Basics of information security
Information security refers to the protection of all confidential information, regardless of its form or location. It covers both digital and analogue information, so its scope is considerably broader than that of IT security.
Further information, sample documents and forms can be found at BayernCollab:
Portal of Bavarian art universities for data protection and information security (internal)
As an introduction to the topic, you will find information on the basics of information security below.
Contact the Information Security Officer (ISO)
If you have any questions regarding information security, please contact the Information Security Officer:
Universities are particularly exposed because of their specific nature: freedom of research and teaching, global cooperation, a high degree of decentralisation and autonomy of faculties and departments, project-based work, high staff turnover, and complex roles and rights arising from the different status groups and their internal and external partners.
Information security covers, first of all, the three protection goals of confidentiality, integrity and availability; a broader view of information security goes beyond these (e.g. authenticity, non-repudiation, accountability and resilience).
Examples of threats include:
- Loss of integrity and availability of research data
- Compromise of personal data, especially student or employee data
- Loss of confidentiality of sensitive data, possibly going unnoticed, for example through espionage
- Attacks on the IT infrastructure aimed at bringing it to a standstill
Primary protection objectives
Information security rests on three primary protection objectives, which together ensure that information can be processed, stored and transmitted reliably and securely:
- Confidentiality
- Availability
- Integrity
Confidentiality means that information can be viewed or used only by authorised persons. Confidentiality is breached when information is disclosed to, or accessed by, anyone who is not authorised.
Availability ensures that information and systems are accessible and usable by authorised persons whenever they need them. Availability is breached when data or systems are destroyed, lost or otherwise unavailable.
Integrity ensures that information remains complete and unaltered except through authorised changes. Integrity is breached when content is manipulated, partially deleted or added to without authorisation.
Legal basis for digital infrastructure and information security in Bavaria
Art. 36 sentences 1 and 2 BayDiG (formerly Art. 8 (1) BayEGovG, with identical meaning):
1) The authorities shall maintain the digital administrative infrastructures necessary for the performance of their tasks.
2) They shall ensure their security and promote their mutual technical coordination and accessibility.
Art. 43 (1) BayDiG (formerly Art. 11 (1) BayEGovG, with identical meaning):
1) The security of the authorities' information technology systems shall be ensured within the bounds of proportionality.
2) To this end, the authorities shall take appropriate technical and organisational measures within the meaning of Art. 32 of Regulation (EU) 2016/679 (General Data Protection Regulation) and Art. 32 of the Bavarian Data Protection Act and shall draw up the necessary information security concepts.
The ISO advises the university management and departments, coordinates training courses and works closely with the IT management, the data protection officer and the data protection coordination unit. Its specific tasks include:
- Supporting management: The ISO supports the management in drawing up and implementing security guidelines.
- Coordination of security concepts: The ISO coordinates the development of the security concept and associated sub-concepts and guidelines.
- Planning and monitoring of security measures: The ISO draws up implementation plans for security measures, initiates their implementation and reviews their effectiveness.
- Reporting: The ISO regularly informs management and other responsible parties about the current status of information security.
- Project coordination: The ISO coordinates security-related projects within the institution.
- Investigation of security incidents: The ISO analyses security-related incidents and initiates appropriate measures.
- Awareness raising and training: The ISO initiates and coordinates training courses and awareness-raising measures on information security for employees.