1. Introduction and scope
The following describes the general information security measures for the services provided by the University of Tartu High Performance Computing Center (hereinafter UTHPC), which are used to ensure the confidentiality, integrity and availability of data.
Technical and organizational measures apply to all data and information assets belonging to UTHPC that UTHPC uses to achieve its objectives or that are connected to networks managed by UTHPC.
2. General principles
2.1. UTHPC, as the owner of the information assets, selects adequate and appropriate measures to protect them.
2.2. Data and information assets are protected in accordance with the policies and laws of the UTHPC and the University of Tartu, in particular those relating to data protection, human rights and freedom of information.
2.3. Non-public information will be made available only to those who have a legitimate right to have access to that information.
2.4. Everyone who has been granted access to information assets and data is responsible for handling them properly and in accordance with the confidentiality requirements.
2.5. Data and information assets are protected from unauthorized access.
2.6. It is UTHPC's responsibility to ensure that the service platform and its components are kept up to date.
2.7. Operating systems and applications are actively maintained. Unnecessary services are disabled or put behind the firewall.
2.8. UTHPC uses audit software to electronically monitor its networks, servers, routers, firewalls and/or other UTHPC systems.
2.9. When making changes to hardware or software, the requirements established by the University of Tartu and the rules established by UTHPC are followed.
2.10. UTHPC will maintain a sufficient number of employees so that services keep running and remain available during planned and unplanned absences.
3. Obligation of confidentiality
3.1. The confidentiality requirement covers confidential information and binds UTHPC employees by virtue of legislation and agreements.
3.2. Information to which access is restricted by contract or law, or that has been declared non-public on any other basis, is considered confidential.
3.3. All UTHPC employees who come into contact with confidential data shall as a minimum:
3.3.1. not disclose confidential information which has become known to him or her, unless it is required by law or necessary for the performance of his or her duties;
3.3.2. comply with applicable data protection legislation and procedures;
3.3.3. comply with the requirements of the obligation of confidentiality both during and after employment relationships.
3.4. If the contractual obligation is performed by a third party:
3.4.1. a contract between the University of Tartu and the third party is signed by both parties before the contractor is granted access to the information assets;
3.4.2. the contract will contain provisions on the requirements of confidentiality.
4. Access Control
The most basic rules for UTHPC access rights are:
4.1. Access rights are determined on the basis of the minimum principle (least privilege), which means that access is granted only to those information assets to which access is necessary for the performance of work or the use of the Services.
4.2. Granting, modifying and removing UTHPC employees’ access rights is governed by the UTHPC Access Rights Rules.
4.3. The access rights of UTHPC employees are audited regularly.
4.4. When UTHPC employee work responsibilities change, the access rights of the respective employee are reviewed and the rights that are not necessary for the performance of the new job responsibilities are removed.
4.5. Upon termination of employment of a UTHPC employee, all rights of the respective employee will be removed and the account will be closed immediately.
4.6. Administrative access to UTHPC resources is restricted to UTHPC employees.
4.7. Separated networks, firewall rules and strong access credentials are used to protect against unauthorized access.
4.8. All UTHPC resource users have user roles, which restrict their access only to data related to their projects.
5. Logs
The most basic rules for UTHPC logs are:
5.1. By default, user, program, and system activities are logged.
5.2. By default, logs are only kept for two years.
5.3. Some special exceptions have been created for logging, in which cases user, program and system activities are not logged (e.g. logs would contain sensitive personal data, there is no need for logs, etc.).
5.4. The level of logging detail and the retention period for logs are agreed separately for each project/solution.
5.5. Users are informed that their activities are logged, which also acts as a deterrent.
5.6. If an error occurs when writing logs or an anomaly is detected, UTHPC employees will be automatically notified.
5.7. Logging uses a data stream transmitted to a central log database, which only allows adding new documents (logs) and does not allow modifying already transmitted logs or removing any parts (individual log entries) from transmitted logs. The only way to delete a log is to delete the entire log, but this requires access to the respective machine and administrator rights there.
5.8. Project owners get access to a log monitoring web interface where they can see only their own project logs and can audit user activities.
6. Back-up
The purpose of backup is to provide a means to restore integrity in the event of hardware/software failures or physical disasters to systems, and to provide protection against human error or accidental deletion of important files. Backups are not intended to be used to meet archival or document retention requirements.
Backups are based on the UTHPC backup procedure and contractual obligations.
The most basic rules for UTHPC backup are:
6.1. Back-ups are kept in accordance with the time limits laid down in the contracts.
6.2. Only the last three backups are kept.
6.3. An incremental method is used when making backups and it is ensured that previous backups cannot be changed.
6.4. Backups are made to a UTHPC tape robot, which is physically located in a different location (another UTHPC data center). The corresponding UTHPC data center is located in another academic building of the University of Tartu, and the UTHPC data centers are geographically separated and located in different city districts.
6.5. Backup tapes are not physically removed from the tape robot, except in special cases.
6.6. The tape robot's database is responsible for recording backup metadata (backup time, backed-up files, etc.).
6.7. If the data volume of the back-up system increases to 80% of the maximum volume, an expansion or replacement of the back-up system will be arranged.
6.8. The operation of the back-up system is constantly checked.
6.9. The back-up system is monitored both by internal monitoring and by a monitoring system independent of the back-up server.
6.10. Failures in the backup system are responded to immediately.
6.11. Discarded back-up data will be deleted and the media will be reused.
6.12. Discarded tapes are physically destroyed by a special service provider. Until destruction, the tapes are kept in the tape robot’s room.
