. An information security management system consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, operating, monitoring, maintaining, and improving an organization\u2019s information security to achieve its objectives. It is based on risk assessment and the organization\u2019s risk acceptance levels designed to effectively treat and manage risks.<\/p>\n

\u201cAsset\u201d<\/strong> means a resource that has value to its owner. Assets include information, data, software, physical assets (infrastructure, buildings, hardware, installations), financial assets, services, human resources (people, qualifications, skills, experience), know-how, non-material assets (reputation, image).<\/p>\n

\u201cInformation technology asset (IT asset)\u201d<\/strong> means a hardware or software within an IT environment that creates value for an organization. IT assets are integral components of the organization\u2019s systems and network infrastructure.<\/p>\n

\u201cInformation or information asset\u201d<\/strong> means a collection of knowledge or data, defined and managed as a single unit and that has value as well as risks to the organisation. Information or information assets are defined as assets and are related to information systems and processes.<\/p>\n

\u201cInformation system\u201d<\/strong> means a system that stores and processes information. An information system may consist of several interconnected components or assets (such as functional modules, applications, web services, networks, servers (including virtual ones), computers, operating systems, software and databases), which together form a conceptually complete system.<\/p>\n

\u201cApplication\u201d<\/strong> means a set of various programs designed to perform specific tasks. A set of applications can form an information system.<\/p>\n

\u201cSoftware\u201d<\/strong> means the programs, procedures, rules, and associated documentation of an information processing system.<\/p>\n

\u201cProcess (business process)\u201d<\/strong> means a series of activities, actions, or procedures performed within an organisation that produce an outcome contributing to the goal and creating value (e.g. products or services) for the customer. Each process has an owner and a process manager. A process involves strategic goals, legislation, key inputs and outputs, services (including customers and related target groups), indicators, risks, information systems and information assets.<\/p>\n

\u201cService\u201d<\/strong> means a value created for a customer, a (potential) result of a process.<\/p>\n

\u201cIncident\u201d<\/strong> means an unplanned interruption or reduction in the quality of a service, which causes (or may cause) disruption to a service.<\/p>\n

\u201cInformation security incident (cyber incident)\u201d<\/strong> means a special type of incident related to a successful or unsuccessful attempt or attack to destroy, alter, disable, steal or gain unauthorized access or make unauthorized use of an IT asset.<\/p>\n

\u201cData breach\u201d<\/strong> means a special type of information security incident involving a breach of security, accidental or unlawful destruction, loss, alteration, unauthorised access to or disclosure of personal data transmitted, stored or otherwise processed.<\/p>\n

3 Scope of application<\/h1>\n

The Information Security Policy and the supporting control measures, processes and procedures apply to all information used at the university. This includes information processed by other organisations when interacting with the university.<\/p>\n

The Information Security Policy and the supporting control measures, processes and procedures apply to all persons who have access to university information and technologies, including external persons who provide services to the university or process information in the framework of other forms of cooperation.<\/p>\n

The detailed scope, including the breakdown of users, information assets and information processing systems, is laid down in the accompanying documentation outlining the scope of the information security management system.<\/p>\n

4 Principles<\/h1>\n

\u2022 The university as the owner of information assets shall select adequate and appropriate measures to protect the information assets.
\n\u2022 In the course of the risk assessment of information assets, the level of significance is determined based on the university\u2019s core activities and objectives.
\n\u2022 Information assets shall be used for purposes related to the activities of the university.
\n\u2022 All the employees must comply with the information security requirements.
\n\u2022 Access to information assets is granted based on a justified need-to-know.
\n\u2022 Tasks or responsibilities that conflict with each other shall be kept separate.
\n\u2022 The obligation to maintain confidentiality applies to confidential information and is applied to persons using the university’s information assets in accordance with legislation and the contracts entered into.<\/p>\n

