Maatregelen
DS.4.001. Identification
Last updated: 30-10-2020
Before commencement of processing activities all individuals working with data and systems have been identified using a nationally issued Identification Document.
Technical specification:
All contracted UU employees and contractors have had their identities validated before accounts have been provisioned. So if you work with UU colleagues, this has already been taken care of. However, if you work with people from outside our organisation, make sure their identities have been sufficiently validated before you exchange information.
DS.16.002. Security in Projects
Last updated: 5-6-2020
Projects reserve sufficient time, manpower and budget to assess and adhere to information security policy.
Technical specification:
A rationale for the reservations for security needs to be present. Without a rationale, a 5% of project budget for security and privacy is a recommended minimum.
DS.16.001. Change Management
Last updated: 30-10-2020
Changes to processes are evaluated for security impact. There will be checked if there are reasons to update the classification of the data processing activity and appropriate measures are taken.
Technical specification:
–
DS.15.003. Business Continuity Management
Last updated: 30-10-2020
Critical processes are identified and there are plans for how to proceed under conceivable crisis-situations such as non-availability of supporting IT services. These plans are tested, and revised and updated every 3 years.
Technical specification:
–
DS.15.002. Incident Communication Policy
Last updated: 17-8-2020
After incidents are established, the University communicates as openly and truthfully to affected parties/subjects as is permissible without sharing details of active vulnerabilities.
At least this communication details the extent of the incident, the suspected causes, the steps taken to mitigate risks, what will be done in the future to prevent further incidents and what people can do themselves to further reduce their risks. Furthermore, contact details of the organisation will be given for questions regarding the incident.
Technical specification:
For data breaches involving personal data, see this page on what to do regarding communicating to data subjects: https://intranet.uu.nl/datalek-melden-aan-betrokkenen .
DS.15.001. Staff Involved in Risk Identification Workshop
Last updated: 30-10-2020
At least once every year, a workshop takes place with staff of the services to identify potential risks, attack vectors or improvements. Where possible, suppliers of supporting IT services are included in the workshops. The outcomes of the workshop are documented and identified risks are treated according to existing Risk Management practices. Recommendations to improvements to baselines are shared with the CISO Office.
Technical specification:
–
DS.14.003. Data Destruction Declaration
Last updated: 30-10-2020
When critical data is destroyed (either digitally or the storage medium), a declaration of data destruction has to be signed by the person executing the destruction that includes the identity of the destroyer, the date, the method used to destroy and a signature that destruction took place.
Data destruction declarations are stored and copies available on request.
Technical specification:
–
DS.14.002. Data Archiving Procedure
Last updated: 30-10-2020
There is a data archiving procedure detailing how certain documentation that may be needed beyond the data retention period can be archived. Note that archiving is a one-way procedure and meant for long-term storage in read-only repositories.
Technical specification:
–
DS.14.001. Data Retention Period
Last updated: 30-10-2020
Data has an identified and recorded period of time for which it is retained and available, which is set to the minimum of legal and business requirements. After this period, data is deleted and unrecoverable. Data deletion for different storage mediums must occur in line with the NIST standard for data deletion level ‘Clear’ or higher: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf.
This includes sensitive data stored hardcopy which needs to be properly shredded and destroyed.
Technical specification:
–
DS.13.009. Data Portability
Last updated: 30-10-2020
Supplier is contractually obligated to deliver the UU data in a convenient and portable format on request.
Technical specification:
–
DS.13.008. Certified Supplier
Last updated: 30-10-2020
Supplier is appropriately certified for information security by an independent third party auditor. The certification is a maximum of 2 years old.
Technical specification:
For ISO27001 certification the SoA needs to be confirmed by UU information security.
ISAE3402 statements are not sufficient for Information Security.
informatiebeveiliging@uu.nl determines if a certification and its scoping is sufficient for the intended services to be delivered by this supplier.
DS.13.007. Proven Supplier
Last updated: 30-10-2020
Supplier has existed for at least 3 years.
Supplier must have a proven solution in use at other organizations for comparable use cases. Supplier is able to give references that can be contacted regarding their use of the supplier’s solution.
