Handout for TU Dresden's IT Regulations[1] - as of March 10, 2021

Preamble

The provision of an IT infrastructure at a higher education institution raises a substantial amount of user-related questions, which need to be addressed by the IT regulations. Therefore, there is a need to define fundamental rules, which guarantee an interruption-free, unhindered and secure usage of the IT infrastructure. In this context questions arise, which define the fundamental rights and duties of the operators and authorized users of the IT infrastructure, in addition to the responsibilities within the institution.

The regulations serve the purpose of fundamentally defining the content of the public user relationship between the institution and the user who uses the IT infrastructure. Hence, they are of particular importance for the user relationship at a higher education institution. As a binding set of rules governing the user relationship, the regulations contain all rights, obligations and responsibilities of all parties and define, in particular, the legal basis for sanctions, such as the banning of users due to improper user behavior. For the purposes of legal classification as a legal or administrative norm, the naming of the regulations, e.g. "user regulations", "usage guidelines" or "IT regulations", bears no legal relevance.

User regulations which have been issued as official regulations constitute a binding legal framework, which the university can enact as an administrative corporation under public law on the basis of its legislative competence for self-governing tasks pursuant to the relevant higher education acts of the federal states. They are legally binding for all university members and associate members as well as other users who are authorized to use the IT infrastructure and IT services of the institution[2].

Consequently, TU Dresden's University Executive Board adopted the "Regulations for the information-technological equipment and services and for information security of TU Dresden" pursuant to §13 para. 5 of the Act on the Autonomy of Institutions of Higher Education in the Free State of Saxony, to be effective as of February 18, 2021.

The present handout aims at helping the operators of the IT infrastructure and IT services, its users and administrators to implement TU Dresden's IT Regulations. The respective paragraphs and sections are referenced using continuous margin numbers (mn. 1 to 22). The corresponding explanations are also referenced using margin numbers.

The following explanations pertain to queries by TU Dresden's members and associate members. Should there be any further need for explanations, the handout shall be expanded and updated. If necessary, please contact the Unit 3.5 Information Security (informationssicherheit@tu-dresden.de).

[1] Regulations for the information-technological equipment and services and for information security of TU Dresden (IT Regulations) as of February 18, 2021
[2] DFN (German Research Network) legal guide, I. User regulations
Contents (page / mn.)

Section 1: General rules
  § 1 Scope of application ........................................................ page 3 / mn. 1-3
  § 3 Definitions and contents of the regulations ................................ pages 3-5 / mn. 4-7
Section 2: Responsibilities, powers and liability
  § 6 Unit Information Security .................................................. page 5 / mn. 8
  § 7 Center for Information Services and High-Performance Computing ............. page 6 / mn. 9
  § 8 Decentralized IT organization .............................................. pages 6-7 / mn. 10
  § 9 Head of the Organizational Unit ............................................ page 7 / mn. 11
  § 10 Particular rights and obligations of administrators ....................... pages 7-10 / mn. 12
Section 3: Usage
  § 15 User administration ....................................................... pages 10-11 / mn. 13-14
Section 4: Special provisions for naming conventions, email and web applications
  § 16 Naming conventions ........................................................ pages 11-12 / mn. 15
  § 17 Special provisions for email .............................................. pages 12-13 / mn. 16-19
  § 18 Guidelines for websites ................................................... page 13 / mn. 20
Section 5: Information security and data protection
  § 19 Principles ................................................................ pages 13-14 / mn. 21
Section 6: Software and hardware
  § 22 Hardware and software procurement, use and software licensing ............. pages 14-16 / mn. 22

Handout for TU Dresden’s IT Regulations (as of March 2021) / Unit 3.5 Information Security 2
Section 1: General rules

Excerpt from the IT Regulations
§ 1 Scope of application
(2) IT infrastructure is understood to mean all information-technical equipment, IT systems (hardware and software) and IT communication networks as well as the services provided on them (incl. VoIP). (mn. 1)
(3) The present regulations may be substantiated by more extensive implementation regulations, provided that these do not violate the provisions of the present regulations. (mn. 2)
(5) The freedom of science, research and teachings remains unaffected by these regulations, especially when the subject matter is IT research. (mn. 3)

Explanation
mn. 1: "IT infrastructure" defines, within the meaning of these regulations, the entirety of the technical infrastructure (rooms, networks, servers, clients etc.) with all associated IT services and the installed software, regardless of the manner in which services are provided or hardware and software are operated. In the following text, the term IT infrastructure is used in this sense.
mn. 2: For doctoral students please refer e.g. to the "Regulations for the processing of personal data in the doctoral phase at TU Dresden". Further information is provided by the Graduate Academy.
mn. 3: The provisions of these regulations do not apply in particular if the object of research is information and data processing on the IT infrastructure provided specifically for this purpose.

