Information security officer
Information security refers to the protection of all confidential information, regardless of its form or location. It deals with the security of data, i.e. the question of which technical and organizational security measures must be implemented to ensure that data is adequately protected against unauthorized access or destruction. If you would like to find out more about information security or get in touch with us, please follow the link below:
Form for reporting a data security incident (data protection & information security)
You can find further information on reporting a data security incident in BayernCollab on the portal of the Bavarian universities of the arts for data protection and information security (internal).
Fundamentals on the topic of information security
Universities are particularly vulnerable due to their specific constitution: Freedom of research and teaching, global cooperation, high decentralization and autonomy of subjects/departments, work in project form, high staff turnover, complex roles and rights due to different status groups with internal and external partners. Information security initially encompasses the protection goals of confidentiality, integrity and availability; multi-lateral information security goes beyond this (e.g. authenticity, non-repudiation, accountability, resilience).
Examples of threats are:
- Loss of integrity and availability of research data
- Compromise of personal data, especially student or staff data
- (Undetected) loss of confidentiality of (important) data, for example through espionage
- Attacks on the IT infrastructure with the aim of paralyzing it
Information security is based on three primary protection goals that ensure that information can be processed, stored and transmitted reliably and securely. The three primary protection goals of information security are:
- Confidentiality
- Availability
- Integrity
Confidentiality means that information can only be viewed or used by authorized persons. A breach of confidentiality occurs when information is disclosed to, or accessed by, someone who is not authorized.
Availability ensures that information and systems can be accessed and used by authorized persons when required. A breach of availability can occur through the destruction, loss or inaccessibility of data.
Integrity ensures that information remains complete and unchanged. Violations of integrity occur in the event of manipulation, partial deletion or addition of content.
Art. 36 sentences 1 and 2 BayDiG (formerly Art. 8 para. 1 BayEGovG with the same meaning):
1) The authorities shall maintain the digital administrative infrastructures required to fulfill their tasks.
2) They shall ensure their security and promote their mutual technical coordination and accessibility for people with a disability.
Art. 43 para. 1 BayDiG (formerly Art. 11 para. 1 BayEGovG with the same meaning):
1) The security of the information technology systems of the authorities shall be ensured within the framework of proportionality.
2) To this end, the authorities shall take appropriate technical and organizational measures within the meaning of Art. 32 of Regulation (EU) 2016/679 (General Data Protection Regulation) and Art. 32 of the Bavarian Data Protection Act and draw up the necessary information security concepts.
The Information Security Officer (ISB) advises the University Board and departments, coordinates training courses and works closely with the IT management, the Data Protection Officer and the Data Protection Coordination staff unit. Its specific tasks include:
- Supporting the management: The ISB supports the management level in the creation and implementation of the security guideline.
- Coordination of security concepts: It coordinates the development of the security concept and associated sub-concepts and guidelines.
- Planning and monitoring security measures: The ISB draws up implementation plans for security measures, initiates their implementation and checks their effectiveness.
- Reporting: It regularly informs the management level and other responsible parties about the current status of information security.
- Project coordination: The ISB coordinates security-related projects within the institution.
- Investigation of security incidents: It analyzes security-related incidents and initiates appropriate measures.
- Awareness-raising and training: The ISB initiates and coordinates training and awareness-raising measures on information security for staff.