IT Services
Information security policy
Strategy for integrated information security at ETH Zurich
Released; for internal use
Date: Dec. 15, 2013
Version: 2.0
Authors: Dieter Gut, Reto Gutmann
IT Services, information security policy, version 2.0
page ii / iv
Additional information

Version control

| Version | Comment | Date | Authors |
|---|---|---|---|
| 1.0 | Release | Nov. 7, 2012 | |
| 1.1 | Correction, Chief Information Security Officer (CISO) | Nov. 13, 2012 | Dieter Gut |
| 1.2 | Role of the IT Security Officer added. Explanation of how the role differs from that of the CISO. Feedback from Mrs. K. Timmel and Mrs. B. Schiesser incorporated. | Nov. 20, 2012 | Dieter Gut |
| 1.3 | Feedback from Prof. R. Boutellier incorporated. | Nov. 27, 2012 | Dieter Gut |
| 1.4 | Feedback from Dr. R. Perich and Mrs. K. Timmel ("School Administration, Risk Management Commission" chapter added; HSE chapter removed) | Nov. 30, 2012 | Dieter Gut |
| 1.5 | Draft for the consultation process | Feb. 5, 2013 | |
| 1.6 | Implementation of the feedback from the workshop with ISL | Aug. 14, 2013 | Dieter Gut |
| 1.7 | Revision/editing by R. Gutmann | Aug. 30, 2013 | Reto Gutmann |
| 1.8 | Editorial corrections according to "Feedback Workshop" team | Sept. 17, 2013 | Dieter Gut |
| 1.9 | Feedback from HSE and Legal | Oct. 15, 2013 | Reto Gutmann |
| 2.0 | Release for submission to the school administration | Dec. 15, 2013 | Reto Gutmann |

Table 1: Version control
Releases

| Version | Comment | Date | Released by |
|---|---|---|---|
| 1.0 | Release | Nov. 7, 2012 | Reto Gutmann |
| 2.0 | Release | Dec. 15, 2013 | Reto Gutmann |

Table 2: Releases

Referenced documents

| | Title | Version | Author | Date |
|---|---|---|---|---|
| [1] | ISO/IEC 27001 Information Security Management System | | SNV (Swiss Association for Standardization) | |
| [2] | Information Protection Regulation (ISchV) RS 510.411 | | Swiss Confederation | June 30, 2010 |
| [3] | ISO/IEC 20000 IT Service Management System | | SNV (Swiss Association for Standardization) | |
| [4] | User Regulations, Telematics, of ETH Zurich (BOT) RSETHZ 203.21 | Partially revised draft in consultation process | ETH Zürich | Jan. 15, 2013 |
IT Services, information security policy, version 2.0
page iv / iv
Table of Contents

Additional information (p. ii)
  Version control (p. ii)
  Releases (p. iii)
  Referenced documents (p. iii)
Table of Contents (p. iv)
List of figures and tables (p. iv)
  Figures (p. iv)
  Tables (p. iv)
1. Introduction (p. 1)
  1.1. Information security (IS) (p. 1)
  1.2. Motivation and objectives (p. 1)
  1.3. Basic principle for the implementation within ETH Zurich (p. 2)
  1.4. Risk assessment (p. 2)
  1.5. Business risk management (p. 2)
2. The Information Security Management System (ISMS) (p. 3)
  2.1. The Standard (p. 3)
  2.2. Recommendations of the Standard (p. 3)
  2.3. A systematic and workable process (p. 3)
  2.4. Control of the ISMS (p. 3)
3. Implementation of the information security policy at ETH Zurich (p. 6)
  3.1. Roles (p. 6)
  3.2. Tasks and organization (p. 7)
Abbreviations and terms (p. 9)

List of figures and tables

Figures
  Figure 1: PDCA cycle in information security (p. 4)
  Figure 2: Overview of roles (p. 7)

