Information Security Plan KU Leuven


INFORMATION SECURITY PLAN FOR THE PROCESSING OF PERSONAL DATA

September 2015

1. Introduction

The information security plan for the processing of personal data (referred to as the information security plan from here on) summarises the most important aspects of the information security policies observed by KU Leuven. As the term indicates, the plan focuses especially on those aspects that pertain to the protection of personal data. The Privacy Commission requires that such an information security plan be in place.

The KU Leuven information security policies do not only serve privacy objectives. The outlined measures also help protect valuable data against unintentional disclosure, theft and loss, in addition to ensuring business continuity. The full breadth of the information security policies thus extends beyond what is described in this document.

The objective of the information security plan is twofold. Firstly, since the plan can be consulted by the full KU Leuven community, it contributes to awareness-building around information security and compliance with the policies in force. Secondly, the plan explains the information security policies in force to external parties: the Privacy Commission and research funding bodies can verify the adequacy of the KU Leuven policies.

The policies around the processing of personal data at KU Leuven are based on the principles of the privacy legislation:

- declaration to the Privacy Commission of processing acts not exempted from declaration;

- providing information to those individuals whose personal data are subject to processing;

- ensuring that access to information is limited to those persons who legitimately require access (need-to-know / need-to-have principles).

The information security plan applies to KU Leuven as a university, i.e. including the processes at the different KU Leuven campuses, but excluding UZ Leuven.

The security plan should be seen in its university context, which is characterised, among other things, by a complex structure with many decentralised competencies. Consequently, not all aspects of the security policies are strictly enforceable. Parts of the security measures were developed and implemented in a decentralised manner.

KU Leuven strives towards guaranteeing the confidentiality of personal data at all times by means of the approach laid out in this document, and this without obstructing the dynamic nature of its academic processes.

2. Organisation and Policies

KU Leuven maintains information security policies that combine university-wide processes and procedures with decentralised initiatives, adjusted to particular academic needs.

This university-wide approach includes the operating framework of the security officer, whose role corresponds to the Privacy Commission’s description. The master copies of the company data (which include student and personnel data) are also subject to university-wide procedures through a centrally administered ERP system and a centrally administered IT infrastructure. The central ICTS service is responsible for the administration of these IT functionalities. ICTS also manages the personal computers of staff at the central and supporting services.

To a large extent, the decentralised responsibilities are situated at the level of the researchers, who manage research data of a wide-ranging nature, often on their own IT infrastructure and with their own access rules. Company data can also be copied to local, personal storage devices. Local staff in that case become responsible for the appropriate processing of the data, while local IT services offer support where needed. These practices are naturally less standardised, but here too KU Leuven strives towards high-quality protection of the data. The Research Coordination Office, for instance, developed a comprehensive framework around information security, which includes the protection of personal data.

The important actors who help develop the information security policies are:

- The Vice Rector for Student Affairs, who is also competent for privacy matters. The vice rector is responsible for privacy-related policy decisions at KU Leuven. He signs all documents addressed to the Privacy Commission and its sector committees (e.g. for access to the national register or the Crossroads Bank for Social Security). His services are also the contact point for requests to access particular data.

- The security officer, recognised as such by the Privacy Commission. The security officer also fulfils the role of “data protection officer” in the context of research requests. He offers independent advice and support to both management and concerned individuals at the institution.

- The ICTS security coordinator, who helps develop and monitor information security for KU Leuven’s central IT services.

- Equivalent IT security functions have been defined for the decentralised IT services.

It is clear that KU Leuven’s information security policies are the result of very wide-ranging initiatives launched at both central and decentralised levels. At the end of 2014, in view of the increasing importance of information security, KU Leuven decided to establish an Information Security Steering Group in charge of developing and coordinating the main policies around privacy as well as monitoring their enforcement. The following stakeholders are represented in the Information Security Steering Group:

- The vice rector responsible for privacy policies (chair)

- The security officer

- The ICTS security coordinator

- The group managers of the Humanities and Social Sciences, Biomedical Sciences, and Science, Engineering and Technology groups.

- Representative for the Research Policy area

- Representative for the Educational Policy area

- Representative for the HR Department

The following Information Security Plan was developed by the Information Security Steering Group.

3. Processing of personal data

3.1. Inventory

a. Company data

Company data are indispensable to fulfilment of KU Leuven’s core missions. They are unequivocally identifiable and, as a rule, are subject to standardised processes on a regular basis. The following distinctions apply:

(1) Student data: collected by the Student Administration services and complemented/completed by different services/ faculties.

(2) Personnel data: collected by the HR department.

(3) Supplier and customer information: collected by Central Financial Services.

In addition, KU Leuven submitted a number of declarations to the Privacy Commission that pertained to other data processing acts, namely:

- student housing data (collected by Student Services);

- an employment database for students (collected by Student Services);

- library data (collected by library services);

- the University Parish’s customer register (collected by the University Parish);

- temporary PR files created for study days etc. (collected by the organiser);

- alumni data (co-owned by the alumni groups and managed and updated by Alumni Lovanienses);

- promotional data (collected by the Marketing Department).

b. Research data

Personal data collected as part of research can be of a wide-ranging nature. Possible types include:

- information linked to concrete persons as a result of research (whether processed in an anonymous manner or not; whether pulled from the national register or sector databases or not);

- information that is so unique that it can easily be attributed to individual persons (e.g. DNA databases).

This data is collected, managed and updated by the researchers.

Note: Sensitive data

The previous categories also include data that absolutely warrant confidentiality because of their nature (e.g. medical information). Additional security precautions apply to these types of data.

Note: Cookies

KU Leuven uses cookies to optimise the use of its website and to perform (generic) analyses of webpage use. The bottom section of KU Leuven’s webpages refers to the cookie policy in force [1].

[1] https://admin.kuleuven.be/icts/cookiebeleid/

3.2. Administration

The ICTS service is responsible for central IT support for education, research, administration and management. Among other things, ICTS manages the KU Leuven network, the central IT infrastructure, the systems holding company data, and the personal computers used by the central and supporting services.

Through its service catalogue, ICTS also makes its product offer available to faculties and departments.

An increasing number of decentralised bodies have transferred (parts of) their IT management to ICTS.

a. Company data

KU Leuven has a central SAP environment for the administration of company data. The central ICTS service ensures that this SAP environment is outfitted with appropriate security measures to shield it from third parties. Internally, strict authorisation policies determine which individuals can access and modify particular data. Authorisations are assigned on the basis of the roles that accompany the positions of the persons concerned.

Company data are ideally exclusively processed in SAP. Should the responsible authorising persons (at the level of the service, faculty, campus) choose to make copies to decentralised files, they shall be responsible for appropriately securing these data and for their authorised use.

A number of data groups are not managed in SAP, but in separate databases. This is especially the case for the processes requiring particular declarations mentioned above (library data, promotional data, student employment data, alumni data, …). These databases are also subject to the principle that access is limited to staff members whose position warrants access.

b. Research data

In view of the wide diversity of research data, standardised administration of this information is not always feasible or desirable. It is the researcher’s responsibility to manage this information on appropriate storage devices and ensure their authorised use.

3.3. Use

As a general rule, KU Leuven does not communicate information to third parties. External communication only occurs upon explicit request from inspection authorities (police, courts) as well as in the event of the below particular circumstances.

The right to inspect and correct information stored and processed by KU Leuven is subject to a strict procedure [2].

[2] https://admin.kuleuven.be/rd/privacy

a. Company data

Use of company data is only allowed to support operational processes.

(1) Student data

This information is managed by different KU Leuven bodies: Education Policy Services, Student Affairs Policy Services, faculties, … Their administration is part of KU Leuven’s education mission: maintaining a student administration and student support as well as meeting the legal requirements with respect to e.g. attestation.

Faculty staff members also conduct research on student data with a view to optimising student support and flow.

Student data are communicated to external parties in the context of the Higher Education Database with a view to study funding as well as the rules determined by decree vis-à-vis study progress monitoring. In addition, certain information regarding recruitment and transfer is shared within the KU Leuven Association (KU Leuven and the KU Leuven Association university colleges) based on a mutual agreement.

Communication to external parties on an individual basis is only possible according to the rules stipulated in the education and examination regulations that students accept when they register. In particular, this concerns confirming, at the request of third parties, the authenticity of documents purportedly issued to them by KU Leuven.

Student data are shared with alumni associations solely upon student graduation. This information is either updated by authorised individuals at the alumni association in KU Leuven’s central SAP file (but separately from other data), or independently processed by the alumni association, with possible feedback to KU Leuven through a CRM system. An agreement framework exists for alumni associations (in those cases where associations largely process data in an independent manner), as well as a deontological code signed by staff members.

(2) Personnel information

Personnel data pertain to active employees as well as employees who have left the institution; they are processed with a view to complying with legal requirements and awarding personnel benefits.

Personnel information is communicated externally to a social secretariat (payroll provider) and to insurance providers with a view to preserving the rights of personnel members and complying with the accompanying administrative requirements.

(3) Supplier and customer information

Supplier and customer information are managed by Central Financial Services with a view to meeting the financial administrative requirements.

b. Research data

Research data serve the research mission of KU Leuven.

Research data are shared with other research institutions as part of specific research projects. Personal information may also be collected and shared with the particular party that commissioned the research.

In this case, efforts are made to verify that the concerned researchers received the needed information with regard to obtaining informed consent.

3.4. Guidelines & Communication

The most important information with respect to the privacy policies in force can be found on one central webpage [3].

In addition, ICT guidelines have been developed for both personnel [4] and students [5]. Disciplinary consequences are attached to non-compliance with these guidelines.

a. Company data

In addition to the above guidelines, specific rules apply to a number of specific processing operations on company data. For example, together with the education services, an agreement framework was developed for the handling of information as part of follow-up research on education improvement.

A specific code was developed for IT personnel with access to confidential data.

b. Research data

The Research Coordination Office and LRD services, as well as the ethical committees, fulfil an important monitoring role with respect to research data.

It is the researcher’s responsibility to verify whether his/her research projects raise privacy-sensitive or ethical concerns. Through a webpage [6], researchers are briefed on the step-by-step process they need to complete when submitting a declaration to the Privacy Commission.

The application forms of the KU Leuven Internal Funds, FWO and EU Horizon 2020 explicitly alert researchers to the importance of these concerns and also include a questionnaire. The project can only launch after the questionnaire has been completed and all the necessary steps have been taken (e.g. authorisation by the ethical committee(s), declaration to the Privacy Commission).

Other research-related measures are included in a policy plan that is applicable across the university.

This policy plan clearly outlines the responsibilities of, as well as guidelines for, researchers. The following initiatives, for instance, are meant to promote awareness around data integrity and data management:

- Development of a website with data management guidelines [7]

- Tool to draw up a data management plan to handle and secure research information

- A mandatory lecture for first-year doctoral students that includes awareness-raising around security-related subjects such as data management

- Supervisor training, which also covers aspects of academic integrity, for all (co-)supervisors new to this role.

- Schedule consultation moments with deans and department chairs to create awareness around data management and data integrity.

- An online academic integrity tool (LIRICS, can be consulted through a Toledo community) has been developed that makes it possible to build awareness around management and protection of research data among researchers today.

[3] https://admin.kuleuven.be/rd/privacy

[4] https://admin.kuleuven.be/personeel/ict-gedragslijn-personeel

[5] http://www.kuleuven.be/studenten/ictgedragslijn.html

[6] https://admin.kuleuven.be/rd/privacy/onderzoeker#stappenplan

[7] https://www.kuleuven.be/onderzoek/intern/datamanagement/index.html

3.5. Special attention to sensitive information

Both the HR Department and the Student Affairs services manage personal information of a very sensitive nature: medical and social data. This information is not stored on the ERP system, but rather on stringently protected (e.g. digital) folders with limited access. Both services enforce a specific deontological framework that determines handling of this sensitive information. Doctors and confidential advisers are subject to the obligation of professional secrecy.

The procedures also require notifications to the following committees, which monitor appropriate handling of the information:

- The Medical Ethics Committee offers binding advice on human trials, and especially in the case of clinical research performed on patients and volunteers.

- The Social and Societal Ethics Committee has the authority to subject research proposals with human participants to an ethical-deontological review insofar as they do not pertain to health sciences practices or medical or pharmacological procedures.

4. Technical aspects

The governance model KU Leuven developed for IT processes leaves room for domain-specific interpretation: the scope and degree of enforceability of the central IT functionalities varies depending on the domain. In this way, optimal complementarity between the central and decentralised IT services is aimed for.

As explained earlier, KU Leuven’s company data are centrally managed. For research data, several possibilities exist. Some research groups outsource (parts of) their IT processes to the central ICTS service. Other research groups independently manage the data using their own infrastructure.

Alternatively, the decentralised responsible persons can make copies of the company data and subsequently manage this information independently.

The aspects outlined below only apply to the central networks and data. An identical standard is aspired to for the decentralised levels. An exhaustive list of the technical aspects is however impossible due to the large diversity in processes.

4.1. Physical security of the environment

KU Leuven is an open institution with a large flow of individuals and a number of buildings with a semi-public purpose. It is consequently impossible to strictly limit access to all rooms. To manage the complex stream of users in a safe and user-friendly way, two access control systems are used at KU Leuven:

- A mechanical access control system with keys;

- An electronic access control system with access badges.

The central information systems in which both centrally managed personnel information as well as centrally managed student information are entered, processed and stored are located in two central data centres in Heverlee and Leuven. Both data centres are located at a sufficient distance from each other and are equipped with the usual security measures against physical threats and interruptions (such as e.g. emergency generators). The data centres can consequently be considered backups for each other at the level of the critical central information systems and information carriers.

Physical access to these data centres is regulated by a badge-based access control system.

A log is moreover kept of all access movements at the data centres; these log entries are analysed by the data centre supervisors at regular intervals. The entry doors of the data centres are also under video surveillance, so that all access is registered in this additional manner as well.

Backups are also made of the information systems and the accompanying data at regular intervals. The backups can only be accessed by administrators, enabling them to restore these backups in the event of a problem.

4.2. Network security

The KU Leuven network is secured via a layered structure. Internet access and access to the KU Leuven network are managed by a central firewall.

The KU Leuven network itself includes zone divisions that for instance limit students’ access to the student network. As the KU Leuven network continues to develop, the development of additional zones to limit access to for instance new, critical information is constantly analysed.

KU Leuven’s ERP system (SAP), which includes among other things personnel and student information, is located in a separate zone of the network that is shielded from the remainder of the network through its own firewall, which has very stringent parameters.

All servers are moreover outfitted with their own individual (host-based) firewall which, depending on the needs of and the data on the servers, can be configured with very stringent rules. These centrally administered servers are also equipped with antivirus software.

At the network level, network activity is logged and monitored. Both systems and users can be blocked on the network in the event of suspicious network activity; a thorough root cause analysis is subsequently performed to monitor and solve the incident in such cases. KU Leuven continues to invest in improving both proactive and reactive measures to secure its network activity.

For the different security layers of the central KU Leuven network, most actions are registered in logs on a syslog server, which also allows proper monitoring of an incident after the fact.

At the network level an Intrusion Detection System is also in place that uses up-to-date rule sets to check for misuse patterns in network activity. The suspicious activity is analysed and appropriate action is taken when necessary should such patterns be found.

As a general rule, all centrally managed computers are outfitted with a virus scanner that automatically downloads updates so that the active version is always the most recent one.

In addition, KU Leuven offers all personnel and students a campus licence for this virus scanner so that it can also be installed free of charge on devices that are not centrally managed.

The central mail infrastructure is moreover outfitted with spam filters.

4.3. Logical access security

End users need to be registered in Active Directory (AD) and/or LDAP before they can be granted access to applications and data on the centrally managed information systems. Users are always required to sign in through the central login application.

Users who are granted access to the KU Leuven network agree to the ICT guidelines for students or personnel at KU Leuven, depending on the type of user.

By synchronising the central IAM system with the organisational chart, users are automatically granted the specific access rights to central systems that are indispensable to particular positions and/or roles. This also means that these rights are withdrawn automatically when a user leaves KU Leuven or takes up a different position and/or role at KU Leuven.

Additional application-specific authorisations are also often required to gain access to an application and its accompanying data. Only the application and/or data owners can grant these specific, manually assigned authorisations on centrally managed systems to end users.

The SAP system uses such an authorisation management system.
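The following is an added illustration of the two provisioning paths described above (role-derived rights that follow the organisational chart, plus owner-granted application-specific rights); it is example code written for this page, not KU Leuven's IAM implementation. The role names, entitlement names and people in ORG_CHART, CURRENT_GRANTS and MANUAL_GRANTS are constructed for illustration. It reconciles what the target system currently holds against what the org chart says each person should hold, so that a mover loses the rights of the old role, a leaver loses everything (including manually granted rights), and an account absent from the org chart is treated as an orphan.

```python
"""Joiner/mover/leaver reconciliation driven by an org-chart snapshot.

Added example for this page, not KU Leuven code. Role names, entitlement
names and the people in the sample data below are constructed.
"""
from dataclasses import dataclass

# Assumed mapping from org-chart roles to the entitlements a role implies.
ROLE_ENTITLEMENTS = {
    "hr-officer": {"sap:hr-read", "sap:hr-write"},
    "student-admin": {"sap:student-read"},
    "researcher": {"storage:research-share"},
}


@dataclass(frozen=True)
class Person:
    uid: str
    roles: frozenset        # roles taken from the org chart
    active: bool = True     # False once the person has left the institution


def desired_entitlements(person, manual_grants, unknown_roles=None):
    """Entitlements a person should hold right now.

    Role-derived rights follow the person's current roles only; manual grants
    approved by a data owner are kept while the account is active. A leaver
    gets nothing, so manual grants are withdrawn together with role rights.
    """
    if not person.active:
        return set()
    wanted = set()
    for role in person.roles:
        if role in ROLE_ENTITLEMENTS:
            wanted |= ROLE_ENTITLEMENTS[role]
        elif unknown_roles is not None:
            unknown_roles.add(role)      # role without a mapping: grant nothing, report it
    wanted |= manual_grants.get(person.uid, set())
    return wanted


def reconcile(org_chart, current_grants, manual_grants):
    """Compute what to add and what to revoke so the target matches the org chart.

    current_grants: {uid: set of entitlements} as held in the target system.
    Accounts present in the target but absent from the org chart are orphans
    and are stripped of every entitlement. Returns (to_add, to_revoke, unknown_roles).
    """
    people = {p.uid: p for p in org_chart}
    to_add, to_revoke, unknown_roles = {}, {}, set()
    for uid in set(current_grants) | set(people):
        have = current_grants.get(uid, set())
        person = people.get(uid)
        want = desired_entitlements(person, manual_grants, unknown_roles) if person else set()
        if want - have:
            to_add[uid] = want - have
        if have - want:
            to_revoke[uid] = have - want
    return to_add, to_revoke, unknown_roles


# Constructed sample data (not real accounts or roles).
ORG_CHART = [
    Person("alice", frozenset({"student-admin"})),                 # mover: was hr-officer
    Person("bob", frozenset({"hr-officer"}), active=False),         # leaver
    Person("dave", frozenset({"researcher", "guest-lecturer"})),    # guest-lecturer has no mapping
]
CURRENT_GRANTS = {
    "alice": {"sap:hr-read", "sap:hr-write"},    # still holds the old HR rights
    "bob": {"sap:hr-read", "sap:hr-write"},
    "carol": {"sap:student-read"},               # orphan: not in the org chart
    "dave": {"storage:research-share"},
}
MANUAL_GRANTS = {"dave": {"sap:project-budget-read"}}   # granted by the data owner

if __name__ == "__main__":
    add, revoke, unknown = reconcile(ORG_CHART, CURRENT_GRANTS, MANUAL_GRANTS)
    print("add:", add)
    print("revoke:", revoke)
    print("unmapped roles:", unknown)
```

The reconciliation is deliberately computed as a diff (add/revoke) rather than by overwriting the target: the revoke set is what an auditor would want to see after each synchronisation run, and the set of unmapped roles flags org-chart positions that silently receive no rights.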

ICTS has a Privileged Access Management tool for the use of generic (shared) accounts at the server level, which includes both a procedure for the use of these accounts and a very stringent password policy for this type of account.

4.4. Access logs, tracking and analysis

The different security components of the KU Leuven network produce logs that are saved in syslog files.

These log files are on the one hand used to monitor the performance and availability of the different network components.

On the other hand, these logs are also used in the event of incidents or in research projects that aim to guarantee the integrity of the data across the network.

Changes to certain critical information, such as personnel and student information, are also recorded and monitored in the applications themselves.

SAP, KU Leuven’s ERP system, moreover offers the possibility to keep change documents and table logs for the most critical data. In addition, a four-eyes principle is enforced by means of workflows and authorisations for changes to critical information and/or processes: the person who requests a change cannot be the one who approves it. The business partners always assess the risks in the SAP processes to determine which method will be used to secure the data and the accompanying processes.
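As an added example of the workflow-enforced four-eyes principle combined with a change log, the code below is written for this page and is not KU Leuven's SAP configuration. The set of critical fields, the approver role name and the sample personnel record are constructed; the change log entries (old value, new value, requester, approver, timestamp) stand in for change documents as a plain Python list. It shows the three ways a critical change is refused (no approver, self-approval, approver without the right role) and that non-critical changes are written directly but still logged.

```python
"""Four-eyes workflow with a change log for critical fields.

Added example for this page, not KU Leuven's SAP configuration. Field names,
roles and the sample record are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumption: changes to these fields need a second, authorised person.
CRITICAL_FIELDS = {"bank_account", "salary_scale"}
APPROVER_ROLE = "hr-approver"      # assumed role name


@dataclass
class ChangeRequest:
    record_id: str
    field: str
    new_value: str
    requested_by: str
    approved_by: Optional[str] = None   # filled in by the second step of the workflow


class FourEyesStore:
    def __init__(self, records, roles):
        self.records = records      # {record_id: {field: value}}
        self.roles = roles          # {uid: set of role names}
        self.change_log = []        # append-only list of change documents

    def apply(self, req: ChangeRequest) -> int:
        """Apply a change if the workflow allows it, else raise PermissionError.

        Non-critical fields are written directly but still logged. Critical
        fields require an approver who is a different person from the
        requester and who holds APPROVER_ROLE. Returns the log length.
        """
        if req.field in CRITICAL_FIELDS:
            if req.approved_by is None:
                raise PermissionError(f"{req.field}: second approval required")
            if req.approved_by == req.requested_by:
                raise PermissionError("requester may not approve their own change")
            if APPROVER_ROLE not in self.roles.get(req.approved_by, set()):
                raise PermissionError(f"{req.approved_by} lacks role {APPROVER_ROLE}")
        record = self.records[req.record_id]
        old = record.get(req.field)
        record[req.field] = req.new_value
        self.change_log.append({
            "record": req.record_id, "field": req.field,
            "old": old, "new": req.new_value,
            "by": req.requested_by, "approved_by": req.approved_by,
            "at": datetime.now(timezone.utc).isoformat(),
        })
        return len(self.change_log)


def try_apply(store: FourEyesStore, req: ChangeRequest):
    """Return ("ok", log_length) or ("denied", reason) instead of raising."""
    try:
        return "ok", store.apply(req)
    except PermissionError as exc:
        return "denied", str(exc)


def make_store() -> FourEyesStore:
    """Constructed sample data (not real people or accounts)."""
    records = {"p1": {"phone": "+32 16 000000", "bank_account": "BE00 0000 0000 0000"}}
    roles = {"alice": {"hr-officer"}, "bob": {"hr-officer", "hr-approver"}}
    return FourEyesStore(records, roles)


if __name__ == "__main__":
    store = make_store()
    print(try_apply(store, ChangeRequest("p1", "phone", "+32 16 111111", "alice")))
    print(try_apply(store, ChangeRequest("p1", "bank_account", "BE11 1111", "alice")))
    print(try_apply(store, ChangeRequest("p1", "bank_account", "BE11 1111", "alice", "alice")))
    print(try_apply(store, ChangeRequest("p1", "bank_account", "BE11 1111", "bob", "alice")))
    print(try_apply(store, ChangeRequest("p1", "bank_account", "BE11 1111", "alice", "bob")))
    for entry in store.change_log:
        print(entry)
```

Note that the checks are performed before the record is touched, so a refused request leaves both the record and the log unchanged; the log records who approved as well as who requested, which is what makes the four-eyes control auditable after the fact.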

4.5. Monitoring, review and maintenance

A clearly outlined change management process applies to all changes to the centrally managed applications and corresponding network components that handle information managed by KU Leuven’s central IT service. Testing of the changes, and the integrity and availability of the data, are treated as absolute priorities. Both the concerned application teams and the business partners must give their authorisation before changes can be transferred to the production environment.

A project methodology is always used during the implementation phase of new IT projects and new IT applications of KU Leuven’s central IT department. Aside from the functional requirements, this methodology also takes the required minimal security precautions into consideration as well as authentication of the end users and sufficient shielding of the data through authorisations.

4.6. Managing security incidents and continuity

Monitoring and logs have been put in place for the different network components of the central KU Leuven network. In the event of suspicious network activity and/or actions, appropriate measures will be taken to monitor and resolve the security incident. Depending on the type of incident, the components will warrant particular types of action (e.g. patching), or the infected components may be isolated and blocked. If necessary, all concerned (de)central IT administrators will be notified so they can analyse the security measures for the network components they are responsible for and adjust those where necessary.

The ICTS Technical Cell will open a case to investigate the actual events should there be reason to believe that an incident may have jeopardised the confidentiality and integrity of personal data.

Temporary precautionary measures can immediately be adopted while this investigation is on-going to prevent further irregularities.

Depending on the cause of the incident, either the supervisor for HR policies or the supervisor for student affairs will be informed through this case file. If necessary, these supervisors can launch a follow-up procedure that can include subsequent steps and/or disciplinary measures.

KU Leuven has a recovery and continuity plan in place for all centrally managed critical applications and data. The university relies on two central data centres in Heverlee and Leuven for this; they are capable of functioning as back-ups for each other in the event of problems.

Both central data centres are outfitted with the necessary facilities to provide maximal business continuity (e.g. emergency generators, …).

In addition, backups are made of all critical applications and data so that systems and data can be restored from these backups should specific servers fail.

5. Compliance and monitoring

As indicated above, KU Leuven has taken far-reaching measures to guarantee appropriate processing of company data. The data and processing acts are known and, when necessary, have been reported to the Privacy Commission. The information is collected on a legal ground and to serve specific objectives that have been defined by law, and in instances where this is not the case, on the basis of informed consent. The information is also subject to a clear containment policy: it stipulates who can be granted access to the information and it is also stored and processed in sufficiently secure environments. This information is only shared with third parties in the scenarios described above.

A range of management measures apply to research data and other types of data managed by decentralised supervisors. There is no standardised approach however.

We do strive toward university-wide compliance through the collaborative efforts of the following actors:

- The security officer: university-wide role and powers.

- The ICTS security coordinator: authorised for information security at the central IT services.

- Decentralised IT staff: authorised for information security at the decentralised IT services.

- The Research Coordination Office, which develops a framework with guidelines for researchers.

- The Information Security Steering Group, which develops and coordinates the major policies around privacy, and also monitors their implementation.

Finally, the above-mentioned parties and processes are subject to the oversight of the Internal Audit Office, which monitors risk and control management at KU Leuven on behalf of the Board and the Audit Committee. The Internal Audit Office regularly audits the internal processes at KU Leuven, including the ‘Information Security’ process. When auditing officers lack the needed expertise, the help of external consultants is enlisted for these audits.