Supplier can demonstrate measures taken to guarantee continuity of business operation.
Technical specification:
References from successful implementations for comparable use cases are contacted to ask for their experience with the product and supplier.
Measures to account for business continuity may include a large enough workforce with knowledge of the solutions and tools, extensive documentation, separate holdings for intellectual property and financial flows.
DS.13.006. Monitoring & Auditability
Last updated: 30-10-2020
Supplier will provide periodic reports to show that agreements and service levels are attained.
Suppliers will allow and facilitate the UU to perform audits to ascertain that the contractual agreements with regards to information security are adhered to and to gain further insight into information security risks related to the continued usage of the IT service or product.
Technical specification:
–
DS.13.005. Supplier Vulnerability Management
Last updated: 30-10-2020
Contractually, suppliers are obligated to inform the UU if vulnerabilities are found in contracted IT services. This notification does not need to include technical details, but at least contain an indication of the risk to the UU due to the vulnerability, expected timelines for addressing the vulnerability, a comprehensive overview of steps the UU can take to mitigate the risk posed by the vulnerability and if there are indications the vulnerability has been abused.
Contractually, in the event of indications of compromise, supplier is obligated have digital forensics performed by an independent party to determine the extent to which UU data has been exposed or compromised.
Technical specification:
–
DS.13.004. Supplier Incident Management
Last updated: 30-10-2020
Contractually, suppliers are obligated to inform the UU of any breach to their information security that could potentially affect the UU as soon as possible but at least within 72 hours of establishing the incident.
Technical specification:
–
DS.13.003. Supplier Data Access
Last updated: 30-10-2020
Supplier is contractually disallowed from accessing organisational data in any other way than upon specific request of the organisation. This request must be demonstratable and actions taken by supplier logged.
Technical specification:
–
DS.13.002. Validation of Supplier Information Security
Last updated: 30-10-2020
Before new suppliers of Information Technology products or services are contracted or engaged for the purpose of supporting processing activities with this classification or higher, official advice must be requested on the Information Security risks as seen by the CISO Office. The CISO Office can request additional documentation, certifications or conversations with the supplier to formulate a non-open-ended advice whether or not we can continue with this supplier or under what circumstances.
Technical specification:
Before a new service is contracted or used, follow the steps outlined on this page to make sure that information security risks of the supplier and the product are identified.
DS.13.001. Suppliers & Partner Information Security
Last updated: 30-10-2020
Suppliers are contractually obligated to adhere to the information security policies of the UU. All agreements made with the supplier apply to sub-contractors equally and are under the responsibility of the supplier.
Agreements with partners (including external researchers) include appropriate data management and security controls for the classification of the processing activity.
Technical specification:
–
DS.12.003. Signed Data Transport
Last updated: 5-6-2020
The identity of receiving and originating party is verified using (digital) signatures.
Technical specification:
Digital signatures must use cryptographic standards and public/private keypairs to sign documents, so they cannot be repudiated or tampered with.
S/MIME may be used for digital signing/verification. Contact secops@uu.nl for help with setting up your data transport in a secure manner.
DS.12.002. Terms of Use for Data & Access
Last updated: 30-10-2020
For the processing of data other than the primary process for which this data is collected, Terms of Use and agreements are available that detail how the data can and must be treated, also for internal processes. These Terms of Use have to be agreed to before the processing of data and the data owner remains responsible for the data and monitoring that the Terms of Use are adhered to.
Technical specification:
Data-owners are responsible for the data and remain so, even after granting access to others. This can be the case for developing new software or for research purposes. It is important that there are clear agreements on how data is handled when data classified as Critical on C-I-or -A is shared with others outside the process itself.
These agreements should look a lot like a Data Processing Agreement and contain many of the same clauses, such as how the information is secured and how incidents are treated.
DS.12.001. Encrypted Portable Storage
Last updated: 17-8-2020
Data stored on portable storage devices is stored encrypted according to modern standards.
Technical specification:
Encryption of portable storage must follow the Dutch NCSC advice for bulk data encryption as described in the guideline on TLS, which can be found here: https://www.ncsc.nl/documenten?trefwoord=TLS%20versleuteling .