5 Objectives<\/h1>\n

The university\u2019s information security objectives are the following:<\/p>\n

\u2022 To provide reassurance to the members of the university (the staff, students and alumni) and its cooperation partners that the university keeps and processes the information assets (data, information) related to them in adherence to legislation and ensures the security (confidentiality, integrity and availability) of the information.
\n\u2022 Information security is an integral part of the university\u2019s core and support activities.
\n\u2022 Risks related to information assets are identified, analysed, evaluated and treated in accordance with the agreed risk tolerance level.
\n\u2022 Requirements arising from information security standards are taken into account when developing or procuring information systems and applications.
\n\u2022 The persons managing the university\u2019s information assets are aware of their information security responsibilities and obligations. Contractual and legal obligations relating to information security are understood and met.
\n\u2022 The organisational, physical, procedural and technical controls balance user experience.
\n\u2022 Authorised users can securely access and, if necessary, share information in order to perform their roles.
\n\u2022 Efforts are made to minimize incidents affecting the information assets, continuously learning from them and, as a result, improving various information security measures.<\/p>\n

The security of information assets is ensured and information security objectives are achieved by implementing a set of Information security management components, including controls, policies, rules, guidelines, processes, organisational structures, resources, actions, software and hardware solutions, in adherence to the Information Security Standard and regulations.<\/p>\n

6 Organisation and management of information security<\/h1>\n

Introduction of information security policy involves planning, creation, implementation, management of security measures and designation of areas of responsibility. The information security roles have been defined for information security purposes. Information security is a collective action of the organisation and a responsibility of all the data users.<\/p>\n

The responsibility for information security is divided into general and specific responsibilities:<\/p>\n

\u2022 data users have general responsibility for information security, which is to comply with information security regulations and to notify of information security incidents;
\n\u2022 specific responsibilities for information security arise from the position in the university structure and the duties. The rector, the structural units and each employee are personally responsible for proper fulfilment of their obligations.<\/p>\n

6.1 The rector<\/strong><\/h2>\n

\u2022 Approves the university\u2019s information security policy;
\n\u2022 Approves the university\u2019s information security manager.<\/p>\n

6.2 The rectorate<\/h2>\n

\u2022 Shall demonstrate leadership and commitment with respect to the information security management system;
\n\u2022 Shall make sure that the information security policy is up-to-date and the information security objectives are compatible with the university\u2019s goals;
\n\u2022 Shall make sure that information security requirements are integrated into the university\u2019s processes;
\n\u2022 Shall make sure that resources required for the information security management system are provided based on risk management principles;
\n\u2022 Shall ensure compliance with the information security management system requirements;
\n\u2022 Shall make sure that the information security management system achieves its intended outcomes and assess the achievement of the objectives;
\n\u2022 Requires members of the organisation to adhere to the Information Security Policy as well as the procedures, guidelines and regulations drawn up within the framework of the information security management system;
\n\u2022 Directs and supports persons to contribute to the effectiveness of the management system;
\n\u2022 Promotes continual improvement;
\n\u2022 Supports other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility;
\n\u2022 Shall review the organisation\u2019s information security management system at regular intervals to ensure that it remains suitable, adequate and effective.<\/p>\n

6.3 The chief information security officer<\/h2>\n

\u2022 Is responsible for developing, reviewing and enforcing the information security policy, standards, guidelines and controls to ensure compliance with relevant legislation and regulations;
\n\u2022 Shall make sure that information security measures are implemented and conducts a security audit at least once a year;
\n\u2022 Shall organise information security monitoring and incident response:
\n\u2022 Is responsible for increasing the information security awareness at the university;
\n\u2022 Shall inform, provide advice and training to employees for the implementation of security measures;
\n\u2022 Shall monitor the execution of controls and provide reviews to the relevant parties;
\n\u2022 Shall provide the rectorate an overview of information security at least once a year;
\n\u2022 Is responsible for organizing communication related to the information security management system at the university;
\n\u2022 Identifies and defines the parties involved in the information security management system and their respective needs and requirements;
\n\u2022 Is the contact person in communication with authorities concerning information security;
\n\u2022 Shall make sure that appropriate flow of information takes place at the university with respect to information security (in cooperation with special interest groups, specialist forums, etc.).
\n\u2022 Shall provide input on information security threats for risk management;
\n\u2022 Shall ensure continual improvement of the ISMS.<\/p>\n

