F.A.Q. - Fre­quently Asked Ques­tions

The information security team of the University of Paderborn

  • advises users of committees and departments as well as information, communication and media technologies on information security issues.
  • develops recommendations on technical, organizational and awareness measures and works intensively with the CIO, the IT operators, the data protection officer and the Presidential Board of the University of Paderborn.
  • is the central point of contact in the event of information security incidents and supports the responsible departments in coordination to limit damage to the University of Paderborn.

You can find more information here.

Contact the data protection team with:

  • Organizational questions about data protection
  • Questions about the directory of processing operations
  • Requests for information according to Art. 15 DSGVO
  • Questions about training workshops
  • Reporting data breaches


Contact your data protection coordinators with:

  • General questions about data protection
  • Confidential inquiries and/or complaints about data protection
  • Questions about the rights of data subjects


Contact the information security team with:

  • Technical questions
    • Point of contact for information security incidents
    • Development and maintenance of an IT security concept
    • Carrying out risk and threat analyses
  • Recommendations regarding technical and organizational measures, e.g., software procurement
  • Awareness campaigns and organization of training workshops for employees

Information security incidents include all unexpected events that jeopardize the security of IT systems and the data on them.
So, for example, attacks on IT systems such as PAUL or research databases, the loss of smartphones or USB sticks, and the spying of passwords through phishing emails.

You can read about how you should respond to such an information security incident in the FAQ here and in our post on the topic here.

You can find more information on information security incidents here.

If a suspected or actual information security incident has occurred - whether intentional or unintentional - please fill out the notification form immediately with all available information so that a report can be submitted to the supervisory authority within 72 hours and the affected parties can be informed.

You can find the notification form and further information here.

  1. Stay calm, do not take any ill-considered measures
  2. Disconnect device from WiFi/network (pull network cable)
  3. Record what is happening if necessary (photo, video, etc.)
  4. Leave everything as it is.
  5. Do NOT turn off or disconnect device from power:
    → Important tracking data could be lost
  6. Briefly jot down own assessment of incident and amount of damage
  7. Report the incident by using the report form and thereby obtain assessment from incident team

Note:

  • Do not disclose information to third parties
  • Do not pay extortion money under any circumstances
  • Do not try to fix the problem yourself

If you suspect that your computer is infected with a virus - your antivirus program sounds an alarm or your system behaves strangely - the following checklist can help you to solve the problem.

  1. First of all: Stay calm. Don't panic.
  2. Inform our Information Security Team (IST) about the virus attack so they can block your network address.
  3. Then physically disconnect the infected machine from the network (unplug the network cable). Do NOT disconnect it from the power supply.
  4. If the virus has already been identified, you can find out if a "soft" repair is possible without reinstallation. Our IST and various virus libraries from for example NAI or Symantec can give you information about this.
  5. Decide for yourself whether a reinstallation is necessary in your specific case, for example because the virus is difficult or impossible to remove or has already caused too much damage. In principle, you can perform reinstallations without losing your files. However, be aware of potentially infected files.
  6. If possible, perform a local backup on secure storage media such as USB sticks or CDs. If you try to save your files on other computers or servers, you run the risk of infecting them with the virus as well.
  7. Keep in mind that in case of a virus attack, all passwords on the affected system might be compromised. Change all passwords. Even a fresh system without new passwords can be infected again.

On our Training and Further Education page, you will find various options for further education in information security.

English versions are soon to come!

There are various ways to work on your computer as securely as possible.

We have summarized these as the Golden Rules of IT Security.

 

A secure password should be at least 10 characters long and contain lowercase and uppercase letters, numbers and special characters. The longer, the better.

Since these passwords are usually hard to remember, you can come up with mnemonic devices, such as using the first letters and special characters of a sample sentence.

Also, don't use a password twice or more than once. Once compromised, attackers will have access to all other accounts that use the same password.
This is where you can use a password manager to better manage this variety of passwords.

You can find more information about passwords on our help wiki page on the subject.

A password manager is a program that allows you to securely store and manage your passwords for various applications and online services. These managers can generate passwords and fill out online forms automatically. They can appear in the form of computer applications, mobile apps or web browser extensions.

The main function of a password manager is to solve the problem of password fatigue, where end users may have difficulty remembering multiple passwords for different services. With a password manager, they only need to create and remember a single "master" password to access all stored information.

Password managers usually use encrypted databases to ensure the security of stored passwords. In addition to passwords, other data such as credit card information, addresses and personal information can also be stored.

The use of multi-factor authentication with fingerprints or facial recognition can be optional, but is not mandatory. Password managers can be installed on computers or mobile devices as applications or browser extensions.

We provide instructions on how to install the password manager KeePass in our help wiki:
https://hilfe.uni-paderborn.de/Passwortmanager (german)

Two-factor or multi-factor authentication (2FA; MFA) are electronic authentication methods in which a user is granted access to a website or program only if he or she can present two or more proofs (or factors) of access to an authentication mechanism. This usually involves entering a conventional password and an access code sent by e-mail or SMS, for example. They protect personal data from access by unauthorized third parties who, for example, could only find out the password.