UU offers tools that are considered suitable, when used right, for the encryption of data on portable storage devices. See this page for an overview of services (encrypted USB/HDD, winzip with right settings, BoxCryptor, Bitlocker, ….). See this intranet page for more on encrypting your information: https://intranet.uu.nl/informatiebeveiliging-hoe-ga-ik-om-met-externe-harddisks-en-usb-sticks .
DS.11.002. Key Personnel Management
Last updated: 30-10-2020
Individuals in teams that are the only ones capable of performing specific tasks need to be identified as Single Points of Failure. Team leaders are responsible for identifying these individuals and transferring this knowledge to other employees and procedures. If this knowledge is non-transferable, more capable staff or a retainer with a supplier that can provide this expertise needs to be arranged.
Technical specification:
–
DS.11.001. Team Capacity Monitoring
Last updated: 30-10-2020
Teams plan to have sufficient capacity to execute important tasks, also during holidays. There is monitoring on the capacity of the team and structural understaffing gets flagged and addressed. There are procedures in case of unplanned absence of team-members to continue with important processes.
Technical specification:
–
DS.10.001. Signed Non-Disclosure Agreements
Last updated: 30-10-2020
Before processing sensitive data, individuals working with the data must agree to non-disclosure agreements that limit the legal room for distributing the data during and for a period after the activities take place. NDA’s also specify consequences of breaches of the agreement and are signed by the individuals.
Technical specification:
UU contracted employees adhere to the Code of Conduct that states they will treat information with the appropriate care and keep it secret. So if you only work with UU colleagues, you do not need NDA’s. If you work with external parties though, make sure they are contractually obligated to keep sensitive information secret.
Contact HRservicedesk@uu.nl for help with NDA’s for contractors.
DS.9.002. Official Charges
Last updated: 30-10-2020
Police reports will be filed when willfully breaking of the law or actions with criminal intent are ascertained with regards to data handling. A record of this will be placed in the personnel file. The case will immediately be presented to a committee consisting of representation of the Organizational Unit, CISO and HR that will determine the disciplinary action.
Technical specification:
–
DS.9.001. Staged Warning Model
Last updated: 30-10-2020
Upon noting deviations from information security policy and inappropriate handling of data, initially an informal warning will be given by the supervisor. If a second case presents itself within a year, a formal warning will be given and logged in personnel files. If within a year of the last formal warning a new situation presents itself, a final formal warning will be given. If within a year of the final formal warning a new situation presents itself, the case will be presented to a committee consisting of representation of the Organizational Unit, CISO and HR that will determine the disciplinary action.
Technical specification:
–
DS.7.006. Access to Data in Special Cases
Last updated: 30-10-2020
In exceptional cases, such as the unexpected death of employees or contractors, access to data that has not yet been deleted can be requested by people other than the data owner or individuals who had already been granted access.
The process owner for the data must have a documented procedure available for this which is approved by the CISO Office and the DPO.
Technical specification:
If no other documented and approved procedure is available, the protocol for deceased employee is applicable to all cases of Access to Data in Special Cases. Contact informatiebeveiliging@uu.nl to follow this procedure.
DS.7.005. Returning Data and Equipment
Last updated: 30-10-2020
When data carrying devices or sensitive data is given to employees, they must sign for the appropriate handling. This information must be logged in personnel files. Equipment and data must be returned upon termination or role changes. Successful intake of data and equipment shall be registered in personnel files.
Technical specification:
Responsibility of manager or the individual that contracted services. Personnel files are the best location to store agreements and sign-offs that equipment has been returned.
DS.7.004. Access After Changes
Last updated: 30-10-2020
If revocation of access takes place after the date access was no longer needed according to the data owner (applicable to both role changes and termination of relations), logs must be inspected to determine if inappropriate actions have been performed during this window. If so, this is treated as a security incident. The outcome of the inspection is logged.
Technical specification:
–
DS.7.003. Access Revocation on Changes
Last updated: 30-10-2020
After role changes or upon termination of contractual or formal relations between the organisation and the individual, access to data that is no longer part of your role is revoked at first opportunity.
