Information Security Policy

Information Security Policy of the High Performance Computing Center of the University of Tartu

1. Scope

This document establishes the information security policy of the High Performance Computing Center of the University of Tartu in a manner that ensures the confidentiality, integrity and availability of information assets under its responsibility and in accordance with the requirements of the ISO 27001 standard.

This information security policy applies to all employees of the High Performance Computing Center of the University of Tartu and third parties who provide contractual services to or use the services of the High Performance Computing Center of the University of Tartu.

2. Document information

  • 2.1. Document classification: TLP:CLEAR. The document can be shared with anyone without any restrictions.

  • 2.2. Procedures for updating: The document’s up-to-dateness is assessed at least once a year by the Head of the High Performance Computing Center of the University of Tartu, who makes proposals to the Head of the Institute of Computer Science of the University of Tartu for the introduction of necessary changes.

3. Glossary

  • 3.1. Data is the reinterpretable representation of information in a formalized form suitable for transmission, interpretation or processing.

  • 3.2. Information security is the preservation of the confidentiality, integrity and availability of data.

  • 3.3. Confidentiality means that data is not visible or accessible to unauthorized persons, entities or processes.

  • 3.4. Integrity means that the reliability and authenticity of data are guaranteed and that unauthorized changes cannot be made.

  • 3.5. Availability means that data is accessible and usable by authorized parties.

  • 3.6. The information security management system determines the procedures for information security, risk assessment and management in the High Performance Computing Center of the University of Tartu in order to ensure the confidentiality, integrity and availability of information.

  • 3.7. Information assets are information, data, information technology applications and hardware necessary for their processing.

  • 3.8. A user is a person, company, organization or department using the resources of the High Performance Computing Center of the University of Tartu.

  • 3.9. Infrastructure as a Service is a type of cloud service in which the user does not manage or control the underlying physical or virtual resources of the service, but controls the operating systems, storage, and applications that use these resources.

4. Introduction

The ever-increasing amount of data and diversity of requirements place different demands on information security, management and data protection. Users of the services of the High Performance Computing Center of the University of Tartu depend on the centre’s ability and skills to provide secure data processing services that meet the requirements set out in legislation and best practices.

The information security management system of the High Performance Computing Center of the University of Tartu is designed to prevent and minimize security incidents and prevent the unauthorized disclosure of data that could cause commercial, personal or reputational damage.

5. Information Security Principles

  • 5.1. The main principle of information security is to ensure the confidentiality, integrity and availability of information assets managed by the High Performance Computing Center of the University of Tartu.

  • 5.2. The Head of the High Performance Computing Center of the University of Tartu is responsible for information security at the High Performance Computing Center of the University of Tartu. The Head of the High Performance Computing Center of the University of Tartu may establish additional information security regulations at the High Performance Computing Center of the University of Tartu for the purpose of better organizing information security. Additional information security regulations must be guided by this information security policy document.

  • 5.3. The High Performance Computing Center of the University of Tartu will implement sufficient and appropriate measures to protect information assets.

  • 5.4. The High Performance Computing Center of the University of Tartu will fulfill all information security obligations arising from legislation, regulations and contracts.

  • 5.5. Information assets must be used for purposes related to the activities of the High Performance Computing Center of the University of Tartu.

  • 5.6. A responsible chief administrator has been assigned to all critical and sensitive information assets of the High Performance Computing Center of the University of Tartu.

  • 5.7. Access to information assets is guaranteed in case of a proven need. Information assets must be accessible only to those who have the right to use them.

  • 5.8. Compliance with the information security policy and information security requirements is mandatory for all employees of the High Performance Computing Center of the University of Tartu and third parties who have direct contact with any information assets.

  • 5.9. The Information Security Policy of the High Performance Computing Center of the University of Tartu is a public document and is available to university members and third parties.

