28 November 2022 – IT SecurityA New Basis for IT Security at the University

Whether its stealing data, espionage or extortion - universities and research institutes are attractive targets for cyber criminals. This is especially true for research-intensive institutions such as Heidelberg University. With the introduction of new information security guidelines, the university has established a legal framework for proactively addressing the complex challenges of the digital age.

A large padlock on a laptop, surrounded by colorful beams of light.

The new guidelines were approved by the Senate on 04.10.2022 and are effective immediately. The need for this development arose from the increasingly extensive digitization at universities, most recently accelerated by the coronavirus pandemic. Digital services, processes and data are now as integral to everyday study, research and work as lecture halls, seminar rooms and offices. For the latter, there have always been safety requirements, such as fire and accident prevention. The guidelines provide the basis for establishing and enforcing protective and behavioral measures in the form of regularly implemented policies for digital spheres of operation at the university.

The goal: accessibility, confidentiality, integrity

Achieving information security is a highly complex, university-wide process that involves scrutinizing and revising organizational processes as well as technical realities (through IT security). These guidelines are the first step in this process: they define the target security level for the entire university, specify the standards on which this level is based and regulate the responsibilities for enforcing them.

“We have naturally always protected information and the systems that store and process that information,” explains Prof. Dr. Vincent Heuveline, Executive Director of the URZ and Chief Information Officer (CIO) of the university. “However, the new policy harmonizes and further enhances this protection university-wide. We're defining a gold standard of security that we must all collectively uphold.”

This gold standard has three clear goals for protecting information: to maintain accessibility, to preserve confidentiality, to ensure integrity. The basic protection standards of the German Federal Office for Information Security (BSI) and the international standards DIN ISO/IEC 27001 ff. serve as the benchmark for our guidelines. In addition, we take a holistic approach to information security as recommended by the BSI. The protection of non-digitally recorded information, such as notes, letters or conversations, will also be taken into account.

What you can expect: Guidelines, support and training

Based on these guidelines, concrete policies are now being devised under the leadership of the CIO and CISO (Chief Information Security Officer) which will provide specifications and best practices for highly specific areas of work, thus initiating the implementation of defined security standards.

What does this mean for you as a user? Don't worry. In the future, you won't be forced to read complex legal texts or regulations to be able to ensure information security in your workspace. The measures are designed with user acceptance in mind. Understandable and easy-to-implement handouts based on these guidelines will be made for all university users, and training and support for information security will be offered.

Information security: A collective undertaking

Important consulting, training and support services will also be provided by the state federation for information security, bwInfoSec . Since universities in the state of Baden-Württemberg face similar challenges when it comes to information security, the bwInfoSec federation has been in operation since 2019. The core teams of this federation provide guidance to participating universities as well as training and information services to their users. The core team responsible for universities is located at the URZ.

We can only achieve information security as a university through collective effort. Every single one of you will be able to help - we will explain exactly how in future articles, tutorials and training sessions. We thank you in advance for your assistance!