6.4 A coordinator for protection of personal data and state secrets<\/h2>\n

\u2022 Shall organise the protection of personal data in accordance with the legislation applied to the field;
\n\u2022 Shall organise the protection of state secrets and classified information of foreign states in accordance with the legislation applied to the field.<\/p>\n

6.5 An area manager (head of a structural unit)<\/h2>\n

\u2022 Is responsible for implementing the components of the information security management system in his\/her field;
\n\u2022 Fulfils the role of the owner regarding the information systems or applications within his\/her area of responsibility;
\n\u2022 Appoints the business project manager and superuser of the information systems or applications in his area of responsibility;
\n\u2022 Shall make sure that the personnel within his\/her area of responsibility have the necessary competence to maintain information security;
\n\u2022 Shall plan and ensure the availability of resources required for information security in his\/her area of responsibility.<\/p>\n

6.6 A process manager<\/h2>\n

\u2022 Is responsible for implementing the components of the information security management system within his\/her process;
\n\u2022 Shall identify, analyse and assess risks related to the information systems and applications within his\/her process in collaboration with the business project manager, the superuser, the IT project manager, and the system manager;
\n\u2022 Is the owner of the data or information generated during the process.<\/p>\n

6.7 Members of the organisation<\/h2>\n

\u2022 Shall be aware of the information security policy and the information security procedures and regulations that apply to them;
\n\u2022 Shall understand their role within the information security management system and adhere to the policies, rules, guidelines, controls, organisational structures, and processes arising from the system in their work as well as recognise the benefits of enhancing information security performance;
\n\u2022 Shall be aware of the consequences of non-compliance with the requirements of the information security management system;
\n\u2022 Contribute to the continual improvement of information security activities.<\/p>\n

7 Resolving an information security incident<\/h2>\n

\u2022 A data user must notify the IT Helpdesk of any information security incident as soon as possible.
\n\u2022 The resolution of information security incidents is conducted in accordance with the established incident resolution procedure.
\n\u2022 To resolve an information security incident, parties related to the information assets must grant the information security manager and authorized personnel access to information required to resolve the incident.
\n\u2022 The information security manager shall inform the relevant parties, including external parties about information security incidents as required by regulations.
\n\u2022 If elements of criminal offence, misdemeanour or disciplinary offence are discovered in the course of solving a security incident, the case is referred to the authority who has the right to conduct the relevant proceedings.
\n\u2022 The information collected in the course of solving an incident shall be documented, analysed and used to prevent similar incidents in future.<\/p>\n

8 Compliance and non-conformities<\/h1>\n

The university ensures compliance with its information security policy and management system through regular reporting, feedback from information asset owners, risk assessment, and internal and external audits.<\/p>\n

All deviations and exceptional cases in the implementation of information security measures shall be documented and approved by the information security manager before their implementation.<\/p>\n

In the event of non-compliance:<\/p>\n

\u2022 react and take action to control and correct it and deal with the consequences;
\n\u2022 assess the situation, determine if any similar non-conformities exist elsewhere and, if necessary, address the root cause to eliminate it;
\n\u2022 review effectiveness of the corrective action;
\n\u2022 if necessary, make changes to the information security management system (e.g. by supplementing procedures, rules, guidelines, etc.);
\n\u2022 document the non-conformities (incl. the nature of the non-conformity, the steps and measures to be taken, and the results of corrective actions).<\/p>\n

The information security manager is responsible for documenting non-conformities.<\/p>\n

Members of the organization who have violated the principles of the information security policy will be subject to disciplinary action as outlined in the applicable procedures.<\/p>\n

9 Review by the rectorate<\/h1>\n

The rectorate shall review the organisation\u2019s information security management system at regular intervals to ensure that it remains suitable, adequate and effective.<\/p>\n

A rectorate\u2019s review must include at least the following:<\/p>\n

\u2022 The status of actions from previous management reviews;
\n\u2022 Changes in the internal and external issues that are relevant to the purpose of the information security management system;
\n\u2022 Changes in the information security management system related to the needs and expectations of interested parties;
\n\u2022 Feedback on the information security performance, including trends (non-conformities and corrective actions; monitoring and measurement results; audit results; fulfilment of information security objectives).
\n\u2022 Feedback from stakeholders;
\n\u2022 Results of risk identification, analysis and assessment and a risk treatment plan;
\n\u2022 Opportunities for continual improvement.<\/p>\n

