1) General information about IT offences and security breaches

Acting against the rules and regulations concerning the university's information systems and other IT services, as well as acting against Finnish laws governing information security, data privacy and cybersecurity, will be treated as IT offences or violations at Metropolia University of Applied Sciences.

This document outlines the actions taken against an individual when an IT offence has been discovered or there is reason to believe that an offence has occurred. The actions are divided into user permission restrictions on the one hand and possible consequences imposed for offences on the other.


Sanction practices vary from minor user permission restrictions to more severe penalties, depending on the nature of the action and on whether the offence results from negligence, deliberate action or criminal intent.

Info: the definition of a security breach

A security breach is prohibited by law because it involves attempting unauthorized intrusion into a computer system, service or device, or the unauthorized use of an application with obtained credentials.


This guideline concerns primarily the university's degree students and personnel.

User credentials and permissions to access university systems may also be given to:

  • Interest groups and stakeholders.
  • Students in further education and open university studies.

Because of this group's heterogeneity, decisions regarding its IT violations require more individual consideration. Instead of general one-size-fits-all solutions for IT offences, the principle of discretion applies to the case at hand.

All IT offences, and the actions taken because of them, must be reported to the Chief Information Security Officer.

2) Restricting user permissions pending investigation

User permissions may be restricted either by disabling all or some of a person's user accounts or by employing other methods to prevent access to an information system (e.g. removing modify permissions). During the investigation:

  • As a standard procedure, a student's user account is disabled, and the student will be contacted to meet with either the Chief Information Security Officer or the person responsible for the system.
  • User permissions for staff members will be restricted as necessary. In the event of a network violation incident, the restriction may also include disconnecting the user's workstation from the network.

User permissions will be restricted in cases where there are reasonable grounds to suspect misuse of university IT resources, where access rights hinder the investigation of an offence, or to prevent potential further harm.

The decision to restrict user permissions is made by the owner of the information system in question, the unit leader, or an appointed individual. Implementing these restrictions is the responsibility of the administrator. In urgent situations, the administrator may autonomously restrict user permissions for a maximum of three days, and will promptly report this action to the designated authority.

...

3) Consequences

In minor offences, the user is verbally reprimanded for improper action.

The person committing an IT offence is liable for the costs incurred from the use of resources (e.g. computer time) as well as for the costs of the investigation.

...

3.1 Students

A student may be subject to the following consequences: restriction of user permissions (disabling of user accounts) (General Policy on the Use of Information Systems), the university's internal administrative actions (a written warning, a temporary dismissal) (Polytechnics Act 14.11.2014/932, section 28), and reporting a crime (actions punishable by law).

The university's teachers or other representatives of the university, such as staff, the teacher's supervisor or the Board of Examiners, are normally responsible for handling a student's IT offence at Metropolia. In minor cases and in cases of negligence, the student is simply addressed verbally.

The decision to disable a user account is made by the university's President or someone else appointed by the President. The restriction period does not include the time during which the account was disabled pending investigation.

The decision to give a written warning is made by the university's President. The decision of a temporary dismissal is made by the Board of Management.


..., while the Board of Directors decides on the temporary suspension of the student. Access rights to the university's IT services will be withdrawn during the suspension period.

The IT Services do not serve as a disciplinary measure. Instead, IT violations by students are addressed according to the university's disciplinary guidelines.

Info: the definition of a minor IT violation by a student

A student insults or bullies other students, staff, visitors or other people he or she works with in connection with studies or a work placement, or reveals their personal data to a third party, or otherwise acts in violation of data protection rules and guidelines. A student intentionally or through gross negligence damages property at Metropolia or at a work placement, or property belonging to a partner.


Info: the definition of a more severe IT violation by a student

A student poses a threat to public safety or causes significant damage to Metropolia. A student reveals to a third party the personal data, including sensitive personal data, of other students, staff, visitors or other people he or she works with in connection with studies or a work placement, or otherwise acts in violation of data protection rules and guidelines, and does so repeatedly or in a manner that can be considered deliberate or gross. A student accesses a forbidden domain in an information network, causes an information security threat or causes damage to an information system.

[Image: examples of the scale of IT offences committed by students]

3.2 Staff

A staff member may face the following consequences: disciplinary actions outlined in labour law (including a written warning, dismissal, or termination of the employment contract) as per the Employment Contracts Act (Chapter 7, Section 2; Chapter 8, Section 1), and reporting to law enforcement for criminal actions. Warnings are issued by the head of the unit or the director of administration. Access to specific information systems may be disabled temporarily or permanently based on trust concerns resulting from misuse. When determining the consequences, the intent and the severity of the offence are considered.

[Image: examples of the scale of IT offences committed by staff]


4) Examples of offences

Distributing material subject to criminal law, such as:

  • Child pornography, bestiality and aggressive violence.
  • Cruel violence and racist material.
  • Incitement of the masses to crime.

Unlawful distribution of material subject to copyright law, such as:

  • Music, videos, cartoons, games and software.

Giving one's login credentials to someone else:

  • This includes giving one's password to another user or leaving a session open so that someone else can use the credentials unsupervised.

Risking data integrity, e.g.:

  • Disclosing non-public information to unauthorized individuals, such as providing access to server user data.
  • Neglecting information security for non-public information, such as inadequate protection of an information system.
  • Breaching confidentiality agreements.
  • Violating the Data Protection Act.
  • Neglecting personal information security, for example by leaving passwords exposed.

Sanction practice for IT offences