Technical specification:
–
DS.7.002. Registration of Access Requests / Revocations
Last updated: 30-10-2020
The requests of individuals that want access to information assets or authorisations to do so are logged and kept for at least 1 year. It includes the requester, and the approval (or rejection) of the appropriate data owner. Revocation requests, end of employment notifications and changes are recorded and kept for at least 1 year.
Technical specification:
–
DS.7.001. Access Approval
Last updated: 30-10-2020
Data should have a data owner. Access to data can only be given after approval of the appropriate data owner (which can be mandated or given based on roles, as long as this is documented).
Technical specification:
–
DS.5.003. Travel to High Risk Countries
Last updated: 17-8-2020
When travelling to certain countries, appropriate additional information security measures must be followed.
Technical specification:
The CISO Office will monitor a list of countries for which negative travel advice with regards to data security is published. This list will be made known and published to the organisation. There will be tailored and specific advice and facilities to support data security during travel to these locations.
See this page for advice on travelling to high-risk countries: https://intranet.uu.nl/informatiebeveiliging-reizen-naar-het-buitenland
DS.5.002. Personnel Threats
Last updated: 30-10-2020
Threats to the (online) security of affiliates of the University are reported to cert@uu.nl and appropriate custom protective measures are taken to address the risks.
Technical specification:
–
DS.5.001. Espionage and State Actor Monitoring
Last updated: 30-10-2020
Organisational processes and research that may attract Nation State actors or Corporate Espionage need to proactively monitor for signs indicative of ongoing intelligence activities, and take additional and tailored actions to protect against potential threats.
Technical specification:
When there is potential threat of espionage, appropriate measure must be taken in consultation with the CISO Office, UU Security Operations and UU FSC Security.
DS.4.005. External Visitors to Non-Public Spaces
Last updated: 30-10-2020
Non-contracted visitors into non-public areas are always accompanied by UU staff.
There must be a procedure for employees from contracted partners to commence activities on site. This procedure includes that contractors must be announced beforehand, identified, be clearly recognisable while performing work.
Technical specification:
If someone visits you, make sure that you are always with them as they navigate non-publicly accessible areas.
When a supplier sends out people to perform activities in non-public spaces, they need to register these activities with us before they start, so that we can validate anyone trying to gain access to non-public locations is authorized for that. Contact FSC Security (Tel: 4444) if you suspect someone may not be authorized to be in this location.
DS.4.004. Visible Organizational Identity Cards
Last updated: 5-6-2020
In areas designated only for employees only, employees should be clearly recognisable, carry their corporate identification card visibly and be able to demonstrate said identification upon entry and on request in the working area.
Technical specification:
UU campus cards must be worn visible in locations designated for employees only. Contractors and guest must wear a visible guest card.
DS.4.003. Extensive Background Screening
Last updated: 30-10-2020
Background verification is performed through a trusted third party that involves extensive screening for financial, national, criminal and other relevant factors that could influence the integrity and reliability of personnel before processing activities start. Background screening needs to be repeated every 10 years. If a screening finds issues, processing activities and access need to be revoked immediately and treated as a potential incident.
Technical specification:
We need to ensure that the integrity of people working in Critical roles is appropriate for their critical access. Contact HR and informatiebeveiliging@uu.nl to determine the appropriate level of screening.
DS.4.002. Background Check
Last updated: 5-6-2020
Before commencement of processing activities all individuals working with sensitive data and systems have basic background checks performed to determine integrity, suitability for the tasks and secure behaviour.
Technical specification:
At least 2 references are confirmed and contacted before the start of employment to attest to the integrity and qualities of the candidate.
Personnel is required to deliver a VOG (Dutch for: Verklaring Omtrent Gedrag, Declaration about Behaviour) covering relevant criminal history to this processing activity, or an international equivalent from local law enforcement.
A new VOG is required every 5 years. If a VOG cannot be obtained, the processing activities need to be ceased and the access of the individual revoked at first opportunity.
