1. Introduction
1.1. The technical and organizational measures of the University of Tartu High Performance Computing Center (hereinafter UTHPC) are based on the requirements and regulations established by the University of Tartu and UTHPC, as well as obligations arising from contractual agreements.
1.2. The basis for UTHPC’s information security is an information security management system compliant with ISO/IEC 27001 standards.
1.3. The objective of UTHPC’s information security management system is to prevent and mitigate security incidents, ensure the availability and integrity of data and services, and prevent unauthorized disclosure of data that could result in business, personal, or reputational damage.
1.4. All UTHPC employees are aware of UTHPC’s technical and organizational measures and adhere to them in the performance of their duties.
1.5. UTHPC’s information security assurance is based on continuous assessment and implementation of security measures, as well as ongoing employee training.
1.6. The technical and organizational measures apply to all data and information assets under UTHPC’s administration that are used to achieve UTHPC’s objectives.
2. General Principles
2.1. The fundamental principle of information security is to ensure the confidentiality, integrity, and availability of information assets managed by UTHPC.
2.2. As the owner of information assets, UTHPC ensures the selection and implementation of adequate and appropriate security measures for their protection.
2.3. Data and information assets are protected in accordance with applicable UTHPC and University of Tartu policies, procedures, and legal regulations, particularly requirements governing data protection, human rights, and freedom of information.
2.4. All critical and sensitive UTHPC information assets are assigned a chief administrator who is accountable for implementing and supervising the security measures necessary to protect the information asset.
2.5. Access to non-public information and information assets is granted only to individuals who have a legal basis and a work-related need for such access.
2.6. Every individual granted access to information assets and data is responsible for their proper handling and compliance with confidentiality requirements.
3. Confidentiality Obligation
3.1. The confidentiality obligation applies to confidential information and is binding on UTHPC employees pursuant to legal regulations and contractual obligations.
3.2. Information is considered confidential if access to it is restricted by law or contract, or if it has been designated as non-public on other legitimate grounds.
3.3. UTHPC treats all data that becomes known or is processed during service provision as confidential.
3.4. All UTHPC employees who encounter confidential information in the performance of their duties are required to, at minimum:
3.4.1. refrain from disclosing any confidential information that becomes known to them, except when legally mandated or to the extent necessary for the performance of their duties;
3.4.2. comply with applicable data protection legislation, internal procedures, and established protocols;
3.4.3. adhere to confidentiality obligation requirements both during employment and after its termination.
3.5. When contractual obligations are transferred to a third party:
3.5.1. a written agreement must be concluded between the University of Tartu and the third party before the contractor is granted access to UTHPC information assets;
3.5.2. the agreement must include provisions governing confidentiality.
3.6. Confidential data may only be processed on UTHPC servers, and transmission of data on physical media is prohibited.
4. Access Management
4.1. Access rights are granted based on the principle of least privilege, whereby access is provided only to those information assets and resources that are necessary for the performance of work duties or use of services.
4.2. The granting, modification, and revocation of access rights for UTHPC employees is governed by UTHPC’s applicable access management procedure.
4.3. When a UTHPC employee’s duties or role changes, their access rights are reviewed and any rights that are not necessary for the performance of new duties are revoked.
4.4. Upon termination of a UTHPC employee’s employment, all access rights granted to them are revoked and their user account is closed immediately.
4.5. Administrative access rights to UTHPC resources are granted only to UTHPC employees authorized for this purpose.
4.6. To prevent unauthorized access, separate network and firewall rules are implemented, and strong authentication and access credentials are required.
4.7. All users of UTHPC resources are assigned user roles that restrict their access exclusively to data and resources related to their projects.
4.8. Designated representatives of UTHPC resource users have access, read, and necessary modification rights to their resources to the extent required for resource management and project-related activities.
5. System Operations
5.1. UTHPC ensures the up-to-date status and secure operation of the service platform and its components.
5.2. Operating systems and applications are maintained continuously. Unnecessary and/or insecure services are disabled or their access is restricted using firewall rules.
5.3. UTHPC uses appropriate software for electronic monitoring and auditing of its networks, servers, routers, firewalls, and other managed systems.
5.4. The planning and implementation of hardware and software changes follows the requirements established by the University of Tartu and UTHPC’s internal rules and procedures.
6. Physical Security
6.1. UTHPC has two data centers located in physically separate University of Tartu academic buildings. The data centers are geographically separated and located in different districts of the city.
6.2. All network equipment and servers are housed in secure UTHPC data centers within University of Tartu academic buildings.
6.3. Fire suppression systems used in the data centers operate automatically, utilize gas-based solutions, and are specifically designed for data center use.
6.4. The use of combustible materials (such as wood, textiles, etc.) has been minimized in the construction and furnishing of the data centers.
6.5. Flammable or fire-hazardous items and materials are not stored in the data centers.
6.6. Data center security is maintained through technical surveillance and access control systems, as well as video monitoring.
6.7. The surveillance and access control system records data on access card usage and data center security operations.
6.8. Physical access to the data centers is granted only to selected UTHPC employees with personal access authorization.
6.9. Individuals with personal access authorization enter the data centers using an employee ID card and security code.
6.10. Electronic surveillance of the data centers is deactivated only when someone is physically present in the data center, entering, or exiting. Data center surveillance is activated even during brief departures from the data center.
