Beruflich Dokumente
Kultur Dokumente
1. INTRODUCTION
1.1 Definitions
In these rules, maintenance and administration refer to
a single data processing device or facility, or a system composed of such devices that are owned by
the University or are connected to the University network
the University computer network
software and services running in the University computer network, and
the information content of all the above-mentioned systems.
A University unit refers to a faculty, department, division or other functional unit of the University.
The responsible owner of a specific information system within the University refers to the unit for
which the information system has been acquired, and which designates the persons entitled to use the
information system. The owner of information materials may also be the author of the materials, as
defined in the Copyright Act.
The manager of an University information system is responsible for the management of said
information system unless the management responsibilities have been transferred to another unit
within the University or outsourced by contract. Usually, the manager of an information system is not
the system administrator.
System administration refers to persons responsible for the technical management of the
University’s information systems and to other University IT support personnel, who collaborate to
maintain the systems and provide user support and guidance. In a broad sense, the term ‘administrator’
refers to all persons having administrative rights in the system.
1.2 System administrators’ privileges
To ensure the functionality of information systems, an administrator has extensive rights to inspect
the status of the systems and, if necessary, to intervene in the function of the systems, in the actions
of individual users and in their data in the systems if there is reason to suspect that such data violate
current regulations or rules for the use of information systems (e.g. illegal copies of music or films).
To eliminate and fend off breaches of information security, an administrator has the right and
obligation to take necessary steps to ensure information security. Cases of information security
incidents shall be dealt with in accordance with the University of Helsinki Information Security
Policy and the instructions for responding to information security incidents.
To avoid a conflict between an administrator's privileges and the legal protection of the users of the
system, the application of an administrator's privileges is controlled by guidelines and rules based on
current regulations. The University’s IT Center is responsible for the University’s information
security policy, which, along with other valid regulations and instructions for the use of the
University’s information systems, will be posted on the University’s web site. Departments and units
may issue detailed system-specific rules and instructions.
These rules are binding for all system administrators at the University, including students, should they
be the administrator of an information system or part of such a system that is connected to the
University information network.
2. Responsibilities
A unit must document the information systems or system entities in its possession, prioritise them
when necessary, and assign and document the managers and administrators. The owner of the
information system is responsible for the existence, validity and availability of information system
documentation.
The owner of the information system and, ultimately, the head of unit are responsible for ensuring
that the system adheres to current legislation, good administrative practices and current guidelines
and regulations issued by the University. The owner is always ultimately responsible for the
maintenance of the system. The information systems manager is responsible for the technical
maintenance of the systems in accordance with good administrative practices. Every system must
have designated administrators. Administrative duties shall be distributed, if possible, to several
individuals with different access rights. The actions and procedures taken by administrators shall also
be logged.
The owner or manager of an information system is not responsible for the contents of an individual
user’s data. Users are personally responsible for the legality of their data and are required to protect
them in accordance with the guidelines issued by the University. The manager of an information
system has, however, the right and obligation to intervene with a user’s data if there is reasonable
cause to suspect that it contains information security hazards or illegalities.
If an administrator is suspected or has been found to have misused his or her privileges, the head of
the relevant unit or a contact person designated by the head shall be contacted. The head or the contact
person shall inform the Campus Information Security Officer. Further measures, if any, shall be taken
in accordance with the University of Helsinki Information Security Policy.
3. Policy of operation
When users request an administrator to handle their email or other files, the administrator must check
the person's identity in an appropriate manner, for example, by verifying their identity against an
official certificate of identification.
An administrator may contact a user either by calling a telephone number found in the University’s
information systems or by sending him or her an email. If, however, there is suspicion that the user
ID has fallen into the wrong hands, email should not be used.
3.3 Confidentiality
Administrators are bound by confidentiality and a ban on the exploitation of information not related
to work and of the existence of such information that they may learn while performing their
professional duties. Non-public work-related matters may be discussed only between individuals or
authorities that are bound by the same confidentiality and to whose professional duties the matter is
relevant.
Administrators in particular are bound by Section 40, Sub-Section 5 of the Penal Code, according to
which public officials must not deliberately, while in office or thereafter, unlawfully disclose a
document or information which under law is to be kept secret or not to be disclosed.
4. Practicalities
If the rectification of a problem requires the administrator to temporarily assume a user's identity, the
user must either be present to provide his or her password to the authentication service, or the
administrator must assume the user’s identity through administrators’ privileges. The user must be
informed of the latter beforehand or as soon as possible. The administrator must not retain the user’s
identity any longer than is necessary for rectifying the problem.
In situations described above, the administrator must verify the identity of the user in an appropriate
manner.