Excerpt from the IT Regulations
§ 3 Definitions and contents of the regulations
(2) The closed user group is composed exclusively of members and associate members of TU Dresden as well as other natural persons (guests), who fulfil the prerequisites pursuant to § 14 para. 2 sentence 2. (mn. 4)
(4) Administrators, as defined in these regulations, are responsible for content and technology as well as having the authorization to control the IT infrastructure of TU Dresden. Only members or associate members of TU Dresden are authorized to work as administrators. Exceptions are defined by § 13. (mn. 5)
(8) DFN-PKI in the sense of these regulations is the Public Key Infrastructure of the German Research Network in which TU Dresden participates. The advanced electronic signature is provided. The certification guidelines of the DFN-PKI apply. The advanced signature of the DFN-PKI has to be used at TU Dresden unless the written form is mandated or contractually agreed by a legal regulation or a contract. (mn. 6)
(11) IT emergency means a prolonged failure of IT processes or IT resources with high or very high damage. (mn. 7)

Explanation
mn. 4: Operators of public internet services (e.g. ISPs such as Deutsche Telekom, Vodafone, 1und1 etc.) already have to fulfill extensive obligations to log connection data and to provide possibilities of monitoring data traffic for state security institutions. In addition, these providers have extensive reporting and authorization requirements with the Federal Network Agency (Bundesnetzagentur). Universities are largely excluded from this provision because it is assumed that they provide their services exclusively to a closed user group.

A closed user group is defined when the connected members pursue a common professional purpose. By contrast, the services in an open user group are available to any third party. At universities, the use of the IT infrastructure is made available exclusively to employees, scientific staff and students, but not to third parties, thus constituting a closed user group. Universities are also public institutions of the Länder (Federal States of Germany). Thus, articles 91 et seq. TKG (Telecommunications Act) apply.

Therefore, members and associate members of TU Dresden belong to the closed user group. Guests of TU Dresden can also be members of this closed user group if they have to use the TUD IT infrastructure for a limited time, e.g. guest scientists, employees of third-party funded partners, external administrators, etc. In this respect, these persons are not considered third parties.

In particular, due to further provisions of the TKG, considerable obligations and costs might arise for the universities should they lose the status of the closed user group. This must be avoided in all circumstances. Thus, the use by third parties, who are not part of the closed user group, is prohibited.
mn. 5: The responsibility of the administrators relates exclusively to the IT infrastructure to be operated.

mn. 6: Electronic signatures serve the purpose of providing trustworthiness and identification through the possibility of digitally authenticating persons. An advanced signature of the DFN-PKI allows all members and associate members of TU Dresden to digitally sign electronic documents and emails (digital signature). This electronic signature may be used for all procedures in which the written form, in other words, a personal signature, is not legally or statutorily determined.
Application, configuration and use of certificates

mn. 7: An emergency is a damaging event in which an institution's processes or resources do not function as intended. The availability of the relevant processes or resources cannot be restored within a required time. Business operations are severely impaired. Any SLAs (Service Level Agreements) that may exist cannot be met. High to very high damages occur, which have a significant and unacceptable impact on the fulfillment of TU Dresden's tasks. Emergencies can no longer be handled as part of general day-to-day operations, but require a separate emergency response organization. When exactly an event is deemed an emergency for TU Dresden or one of its organizational units must be assessed and defined on the basis of the respective business processes.

Section 2: Responsibilities, powers and liability

Excerpt from the IT Regulations
§ 6 Unit Information Security
(2) The Unit Information Security organizationally comprises at least TU Dresden's Data Protection Officer, TU Dresden's IT Security Officer, and TUD-CERT. (mn. 8)

Explanation
mn. 8: The Computer Emergency Response Team of TU Dresden (TUD-CERT) has the task and objective of optimally supporting all members of TU Dresden in the prevention and detection of cyber attacks and the handling of security incidents. This is realized in particular through preventive (warnings, training), reactive (incident management) and forensic (digital forensic investigations after incidents) measures.
Excerpt from the IT Regulations
§ 7 Center for Information Services and High-Performance Computing (ZIH)
(3) The setting up and operation of active network components in decentralized administration and responsibility shall be permitted only in consultation with the ZIH and in agreement with the CDIO. If VoIP equipment is operated in data distribution rooms, these rooms are assigned to the ZIH and are used exclusively for the purpose of operating the data communications network. Access to these data distribution rooms shall be determined by the ZIH at its due judgment and in particular pursuant to § 19 para. sentence 1. If TU Dresden infrastructure is not provided centrally, it can be operated under the responsibility of the Schools in agreement with the ZIH and the Unit Information Security as well as in agreement with the CDIO. (mn. 9)

Explanation
mn. 9: After the switch to Voice over IP (VoIP), no other uses are permitted in data distribution rooms. The ZIH provides advice on the migration of decentralized services to the centralized facilities and assists in the establishment of the service concept. For housing servers and IT components of TU structural units that are necessary for providing services and for which the ZIH does not offer an alternative central service, the housing area of the ZIH is available. The use requires prior arrangement with the ZIH.