  • 5.10. An obligation of confidentiality applies to confidential information and is applied to users of the information assets of the High Performance Computing Center of the University of Tartu pursuant to legislation and contracts.

6. Information Security Objectives

  • 6.1. Ensure the confidentiality and integrity of information assets managed by the High Performance Computing Center of the University of Tartu.

  • 6.2. Ensure the availability of information assets managed by the High Performance Computing Center of the University of Tartu in accordance with the agreed upon service level agreements.

  • 6.3. Ensure that information security considerations are an integral part of the activities of the High Performance Computing Center of the University of Tartu.

  • 6.4. Ensure that risks related to information assets are analyzed, handled and monitored in accordance with the risk management procedures of the High Performance Computing Center of the University of Tartu.

  • 6.5. Ensure that users of information assets, chief administrators and other persons who come into contact with the information assets of the High Performance Computing Center of the University of Tartu are aware of the obligations and rules related to information security.

  • 6.6. Ensure compliance with the relevant legal regulations, rules and other obligations taken on by the High Performance Computing Center of the University of Tartu.

  • 6.7. Ensure the continuous and sustainable development of the information security management system and organizational members of the High Performance Computing Center of the University of Tartu and, through this, the development of the general information security level of the High Performance Computing Center of the University of Tartu.

  • 6.8. Review this information security policy and related procedures and regulations annually and make any necessary changes.

7. Roles and Responsibilities

Ensuring information security and implementing the information security management system is a collective activity, and all employees of the High Performance Computing Center of the University of Tartu have a general responsibility to follow the information security policy in their activities. In addition, depending on their role in the High Performance Computing Center of the University of Tartu, a person may also have specific information security responsibilities.

  • 7.1. The Head of the Institute of Computer Science of the University of Tartu
    • 7.1.1. approves the Information Security Policy of the High Performance Computing Center of the University of Tartu.
  • 7.2. The Head of the High Performance Computing Center of the University of Tartu
    • 7.2.1. supports the implementation, development and improvement of the information security management system;
    • 7.2.2. ensures the necessary resources for the information security management system;
    • 7.2.3. ensures that the information security management system complies with relevant requirements;
    • 7.2.4. requires the employees of the High Performance Computing Center of the University of Tartu to comply with the requirements of the information security management system;
    • 7.2.5. supports the employees of the High Performance Computing Center of the University of Tartu in fulfilling their obligations arising from the information security management system;
    • 7.2.6. ensures that information security is part of the future strategy of the High Performance Computing Center of the University of Tartu;
    • 7.2.7. approves the necessary regulations, rules, instructions and principles.
  • 7.3. The Information Security Specialist of the High Performance Computing Center of the University of Tartu
    • 7.3.1. is responsible for the development of information security at the High Performance Computing Center of the University of Tartu;
    • 7.3.2. coordinates the development of the information security management system;
    • 7.3.3. documents and makes proposals for improving the regulations, rules, instructions and principles related to information security;
    • 7.3.4. coordinates the analysis and management of information security risks at the High Performance Computing Center of the University of Tartu;
    • 7.3.5. coordinates the information security training of the employees of the High Performance Computing Center of the University of Tartu;
    • 7.3.6. helps the employees of the High Performance Computing Center of the University of Tartu to implement security measures and raise awareness of information security;
    • 7.3.7. provides the Head of the High Performance Computing Center of the University of Tartu with an overview of the current information security situation at least once a year;
    • 7.3.8. organizes the personal data protection at the High Performance Computing Center of the University of Tartu in accordance with relevant requirements and legislation;
    • 7.3.9. constantly monitors that the activities of the High Performance Computing Center of the University of Tartu comply with all applicable regulations and laws;
    • 7.3.10. if necessary, communicates with Estonian authorities on information security topics;
    • 7.3.11. if necessary, communicates with other structural units of the University of Tartu on information security topics.
  • 7.4. An employee of the High Performance Computing Center of the University of Tartu
    • 7.4.1. is aware of the Information Security Policy and the information security procedures and regulations applicable to him/her;
    • 7.4.2. complies with legal, regulatory and contractual obligations;
    • 7.4.3. informs the information security specialist of the High Performance Computing Center of the University of Tartu of violations of information security requirements and suspected information security weaknesses;
    • 7.4.4. is aware of the possible consequences of non-compliance with the requirements.

