Information security
ETH Zurich handles information assets from research, teaching and management in such a way that their availability, confidentiality and integrity are always guaranteed as required.
All employees must comply with the following:
- ETH Zurich Acceptable Use Policy for Information and Communications Technology (BOT),
- Directive on Information Security, in particular with regard to the implementation of information security objectives, roles and responsibilities and the classification of information resources, according to section 5 and the appendices,
- IT Guidelines and IT Baseline Protection Rules of ETH Zurich, including the regulations for the use of external cloud services,
- The Chief Information Security Officer’s (CISO) guidelines and directives,
- Provisions on data processing, storage and deletion of information.
All employees are responsible for handling information, applications and IT components with due care.
Each academic and administrative department has an Information Security Officer (ISO) who acts as a specialist contact point for all questions relating to information security.
The Chief Information Security Officer (CISO) is responsible for the coordination of information security throughout ETH Zurich.
- Download: ETH Zurich Acceptable Use Policy for Information and Communications Technology (RSETHZ 203.21, BOT)
- Download: Directive on Information Security at ETH Zurich (RSETHZ 203.25)
- Download: IT Guidelines and IT Baseline Protection Rules of ETH Zurich (RSETHZ 203.23)
- Download: Freedom of Information Act (FoIA)
- Advice on cyber attacks and cyber fraud
  If you suspect any phishing, viruses, cyber or CEO fraud, contact the Service Desk or your department’s IT Service Group (ISG) immediately. Never give confidential information, passwords, money or financial data (even in the form of online gift cards), or access to sensitive premises to strangers.
- Email security
  Check the sender of emails and check links, e.g. by moving your mouse over them before clicking on them. Do not open attachments from unknown senders. If possible, use PKI certificates for emails (online application; your IT support can help you do this).
- Classification
  Label the confidentiality of documents, data collections, etc. as soon as they are created. In this way, you determine how strongly the respective document is to be protected. For support, contact the ISO. There are four classification levels: PUBLIC, INTERNAL, CONFIDENTIAL and STRICTLY CONFIDENTIAL. Documents that are CONFIDENTIAL or STRICTLY CONFIDENTIAL must be marked as such. For further information, please refer to the Directive on Information Security.
- Cloud services
  Only store confidential data of ETH Zurich (e.g. research data subject to secrecy, financial data, personal employee or student data, expert opinions) in appropriately tested and approved cloud services or use the ETH Zurich polybox. For further information, see the IT Guidelines and IT Baseline Protection Rules of ETH Zurich.
- Data on mobile devices
  Smartphones, notebooks, tablets etc. can be tapped or lost and are not readily suitable for storing sensitive data. Mobile devices must be protected with at least a password or PIN. All business data should be securely encrypted using state-of-the-art technology.
- Data backup
  Make sure that the operators of your data storage devices back up your data regularly and that it can be recovered from the backup.
- Current software
  Ensure that the latest operating system and software versions are always installed on all your systems and that all security patches are installed immediately. Restart the systems after installations. Run an up-to-date anti-virus program on your systems.
- Clear desk, clear screen
  Protect your data from unauthorised access by activating the screen lock when you leave your workstation. Store confidential documents in lockable cabinets.
- Passwords
  Protect all your user accounts with secure and different passwords. Change your passwords if they have been viewed by others or if you suspect they have been stolen. Never divulge passwords and store them only securely and in encrypted form, e.g. in a password manager.