Technical and Organizational measures

1. Introduction and scope

• 1.1. University of Tartu High Performance Computing Center (hereinafter UTHPC) technical and organizational measures are based on the requirements and rules established by the University of Tartu and from the obligations arising from the contracts.

• 1.2. The basis for ensuring information security at UTHPC is the continuous assessment and implementation of information security measures and the training of UTHPC employees.

• 1.3. All UTHPC employees are familiar and follow UTHPC technical and organizational measures.

• 1.4. Technical and organizational measures apply to all data and information assets belonging to UTHPC that UTHPC uses to achieve its objectives or that are connected to networks managed by UTHPC.

2. General principles

• 2.1. UTHPC, as the owner of the information assets, selects adequate and appropriate measures to protect them.

• 2.2. Data and information assets are protected in accordance with the policies and laws of the UTHPC and the University of Tartu, in particular those relating to data protection, human rights and freedom of information.

• 2.3. Each information asset has a designated UTHPC employee who is responsible for implementing appropriate security measures to protect the information asset.

• 2.4. Non-public information will be made available only to those who have a legitimate right to have access to that information.

• 2.5. Everyone who has been granted access to information assets and data is responsible for their proper handling in accordance with the confidentiality.

• 2.6. Data and information assets are protected from unauthorized access.

• 2.7. Information assets are only available to those who have the right to use them.

• 2.8. UTHPC provides necessary security training for its employees.

3. Obligation of confidentiality

• 3.1. The confidentiality requirement applies to confidential information and applies to UTHPC employees as a result of legislation and agreements.

• 3.2. Information that is accessed by contract or law or that has been declared non-public on any other basis is considered confidential.

• 3.3. All UTHPC employees who come into contact with confidential data shall as a minimum:

  • 3.3.1. not disclose confidential information which has become known to him or her, unless it is required by law or necessary for the performance of his or her duties;

  • 3.3.2. comply with applicable data protection legislation and procedures;

  • 3.3.3. comply with the requirements of the obligation of confidentiality both during and after employment relationships.

• 3.4. If the contractual obligation is performed by a third party:

  • 3.4.1 there will be a contract between the University of Tartu and a third party, which parties sign before the contractor is granted access to the information assets;

  • 3.4.2 the contract will contain provisions on the requirements of confidentiality.

• 3.5 Confidential data is processed on the UTHPC servers, data transportation on data carriers is not allowed.  

  4. Access Control

• 4.1. Access rights are determined on the basis of the minimum principle, which means that access is granted only to information assets to which access is necessary for the performance of work or use of the Services.

• 4.2. Granting, modifying and removing UTHPC employees’ access rights is governed by the UTHPC Access Rights Rules.

• 4.3. The access rights of UTHPC employees are audited regularly, at least once a year, and the result of the audit is recorded.

• 4.4. When UTHPC employee work responsibilities change, the access rights of the respective employee are reviewed and the rights that are not necessary for the performance of the new job responsibilities are removed.

• 4.5. Upon termination of employment of a UTHPC employee, all rights of the respective employee will be removed and the account will be closed immediately.

• 4.6. Administrative access to UTHPC resources is restricted to UTHPC employees.

• 4.7. Separated network and firewall rules and strong access credentials are used to protect unauthorized access.

• 4.8. All UTHPC resource users have user roles, which restrict their access only to data related to their projects.

• 4.9. UTHPC resource user representatives have access, read and necessary modification permissions to their resources to make necessary changes to resources.

• 4.10. UTHPC resource user representatives access is limited via firewall.

• 4.11. Support teams, both UTHPC internal and external, have read access to the resources they provide support.

5 System operations

• 5.1. UTHPC responsibility is to ensure that the service platform and components are updated.

• 5.2. Operating systems and applications are actively maintained. Unnecessary services are disabled or put behind the firewall.

• 5.3. UTHPC uses audit software to electronically monitor its networks, servers, routers, firewalls, and / or other UTHPC systems.

• 5.4. When making changes to hardware or software, the requirements established by the University of Tartu and the rules established by UTHPC are followed.

6. Physical security

• 6.1. All UTHPC network devices and servers are in a closed Data center hosted by the University of Tartu.

