1) General Information about IT Offences and security breaches


Acting against the rules and regulations concerning the university's information systems and other IT services, as well as against Finnish laws governing information security, data privacy and cybersecurity, will be treated as IT offences or violations at Metropolia University of Applied Sciences.

This document outlines the actions taken against an individual when an IT offense has been discovered or there is reason to believe that an offense has occurred. The actions are divided into user permission limitations on the one hand and possible consequences imposed for offences on the other.

The document concentrates primarily on degree seeking students and staff at the university.

User accounts at university systems may also have been given to

  • members of interest groups
  • students in continuing studies and at the university

Sanction practices vary from minor user permission restrictions to more severe penalties, depending on the nature of the action and on whether the offense results from negligence, deliberate actions, or criminal intent.

Info: The definition of a security breach

A security breach is prohibited by law because it involves attempting unauthorized intrusion into a computer system, service, or device, or unauthorized use of an application with obtained credentials.


The guideline primarily concerns the university's degree students and personnel.

User credentials and permissions to access university systems may also be given to:

  • Interest groups and stakeholders.
  • Students in further education and open university studies.

Because of the group's heterogeneity, decisions regarding IT violations will require more individual considerations. Instead of providing general one-size-fits-all solutions for IT offenses, the principle of discretion applies to the case at hand.

All IT offences and actions taken because of them must be reported to the Chief Information Security Officer.

2) Restricting user permissions on pending investigations

User permissions may be restricted either by disabling all or some of a person's user accounts or by employing other methods to prevent access to an information system (e.g., removing the modify permissions) during the investigation:

  • As a standard procedure, a student's user account is disabled, and the student will be contacted to meet with either the Chief Information Security Officer or the person responsible for the system.
  • User permissions for staff members will be restricted as necessary. In the event of a network incident, user permission restriction may also include disconnecting the user's workstation from the network.

User permissions will be restricted in cases where there are reasonable grounds to suspect misuse of university IT resources, when access rights hinder the investigation of an offense, or to prevent potential further harm.

The decision to restrict user permissions is made by the owner of the information system in question, the unit leader, or an appointed individual. The implementation of these restrictions falls under the responsibility of the administrator. In urgent situations, the administrator may autonomously restrict user permissions for a maximum of three days, and will promptly report this action to the designated authority.

...

3) Consequences 

In minor offences the user is verbally reprimanded for improper action.

The person committing an IT offence is liable for the costs incurred from the use of resources (e.g. computer time) as well as for the costs incurred from the investigation.

...

3.1 To the students

A student may be subject to the following consequences: restriction of user permissions (disabling of user accounts) (General Policy of the Use of Information Systems), the university's internal administrative actions (a written warning, a temporary dismissal) (Polytechnics Act, section 28, 14.11.2014/932), and reporting a crime (actions punishable by law).

University teachers or other representatives of the university, such as staff, the teacher's supervisor or the Board of Examiners, are as a rule responsible for handling a student's IT offence at Metropolia. In minor cases and in cases due to negligence, the student is simply addressed verbally.

The decision to disable a user account is made by the university's President or someone else appointed by the President. The restriction time does not include the time that the account is disabled pending investigation.

The decision to give a written warning is made by the university's President, while the temporary suspension of the student is decided by the Board of Directors. Access rights to the university's IT services will be withdrawn during the suspension period.

The IT Services do not serve as a disciplinary measure. Instead, instances of IT violations by students will be addressed according to the university's disciplinary guidelines.

Info: The definition of a minor IT violation by students

A student insults or bullies other students, staff, visitors or other people he or she works with in connection with studies or a work placement, or reveals their personal data to a third party or otherwise acts in violation of data protection rules and guidelines. A student intentionally or through gross negligence damages property at Metropolia or at a work placement or property belonging to a partner.

...


Info: The definition of a more severe IT violation by students

A student poses a threat to public safety or causes significant damage to Metropolia. A student reveals to a third party the personal data, including sensitive personal data, of other students, staff, visitors or other people he or she works with in connection with studies or a work placement, or otherwise acts in violation of data protection rules and guidelines, and does so repeatedly or in a manner that can be considered deliberate or gross. A student accesses a forbidden domain in an information network, causes an information security threat or causes damage to an information system.

[Figure: Examples of the scale of IT offences committed by students]

3.2 To the staff

...

A staff member may face the following consequences: the university's disciplinary actions outlined in labor law (including a written warning, dismissal, or termination of the employment contract), as per the Employment Contracts Act (Chapter 7, Section 2; Chapter 8, Section 1), and reporting to law enforcement for criminal actions. Warnings are issued by the head of the unit or the director of administration. Access to specific information systems may be temporarily or permanently disabled based on trust concerns resulting from misuse. When determining the consequences, the intent and the severity of the offense are considered.

[Figure: Examples of the scale of IT offences committed by personnel]


4) Examples of offences

Distributing material subject to criminal law such as:

  • Cruel material subject to criminal law includes child pornography, bestiality, aggressive violence, cruel violence, racist material and incitement of the masses to crime.

Unlawful distribution of material subject to copyright law such as:

  • Copyrighted material includes music, videos, cartoons, games and software.

Giving one's login credentials to someone else:

  • Giving login credentials includes giving one's password to another user or leaving a session open so that someone else can use the credentials unsupervised.

Risking data integrity:

  • Disclosing non-public information to unauthorized individuals, such as providing access to server user data.
  • Neglecting information security for non-public information, such as inadequate protection of an information system.
  • Breaching confidentiality agreements.
  • Violating the Data Protection Act.
  • Neglecting personal information security, for example, by leaving passwords exposed.



Sanction practices for IT offences (Tietotekniikkarikkomusten seuraamuskäytäntö)