ADOPTION AND IMPLEMENTATION
Text approved by the Security Committee on 12 April 2018.
This Information Security Policy will come into effect once it is approved and will remain in force until it is replaced by a new policy.
Any provisions of equal or lower rank that contradict or conflict with the provisions of this Information Security Policy are repealed.
This Information Security Policy is issued in accordance with the provisions of the following laws and royal decrees:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD).
- Royal Decree 1720/2007 of 21 December, approving the implementing Regulation for Organic Law 15/1999 of 13 December, on the Protection of Personal Data.
- Law 34/2002 of 11 July 2002 on Information Society Services and Electronic Commerce (LSSICE).
- Royal Legislative Decree 1/1996 of 12 April, approving the revised Law on Intellectual Property, regularising, clarifying and harmonising the applicable statutory provisions.
- All the rules, of a general or internal nature, that are applicable to the University within the framework of this Information Security Policy.
- Workers’ Statute.
AIM OF THE INFORMATION SECURITY POLICY
The aim of this policy is to establish the Information Security Policy of the University of Deusto (hereinafter Deusto), which ensures adequate protection of information and the continued provision of services, in such a way that Deusto is prepared to prevent, detect, react and recover from security incidents.
To do this, it must have the necessary security measures to maintain an acceptable level of risk, as well as continuously monitor the levels of service provision, analyse reported vulnerabilities, and prepare an effective response to incidents.
Deusto's information services must perform their functions and safeguard the information in accordance with their functional specifications, without interruptions or uncontrolled modifications, and without the information reaching unauthorized persons.
Accordingly, the capacity of Deusto’s networks and information systems must be sufficient to withstand, with the level of trust required, accidents or illicit or malicious actions that may endanger access, availability, authenticity, confidentiality, traceability and retention of stored or transmitted data, as well as of the electronic services.
Deusto must ensure that ICT security is an integral part of each stage of the lifetime of information systems, from the design stage through to their withdrawal, including development or purchase decisions and operational activities. The security requirements and financing needs arising at each stage must be identified and included in the planning and in the competitive tender process for ICT projects.
To comply with the provisions of this Information Security Policy and thus meet the security level required by the University, the Information Security Committee will prepare an annual report specifying the security measures that, according to the risk management principle, have been approved by the Committee and must be implemented during the following fiscal year, as well as those measures that should be included to promote the security strategy drawn up by the Committee.
SCOPE OF APPLICATION
Pursuant to this Information Security Policy and its implementing regulations, a number of security measures will be defined and applied, as determined in such regulations, to all the ICT services, systems and resources available at Deusto that support its processes and that affect the information assets it holds.
Deusto’s ICT resources include central and departmental systems, workstations, desktop computers, printers and other peripherals and output devices, location systems, internal and external networks, multi-user systems and communications services (telematic transmission of voice, image, data or documents) and storage systems owned by Deusto.
This policy also applies to all persons, institutions, entities or units and services, whether internal or external, that use Deusto's ICT resources, either through direct or indirect connection, remote connection or through third-party devices, expressly including the services provided through the Internet. These will be hereinafter referred to as “users”.
KEY PRINCIPLES OF SECURITY
Deusto's Information Security Policy, and the regulations implementing it, is based on the basic protection principles whose purpose is to ensure that an organisation can meet its objectives using information systems.
These basic principles, which should be taken into account whenever decisions are taken regarding information security, are the following:
a) Integral security.
Security must be understood as an integral process that involves each and every one of the human, technical, material and organisational elements related to the system.
b) Risk management.
Risk analysis and management is an essential part of the security process. Risk levels must be kept within acceptable minimum levels by deploying appropriate and permanently updated security measures, so that balance and proportionality are maintained between the nature of the data and the processing performed, the risks to which they are exposed and the security measures applied.
c) Prevention and recovery of systems and data against disasters.
The security of the system must consider aspects such as prevention, detection and recovery, to ensure that threats to it do not materialise or do not seriously affect the data handled by the information systems or the services they provide.
The system will guarantee the conservation of data and information in electronic format and will keep the services available throughout the life cycle of digital information.
d) Lines of defence.
The system must have a protection strategy consisting of multiple layers of security, arranged in such a way that, if one of them fails due to an incident that could not be avoided, time will be gained to take appropriate action, thus reducing the possibility that the overall system is jeopardised, and the final impact on it can be minimised.
