Contacts and organisation
The following information describes the organisation and structures in the field of IT security at ETH. Roles and responsibilities are also described.
Contact
The IT Services Service Desk is the first point of contact for all inquiries and reports regarding to security incidents. Outside office hours, the ETH Zurich Emergency Desk is available in case of emergencies.
Responsible security contacts
The CISO is responsible for coordinating information security across the university, providing advice to information owners and Information Security Officers (ISOs) and reporting to the Risk Management Commission on a regular basis regarding his/her activities.
Enforcement of Compliance with legal requirements relating to information security and preserving the availability, confidentiality and integrity of information, processes, applications and IT components.
The CITSO shall have professional responsibility for IT security in relation to the services provided by ITS to the centralised and decentralised organisational units of ETH Zurich and shall serve as the main IT security contact to the CISO.
In addition, the ITSO ITS shall provide advice on IT security issues to the CISO and ISOs as required.
The heads of administrative departments, heads of staff units, heads of academic departments and heads of teaching and research facilities outside the academic departments shall each appoint an Information Security Officer (ISO) for their particular areas of responsibility.
Unless otherwise specified, the IT Support Lead (ISL) within the academic departments shall discharge the function of ISO.
ISO responsibilities include keeping inventory of information requiring a high level of protection, first point of contact for advice, reporting and participating in ISO working groups.
Committees
The Risk Management Commission (RMC) group of experts for information security is a working group of risk management specialists.
The working group shall assist the CISO in the development of information security and operate, alongside the ISOs and ITSO ITS, as an expert review body.
The committees consisting of the “departmental ISOs” and the “ISOs of the central administrative units and teaching and research facilities outside the academic departments” are responsible for coordinating cross-cutting projects, sharing information and conducting technical reviews.
The information security concept aims to establish a continuous improvement process by means of a systematic approach within ETH Zurich and to strengthen the following topics:
- sensitivity to information security
- systematic assessment of information security risks
- risk minimization in the case of information risks
- joint development of guidelines
The role of the ISO in the departments is performed by the Head of IT Support (ISL), the role of the Chief Information Officer (CISO) by the Director of IT Services.
The implementation of IT and information security cannot be delegated to a single security officer as a subject area.
Security must be an integral part of all phases of the lifecycles of (IT) services and be implemented as a permanent task of the groups concerned with service provision.
Accordingly, the security organisation in the ID was not set up as an additional unit to the previous sections and groups, but was implemented as a matrix organisation with an integral approach: Employees with security function units in their respective specialist groups ensure that security aspects are clearly perceived as part of the daily work of all teams.