Tables
  Table 1: Version control (p. ii)
  Table 2: Releases (p. iii)
1. Introduction
1.1. Information security (IS)
Information security concerns the
- availability
- confidentiality
- integrity
- traceability 1
of information. Information security is the totality of all requirements and measures by means of which the confidentiality, integrity, availability and traceability of information, as well as the availability and integrity of the IT means and resources of ETH Zurich, are protected.
Information security is based on the specifications of the owner or creator of the data (cf. Item 1.5). Regardless of the means and processes used, any processing of information at ETH Zurich is subject to the statutory rules and regulations (e.g. Federal Information Protection Regulation, Data Protection Act) as well as the internal regulations of ETH. The security process in place has two main parts:
- Governance process2
- IT Security Management (ITIL process)3
The two processes differ in their areas of application. While the ITIL process addresses specifically and exclusively the risks associated with the IT services, the governance process deals with all IT risks to the "business processes" of ETH.
1.2. Motivation and objectives
Information security is a topic whose relevance often becomes evident only when something unexpected occurs. The objective of this document is to establish a continuous improvement process within ETH Zurich that is based on a systematic approach and aims at strengthening the following themes:
- Raising the awareness of and sensitivity to information security in general
- Introducing a systematic assessment of the information security risks involved in the relevant business processes of the individual units (departments or key bodies)
- Conscious decisions with respect to information security risks, derived from that assessment, so that there are fewer surprises
1 Traceability: Refers in this context to the capability of tracing accesses to and changes of information in terms of
“who changed or read what.”
2 Standard ISO/IEC 27001 [1]
3 Standard ISO/IEC 20000 [3], Service Design, Information Security Management
- Clearly defined decentralized responsibilities
- Joint development of best practices or guidelines
The objective of the policy is not to increase information security in general for its own sake. Every change is preceded by a mandatory risk assessment, and measures are justified by its result. Statutory requirements that must be implemented regardless constitute the sole exception.
The purpose of the policy is thus to bring direct added value for ETH Zurich, taking into account the recommendations from the ETH Council audit of September 29, 2011, as well as any possible future federal requirements with respect to information protection.
1.3. Basic principle for the implementation within ETH Zurich
In order to achieve these objectives within ETH Zurich, the existing structures will be used.
1.4. Risk assessment
The risks to a business process1, or to the reputation of ETH, are determined by means of a business impact analysis (BIA).
Once the risks are known, they can be assessed and evaluated: for each risk it is determined to what extent it can be reduced and by which measure. The costs and benefits of each measure are then weighed against each other. This continuous process aims at reaching a state in which only accepted residual risks remain, whose impact on the organization is tolerable. Audits demand verification that this approach is followed, so both the assessment and the acceptance decision must be documented.
1.5. Business risk management
Most business processes at ETH have an IT component. A failure of this component directly causes the failure of one or more business processes. Interruptions of availability are therefore, by definition, a focus of information security.
Since only the owner of a business process is capable of assessing the impact of a failure on that process, the owner must conduct the so-called business impact analysis (BIA) personally. With it, the owner determines the maximum length of time for which the business process can afford to be interrupted. The owner informs the providers of the components in the process of this time period and, in particular, stipulates it in the Service Level Agreement (SLA) with the IT provider, usually IT Services. Note that an availability percentage alone does not bound the length of a single outage; the SLA should state the maximum tolerable interruption explicitly. The IT Services of ETH support the business process owners in this task.
The IT provider derives the requirements for its IT systems from this time period, defines measures for ensuring availability and arranges its contracts with its own suppliers accordingly. The IT provider uses the specifications of its customers for the determination and evaluation of its own risks.
1 Business process: refers here to those activities that belong to the successful completion of the core tasks of a unit.
2. The Information Security Management System (ISMS)
2.1. The Standard
In order to create comparable conditions, an internationally applicable Standard has been established, according to which many companies and administrations work and against which certification bodies audit. The currently applicable Standard is the ISO/IEC 27000 series [1], which consists of several documents on various sub-topics of information security. The most important part, the ISO/IEC 27001 Standard, specifies the information security management system. This system gives ETH traceable control of its information security.
2.2. Recommendations of the Standard
The Standard gives suggestions and guidelines as to which controls and processes are applicable and how they should be implemented. It is up to ETH to decide which controls to select and how exactly to implement the requisite processes. However, the decisions must be documented, and the controls must be selected such that malfunctions in the processes can be detected and corrected.
2.3. A systematic and workable process
In order to attain the objectives described in this document, ETH must implement an ISMS process. It is crucial that all members concerned with information security get actively involved in this process. This includes top management – the school administration. The school administration is responsible for information security and communicates its commitment to and support of it.
2.4. Control of the ISMS