6.13. The lifespan of invalidated backup copies is 90 (ninety) calendar days, after which the backup copies will be deleted.
6.14. If a large-scale data recovery is taking place, backups may be temporarily suspended for the appropriate period.
6.15. If special agreements have been concluded regarding backups, which are set out in the contract, annex to the contract or memo, then backups may be temporarily suspended for the relevant backup only with the written consent of the other party to the contract/agreement.
6.16. Data restoration from backup is performed as needed.
6.17. Data recovery from backup is tested at least once a year. If there is no need for data recovery for work purposes, a separate recovery drill is organized.
7. Physical security
Various physical security measures are used in UTHPC data centers, the most basic of which are:
7.1. UTHPC has two data centers, which are located in physically separate academic buildings of the University of Tartu. The data centers are geographically separated and located in different city districts.
7.2. All network devices and servers are located in closed UTHPC data centers in the academic buildings of the University of Tartu.
7.3. Fire extinguishing systems used in data centers operate automatically, are gas-based solutions, and are intended for use in data centers.
7.4. The use of flammable materials, such as wood, textiles, and synthetics, in data center structures and furnishings has been minimized.
7.5. A technical security and access system as well as video surveillance are used to ensure the security of data centers.
7.6. The security and access system records data on the use of access cards and the security of data centers.
7.7. Only authorized UTHPC personnel who need it have physical access to the data center, and only with a special permit.
7.8. Individuals with personal access rights can access the data center using their work ID and security code.
7.9. All entries into the data center and deactivations and activations of electronic surveillance are logged.
7.10. The data centers are under electronic surveillance, and upon entering the data center, the electronic surveillance must be deactivated using a personal code.
7.11. When leaving the data center, electronic security is activated immediately using a personal code. Data center security is also activated when leaving the data center only briefly.
7.12. The data center’s electronic surveillance is deactivated only when someone is physically present in, entering, or leaving the data center.
7.13. Persons without personal access rights may enter the data center only in the presence of a person with access to the data center.
7.14. The data centers are equipped with an uninterruptible power supply (UPS), and power to the data centers is also ensured by diesel generators located in the same building as the data center, which start automatically in the event of a power outage.
7.15. The data centers are located behind two fireproof doors that can only be opened with a personal smart card or a special key.
7.16. Optimal temperature and humidity are ensured in the data centers. Temperature and humidity sensors are installed in the data centers, which automatically transmit an alarm to pre-determined UTHPC employees when the temperature or humidity exceeds predetermined limits.
8. Information technology security measures
Various organizational security measures are used in UTHPC’s operations and data centers, the most basic of which are:
8.1. UTHPC employees are consistently trained on information security topics and UTHPC employees also regularly participate in relevant exercises.
8.2. UTHPC treats all data obtained/processed during the provision of the service as confidential.
8.3. Security testing, updating, and monitoring of resources are performed regularly.
8.4. Monitoring, machine learning, and various penetration tests are used to identify vulnerabilities.
8.5. Continuity and recovery processes are documented, tested regularly, and reviewed at least once a year.
8.6. Different resources are separated from each other at the network level and at the level of user rights.
8.7. Each information asset has a designated chief administrator who is responsible for implementing the security measures necessary to protect the information asset.
8.8. High-criticality environments are located behind a separate firewall.
8.9. Before each new project/solution, more detailed security measures and requirements are agreed with the client, which a specific solution must additionally meet. For example:
8.9.1. all user activities are logged,
8.9.2. users’ screenshots are saved,
8.9.3. all potential security incidents and attempts to find security vulnerabilities are logged (for example, login attempts, access to different ports, changes in user rights, etc.),
8.9.4. the solution has closed access to the internet and it is not possible to make queries to the internet,
8.9.5. etc.
8.10. Data transmission is encrypted through a secure S3 and/or SFTP server set up by UTHPC.
8.11. External storage media are not usually used for data transfer.
8.12. Continuity and disaster recovery processes are documented and reviewed annually.
9. Security incidents
A security incident is a subset of an incident that involves a loss of integrity or confidentiality or creates a corresponding threat. A security incident includes, among other things, actions that are not in accordance with UTHPC, the University of Tartu, or national legislation regulating the field of information security.
The most basic rules for UTHPC security incidents are:
9.1. Security incidents are managed in accordance with the University of Tartu’s information security policy and the UTHPC security incident procedures.
9.2. Security incidents are handled in a way that minimizes the damage that may occur during the incidents.
9.3. The information collected in the course of resolving an incident is documented and analyzed in order to prevent similar incidents from occurring in the future and to decide on the need for additional security measures.
9.4. If signs of a criminal offense, misdemeanor, disciplinary offense or breach of an employment contract are discovered in the course of resolving a security incident, the case will be forwarded to an institution or person entitled to conduct the respective proceedings.
10. Emergency
An emergency is an incident that is caused by an unexpected turn of events beyond the control of UTHPC – in particular, fire, flood, bomb threat, long-term disruption of core services, or any other major damage that UTHPC alone cannot be expected to repair.
The most basic rules for a UTHPC emergency are:
10.1. In the event of an emergency, the University of Tartu’s fire safety rules, evacuation plans, emergency plans and other rules governing emergencies will apply.
10.2. When recovering from an emergency, services will be restored in order of priority, if possible.
10.3. UTHPC users are temporarily directed to use the resources of UTHPC partners, if possible and necessary.