6.11. Individuals without personal access authorization may enter the data centers only when accompanied by a person with data center access rights.
6.12. The data centers are equipped with uninterruptible power supply (UPS) systems, and power to the data centers is also ensured by diesel generators located in the same building as the data centers, which activate automatically in the event of a power outage.
6.13. Optimal temperature and humidity levels are maintained in the data centers. Temperature and humidity sensors are installed in the data centers, which automatically send alerts to the mobile phones of predetermined UTHPC employees when temperature or humidity exceeds established thresholds.
7. Availability and Integrity
7.1. To ensure availability and integrity, security measures are monitored continuously, including assessment of their continued appropriateness, periodic review of applicable regulations, daily monitoring of information assets, conducting information security compliance audits, and responding to changes and security incidents.
7.2. Business continuity and disaster recovery processes are documented, tested, and reviewed at least annually or when significant changes occur.
7.3. UTHPC ensures high availability of critical systems and services by implementing redundancy, load balancing, and other technical solutions as necessary.
7.4. To ensure data integrity, appropriate mechanisms are employed, including access rights management, logging, and control mechanisms that enable the detection of unauthorized modifications.
7.5. Regular backups of critical data are performed in accordance with the established backup policy, and the recoverability of backups is verified periodically.
7.6. Risks of service disruptions and data loss are assessed regularly, and appropriate preventive and mitigating measures are implemented to address them.
7.7. Incidents affecting availability and integrity are recorded, analyzed, and used as a basis for implementing corrective and preventive measures.
7.8. Relevant parties are notified of significant disruptions and incidents.
8. Security Incidents
8.1. Security incidents are managed in accordance with the procedures in effect at the University of Tartu and UTHPC’s security incident handling procedures.
8.2. Security incidents are handled in a manner that ensures rapid response and minimizes potential damage resulting from the incident.
8.3. Information collected during the resolution of a security incident is documented and analyzed with the objective of preventing the recurrence of similar incidents and assessing the need for implementing additional security measures.
8.4. If, during the handling of a security incident, indications of a criminal offense, misdemeanor, disciplinary violation, or breach of employment contract emerge, the case is forwarded for further proceedings to the appropriate competent authority or authorized person.
8.5. The security incident handling process and the appropriateness of implemented security measures are reviewed at least annually or following significant changes and major incidents.
9. Logs
9.1. By default, logs are retained for two years.
9.2. By default, user, application, and system activities are logged. Certain deliberate exceptions have been established for specific cases where user, application, and system activities are not logged (e.g., logs would contain sensitive personal data, logging is not necessary, etc.).
9.3. For each project/solution, the level of logging detail and log retention period are agreed upon separately.
9.4. Users are informed about logging, which also serves as a deterrent measure.
9.5. In the event of a failure in log writing or detection of any other anomaly, UTHPC staff are automatically notified.
9.6. Logging uses a data stream transmitted to Elasticsearch that only allows the addition of new documents (logs) and does not permit modification or deletion of logs already transmitted.
10. Backup
10.1. The purpose of backup is to ensure data preservation and recoverability in the event of failure, human error, or other unexpected events.
10.2. The UTHPC manager is responsible for organizing, managing, and ensuring the operation of backups for UTHPC-managed resources.
10.3. Backups are created and retained according to the timeframes specified in contracts or terms of service.
10.4. Backups are performed using the incremental method, and it is ensured that previous backups cannot be modified.
10.5. Backups are made to tapes that are physically located in a different data center. The respective UTHPC data center is located in a different University of Tartu academic building, and the UTHPC data centers are geographically separated and located in different districts of the city.
10.6. Backup tapes in the tape library are not physically removed except in exceptional cases.
10.7. The tape library database is responsible for labeling backup data (backup time, backed-up files, etc.).
10.8. When the backup system data volume reaches 80% of maximum capacity, expansion or replacement of the backup system is arranged.
10.9. The operational status of the backup system is monitored continuously.
10.10. The backup system is monitored both through the backup system’s internal monitoring and through a monitoring system independent of the backup server.
10.11. Backup system failures are responded to immediately.
10.12. Obsolete backed-up data is deleted and storage media is reused.
10.13. Decommissioned tapes are physically destroyed using a specialized service provider, and until destruction, tapes are stored in the tape library room.
10.14. Invalidated backups have a lifecycle of 90 (ninety) calendar days, after which the backups are deleted.
10.15. In the event of large-scale data restoration, backup creation may be temporarily suspended for the corresponding period (with prior approval from the UTHPC manager).
10.16. If special agreements regarding backups have been concluded and documented in a contract, contract appendix, or memorandum, the creation of corresponding backups may be temporarily suspended only with the written consent of the other party.
10.17. Data restoration from backups is performed as needed.
10.18. At least once a year, data restoration from backups is tested. If there is no operational need for data restoration, a separate restoration training exercise is organized.
11. Employees
11.1. UTHPC ensures a sufficient number of employees to maintain service operation and availability during both planned and unplanned absences.
11.2. UTHPC employees receive continuous training on information security topics.