8. Review of the Information Security Management System

The Head of the High Performance Computing Center of the University of Tartu reviews the information security management system at planned intervals, checking its up-to-dateness and functionality.

During the review, the Head of Centre checks and assesses the following aspects:

  • 8.1. Status of activities resulting from previous reviews.
  • 8.2. Changes in external and internal factors affecting the information security management system.
  • 8.3. Changes in the needs and expectations of stakeholders regarding the information security management system.
  • 8.4. Feedback on the functioning of the information security management system, including non-conformities and corrective actions, monitoring and measurement results, audit results, fulfillment of information security objectives.
  • 8.5. Results of the risk assessment process and status of the risk management plan.
  • 8.6. Opportunities for improving the information security management system.

The review for the Head of the High Performance Computing Center of the University of Tartu is prepared by the information security specialist of the High Performance Computing Center of the University of Tartu. The results of the review must include decisions on the possibilities for continuous improvement of the information security management system and on necessary changes. Documents related to the review, including the results of the review, are documented and retained.

9. Concessions and Exceptions

All exceptions to this Information Security Policy and to the regulations, rules, instructions and principles established on its basis are reviewed and approved by the information security specialist of the High Performance Computing Center of the University of Tartu.

The information security specialist of the High Performance Computing Center of the University of Tartu must document and justify each exception to the management. In addition, the information security specialist of the High Performance Computing Center of the University of Tartu is obliged to monitor and periodically review whether the exception has been justified and is still necessary.

10. Implementation

The Information Security Policy of the High Performance Computing Center of the University of Tartu is publicly available on the website of the High Performance Computing Center of the University of Tartu.

The following regulations, rules, instructions and principles have been developed on the basis of the Information Security Policy of the High Performance Computing Center of the University of Tartu. They are confirmed by the Head of the High Performance Computing Center of the University of Tartu and are available as separate documents:

  • 10.1. Scope of the Information Security Management System;
  • 10.2. Backup Regulations;
  • 10.3. Audit Trail and Incident Management Regulations;
  • 10.4. Information and Information Asset Classification Regulations;
  • 10.5. Risk Management Regulations;
  • 10.6. Principles of Managing and Using Employee Devices;
  • 10.7. Cryptography Management;
  • 10.8. Work Regulations;
  • 10.9. Access Management;
  • 10.10. Physical Security Regulations;
  • 10.11. Change Management Regulations;
  • 10.12. Continuity and Disaster Recovery Procedures;
  • 10.13. Third-Parties Management Regulations;
  • 10.14. Internal Audit Regulations.

This Information Security Policy, along with the regulations, rules, instructions, and principles derived from it, has been developed in both Estonian and English. In case of any discrepancies between these versions, the Estonian version shall be considered correct.

In addition to this Information Security Policy, and the regulations, rules, instructions and principles developed on its basis, the High Performance Computing Center of the University of Tartu is also obliged to comply with the relevant legal acts established by the University of Tartu.

This Information Security Policy and the regulations, rules, instructions and principles established on its basis are available at the following locations:

  • 10.15. In the office of the information security specialist of the High Performance Computing Center of the University of Tartu (paper copy);
  • 10.16. In the private documentation environment of the High Performance Computing Center of the University of Tartu;
  • 10.17. In the document management system of the University of Tartu (https://dok.ut.ee/wd/);
  • 10.18. On the website of the High Performance Computing Center of the University of Tartu (Information Security Policy of the High Performance Computing Center of the University of Tartu).
16 January 2025