The international standard uses the "Plan-Do-Check-Act" (PDCA) model1, also referred to as the Deming cycle, to structure the processes of the ISMS.
Plan: Determination of which objectives are to be attained and derivation of measures
Do: Implementation of the defined measures
Check: Verification based on indicators as to whether the objectives have been attained
Act (conclusion and improvement): Evaluation of the findings and derivation of corrections
1 Deming cycle (William Edwards Deming, 1900-1993)
Figure 1: PDCA cycle in information security (diagram; its labels are listed below)
Control: process framework; roles; responsibilities
PLAN: external guidelines and laws; in-house guidelines; contracts with third parties; contracts with employees
DO: ensure awareness; classification of information; granting of authorizations; procedures for handling incidents; identifying and recording risks
CHECK: internal audits; external audits; self-assessments; measurements; analysis of incidents; risks
ACT: prepare qualitative statements; management reviews; determine measures for improvement; determine risk reduction measures
3. Implementation of the information security policy at ETH Zurich
3.1. Roles
Roles already existing at ETH are supplemented with information security tasks so as to achieve the objectives set out in this document. The new role of ISO (Information Security Officer) is a supplementary role for the existing function of the ISL (Head of IT Support). The arrows in the chart represent information flows, not an organizational hierarchy.
School administration: The school administration is responsible for information security. It issues guidelines that apply throughout ETH. The implementation of the guidelines in the departments and key bodies is done through the department heads and the infrastructure areas.
Risk Management Commission
As a permanent commission of the school administration, the Risk Management Commission advises the President and the school administration in all questions of risk management (Organization Regulation ETHZ, Item 28 [1], Letter e).
It supports the units with the coordination and organization of information security as part of a comprehensive risk management.
Department head: The head of the department is responsible for information security within his/her unit. If necessary, he/she determines individual guidelines for his/her unit.
IT security officer (HSE): The HSE Manager currently fulfils the role of IT security officer.
The IT security officer is responsible for the legally permissible and proper use of the IT systems of ETH by users at the university and by authorized third parties (e.g. spin-off companies). She is the contact person in the event of misuse. She coordinates the checks and measures for the prevention of misuse.
Chief Information Security Officer (CISO): IT Services is responsible for and has assumed the role of CISO at ETH.
The CISO coordinates the meetings with the ISOs. In consultation with the ISOs and the school administration, the CISO determines the information security strategy of ETH.
The CISO supports the ISOs in conducting the business impact analysis.
In conjunction with the ISOs, the CISO prepares the annual information security targets with respect to the PDCA cycle.
Information Security Officer (ISO): The role of Information Security Officer (ISO) is new. This role is assumed by the ISL.
The ISO coordinates the individual information security needs of his unit. He is the contact person for the CISO. He advises the interest groups in his unit in the identification and assessment of security risks.
He supports his unit in conducting the BIA.
Together with the other ISOs and the CISO, he prepares the annual information security targets with respect to the PDCA cycle.
He communicates with the users of his area in the event of IS system failures.
End user/operator: Is informed about best practices and guidelines. Contacts the ISO/CISO proactively if risks and problems have been identified.
The following figure shows the functional interaction of the roles.
Figure 2: Overview of roles (diagram; its boxes are listed below)
School administration; Risk Management Commission
Departments: ISL in the role of ISO; ISO Committee, departments
ID (IT Services) in the role of CISO
HSE as IT security officer
Infrastructure areas: ISO of the infrastructure areas; ISO Committee, key bodies
3.2. Tasks and organization
The ISOs are organized in two committees chaired by the CISO: The “ISO Committee, departments” and the “ISO Committee, key bodies.” Since the needs of the departments and of units of the key bodies can diverge, the two bodies usually convene in separate coordination meetings.
The ISO bodies have no authority to give directives. Their purpose is the improvement of the information security of ETH.
Decisions on the implementation are approached in the regular process at ETH, i.e. via the school administration.
The ISO bodies usually meet quarterly; an additional separate meeting between ISO and CISO serves the purpose of reviewing the BIA at yearly intervals. The CISO is responsible for the invitations. Every ISO can request an additional special meeting, if necessary.
The content of the respective meeting normally encompasses:
| Time of the meeting | Contents |
|---|---|
| Q1 (optional) | Determination of how to implement the set targets (DO) |
| Q2 (optional) | Intermediate results, new findings (DO) |
| Q3 | Verification of what has been achieved. Evaluation of the latest needs and registration of new needs (CHECK) |
| Q4 | Establishment of new IS measures for the coming year, based on a risk assessment or a specific order by the school administration (ACT/PLAN) |
Once a routine has been developed, the number of meetings can be reduced from 4 to 2. The dates for the meetings can be set flexibly over the calendar year and adapted to requirements.
Abbreviations and terms

| Term | Meaning |
|---|---|
| BIA | Business impact analysis |
| BOT | User Regulations, Telematics |
| CISO | Chief Information Security Officer |
| IS | Information security |
| ISL | Head of IT Support |
| ISO | Information Security Officer; is responsible for the information security (IS) of a sub-division; the ISO reports to the top management of his/her organizational unit (not to be confused with the ISO/IEC standards cited in this document) |
| ITIL | IT Infrastructure Library |
| SLA | Service Level Agreement; service agreement between a service provider and a service recipient |