Administrators shall resort to main user privileges only when their maintenance duties so require. In
all other cases, they shall use their own personal user IDs.
The investigation shall be carried out and consequent further measures shall be taken in accordance
with the University of Helsinki Information Security Policy.
4.3 Processing of emails
According to the Constitution of Finland, the secrecy of correspondence, telephony and other
confidential communications is inviolable, unless otherwise provided by law. An email message is
analogous to a letter in that it is confidential unless it has been intended for public distribution.
The principles for processing email are laid out in the Rules for processing email. The present Rules
for the maintenance of University of Helsinki information systems provide rules for special
circumstances in which an administrator must intervene with email communications to ensure the
service level or security of the system.
An administrator has no right to view a user’s email. An administrator may be required to open files
containing a user's email in the following situations:
A user requests this from the administrator. For example, the request can be made in a situation where
the user's mailbox cannot be opened with the software at the user's disposal. The authorisation to open
files containing a user's email concerns only that one instance. If the user asks for information about
the contents of the mailbox, the administrator must, without exception, verify his or her identity (see
Section 3.2).
A user's mailbox causes a disturbance because of, for example, its large size or damaged structure.
o A mailbox that disturbs the flow of e-mail due to its large size must be transferred to another location
without opening it. The user must be notified of the new location of the mailbox if the mail system
cannot automatically find it. If the mailbox cannot be placed in a location accessible to the user
because of its large size, a method for transferring the messages to the user must be agreed upon with
the user. A transferred mailbox may be compressed to a less space-consuming format, provided that
the user receives detailed instructions for accessing the emails. A large mailbox may also be deleted
in exceptional circumstances if no other reasonable action can be taken. The decision to delete a
mailbox will be made by the head of the unit administering the system.
o An administrator is allowed to repair a structurally damaged mailbox without asking the user's
permission. However, the administrator is not allowed to read any textual contents addressed to the
recipient.
o The user shall be immediately notified of any non-standard procedures performed on his or her
mailbox.
The email system cannot deliver a message due to its insufficient or damaged structure. In such a
situation, the administrator is authorised to examine and repair the technical guidance data of the
message. However, the administrator must not, as far as possible, read the textual contents addressed
to the recipient of the message.
An administrator also has the right to purge mail that is being delivered of any messages that
jeopardise the proper functioning of the email system, as well as of messages generated by a technical
error that are thus obviously unnecessary.
However, an administrator has the right to open files owned by users under the following
circumstances:
Access and modify initialisation files, email forwarding or sorting files as well as other files in the
users’ home directories that affect the functioning of the system if such files are found to threaten the
functionality or security of the system or the information security of users. If modifications cannot be
performed without erasing the modifications made by the users themselves, the old version made by
the user must be transferred to another file name and the user must be notified of this.
Verify that common disk areas do not contain files that are illegal or threaten the functionality or
security of the system or the information security of users. Such files include, for example, malware,
recordings that violate copyrights and illegal data as defined by the Penal Code.
Manually or automatically delete files from disk areas that have been assigned for temporary storage.
This deletion must take place in accordance with previously-agreed principles, which are also
available to users. However, the users need not be informed of these deletions.
Delete documents from print queues if they hamper the operations of the print services. Users need
not be informed of these deletions.
If an administrator finds that the protection of a file or a directory is insufficient in relation to its
nature, he or she has the right to upgrade the protection to the necessary level.
In carrying out maintenance and administrative duties, administrators shall take care to not display
file names and equivalent information unnecessarily. For example, when file listings are needed to
solve a problem, if possible, those file names that do not pertain to the matter at hand will be deleted
from the list.
The monitoring of network traffic does not involve the contents of the information transferred, but
rather the amount and nature of the traffic. The monitoring of source and target computers is statistical
in nature and does not focus on an individual user, except in cases of disturbances. However, the
traffic of an individual system can be monitored in greater detail if anomalies, such as excessive traffic
load, are being investigated.
An administrator of the data communications network may deny a computer or a part of the network
access to data communications or the use of a certain service if this computer or part of the network:
Causes traffic that jeopardises the high level of service or security of the network,
Gives cause to suspect that a computer or computers have fallen into the wrong hands or are infected
by malware.
Breaches the Rules for the use of University of Helsinki information systems
Is not properly maintained and administrated, especially in view of information security.
In all of the above cases, the administrator responsible for the computer or part of the network shall
be contacted without delay once access to data communications has been denied.
Backup copies shall be stored in an appropriate manner, and the administrator shall ensure that they
are accessible. The processing of data on backups shall comply with the same principles as the
processing of equivalent data in information systems. The deletion of backups shall take place in such
a manner that the confidentiality of the data in them will not be compromised.