• 6.2. Only authorized necessary UTHPC personnel have physical access to the Data center with special permit.

• 6.3. Data center is located behind two fireproof doors that can only be opened with a personal smart card.

• 6.4. Data center is under electronic surveillance, and when entering the Data center, the security must be deactivated using a personal code.

• 6.5. Data center electronic surveillance can be deactivated only if someone is physically present in the server room.

• 6.6. All Data center entries and electronic security deactivations/activations are logged.

• 6.7. To ensure fire safety, fire safety rules of the University of Tartu are followed.

7. Availability and integrity

• 7.1. Maintenance of security measures, periodic reviews of regulations, daily monitoring of the working environment, periodic compliance checks of information security, response to changes and handling of information security incidents are necessary to ensure the continued appropriateness of security measures.

• 7.2. Continuity and disaster recovery processes are documented and reviewed yearly.

8. Security incidents

• 8.1. Security incidents are managed in accordance with the University of Tartu’s information security policy and the UTHPC security incident procedures.

• 8.2. Security incidents are handled in a way that minimizes the damage that may occur during the incidents.

• 8.3. The information collected in the course of resolving an incident is documented and analyzed in order to prevent similar incidents from occurring in the future and to decide on the need for additional security measures.

• 8.4. If signs of a criminal offense, misdemeanor, disciplinary offense or breach of an employment contract are discovered in the course of resolving a security incident, the case will be forwarded to an institution or person entitled to conduct the respective proceedings.

• 8.5. Security incident handling process and the selection of security measures are reviewed annually.

9. Emergency

• 9.1. An emergency is an incident that is caused by an unexpected turn of events beyond the control of UTHPC - in particular, fire, flood, bomb threat, long-term disruption of core services, or any other major damage that UTHPC alone cannot be expected to repair.

• 9.2. In the event of an emergency, the University of Tartu’s fire safety rules, evacuation plans, emergency plans and other rules governing emergencies will apply.

• 9.3. Recovery from major physical damage (fire, flood, burglary, etc.) is based on the relevant University of Tartu guidelines.

• 9.4. If necessary and possible, UTHPC will provide assistance in resolving the emergency.

• 9.5. After an emergency, the UTHPC manager organizes the restoration of UTHPC working conditions in cooperation with the head of the Institute of Computer Science, ITO and other University of Tartu units.

• 9.6. When recovering from an emergency, services will be restored in order of priority, if possible.

• 9.7. UTHPC users are temporarily directed to use the resources of UTHPC partners, if possible and necessary.

• 9.8. If it is not possible to use the UTHPC office premises for work, the work will be continued remotely.

10. Back-up

• 10.1. The purpose of back-up is to ensure that data is preserved in the event of data loss due to failure or human error.

• 10.2. UTHPC manager is responsible for organizing and operating the back-ups for UTHPC resources.

• 10.3. The back-up type is incremental, that means only changed information is backed up.

• 10.4. A tape robot is used for back-up, which is physically located in another location.

• 10.5. The back-up system is located in another Data center, the back-up tapes are not physically removed from the tape robot, except in special case (eg. data transport, etc,).

• 10.6. The tape robot database is responsible for marking the back-up data (back-up time, files to be backed up, etc.).

• 10.7. If the data volume of the back-up system increases to 80% of the maximum volume, an expansion or replacement of the back-up system will be arranged.

• 10.8. Systems are in an automatic back-up process.

• 10.9. System logs are backed up along with the back-up of the log servers.

• 10.10. Back-ups are kept in accordance with the time limits laid down in the contracts.

• 10.11. Discarded back-up data will be deleted and the media will be reused.

• 10.12. Discarded tapes are physically destroyed by a special service provider.

• 10.13. Until destruction, the tapes are kept in the tape robot’s room.

• 10.14. The data on the tapes will be erased before destruction.

• 10.15. The operation of the back-up system is constantly checked.

• 10.16. Back-up system is monitored by the internal monitoring and by a monitoring system independent of the back-up server.

11. Personnel

• 11.1. UTHPC will ensure a sufficient number of employees to ensure that services are running and available in the event of planned and unplanned absences.