Basic principles
Risks related to IT security at EPFL are increasing due to growing IT needs and the increasing number of interconnections, as well as system complexity.
The security of the EPFL information system – namely its availability, integrity, confidentiality and traceability – ensures the continuation of EPFL activities and protects the institution’s reputation. EPFL owns the product of the administrative work of its employees and members of teaching staff.
Responsibilities
The behaviour of employees and members of teaching staff has a significant impact on protecting the information system. EPFL is responsible for ensuring that its employees, teaching staff, student body, guests and service providers have access to reliable and efficient IT resources which are appropriate to their requirements. EPFL is required to provide appropriate training to its employees and members of teaching staff for the use of these IT resources.
In exchange, each user should:
- take all necessary measures to protect the information system available to him/her;
- immediately notify the Direction of the Information Systems Department (DSI) of any breach of information system security and refrain from disclosing this to unauthorised third parties;
- notify the Data Protection Officer (PDO) of any personal and/or sensitive data leaks without undue delay, using the ServiceNow form;
- only use the resources at his/her disposal to carry out the tasks entrusted to him/her under his/her contractual relationship with EPFL;
- protect any information which he/she removes from the scope of the EPFL information system (USB flash drive, smartphone, etc.) or which he/she accesses from outside EPFL (via VPN, smartphone, etc.).
Heads of Unit are responsible for ensuring that the employees and members of teaching staff under their responsibility are aware of these directives and enforce them.
Each member of teaching staff is required to inform his/her students of their obligations regarding third-party rights (copyright, royalties, licences, etc.) for software, works of authorship, etc.
See also the “Research Data Management” and “Data Protection” chapters.
Legal basis
- LEX 1.0.1 “Loi fédérale sur les écoles polytechniques” (Arts 36a and 36b)
- LEX 4.1.0.1 “Loi sur le personnel de la Confédération” (Art. 22)
- LEX 4.1.0.4 “Ordonnance sur le personnel du domaine des Ecoles polytechniques fédérales” (Art. 57)
- LEX 6.5.1 “Information System Security Policy (PSSI)”
- LEX 6.1.4 “Directive on the Use of EPFL Electronic Infrastructure”
- LEX 6.1.3 “Directive on the Use of Private Computer Equipment for Professional Purposes”
- LEX 6.1.5 “Ordinance for the Use of Software Subject to a License Agreement”
- LEX 4.1.0.8 “Ordinance of the ETH Board on the Organisation of the Conciliation Commission under the Gender Equality Act for the ETH Domain”
- “Ordinance to the Federal Act on Data Protection”
Advice for day-to-day business
Refer to the basic training on IT security created by the Direction of the Information Systems Department and made available on the Human Resources website for training courses. In case of doubt, contact 1234 before attempting to solve the problem.
Laptop hard drives are not suitable for data storage. Ensure that data are regularly backed up so that they may be retrieved in case of equipment failure, deliberate alteration or human error. This data backup is guaranteed for data stored centrally by the Information Systems Department Direction based on the subscribed service level (system of “Common[unit]” drive). Regularly check that old data can be retrieved and remain aware of the terms/specifications for backups (frequency of backups, period during which data can be recovered, how to retrieve saved data).
Confidential data stored on removable storage media (USB drives, hard drives, etc.) must be encrypted. The encryption key must be safely stored and not on the encrypted medium, but accessible to employees and members of teaching staff and their unit to avoid losing access to data. If encryption is not possible, please keep data storage devices under lock and key.
Both the storage and the processing of sensitive and/or personal data in the cloud are subject to legal restrictions (for example, the notion of professional secrecy and the Data Protection Act). The same applies to support staff based abroad who could access these categories of data stored or processed in Switzerland. The DSI provides a guide for the use of the cloud to help clarify the situation in relation to these laws and regulations.
Mobile devices (phones, laptops, tablets, USB drives) can be tapped or lost and are therefore not appropriate for storing sensitive data. Any mobile device containing or giving access to EPFL data which is taken off the EPFL premises must be protected with a password, and hard drives must be encrypted. If encryption is not technically possible, they shall be protected from theft or loss at all times (they shall not be left unsupervised, for example).
Protect all accounts with secure passwords. A strong password:
- comprises at least 10 characters;
- contains none of the following: the user’s name, the name of someone in the user’s close circle, the name of EPFL or an EPFL unit, a word from a dictionary;
- does not contain a complete word;
- is completely different from the user’s previous passwords;
- includes uppercase and lowercase letters, numbers and special characters (£, !, /, etc.).
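A checker that enforces the password rules above as written, added here as an illustration (it is not an EPFL tool); the name list, the stand-in word list and the similarity threshold used for "completely different from previous passwords" are constructed assumptions:

```python
import string
from difflib import SequenceMatcher

# All sample data below is constructed for this demo; a real deployment would load
# the user's names, unit names and a full dictionary from its own sources.
FORBIDDEN_NAMES = ["Alice", "Martin", "EPFL", "DSI"]                # user, close circle, EPFL, unit
DICTIONARY = {"password", "welcome", "summer", "winter", "secret"}  # stand-in word list
SPECIAL_CHARS = set(string.punctuation) | {"£"}
SIMILARITY_LIMIT = 0.6  # assumed threshold for "completely different" (not stated by the policy)


def password_problems(password, previous=(), names=FORBIDDEN_NAMES, dictionary=DICTIONARY):
    """Return the list of policy rules a candidate password violates; [] means compliant."""
    problems = []
    lowered = password.lower()

    if len(password) < 10:
        problems.append("fewer than 10 characters")

    # No user / close-circle / EPFL / unit name, matched case-insensitively as a substring.
    for name in names:
        if name.lower() in lowered:
            problems.append(f"contains the name '{name}'")

    # No complete dictionary word anywhere in the password (substring match).
    for word in sorted(dictionary):
        if word in lowered:
            problems.append(f"contains the dictionary word '{word}'")

    # Uppercase, lowercase, digit and special character must all be present.
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")

    # Reject near-duplicates of earlier passwords (e.g. one digit bumped) via a similarity ratio.
    for old in previous:
        if SequenceMatcher(None, lowered, old.lower()).ratio() > SIMILARITY_LIMIT:
            problems.append("too similar to a previous password")
            break

    return problems


if __name__ == "__main__":
    for candidate in ["Summer2024!", "Alice_EPFL_2024!", "Pq4$wZ8!nM2r", "xQ7#vL2@pR9mK4z&"]:
        print(candidate, "->", password_problems(candidate, previous=["Pq4$wZ8!nM1r"]) or "OK")
```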
EPFL staff logins must not be released and the related password should never be disclosed on the phone, by email or on any website outside EPFL. The IT Support Service Desk and IT proximity support will never ask a user to share their password.
The EPFL password should not be used for other websites. It should be stored in encrypted form.
Users are responsible for any actions committed with their digital identity, and are personally liable for any damage to EPFL or to third parties.
Further information
- About Information Systems, including IT security
- How to be prepared for cyber attacks
- Film for raising awareness about IT security
Contact
Jean-François Dousson
Information System Security Manager
Phone 021 693 70 74
[email protected]