Academic Staff Council
New guidelines for employees on information security in everyday working life
Several WU Policies (WUPOLs) on information security were published at the beginning of September. These WUPOLs implement the requirements of the Rector's Council's Directive on Information Security Management at WU and are aimed at all WU employees and the responsible service units (IT-SERVICES, IT-S) with specific regulations and instructions. Some of these regulations and instructions are new and some are an update of existing regulations. A transition period of six months from publication applies to new measures, i.e. until the end of February 2024.
The publication of these WUPOLs has already been announced and briefly commented on in the WU memo. At this point, we would like to highlight key content from the perspective of the Academic Staff Council, briefly summarize it and provide further reading references. Note: The references to further sources (e.g. WU Wiki) require that you are in the WU network (also via VPN).
Passwords
According to the WUPOL “Information Security Guidelines for User Account Security” (English translation is not yet available, see the German version here), there are specific requirements regarding the length and nature of the password for the WU account. Every "normal" password must have at least 12 characters, contain upper and lower case letters and at least one number or special character. This password must be changed once a year, unless it is additionally protected by two-factor authentication (2FA). According to the WUPOL “Information Security Guidelines for Employees”, this password may not contain any connection to existing public information about the employee (username, first or last name, birthday, etc.), may not be passed on and may not be used for privately used accounts. If the password is to be saved, a password manager that enables encrypted storage must be used. WU recommends and provides the open source product KeePass with certain basic settings for this purpose. Important: The use of self-selected password managers (such as those built into the web browser) does not automatically ensure that the requirements are met. If in doubt about whether an alternative password manager is acceptable, it is advisable to contact hotline@wu.ac.at. At the request of IT-S or if there is a suspicion that the WU account is no longer sufficiently secure, the password must be changed, whereby the new password must differ from the previous password by at least three characters. It should be noted that these requirements for the choice of passwords in principle also apply to the use of WU-external cloud services (e.g. if you maintain an account with a third-party service using the WU email address) and to the choice of access passwords for secure data carriers. Stricter requirements apply to WU accounts with privileged access rights to a WU device (e.g. administrator rights to a workstation), to WU data and/or to WU services. The password can be changed via the Controlpanel application.
However, due to the transition period, the Controlpanel currently only requires a password of at least 10 characters. It can be assumed that the information there will be updated shortly.
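The rules summarized above (length, character classes, no connection to public information about the employee, and a new password differing from the previous one by at least three characters) can be expressed as a small policy check. The following is an added example, not WU's own tooling and not part of the WUPOL; how "differs by at least three characters" is measured (Levenshtein edit distance), which date formats count as "birthday" fragments, and the minimum fragment length of three characters are all assumptions made here, and the `PublicInfo` fields are constructed for the example:

```python
"""Policy check for WU-style password rules (added example, assumptions noted inline)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PublicInfo:
    """Public facts about the account holder that the password must not contain.
    Field set is an assumption; the policy only lists username, name and birthday as examples."""
    username: str
    first_name: str
    last_name: str
    birthday: Optional[date] = None

    def tokens(self) -> List[str]:
        """Lower-cased fragments to search for in the password.
        The birthday formats and the three-character minimum are assumptions."""
        toks = [self.username, self.first_name, self.last_name]
        if self.birthday is not None:
            for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%Y%m%d", "%d.%m.%Y"):
                toks.append(self.birthday.strftime(fmt))
        return [t.lower() for t in toks if len(t) >= 3]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used here to interpret 'differs by at least three characters'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(password: str, info: PublicInfo,
                   previous: Optional[str] = None, min_length: int = 12) -> List[str]:
    """Return a list of rule violations; an empty list means the password is compliant.
    min_length defaults to the 12 characters of the WUPOL; pass 10 for the transition period."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    # "at least one number or special character": anything that is not a letter or digit counts as special
    if not any(c.isdigit() or not c.isalnum() for c in password):
        violations.append("no digit or special character")
    # case-insensitive substring match against public information about the employee
    lowered = password.lower()
    for tok in info.tokens():
        if tok in lowered:
            violations.append(f"contains public information: {tok}")
    if previous is not None and edit_distance(password, previous) < 3:
        violations.append("differs from previous password by fewer than 3 characters")
    return violations


if __name__ == "__main__":
    # constructed sample employee, not a real person
    employee = PublicInfo("jdoe", "Jane", "Doe", date(1990, 5, 17))
    for candidate in ("correct-Horse-battery-42", "Short1!", "JaneDoe1990xyz!"):
        print(candidate, "->", check_password(candidate, employee) or "OK")
    print("change 42 -> 43:", check_password("correct-Horse-battery-43", employee,
                                             previous="correct-Horse-battery-42"))
```

The substring match is deliberately coarse: a last name such as "Doe" would also flag a password containing "does". That errs on the side of rejecting, which is the right failure direction for a policy check, and a checker like this is a complement to a password manager such as the KeePass setup WU provides, not a replacement for it.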
What to do if you leave your workplace – even if only for a short time
If you leave your workstation, the screen of the workstation computer must be locked (Windows: Windows key + "L", macOS: Ctrl + Command key + "Q"). This is particularly important if you are connected to a WU service via your own WU account (mail client, Canvas, SAP, BACH, LEARN, etc.). If it is not possible to lock the screen, as is the case with the course instructor PCs in the auditoriums, and you leave the room e.g. during a course unit, you must end all sessions based on your WU account (such as Canvas, ownCloud, OWA) by logging out. This is to prevent misuse by unauthorized persons. However, it is obvious that this can be difficult to implement during courses with short breaks and a time-consuming login with a second factor in Canvas, for example. Nevertheless, a corresponding exception for these cases is not provided for in the guidelines.
Basic rules of conduct
The WUPOL “Information Security Guidelines for Employees” also states that any activities that could circumvent the security software of a device (e.g. deactivation of security measures, attempts to circumvent security measures) should be avoided and that no programs should be used to find vulnerabilities or passwords in end user devices or servers or that could compromise a person's privacy. Regardless of whether data is handled digitally or physically, access should only be granted to those persons who are authorized to do so. This means that all actions that would allow unauthorized persons to gain access to protected data should be avoided.
Incoming mails should always be checked carefully, in addition to and independently of the technical countermeasures of the mail client (e.g. Outlook, Thunderbird). The WUPOL and an additional checklist provided offer steps for checking this. In case of uncertainty, suspicion of a phishing mail or suspected loss of data, you should contact hotline@wu.ac.at directly. In principle, all information security breaches should be reported via this contact, although the WUPOL itself lists further contact options.
Scope of the WUPOLs
Finally, it should be noted that these guidelines are binding for WU employees who work with a WU device in the WU network. WU employees who have not been provided with a WU device by their employer and therefore have to work with a private device (e.g. teaching tutors) are generally not covered by the WUPOLs. In this regard, it should be emphasized that not being provided with a WU device is actually not intended by IT-S and you should contact your supervisor, the department head or the IT-S in such a case. In principle, every employee should be equipped with a WU device.
In principle, the WUPOL “Information Security Guidelines for Employees” also applies in the context of teaching and research. However, if an exception is required for research and/or teaching purposes, the responsible organizational unit (e.g. institute, department) must take appropriate compensatory protective measures or an implementation plan must be drawn up and approved by the CISO. If this does not lead to an agreement, an exception can be approved by the Rector's Council.
Finally, it should be emphasized that these and all other requirements of the WUPOLs are binding instructions from the employer. If they are disregarded, this may result in a breach of duty, which may also have individual consequences. Should any questions or problems arise in connection with these requirements, we will be happy to help you find a solution. You are welcome to send your inquiries to wiss.betriebsrat@wu.ac.at.
19.12.2023