The rectorate\u2019s review of the ISMS shall be prepared by the information security manager. The outputs of the rectorate\u2019s review should include decisions related to continual improvement opportunities and any needs for changes to the information security management system.<\/p>\n

10 Implementation<\/h1>\n

The Information Security Policy is a public document published on the university website at oigusaktid.taltech.ee. The Information Security Policy shall be made available to all the persons within the scope of application of the ISMS.<\/p>\n

The annexes to the Information Security Policy and information security management system include the following procedures and instructions, approved separately from the Policy. It is crucial to ensure consistency\u00a0 across the entire information security management system, various policies, regulations, procedures, and guidelines. The procedures and guidelines of the information security management system shall be approved by an order of the Director for Administration.<\/p>\n

\u2022 The scope of information security
\n\u2022 Administrative management
\n\u2022 Data protection and exchange of information
\n\u2022 Rules for information technology development work
\n\u2022 Physical security
\n\u2022 Management of IT assets
\n\u2022 Access management
\n\u2022 Remote work and mobile devices
\n\u2022 Crisis management
\n\u2022 Cryptographic operations
\n\u2022 Logging policy
\n\u2022 Principles of the management and use of end user devices
\n\u2022 Change management
\n\u2022 Partnerships and agreements
\n\u2022 Human resource management
\n\u2022 Enquiry, incident, event and problem management
\n\u2022 Risk management
\n\u2022 Basis of server and network management
\n\u2022 Internal audit and compliance
\n\u2022 Service continuity<\/p>\n

Information security policies, along with supplementary procedures and guidelines, are reviewed annually and amended as needed based on various impact factors (e.g. changes in objectives, the external environment, information security risks, etc.) and the outputs of reviews or audits conducted by the rectorate.<\/p>\n

\n

Annex 1<\/h1>\n

Figure 1 Chart of the information security management system<\/p>\n

\"\"<\/p>\n","protected":false},"excerpt":{"rendered":"

1 General information 2 Definitions 3 Scope of application 4 Principles 5 Objectives 6 Organisation and management of information security 6.1 The rector 6.2 The rectorate 6.3 The information security manager 6.4 A coordinator for protection of personal data and state secrets 6.5 Infoturbeintsidendi lahendamisest 6.6 An area manager (head of a structural unit) 6.7 […]<\/p>\n","protected":false},"author":4,"featured_media":0,"parent":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"smart_processes":["https:\/\/smart.taltech.ee\/en\/process\/data-protection-and-information-security-management\/","https:\/\/smart.taltech.ee\/en\/process\/it-management\/"],"footnotes":""},"categories":[182],"tags":[],"legislation_type":[150],"legislation_approval":[152],"subdivision":[209,210],"faculty":[],"division":[222],"department":[264],"class_list":["post-8909","post","type-post","status-publish","format-standard","hentry","category-legislation","legislation_type-directive","legislation_approval-rector","subdivision-it-en","subdivision-data-protection","division-general-management","department-information-technology-services"],"acf":{"smart_processes":["https:\/\/smart.taltech.ee\/en\/process\/data-protection-and-information-security-management\/","https:\/\/smart.taltech.ee\/en\/process\/it-management\/"]},"_links":{"self":[{"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/posts\/8909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/comments?post=8909"}],"version-history":[{"count":1,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/posts\/8909\/revisions"}],"predecessor-version":[{"id":11094,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/posts\/8909\/revisions\/11094"}],"wp:attachment":[{"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/media?parent=8909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/categories?post=8909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/tags?post=8909"},{"taxonomy":"legislation_type","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/legislation_type?post=8909"},{"taxonomy":"legislation_approval","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/legislation_approval?post=8909"},{"taxonomy":"subdivision","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/subdivision?post=8909"},{"taxonomy":"faculty","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/faculty?post=8909"},{"taxonomy":"division","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/division?post=8909"},{"taxonomy":"department","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/department?post=8909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}