Information Security Policy

Resolution CONSU-A-031/2020, of 04/08/2020 

Rector: Marcelo Knobel
General Secretary: Ângela de Noronha Bignami

Approves the Information Security Policy of the State University of Campinas – Unicamp.
 

The Rector of the State University of Campinas, as President of the University Council, in view of what was decided at the 167th Ordinary Session of 04/08/2020, issues the following Resolution:
 
Article 1 – The "Information Security Policy of the State University of Campinas – Unicamp" is approved. It forms part of this Resolution as Annex I and contains the general principles and guidelines applicable to the security of information held or owned by the University.
 
Article 2 – The duties and responsibilities for implementing Unicamp's Information Security Policy will be entrusted to the Information Security Committee – CSI, which will report to the Integrated Coordination of Information and Communication Technology – CITIC and will be designated by Resolution of the Rector's Office.
 
Article 3 – This Resolution comes into force on the date of its publication, revoking any provisions to the contrary. (Proc. No. 01-P-10342/2020)
 
 
ANNEX I
 
INFORMATION SECURITY POLICY OF THE STATE UNIVERSITY OF CAMPINAS
 
Integrated Coordination of Information and Communication Technology - CITIC
Information Security Committee - CSI
 
Legal and normative references:
 
ABNT ISO GUIDE 73:2009 – Risk management – Vocabulary – Definitions of generic terms related to risk management.
ABNT NBR ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements.
ABNT NBR ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls.
Internet Civil Framework (Marco Civil da Internet, Law No. 12.965, of April 23, 2014) – Establishes principles, guarantees, rights and duties for the use of the Internet in Brazil.
Normative Instruction ConTIC IN-01/2019 – Establishes standards and procedures for the use of Information and Communication Technology resources at Unicamp.
 
Scope of application:
This document applies within the scope of the State University of Campinas – Unicamp.
 
1. Objective
Establish directions and values for information security management within the scope of the State University of Campinas.
 
2. Description and Scope
This document contains the principles and guidelines applicable to the security of information held or owned by the State University of Campinas, establishing directions and values for information security management.
 
3. Target audience
This document is intended for the entire academic community: active and retired staff (faculty, employees, researchers), students, former students, interns, youth apprentices (patrulheiros), service providers, visitors and external users who make use of any Unicamp information system, each of whom is responsible for compliance.
 
4. Concepts and definitions
Information asset – the asset made up of all data and information generated and handled during the execution of Unicamp's systems and processes.
 
Processing asset – the asset made up of all the hardware and software elements necessary for the execution of Unicamp's systems and processes, whether produced internally, acquired, received by donation or otherwise incorporated.
 
CITIC – Integrated Coordination of Information and Communication Technology, established by Resolution GR-009/2020.
 
CONSU – University Council
 
5. Principles
Unicamp's Information Security Policy is based on the preservation of the information necessary for the Institution's activities and on the following principles:
 
Authenticity: the authorship of the information is guaranteed to be genuine.
Confidentiality: only duly authorized people may have access to the information.
Integrity: only authorized changes, deletions and additions may be made to the information.
Availability: information must be available to authorized people whenever necessary or requested.
Legality: the use of information must comply with the laws, regulations, licenses and contracts in force.
 
6. Values and Guidelines
 
Institution-focused security
Ensure information security both for systems in the computing environment and for conventional means of processing, communication and storage, such as paper.
 
Information is institutional property
Treat any and all information generated, acquired, used or stored by Unicamp as the institution's property, to be protected in terms of confidentiality, authenticity, integrity and availability.
 
Protection proportionate to the risks
Size and apply investments in security measures according to the value of the asset being protected and the identified risks of potential damage to the business, the core activity and the institutional objectives.
 
Treatment according to classification
All information must be appropriately stored and protected in terms of use and access, as defined in its security classification.
 
Credential-based accountability
Hold people accountable for the use of their credential, which is personal and non-transferable: whoever is formally associated with a credential is responsible for all activities carried out with it.
 
Use restricted to institutional activities
Manage access to and use of information and information assets according to the duties necessary to carry out institutional activities. Any other form of use requires prior authorization.
 
Security-oriented use
Allow only the use of information assets or processing assets authorized by managers, always ensuring that they are identified, protected, inventoried and in compliance with current legislation.
 
Authorization defined by managers
Grant and revoke access to resources and restricted locations at the request of each unit's managers, who are also responsible for the assets made available for use.
 
Segregation of duties
Separate the administration and the execution of functions or areas of responsibility critical to the business, so that no single person controls a process in its entirety, in order to reduce the risk of accidental or deliberate misuse.
 
Education and training
Continuously promote education and training on information security for the target audience, so that they can carry out their activities at the institution securely, using procedures that minimize risk and enable the correct use of information assets and tools.
 
Audit
Monitor and audit, through the competent area of the University, the implementation of and compliance with the Information Security Policy. Specialized external consultants may be engaged to evaluate the Information Security Policy and compliance with it, and to validate special protocols and procedures, when necessary.
 
Service continuity
Plan and define strategies to reduce, to an acceptable level, the possibility of interruption caused by disasters or by failures in the resources that support work processes. The result of this planning must be documented, tested and revised as necessary, with the resources needed for its implementation guaranteed.
 
Immediate reporting of security incidents
Report all security incidents to the Unicamp Security Incident Response Team (CSIRT Unicamp) for investigation and incident handling. The manager of each unit must be involved in order to carry out the processes necessary to determine responsibilities.
 
7. Penalties
The target audience of this policy is subject to its rules and must fully comply with its provisions. Failure to comply will be investigated in accordance with current legislation and may result in criminal, civil and/or administrative liability.
 
8. Competences and Responsibilities
Members of the target audience may not claim ignorance of this policy and must strictly follow the security standards.
 
9. General Provisions
Any question about Unicamp's Information Security Policy and its associated documents must be raised promptly with the Information Security Committee.
 
Cases not covered by this policy must be submitted to the current Information Security Committee for assessment and deliberation, which will decide whether the matter is to be incorporated or whether it requires a change to some point of the current policy.
 
10. Validity and Update
 
Validity:
This document comes into force on the date of its publication and must be revised whenever any of the mandatory conditions for updating it occurs.
 
Update:
These guidelines were updated on 28/04/2020. 
 
Mandatory conditions for updating the document:
- Enactment of or changes to applicable laws and/or regulations;
- Strategic change of the institution;
- Change in the technologies used at Unicamp.
 
11. Duties and Responsibilities
 
Responsible for updating this policy:
Information Security Committee – CSI
 
Responsible for approving this policy and updates proposed by the CSI:
University Council – Consu
 
Responsible for approving Information Security Normative Instructions:
Integrated Coordination of Information and Communication Technology – CITIC
 
12. Duties and Responsibilities
The Information Security Committee reports to CITIC and is appointed by the Rector by Resolution.


Published in DOE on 08/08/2020.
