F.A.Q. - Frequently Asked Questions

The information security team of the University of Paderborn

  • advises committees and departments as well as the operators of information, communication and media technologies on information security issues.
  • develops recommendations on technical, organizational and awareness measures and works intensively with the CIO, the IT operators, the data protection officer and the Presidential Board of the University of Paderborn.
  • is the central point of contact in the event of information security incidents and supports the responsible departments in coordination to limit damage to the University of Paderborn.

You can find more information here.

Contact the data protection team with:

  • Organizational questions about data protection
  • Questions about the directory of processing operations
  • Requests for information according to Art. 15 DSGVO
  • Questions about training workshops
  • Reporting data breaches


Contact your data protection coordinators with:

  • General questions about data protection
  • Confidential inquiries and/or complaints about data protection
  • Questions about the rights of data subjects


Contact the information security team with:

  • Technical questions
    • Point of contact for information security incidents
    • Development and maintenance of an IT security concept
    • Carrying out risk and threat analyses
  • Recommendations regarding technical and organizational measures, e.g., software procurement
  • Awareness campaigns and organization of training workshops for employees

Information security incidents include all unexpected events that jeopardize the security of IT systems or of the data stored on them.
Examples are attacks on IT systems such as PAUL or research databases, the loss of smartphones or USB sticks, and passwords captured through phishing e-mails.

You can read about how you should respond to such an information security incident in the FAQ here and in our post on the topic here.

You can find more information on information security incidents here.

If a suspected or actual information security incident has occurred - whether intentional or unintentional - please fill out the notification form immediately with all available information, so that, where personal data is affected, a report can be submitted to the supervisory authority within the 72 hours required by Art. 33 GDPR and the affected persons can be informed.

You can find the notification form and further information here.

  1. Stay calm, do not take any ill-considered measures
  2. Disconnect device from WiFi/network (pull network cable)
  3. Record what is happening if necessary (photo, video, etc.)
  4. Leave everything as it is.
  5. Do NOT turn off or disconnect the device from power:
    → Important traces of the incident (e.g. volatile data in memory, running processes, open network connections) could be lost
  6. Briefly jot down your own assessment of the incident and the extent of the damage
  7. Report the incident using the report form and thereby obtain an assessment from the incident team

Note:

  • Do not disclose information to third parties
  • Do not pay extortion money under any circumstances
  • Do not try to fix the problem yourself

If you suspect that your computer is infected with a virus - your antivirus program sounds an alarm or your system behaves strangely - the following checklist can help you to solve the problem.

  1. First of all: Stay calm. Don't panic.
  2. Inform our Information Security Team (IST) about the virus attack so they can block your network address.
  3. Then physically disconnect the infected machine from the network (unplug the network cable). Do NOT disconnect it from the power supply.
  4. If the virus has already been identified, find out whether a "soft" repair without reinstallation is possible. Our IST and vendor virus databases (for example from NAI or Symantec) can provide information on this.
  5. Decide for yourself whether a reinstallation is necessary in your specific case, for example because the virus is difficult or impossible to remove or has already caused too much damage. In principle, you can perform reinstallations without losing your files. However, be aware of potentially infected files.
  6. If possible, perform a local backup on secure storage media such as USB sticks or CDs. If you try to save your files on other computers or servers, you run the risk of infecting them with the virus as well.
  7. Keep in mind that in case of a virus attack, all passwords used on the affected system may be compromised. Change all of them, and do so from a device that is known to be clean: a freshly reinstalled system that is still accessed with the old passwords can be compromised again.

On our Training and Further Education page, you will find various options for further education in information security.

English versions are soon to come!

There are various ways to work on your computer as securely as possible.

We have summarized these as the Golden Rules of IT Security.

 

A secure password should be at least 10 characters long and contain lowercase and uppercase letters, numbers and special characters. The longer, the better.

Since such passwords are usually hard to remember, you can use mnemonic devices, such as taking the first letters, digits and special characters of a sentence you can easily remember.

Also, never use the same password for more than one account. Once it is compromised, attackers have access to every other account that uses it.
A password manager helps you to manage this variety of passwords.

You can find more information about passwords on our help wiki page on the subject.

A password manager is a program that allows you to securely store and manage your passwords for various applications and online services. These managers can generate passwords and fill out online forms automatically. They can appear in the form of computer applications, mobile apps or web browser extensions.

The main function of a password manager is to solve the problem of password fatigue, where end users may have difficulty remembering multiple passwords for different services. With a password manager, they only need to create and remember a single "master" password to access all stored information.

Password managers usually use encrypted databases to ensure the security of stored passwords. In addition to passwords, other data such as credit card information, addresses and personal information can also be stored.

Unlocking the vault with biometrics (fingerprint or facial recognition) is usually offered as an option, not as a requirement.

We provide instructions on how to install the password manager KeePass in our help wiki:
https://hilfe.uni-paderborn.de/Passwortmanager (german)

Two-factor or multi-factor authentication (2FA; MFA) are electronic authentication methods in which a user is granted access to a website or program only after presenting two or more independent proofs (factors) to the authentication mechanism. Typically this means entering a conventional password plus a one-time code that is generated by an authenticator app or sent by SMS or e-mail. This protects your accounts against third parties who have only obtained your password, for example through phishing.

It is advisable to use two-factor authentication wherever possible, as it adds another layer of security that makes it considerably more difficult for attackers to get at your data.

The use of external cloud services (e.g. Dropbox, OneDrive), messenger services (e.g. WhatsApp) or groupware services (e.g. Gmail, iCloud) is often highly questionable from a data protection perspective.
This is because it is often not transparent what data is transmitted when using such services, which of it is encrypted, and whether the providers are subject to and comply with the data protection regulations applicable in the EU.


Therefore, only cloud, messenger, and groupware services that comply with data protection regulations should be used. These include:

Physical destruction is usually carried out by mechanically destroying (shredding) the data storage media into small to very small particles. Locked collection containers with a slot are available in certain rooms of the university for removed data storage media to be destroyed. The data storage media to be destroyed are to be deposited there during office hours. Until the time of destruction, the data storage media are stored in such a way that they are protected from unauthorized access by third parties. At regular intervals, the containers are emptied on site by a specialized company and the data storage media are destroyed securely and in compliance with data protection regulations. The exact procedure is described in a corresponding leaflet from Department 5.

Further information can be found here.

https://www.uni-paderborn.de/universitaet/datenschutz/informationen-und-hilfsmaterialien (german)

Deletion and destruction of data media including deletion protocol for de-inventorying and internal reuse of end devices used for business purposes (german)

Irretrievably deleting the data on a storage medium also serves sustainability: the medium can then continue to be used elsewhere in the university or be sold, for example as part of a de-inventory.

The following link describes the relevant deletion methods under points 1.4 and 1.5 of the Appendix: Secure Deletion of Data Storage Media (Guideline for Secure Deletion or Destruction of Information):
https://www.upb.de/universitaet/informationssicherheit/dokumente (german)

Both in the case of intended de-inventorying and in the case of internal further use of IT hardware and/or transportable data storage media, the secure deletion of data must be carried out in the respective areas in accordance with points 1.4 and 1.5 of the above-mentioned appendix and confirmed on the enclosed form by the responsible administrator.

Further information can be found here.

https://www.uni-paderborn.de/universitaet/datenschutz/informationen-und-hilfsmaterialien (german)

https://www.uni-paderborn.de/fileadmin/datenschutz/uni-intern/Vorlagen/Datenschutzkonforme_Datentraegerloeschung_und_-vernichtung_2021-12-06.pdf (german)

Phishing e-mails are an attack method for obtaining user names and passwords. Phishing refers to attempts to obtain an Internet user's data via fake websites, e-mails or short messages and thus commit identity theft. The aim of the fraud is to use the data obtained, for example, to plunder the victim's bank account or otherwise harm them.

This may well include targeted attacks, which may be embedded in existing conversation threads. You should therefore apply the checklist below to every e-mail. With a little routine, a few seconds are enough to prevent immense damage.

Further information on phishing can be found here.

https://hilfe.uni-paderborn.de/Hinweise_zu_Phishing-E-Mails/en

https://www.uni-paderborn.de/universitaet/informationssicherheit/goldene-regeln/e-mails


Anyone who processes personal data must protect it through technical and organizational measures.


TOMs include:

  • Physical access control (premises and rooms)
  • Access control to data processing systems at network and server level
  • Access control to the data within a processing system (who may read or change which data)
  • Transfer control
  • Input control
  • Order control (commissioned processing)
  • Availability
  • Separation
  • Integrity
  • Confidentiality

The TOMs must be documented and reviewed regularly (at least annually). Where necessary, this documentation must be passed on to prove the security measures taken (e.g. in the case of commissioned processing).

Processor:
A processor under Article 28 GDPR is a natural or legal person, public authority, agency or other body that processes personal data on behalf of a controller.

Processing contract:
A processing contract covers processing of personal data that a service provider carries out on a company's behalf and under its instructions. Every company must therefore conclude such a contract with each service provider that processes personal data on its behalf. Existing contracts must be adapted to the requirements of the GDPR.

 

Article 30 of the GDPR obliges every controller (i.e. anyone who decides on the purposes and means of processing personal data) and every processor to keep a register of all processing activities.

Among other things, this must record which data is stored in which systems and how further processing is carried out. Controllers also include small and medium-sized enterprises, associations, liberal professions and public bodies.

Digitally signed e-mails (e-mail certificates) are an additional safeguard for verifying the sender address and the integrity of the message.
This especially helps to unmask phishing e-mails posing as popular services (e.g., online banking, parcel services, e-mail providers, etc.).
More information about phishing including detailed examples can be found here: Notes on phishing emails

If you receive a signed e-mail whose signature your mail program reports as valid, you can rely both on the sender address displayed and on the fact that the content of the e-mail was not manipulated in transit. An e-mail without a valid signature gives you neither guarantee.

Therefore, pay attention to the sender address! It should not read benutzerberatung@upb.de.hackerparadies.com or anything similar: here the real domain is hackerparadies.com, and "upb.de" is merely a subdomain name chosen by the attacker.

The IMT sends e-mails under imt@uni-paderborn.de or imt@upb.de.
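As an added example (not part of the original FAQ and not a tool of the IMT), the following Python code performs the sender-address check described in the phishing and e-mail-signature sections mechanically: it parses a From: header, decides whether the address really belongs to one of the two IMT domains named above, and flags the two common tricks, a look-alike domain such as upb.de.hackerparadies.com and a display name that shows a trusted address while the mail actually comes from somewhere else. The sample headers are constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# Domains the FAQ names as legitimate IMT sender domains.
TRUSTED_DOMAINS = ("uni-paderborn.de", "upb.de")


def _is_trusted_domain(domain: str) -> bool:
    """True only if `domain` IS a trusted domain or a genuine subdomain of one (label boundary!)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def _apparent_registrable(domain: str) -> str:
    """Last two labels, e.g. 'upb.de.hackerparadies.com' -> 'hackerparadies.com'.
    Approximation: does not know public suffixes such as 'co.uk'."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str) -> dict:
    """Classify a From: header as trusted, spoofed-display-name, lookalike, external or unparseable."""
    display_name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    result = {"display_name": display_name, "address": addr, "domain": None, "actual_domain": None}
    if "@" not in addr:
        result.update(verdict="unparseable", reason="header contains no e-mail address")
        return result

    domain = addr.rsplit("@", 1)[1].rstrip(".")
    result["domain"] = domain
    result["actual_domain"] = _apparent_registrable(domain)
    # Addresses a reader might see inside the display name, e.g. '"imt@upb.de" <x@evil.example>'.
    shown = [d.rstrip(".") for d in re.findall(r"@([a-z0-9.-]+)", display_name.lower())]

    if _is_trusted_domain(domain):
        result.update(verdict="trusted",
                      reason="address domain is a trusted domain or a subdomain of one")
    elif any(_is_trusted_domain(d) for d in shown):
        result.update(verdict="spoofed-display-name",
                      reason=f"display name shows a trusted address, but the mail comes from {domain}")
    elif any(t in domain for t in TRUSTED_DOMAINS):
        result.update(verdict="lookalike",
                      reason=f"'{domain}' only contains a trusted name; the real domain is {result['actual_domain']}")
    else:
        result.update(verdict="external", reason="address is not from a university domain")
    return result


# Constructed sample headers (no real mails), including the FAQ's own look-alike example.
SAMPLE_HEADERS = [
    "IMT <imt@uni-paderborn.de>",
    "imt@upb.de",
    "Benutzerberatung <benutzerberatung@upb.de.hackerparadies.com>",
    '"imt@upb.de" <support@mail-update.example>',
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        r = classify_sender(header)
        print(f"{r['verdict']:22} {header}\n{'':22} -> {r['reason']}")
```

The check only looks at what the header claims; it says nothing about whether the claim is true. That is exactly the gap a valid e-mail signature closes: a signed mail from imt@upb.de proves the sender, an unsigned one from the same address proves nothing.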

 

How e-mail signatures are created, who is allowed to use them and what they look like in different mail programs can be learned from our help wiki page on the subject:
https://hilfe.uni-paderborn.de/Signierte_E-Mails/en