Policy for network security (A.13)

On this page you will find the current policy for network security to ensure the protection of information in networks and systems that transfer data, both within the organization and to external parties.
Objective

The objective of Aarhus University's policies and rules for network security is:

  • to ensure the protection of information in networks and systems that process such information and ensure secure transfer of data, both within the organisation and to external parties.

Network security management (A.13.1)

Networks shall be managed and controlled to protect information in systems and applications. (A.13.1.1)

AU IT has overall responsibility for providing, operating and protecting Aarhus University's networks, unless otherwise agreed in management agreements.

Therefore, units at Aarhus University that need to establish/change networks must always contact AU IT and set up a management agreement on how networks can be established/changed without compromising operations and information security.

Equipment such as servers, network hard disks, printers or similar may only be connected to AU's network after prior agreement with AU IT. Even if permission has been obtained, AU IT may require the equipment to be disconnected if it interferes with normal operations.

It is not permitted to install equipment or software that makes it possible to establish remote access to AU's networks or machines on AU's network.

Remote management tools are permitted if access is via an encrypted connection using technologies such as SSH, VPN or SSL/TLS. Remote management set-up must be agreed with AU IT. The owner of the equipment concerned is responsible for any security breaches related to remote management.

AU's guest network may only be used for internet access, and, with the exception of services specifically designed for guests, it may not provide direct access to internal systems.

AU IT is responsible for registering the primary domain names.

With regard to remote access to data on the university's networks, the individual user must ensure that sensitive/confidential information is not stored on private equipment and that the rules for classification of data and storage are followed.

Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. (A.13.1.2)

AU IT is responsible for establishing network services agreements at AU. AU IT ensures that all necessary security requirements are met when entering into network services agreements.

Groups of information services, users and information systems shall be segregated on networks. (A.13.1.3)

AU IT must segregate networks into logically or physically separated networks to establish appropriate separation between different user groups or systems.

With regard to the use of network segregation, academic freedom can be supported by allowing a higher risk tolerance in parts of the organisation, as long as this does not result in an increased risk for the other IT systems and applications at AU.

Other policies and rules:

The following rules apply at Aarhus University regarding the use of internet access:

  • Access to the internet and other online services is primarily intended for activities which are directly related to work/studies, but AU’s network connection may be used for private purposes.
  • However, private activities must never be such that they could interfere with other employees’ or students’ legitimate work or study-related activities.
  • AU IT reserves the right to cancel user accounts and immediately disconnect a user's computer if deemed necessary in order to maintain network security or in any other way secure operations.
  • Files and programs may be downloaded from the internet, provided that the information security policy, license terms and applicable purchasing rules are observed.
  • Use of AU's internet connection for criminal activities of any kind is prohibited.
  • Access to services in a person’s own business (outside Aarhus University) is permitted provided it does not pose a security risk to Aarhus University.
  • Students and employees may under no circumstances operate private businesses from equipment on AU's networks as there is a risk that the business may be associated with Aarhus University.
  • If AU equipment is used to carry out private financial transactions through AU's internet connection, Aarhus University is free from liability for any errors or losses.
  • When accessing the internet from AU's local networks, users must ensure that their online behaviour does not compromise security or damage Aarhus University's reputation.
  • Attempts to circumvent security mechanisms from AU's internet connection are prohibited.
  • When using external networks, a VPN connection is recommended. Always be extra careful on smartphones, tablets and similar.
  • Employees, students and guests may only use the official wireless networks. Installing or using equipment that provides other wireless access to AU's networks is not allowed.
  • Please note that for some machines (for example servers, control computers for laboratory and clinical equipment, etc.), there should be restrictions on network access. For example, this type of equipment should not be used to surf the internet or the like.
  • Computers connected to AU's local networks have access to the internet and will usually display identities that refer to au.dk or another AU domain. Therefore, the individual user must ensure that their online behaviour neither compromises security nor Aarhus University's reputation.
  • It is important to assess risk scenarios when using cloud services. The data processing basis must be assessed, and the services must be used with care. In general, cloud services should be regarded as a supplement to the services provided by Aarhus University.

If systems and services offered by AU IT are used, the following are secured centrally:

  • Re. A.13.1 Network security:
    • As a network provider, AU IT is responsible for ensuring that the solutions it offers comply with the above requirements.

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.

If you have other needs based on your risk assessment, this must be ensured locally.

Information transfer (A.13.2)

Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. (A.13.2.1)

Any communication facilities installed in exceptional circumstances in connection with projects related to AU must comply with the information security policy.

Agreements shall address the secure transfer of business information between the organization and external parties. (A.13.2.2)

If sensitive or confidential information is exchanged between Aarhus University and any third party, this must be covered by a written agreement.

The unit manager must ensure that the information is managed in accordance with relevant legislation, e.g. by entering into a data processing agreement.

Information involved in electronic messaging shall be appropriately protected. (A.13.2.3)

All incoming electronic messages/emails must be scanned for spam and phishing. Messages marked as spam or phishing must be deleted, quarantined or moved to the users' spam folder.

Messages, emails and data containing confidential information, including personal data, must always be encrypted during transmission over open networks.

Aarhus University's email policy also applies.

Requirements for confidentiality and non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented. (A.13.2.4)

When integrating Aarhus University's systems and processes with a third party, the system owner must ensure that security risks are assessed and documented.

Requirements for confidentiality statements must comply with applicable legislation and regulations (see A.18.1) and must be reviewed periodically, especially when changes affect the requirements.

If systems and services offered by AU IT are used, the following are secured centrally:

  • Re. A.13.2 Information transfer:
    • AU IT provides central solutions for use in information transfer in accordance with data classification and is therefore responsible for ensuring that the solutions it offers comply with the above requirements.

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.

If you have other needs based on your risk assessment, this must be ensured locally.

QUESTION GUIDE

Consider the question guide as a tool to navigate the requirements of the policy:

  • Are you using a central solution provided by AU IT?
    • Has a management agreement been drawn up describing the division of responsibilities?
    • Are you connecting local equipment (e.g. servers) to AU’s network? What have you agreed with AU IT in relation to this?
  • Do you need other local solutions? Are you using other local solutions?
    • Are the contractual arrangements in place? How is the need for information security covered in the contract?
    • How are the networks segregated?
    • Is it possible to set up remote access to AU’s network? How is this access encrypted?
    • How do you ensure that individual users do not store confidential or sensitive personal information on private devices and that users follow data classification and storage rules?
    • How do you ensure compliance with the information security policy, licence terms and applicable procurement rules?
    • How do you enforce network access restrictions (e.g. for laboratory and clinical equipment)?
    • Are you using cloud services? Have you conducted a risk assessment for these cloud services?
    • How do you ensure data security when information is transferred using communication devices?
    • Are you sharing confidential or sensitive personal information with third parties? Have you entered into data processing and confidentiality agreements?
    • Is there any other relevant legislation to consider when using your chosen solution?
    • How do you adequately protect information in electronic messages? Do you use encryption or other solutions?

Information transfer includes messages that are sent electronically, such as via email, voice messages, virtual meeting forums and video.