Information security

Here you can find the current document: Guideline on information security

1. Obligation to comply with laws and regulations
   As a public corporation, data protection and data security are relevant tasks for HdM. A large number of regulations apply and must be complied with by all employees.

   • the EU General Data Protection Regulation
   • the State Data Protection Act
   • the administrative regulation on information security (based on BSI standards)

   All employees are aware of their responsibility when dealing with IT. If you have any uncertainties, questions or training needs, please contact the above-mentioned officers immediately.

2. Importance of information processing
   Information processing plays a key role in the fulfilment of our tasks. All essential strategic and operational functions and tasks are significantly supported by information technology. It must be possible to compensate for a failure of IT systems at short notice. IZ-IT is responsible for the appropriate availability, integrity and confidentiality of the central systems.
   
3. Information security management
   The IT security officer must be involved in all projects at an early stage in order to take security-relevant aspects into account as early as the planning phase. If personal data is involved, the same applies to the data protection officer. All systems must be adequately documented in the form of procedure directories; in the case of commissioned data processing, data protection must be checked in advance by the legal advisor for data protection and information security issues. When introducing new systems, a data protection impact assessment must be carried out in advance by the head of IZ-IT. The criteria "privacy by design" and "privacy by default" must also be ensured by the providers. Preventive maintenance and risk analyses serve to ensure a high availability of critical systems for the operation of the university. Users can obtain information about stored data at any time upon request. Students can make changes to personal data in the self-service systems themselves at any time. Necessary training in the area of data security is guaranteed by the university management at all times.
   
4. Improving security
   The information security management system is regularly reviewed to ensure that it is up to date and effective. The management supports the continuous improvement of the security level. Employees are encouraged to pass on possible improvements or weaknesses to the relevant departments.
   
5. Handling of data
   The principle of data minimisation must be observed when storing and deleting data. The need to store and process data arises from the tasks of the university in accordance with the LHG. These are essentially teaching, applied research, the promotion of continuing education and business start-ups as well as the operation of a quality management system and student counselling.
   
6. Support in the fulfilment of tasks
   Support in the fulfilment of tasks is provided by various bodies and sources. These sources offer useful information and counselling services on the Internet. Contact should always be made via the IZ-IT.
   • BelWü-CSIRT (Computer Security Incident Response Team)
   • Zendas (central data protection centre of the Baden-Württemberg universities)
   • HSZ-BW (data protection services provided by the University Service Centre)