DS.3.005. Clear Working Space
Last updated: 30-10-2020
Desks and working spaces should be void of sensitive information, documents and portable data storage devices. This includes post-its with passwords, documents and equipment lying around.
Technical specification:
Clear your desk and working space after you are done. This applies both to the office environment and your home environment. Note that a regular locked door in the office is not sufficient protection for the information in that room. Put sensitive information under lock and key that only authorized people have access to.
DS.3.004. Enhanced Physical Protection of Information
Last updated: 30-10-2020
Information carriers, the working spaces and personal physical security are all appropriately protected, in accordance with UU FSC Security.
UU areas where processing activities take place are reported to UU FSC Security for appropriate physical protection of assets and people involved in the activity.
Technical specification:
Contact FSC security via Topdesk if you wish to check if your working space is appropriately secured.
DS.3.003. Physical Protection of Information in Working Spaces
Last updated: 5-6-2020
Information is stored appropriately in locked cabinets in working spaces.
Physical working spaces not intended to be open and publicly accessible need to be secured appropriately.
Technical specification:
For non-public workspaces, University buildings need to be protected according to the appropriate operational standards of UU FSC Security, corresponding to “Standard Area” or higher.
Contact FSC security via Topdesk if you wish to check if your working space is appropriately secured.
DS.3.002. Lock Screen
Last updated: 30-10-2020
All systems and devices that are not actively manned and used, need to be locked when leaving the working space unattended.
Technical specification:
Windows key + L, or Ctrl + Cmd + Q on Mac.
DS.3.001. Clear Screen
Last updated: 5-6-2020
Individuals are responsible for maintaining a clear and secure digital working space. This means no text files with passwords or sensitive information, cleaning up data and archiving historic data appropriately and no installing of excessive programs and tools.
Individuals that work from public locations use privacy screens when accessing information.
Technical specification:
Keep your screen clear and be aware of your surroundings and who may be able to see what you are doing. If you frequently have to work with sensitive information in (semi)-public spaces, consult with your manager if you can obtain a ‘privacy-screen’ for your laptop.
DS.2.007. Learning From Incidents
Last updated: 30-10-2020
Where there are repeated security incidents, lessons will be drawn and the source of (repeated) incidents addressed in a structural manner, changing processes and supporting IT where appropriate.
Technical specification:
It can always happen that something goes wrong by accident, but if a process goes wrong in the same way multiple times, that is a good reason to critically evaluate if there are other ways to perform this process. If assistance is desired in seeing if there are more secure (and often more efficient) ways to perform a process, please consult informatiebeveiliging@uu.nl
DS.2.006. Social Media Policy
Last updated: 30-10-2020
The organization has a social media policy. The CISO Office is consulted for the policy to address security aspects.
The Social Media policy distinguishes between acceptable and representative uses of Social Media for private use, and how Social Media representing the organization must be managed.
Social Media software is subject to the Information Security policies.
All individuals are informed of and adhere to the Social Media Policy.
Technical specification:
Remember when using Social Media that you are considered a representative of the organization. When in doubt whether statements may be considered offensive, local communication experts can always be consulted.
Scraping Social Media is a data processing activity that should not be performed without following the necessary steps listed in DS.1.002 and having performed the necessary Privacy checks.
DS.2.005. Appropriate Handling of Information
Last updated: 30-10-2020
Information is only distributed to people that have a legitimate need for it. Authentication details and tokens are never shared (not to colleagues or secretarial staff). Only the minimum amount of information that is needed for a purpose is shared, through channels appropriate for the level of data classification.
Technical specification:
Do not share credentials, logins or unnecessary information from your applications with anyone. This includes colleagues that may have to perform certain tasks or favours for you, use appropriate ways to achieve those goals.
DS.2.004. Security Awareness Review
Last updated: 30-10-2020
In performance reviews, secure behaviour is discussed and part of the evaluation.
Technical specification:
Managers should make sure that working securely and attentively is something that is monitored and part of feedback. Reporting of (potential) risks and incidents should never be punished but rewarded and motivated, and are part of a positive review. Demonstrating the behaviours listed in DS.2.002 should be actively encouraged.
Last updated: 30-10-2020
Data can only be moved to hardcopy with express permission of the data owner.
