IT Security Policy
IT Security Policy
Note:
- You can find the current policy in the MUG at the following link: Information Security Policy dated February 24, 2026 (German only).
§1 Subject Matter and Scope
For Justus Liebig University (JLU) Giessen, a research university with a long tradition, digital solutions based on reliable information technology (IT) are essential for continuously conducting and optimally supporting research, knowledge transfer, teaching, student studies, and administration at the highest level. The extensive use of IT gives rise to stringent requirements regarding the confidentiality, integrity, and availability of the information processed, as well as IT procedures and IT systems. These JLU Giessen Information Security Guidelines establish the framework for a uniform, university-wide security standard and apply to all departments and institutions, as well as to all members, affiliates, and guests of JLU Giessen.
§2 The Importance of Information Security
Ensuring information security is of fundamental importance to JLU Giessen in fulfilling its mission and is a central priority of the executive board, which establishes and monitors the principles and guidelines for information security. For this to be effective at JLU Giessen, it is also essential that all members, affiliates, and guests of JLU Giessen view themselves as an integral part of information security. Establishing such a culture is therefore crucial to making JLU Giessen permanently resilient against threats such as cyberattacks.
§3 Security Objectives
With its information security policy, JLU Giessen pursues the following objectives:
- Ensure high-quality research, knowledge transfer, teaching, student programs, and administration.
- Foster a culture of information security at JLU Giessen.
- Protect personal rights.
- Prevent property damage.
- Continuously improve information security.
§4 Security Strategy
To ensure it fulfills its responsibilities and achieves its security objectives, JLU Giessen pursues a comprehensive security strategy that aims to establish a uniform and robust level of security across the entire university. In doing so, it adheres to recognized standards and best practices and implements a university-wide information security management system (ISMS) in accordance with the basic IT security framework of the Federal Office for Information Security (BSI). Potential security risks to JLU Giessen’s information assets are then systematically identified, analyzed, evaluated, and assessed in terms of protection requirements. Based on this, tailored security measures are defined and implemented for all processes, procedures, and the necessary IT systems. To reflect the high priority of information security, the standard security measures under BSI's basic IT security framework are applied—wherever possible—as a uniform security standard across the university. Information assets requiring enhanced protection must be safeguarded with correspondingly enhanced security measures in accordance with BSI's basic IT security framework.
§5 Responsibilities and Structures
The University's executive board bears overall responsibility for information security at JLU Giessen and ensures that the necessary resources are available. The directors of each JLU Giessen facility are responsible for information security within their respective facilities. All users are responsible for handling the information, IT procedures, and IT systems they use in accordance with their intended purpose and in a proper manner. They are obligated to apply the principles, guidelines, standards, and requirements for information security at JLU Giessen within their area of work. The information security officer (ISO) is an independent position reporting directly to the executive board and is responsible for establishing, managing, and coordinating information security processes and measures at JLU Giessen in accordance with the legal framework and relevant guidelines and serves as the primary point of contact for all aspects of information security. He or she establishes guidelines for securely processing information and for securely operating IT procedures and systems at JLU Giessen, monitors their implementation, and works continuously to improve them. He or she regularly briefs the executive board on the current state of information security at JLU Giessen, is generally responsible for all matters related to information security, and is involved in all projects and measures that have an impact on information security. The ISB chairs the ITsec@JLU committee as part of the IT Governance Committee Structure. This committee ensures that appropriate information security measures are formulated, communicated, implemented, further developed, and monitored. The ISB is supported by the faculty information managers (FIMs) (see 6 of the Statutes of the IT Organization of Justus Liebig University Giessen dated October 14, 2025) in processes and measures to ensure and further develop information security at JLU Giessen. The FIMs are responsible for implementing the information security process within their respective facilities. As part of their duties, they are obligated to obtain up-to-date security-related information; the ISB supports them in this. Moreover, the system administrators provide the FIMs with all requested information necessary for reporting to internal and external higher-level authorities. Information must also be provided to JLU Giessen’s operational IT security team. The FIMs implement the necessary IT security measures within their area, and the directors of their facilities provide them with the necessary authority and resources to do so.
§6 Responding to Hazards
Information security at JLU Giessen is designed to prevent threats. Failure to comply with guidelines and measures for secure information processing can have significant consequences for the university. In the event of security-related misconduct resulting from violations of the its information security policy and related guidelines, members, affiliates, guests, and organizational units of JLU, as well as third parties, may be restricted or temporarily barred from using IT services.
§7 Entry into Force
This information security policy shall enter into force on the day following its publication, after the executive board of JLU Giessen has adopted it. It supersedes the existing IT security policy (as of January 7, 2014). Maintaining information security is an ongoing task and an explicit security objective. This guideline must therefore be reviewed regularly, at least every two years, to ensure it remains up to date with current information security requirements.