The lines of defence must comprise measures of an organizational, physical and logical nature.
e) Regular reassessment.
The security measures adopted by Deusto will be regularly reassessed and updated to adapt their effectiveness to the constant evolution of risks and protection systems.
ORGANISATION OF SECURITY
To ensure that all stages of the information protection life cycle are carried out properly and that the responsibilities for their implementation are appropriately assigned, Deusto has established a structure that ensures the consistent application of this policy and adapts effectively to frequent technological and organisational changes.
In this regard, the following Committees and general roles are defined relating to their participation in the management and supervision of information security:
- Information Security Committee.
- Vice-Rector's office for Academic Organisation, Educational Innovation and Quality, responsible for the ICT and Quality area.
- Computer Service.
- Data Protection Officer (DPO)/Responsible for Information Security.
Deusto performs processing operations that use personal data.
Deusto's Record of Processing Activities contains records of personal data and processing activities and the parties concerned.
All of Deusto's information systems will be adapted to the security levels required by the regulations for the nature and purpose of the personal data collected in the aforementioned security document.
ACCESS TO INFORMATION
Those who process Deusto information that is not publicly accessible must be properly identified and hold only the access privileges to information that are strictly necessary to perform their activity.
For this reason, access to information systems must be controlled and limited exclusively to authorised users, processes, devices and information systems, so that access is restricted to permitted functions.
MANAGEMENT OF SECURITY INCIDENTS
The Information Technology department must have a cyber-security incident response (CSIR) service, equipped with the means to implement and manage each and every security measure required for each information system and to respond to any security incidents that may occur.
This service may carry out security audits that may be deemed necessary on any equipment connected to the university network, and may disconnect or isolate any IT system in those cases that pose a potential or real risk to the rest of Deusto's IT systems.
Security incidents can be detected by the IT system manager or administrator, by inspection or warning by the CSIR service or communicated from outside Deusto. The users' request management system (CAU) must collect, analyse and manage identified incidents.
Likewise, any user can send suggestions, report incidents and/or weaknesses that may be related to information security and the guidelines contained in this policy to the CAU.
Security decisions should be based on the analysis and management of risks as an essential security process, which should be permanently updated.
Risk assessment identifies threats and vulnerabilities and should be broad enough to cover the main internal and external factors, such as technological, physical and human, political aspects and third-party services with security implications.
Risk management makes it possible to maintain a controlled environment, minimising risks to acceptable levels. These levels will be reduced through the deployment of security measures, which will establish a balance between the nature of the data and the processing operations, the risks to which they are exposed and the security measures applied.
Due to the increasing interconnection of information systems, risk assessment must also consider potential damage that may result from, or be caused to, third parties.
All the systems under this Policy must undergo risk assessment, evaluating the threats and risks to which they are exposed.
All Deusto members have the obligation to know and comply with this Information Security Policy and the Security Regulations contained in it, the Information Security Committee being responsible for providing the necessary means so that this information reaches those concerned.
All the University's staff must be aware of the need to guarantee the security of information systems, as well as of the fact that they themselves are key to maintaining and improving security.
An ongoing awareness programme will be established to assist all Deusto members, particularly new members.
Those responsible for the use, operation or administration of ICT systems will receive training in the secure management of those systems to the extent they need it to carry out their work.
RELATIONSHIP WITH THIRD PARTIES
When Deusto provides services to other organisations or manages information about them, the person in charge of that relationship will inform them of this security policy and the regulations and derived instructions.
Communication and coordination channels will be established between the respective Information Security Committees, and action procedures will be set out to respond to security incidents.
Likewise, when Deusto uses third-party services or transfers information to third parties, the person responsible for that relationship will also inform them about this security policy and the security regulations and instructions that pertain to said services or information. Such third parties will be subject to the obligations and security measures established in said regulations and instructions, and may develop their own operating procedures to comply with them. Specific procedures for the prevention, detection, reporting and resolution of incidents will be established. It will be ensured that the staff of third parties are adequately aware of security, at least at the same level as that established in this security policy.
Specifically, third parties must ensure compliance with security policies based on auditable standards and undergo controls and reviews by third parties that certify compliance with these policies. Likewise, an audit report or certificate of destruction and deletion will be provided to ensure that the third party cancels and deletes the data owned by Deusto once the contract is terminated.