Guideline for the Administration of IT Systems and IT Services

The policy for the administration of IT systems and IT services in the university network can be viewed as a full text (Eng.) or downloaded as a PDF document (Ger.). The English full text below is a reading version. The German version is binding.

Guideline for the Administration of IT Systems and IT Services in the network of Philipps Universität - PDF Download (Ger.)

  • 1 Goals

    According to the Information Security Guideline of Philipps Universität, confidentiality, integrity and availability of IT systems and IT services are the most important protection goals of information security. Improper administration of IT systems facilitates attacks on various information networks and directly affects these protection goals. This guideline is intended to support IT administrators in properly administering the IT systems and services entrusted to them so that the protection goals of information security and data protection are achieved and maintained. This guideline does not replace more detailed regulations that must be made, for example, in IT security concepts for IT systems and IT services. The marking of the binding nature of requirements by "must", "must not" and "should" is based on the definition of the Federal Office for Information Security (BSI, Ger.).

  • 2 Definitions and scope of application

    2.1 IT administrators

    IT administrators are persons who set up or operate an IT system or an IT service for use by other persons. Persons who provide support for specialist applications or subsystems are also IT administrators within the meaning of this guideline.

    2.2 IT system

    IT systems are technical systems that serve to process information and form a self-contained functional unit. Typical IT systems are servers, clients, cell phones, smartphones, tablets, IoT components, routers, switches and firewalls.

    2.3 IT service

    An IT service is an electronic information and telecommunication service as defined by the Telemedia and Telecommunications Act (Cf. Section 1, Paragraph 2, lit. c of the Regulations of the Philipps Universität for the Use and Operation of Information Technology/IT Management and Regulations).

    2.4 Authentication

    Authentication refers to the proof or verification of authenticity. Authentication of an identity can be done by password entry, smart card or biometrics, among others; authentication of data can be done by cryptographic signatures, for example. Authentication of an identity can also be done by cryptographic signatures.

    2.5 Authorization

    Authorization involves checking whether a person, IT component or application is authorized to perform a particular action.

    2.6 Scope of application

    This policy applies to all IT administrators at Philipps-Universität Marburg.

  • 3 Organizational requirements

    Administrative roles must be separated from controlling roles (e.g., auditing).
    If several IT administrators jointly administer a system, the distribution of tasks must be regulated: The specific tasks of the IT administrators should be documented in writing to avoid mutual interference as well as ambiguities about areas of responsibility. In addition, fixed contact persons and communication interfaces should be defined to facilitate professional exchange.
    In the event of illness or vacation, a substitute for administration should be named and instructed.

  • 4 General tasks and responsibilities

    IT administrators ensure that IT systems and IT services operate as smoothly as possible. It must be possible to achieve the protection goals of IT security and data protection and to monitor compliance with these protection goals. The implementation of the measures required for this depends on the protection needs of the data being processed.
    IT administrators should inform themselves continuously and on an event-driven basis about security-relevant and system-stabilizing patches, updates and other measures for dealing with security risks and implement them. When gathering information, it makes sense to rely on at least two sources. Some sources of information include:
    - Federal Office for Information Security (BSI)
    - Warnings of the CERT Bund (Ger.) – The Computer Emergency Response Team of the BSI
    - Heise-Security newsletter (Ger.)
    - Manufacturers or distributors of applications and operating systems

    4.1 Secure configuration of IT systems and IT services

    Before productive use, IT administrators should inform themselves about the measures required to comply with the protection goals. This applies in particular to systems on which data with a high protection requirement in terms of confidentiality, integrity and availability is processed. In addition, the hardware and software should be tested.
    IT administrators must implement suitable and appropriate security solutions for the system (e.g., antivirus software, firewalls, etc.). They should use centralized configuration management and automated software distribution. Only necessary IT services, ports and permissions should be enabled.
    For the automation of administration tasks, passwords should only be stored if there is no other (technical) solution. (Storing passwords sends the wrong signal about the secure handling of passwords.)