Information Security policy and controls are equally applicable to hardcopy data.
Technical specification:
Do not print critically sensitive information, unless you have explicit permission to do so. You need to treat printed information as secure as digital information.
DS.2.002. Secure Behaviour
Last updated: 30-10-2020
Everyone working with UU data consistently demonstrates secure behaviour.
Technical specification:
Secure behaviour includes at least the following:
• Knowledge and awareness of policies
• Follow University Information Security policy
• Knowledge of who in the organisation can be contacted for help
• Alertness and reporting of phishing and suspicious behaviour
• Reporting of data breaches and security incidents (also on personally owned hard- and software if it contains organisational data)
• Approach and inform colleagues when they demonstrate unsafe behaviour
All (suspected) information security incidents are reported to CERT at cert@uu.nl. Follow-up steps suggested by CERT to mitigate the damage will be followed.
DS.2.001. Secure Working Training
Last updated: 30-10-2020
People must receive instructions and training on how to work securely using most common organisational IT services before processing data.
Technical specification:
As a manager you need to ensure that individuals working under you have received the right instructions and training to perform their work activities in a secure manner. When in doubt, contact informatiebeveiliging@uu.nl about training options.
DS.1.005. Responsible Emailing
Last updated: 17-8-2020
Users should adhere to best internal practices regarding email to avoid causing data breaches, to limit the impact in case data breaches happen and to support forensics and impact if a data breach does happen.
Technical specification:
• Do not forward mails to private email addresses;
• Do not synchronize sensitive mails to devices without appropriate security;
• Check recipients and make sure to use official work addresses for work-related matters (not private emails);
• If not necessary for recipients to respond to all other recipients, send emails with recipients in the BCC;
• Do not email sensitive documents but use other more suitable means when available;
• Where possible:
o Use only links to internal and official UU pages. If necessary, include external links but warn recipients in the email that URL’s are to non-affiliated external entities;
o Do not use URL shorteners in emails. If necessary, attach anchors/links to shorter pieces of text but include the full URL;
o If URL shorteners are necessary, use the official Edu.nl shortener (NB: External link: https://edu.nl) ;
o Set retention policies on mail archives and folders to delete no longer needed information automatically.
DS.1.004. Usage of Organisationally Managed Systems
Last updated: 30-10-2020
Data processing activities should be processed and stored exclusively on organisationally managed (either contracted or governed by the organisation) hard-and software.
Technical specification:
Use only official UU managed hardware and supplied facilities to process Critical information.
DS.1.003. Usage of Suitable IT
Last updated: 30-10-2020
IT services used in the processing activity are considered suitable according to their communicated IT Security Capability level.
Operating procedures for correct and secure usage of the IT services, delivered by the service, are followed.
The IT service offers appropriate functionality for uptime (Recovery Time Objective) and backups (Recovery Point Objective) for the data processing activity.
Technical specification:
When processing information, you normally make use of 1 or more IT services. For example, you could receive information in your email, store it locally on your managed laptop, modify it in an application and upload it to SharePoint. Each of the services you use needs to be appropriate for use.
What is appropriate is determined by the classification of the processing activity and the Security Level of the services you are using. UU services should be offered with a specific Security Level.
DS.1.002. Registration of Processing Activities
Last updated: 30-10-2020
All processing activities (with and without PII) need to be registered and maintained, this is the responsibility of the process owner.
The registration contains at least the classification of the processing activity, the process owner and a description of the IT services used for the activity.
Technical specification:
On this page (internal) it is explained how to add processing activities to the processing registry. Classification is a part of that process.
DS.1.001. Classification of Processing Activities
Last updated: 30-10-2020
All information processing activities have an owner, the process owner.
All processing activities need to be registered and maintained, this is the responsibility of the process owner.
All processing activities need to be classified to determine the potential impact to the organization.
The CISO Office will publish and maintain a classification procedure.
Classifications are updated every 2 years or when major changes to the processing activity warrant re-classification.
Technical specification:
On this page (internal) it is explained how to add processing activities to the processing registry. Classification is a part of that process.