It is advisable to use two-factor authentication wherever possible, as it provides another layer of security that makes it all the more difficult for attackers to spy on your data.

The use of external cloud services (e.g. Dropbox, OneDrive), messenger services (e.g. WhatsApp) or groupware services (e.g. gmail, icloud) is often very questionable from a data protection perspective.
This is because it is often not apparent what data is transmitted when using such services, which of it is encrypted, and whether the providers are subject to or comply with the data protection regulations applicable in the EU.


Therefore, only cloud, messenger, and groupware services that comply with data protection regulations should be used. These include:

Physical destruction is usually carried out by mechanically destroying (shredding) the data storage media into small to very small particles. Locked collection containers with a slot are available in certain rooms of the university for removed data storage media to be destroyed. The data storage media to be destroyed are to be deposited there during office hours. Until the time of destruction, the data storage media are stored in such a way that they are protected from unauthorized access by third parties. At regular intervals, the containers are emptied on site by a specialized company and the data storage media are destroyed securely and in compliance with data protection regulations. The exact procedure is described in a corresponding leaflet from Department 5.

Further information can be found here.

https://www.uni-paderborn.de/universitaet/datenschutz/informationen-und-hilfsmaterialien (german)

Deletion and destruction of data media including deletion protocol for de-inventorying and internal reuse of end devices used for business purposes (german)

The irretrievable deletion of the data on the data storage media simultaneously takes into account the sustainability aspect if these data storage media continue to be used elsewhere in the university or can be sold, for example, as part of a de-inventory.

The following link describes the relevant deletion methods under points 1.4 and 1.5 of the Appendix: Secure Deletion of Data Storage Media (Guideline for Secure Deletion or Destruction of Information):
https://www.upb.de/universitaet/informationssicherheit/dokumente (german)

Both in the case of intended de-inventorying and in the case of internal further use of IT hardware and/or transportable data storage media, the secure deletion of data must be carried out in the respective areas in accordance with points 1.4 and 1.5 of the above-mentioned appendix and confirmed on the enclosed form by the responsible administrator.

Further information can be found here.

https://www.uni-paderborn.de/universitaet/datenschutz/informationen-und-hilfsmaterialien (german)

https://www.uni-paderborn.de/fileadmin/datenschutz/uni-intern/Vorlagen/Datenschutzkonforme_Datentraegerloeschung_und_-vernichtung_2021-12-06.pdf (german)

Phishing e-mails are a method of attack to obtain user names and passwords. Phishing refers to attempts to obtain an Internet user's data via fake websites, e-mails or short messages and thus commit identity theft. The aim of the fraud is to use the data obtained, for example, to plunder the bank account and harm the person in question.

This may well include targeted attacks, which may be embedded in conversation histories. Therefore, you should use the checklist below for every e-mail. With a little routine, just a few seconds are enough to prevent immense damage.

Further information on phishing can be found here.

https://hilfe.uni-paderborn.de/Hinweise_zu_Phishing-E-Mails/en

https://www.uni-paderborn.de/universitaet/informationssicherheit/goldene-regeln/e-mails

 

 

 

 

Anyone who processes personal data must protect it through technical and organizational measures.


TOMs include:

  • Access control
  • Access control data processing facility at network and server level
  • Access control data processing system
  • Transfer control
  • Input control
  • Order control
  • Availability
  • Separation
  • Integrity
  • Confidentiality

The TOMs must be documented accordingly and reviewed on an ongoing basis (at least annually). If necessary, this information must be passed on in order to prove the security measures taken (e.g. in the case of order processing).

Processor:
A processor under Article 28 GDPR is a natural or legal person, public authority, agency or other body that processes personal data on behalf of a controller.

Processing contract:
A processing contract is a contract for an activity involving personal data that is subject to instructions and that is carried out by a service provider for a company. A processing contract must therefore be agreed upon by every company and its service provider that processes personal data on behalf of the company. Existing contracts must be adapted to the new requirements of the GDPR.

 

Article 30 of the GDPR obliges every controller and processor, i.e. anyone who decides on the processing of personal data, to keep a register of all processing activities.

Among other things, this must record which data is stored in which systems and how further processing is carried out. Controllers also include small and medium-sized enterprises, associations, liberal professions and public bodies.

E-mail certifications are an additional protection instance to verify the sender address and the content of the message.
This especially helps to unmask phishing e-mails posing as popular services (e.g., online banking, parcel services, e-mail providers, etc.).
More information about phishing including detailed examples can be found here: Notes on phishing emails

If you receive a certified e-mail, you can rely both on the sender address displayed and on the fact that the content of the e-mail was not manipulated during transmission.

Therefore, pay attention to the sender address! It should not say benutzerberatung@upb.de.hackerparadies.com or anything similar.

The IMT sends e-mails under imt@uni-paderborn.de or imt@upb.de.

 

How e-mail signatures are created, who is allowed to use them and what they look like in different mail programs can be learned from our help wiki page on the subject:
https://hilfe.uni-paderborn.de/Signierte_E-Mails/en