    4.2 Secure operation of IT systems and IT services

    Only IT systems and IT services for which security patches are provided and installed may be operated on the university data network. IT administrators must inform superiors and the Staff Unit Information Security of systems in their area of responsibility for which security patches can no longer be provided or installed.
    IT administrators must perform regular data backups (also to offline media, depending on the need for protection) of the IT systems. A data backup plan should be created for this purpose. IT administrators should ensure that particularly sensitive backup copies are kept locked away. Electronic media that are no longer needed must be segregated and securely erased or destroyed before disposal.
    To keep downtime of IT systems and IT services low and to monitor their functionality, IT administrators should use appropriate monitoring. When creating log files for IT systems and IT services, attention must be paid to data protection and co-determination aspects as well as to the principle of data economy. Inspection of log files is only permitted to safeguard operations and for error analysis. IT administrators must limit access rights to and the retention periods of log files to what is necessary.
    To prevent malfunctions, IT administrators must perform maintenance work on a regular basis. IT administrators must perform security-relevant maintenance immediately. If preparations are necessary, they must start immediately. Maintenance work should be carried out in such a way that ongoing operations are disrupted as little as possible. IT administrators should announce maintenance and repair work to the affected persons in good time. Maintenance work on IT systems should be documented. Administrative procedures that may have a critical impact on IT systems or IT services should not be carried out before the responsible IT administrator is absent for an extended period of time.
    Maintenance work should be carried out by competent persons. Maintenance and repair work by external parties should be supervised. If this work is carried out as remote maintenance, the regulations of the remote maintenance guideline for IT systems (Fernwartungsrichtlinie für IT-Systeme, Ger.) of Philipps-Universität Marburg apply.
    IT administrators must rectify faults in IT systems and services immediately. Serious malfunctions must be analyzed and improvement options for avoiding the malfunctions in the future must be worked out. These should be documented.

    4.3 Documentation

    Changes made to an IT system should be documented by IT administrators in a log. (This includes, for example, changes to hardware, software, configuration or location). This makes it easier for replacements and successors to get started in their jobs. In addition, it makes it easier to resolve or track security incidents.
    The documentation should show
    - what changes have occurred,
    - when the changes were made,
    - who made the changes, and
    - on what basis or for what reason the changes were made.
    The type of documentation should be defined in a security concept. Existing logging mechanisms of systems and IT services should be used to a suitable extent. For example, system logbooks, ticket systems or similar can be used for documentation.

    4.4 Authentication and authorization

    Authentication with administration and user accounts on IT systems and IT services must be performed via encrypted network connections. To prevent the entry of authentication data in fraudulent IT systems and IT services, the authenticity of the IT system or IT service must be clearly verified before authentication. Passwords must be protected with a state-of-the-art hashing or encryption method. IT administrators must secure access to an account using a suitable authentication procedure. If the authorization to use an account has expired, IT administrators must block access. Administration and user accounts should only be used by one person.

    The following applies to administrative accounts:

    • Passwords for administrators must be more complex (e.g., longer passwords, more different character categories, 2-factor authentication) than passwords for user accounts. IT administrators must change pre-set default passwords from the manufacturer of hardware and software before going live. A copy of administration account credentials should be kept in a locked envelope in a safe.
      IT administrators must use accounts with tiered privileges for administration tasks. The administration account may only be used for administration tasks. In particular, it may not be used for everyday tasks such as processing e-mails or surfing the Internet. Logging in with an administration account may only take place on trustworthy systems that are specially protected. Systems intended exclusively for administration should be used for this purpose. In particular, paragraph 5 (3) and (4) of the IT Management and Regulations must be observed.
    • If an IT system or an IT service is managed by several IT administrators, each IT administrator should use a separate administration account. If IT administrators are responsible for different tasks (database, system administration, etc.), the permissions should be adjusted so that each IT administrator only has the permissions required for his or her task. When an administration account is taken over, the associated password must be changed, e.g. at the beginning and end of a substitution or when a person who had knowledge of this password leaves the company.

    The following applies to user accounts:

    • Users may only have access to data that they need for their work. Attention should also be paid to the type of access (e.g., read, write, execute).
    • IT administrators should support users in preventing unintentional file sharing and settings that jeopardize data security.

  • 5 Data protection requirements

    All information that IT administrators become aware of as a result of their increased authorizations to IT systems in the course of their activities must always be treated confidentially. Unauthorized access by third parties must be prevented. (A third party is a natural or legal person, authority, institution or other body other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or processor (GDPR Art. 4, Para. 10)). The obligation to maintain data secrecy remains in effect even after termination of employment at the University of Marburg.
    For existing and newly introduced systems that process personal data, IT administrators must coordinate the need for appropriate data protection documentation with the legal department. If personal data is processed by external service providers, a contract processing agreement must also be concluded.
    According to Art. 5 GDPR, personal data may not be processed for any purpose other than that which is part of the respective lawful performance of tasks. The inspection of other content (in particular e-mails) is not permitted without a corresponding legal basis.
    If electronic data carriers are given to external third parties as part of warranty or maintenance services, IT administrators must ensure that they cannot access the data.
    IT administrators must report data protection incidents to the data protection officer immediately (datenschutz@uni-marburg.de, +49 6421 28-26484).

  • 6 Behavior in case of security incidents

    In the case of serious security incidents, e.g. running malware, breaking into a system or unauthorized manipulation, IT administrators must immediately disconnect the affected system from the Philipps-Universität data network.
    IT administrators must immediately report security incidents to the Staff Unit Information Security (it-sicherheit@uni-marburg.de, +49 6421 28-28281).