The administrative regulation on information security prescribes the introduction of an information security management system (ISMS), based on standards 200-1 to 200-3 of the German Federal Office for Information Security (BSI).
An ISMS specifies the regulations and methods used to initiate, control and monitor the tasks and activities relating to information security. The initialization phase of the ISMS includes the assumption of responsibility by the university management, the establishment of the organization, the planning of the security process, the decision on how to proceed, and the creation of the guideline that defines the university’s security strategy. In the implementation phase of the security process, planning and design, implementation, performance review and monitoring, and optimization and improvement of the information security concept take place. After the first successful run, the measures for maintaining and continuously improving information security are reviewed again for their effectiveness. The introduction of an ISMS should thus be viewed as a process and not as a goal. It is important to note that it is not just a matter of introducing individual technical measures, but a holistic and comprehensive approach that enables the protection of all information, regardless of its type and origin. To increase information security and achieve an appropriate level of security, a systematic approach is necessary. This holistic and comprehensive approach also encompasses the governance for providing information to a university. The core team supports universities in setting up an ISMS on the one hand by providing a central service: hosting and maintaining a Hiscout instance, and on the other hand by providing conceptual support in the use of HiScout within the framework of a working group.