Excerpt from the IT Regulations
§ 8 Decentralized IT organization
(2) The CDIOs of the Schools and of the Central Academic Units shall be nominated by the respective management of the structural unit to which they belong and shall be appointed by the CDIO. For issues relating to digitalization and information security, the management of the Schools involves the School's CDIO. Accordingly, the CDIOs of the Central Academic Units shall coordinate with their management. The management of the Schools and the Central Academic Units shall support the CDIOs of the Schools and the Central Academic Units in implementing the digitalization strategy and safeguarding the IT-based services. (mn. 10)
(5) The IT Advisor is authorized to give instructions to the IT service teams (which are composed of the IT administrators of the structural units), if any, for the implementation of the tasks of the CDIOs of the Schools and the Central Academic Units as mentioned in paragraph 1. (mn. 10)
Explanation
mn. 10: Within the framework of the global budget available to the Schools, the Schools' CDIOs are involved in decisions on IT procurement measures exceeding 25 000 EUR. The Schools' CDIOs shall be involved in the relevant committees and processes of the School, in particular in the School Council. The users as defined in these regulations are obliged to support the CDIOs of the Schools and the Central Academic Units as well as their representatives in fulfilling their tasks and to observe their instructions and stipulations.

The IT Advisors are directly supervising the IT Administrators of a School/Central Academic Unit/Central University Administration; for these persons in the direct subordinate relationship, the authority to give instructions applies to the extent of that of a supervisor/managerial staff (Führungskraft). In addition, the IT Advisors have the authority to issue technical instructions to the IT administrators who are organizationally linked to the faculties, Chairs or institutes. Thus, all IT administrators of a School constitute the IT Service Team.

Excerpt from the IT Regulations
§ 9 Head of the Organizational Unit
(1) The Heads of the Organizational Units are responsible for compliance with the provisions of these regulations within their area of responsibility. (mn. 11)

Explanation
mn. 11: For the effective implementation of the IT system at all levels of TU Dresden, it is indispensable that the heads of the organizational units pay particular attention to the compliance with the IT Regulations within their area of responsibility, in order to primarily safeguard the university's ability to function, to ensure the careful handling of work equipment, and to prevent damage to TU Dresden (obligation to safeguard the interests of TU Dresden).

Excerpt from the IT Regulations
§ 10 Particular rights and obligations of administrators
(1) The administration of the IT infrastructure according to § 1 para. 1 must be managed cooperatively, appropriately and be tied to a specific purpose. The provisions of data and telecommunication secrecy as well as the principles of data avoidance and data minimization must particularly be observed. (mn. 12)
(2) Administrators are obliged to stay informed regarding security issues and follow advice on removing security vulnerabilities. (mn. 12)
(3) Administrators are responsible for the organization and implementation of data protection and data backup measures. (mn. 12)
(4) In case of a decentralized user administration pursuant to § 15 para. 5, the administrator manages the granted user authorizations and user master data within their area of responsibility. (mn. 12)
(5) Administrators are also entitled to use automated methods to document and evaluate the use of the data processing systems and software by individual users, but only to the extent that this is
  1. to ensure proper system operation,
  2. for resource planning and system administration,
  3. to protect the personal data of other users,
  4. for billing purposes,
  5. for the timely detection and elimination of system vulnerabilities and malfunctions, or for troubleshooting or,
  6. necessary for the purpose of clarifying and preventing unlawful or abusive use. (mn. 12)
(6) If it is necessary for the purposes of troubleshooting, system administration and development, or for reasons of system security, protection of user or other data, as well as for investigation and prevention of abuses, the administrators may temporarily restrict the use of resources or temporarily block individual user identifiers. The affected users shall be informed immediately of the measures taken, if this is feasible with reasonable effort. Informing the user can be omitted, in particular, for the investigation and prevention of abuses. Actual and documented evidence must be presented in order to prove abuse. (mn. 12)
(7) The relevant legal and statutory provisions apply to the logging, inspection and transmission of personal user data. (mn. 12)
(8) Insofar as this is necessary for troubleshooting, system administration and development, or for reasons of system security, for protection of the user's own or other data, as well as for clarification and prevention of abuses, administrators may, providing there are no contradicting legal reasons and in consultation with the data protection officer, have access to user data. If possible, the prior consent of the affected users is to be obtained. In any case, the affected users must be informed without delay of the measures taken. The information of users may be omitted in order to clarify and prevent abuses or as far as necessary for the prosecution of criminal offenses. There must be actual and documented evidence for misuse or offence. (mn. 12)
(9) Administrators are obligated to transparently document all measures, in particular those pursuant to § 10 para. 5, 6 and 8. (mn. 12)
Explanation
mn. 12: In the model describing job roles at TU Dresden, various IT roles are described, with different roles being defined for administrators/supervisors/contacts:
- IT contact person
- Workplace advisor
- Pool administrator
- Pool dispatcher
- Pool supervisor
- Server administrator
- Network contact person
- Domain administrator

Duties of the above mentioned job roles are in particular:

IT contact person:
- General point of contact for IT related topics (e.g. inquiries regarding hardware needs)
- Multiplier for relevant information from the CDIO strategy council and the IT coordinating team
- First, local point of contact for security incidents (e.g. disconnection of a PC from the network)

Workplace advisor:
- Implementation of guidelines for IT-related topics
- Provision and support of IT technology for end users
- Initial installation of PCs
- Installation of software
- Implementation of software updates
- Connection of peripheral terminals

Pool administrator:
- Implementation of guidelines for IT-related topics
- Development and implementation of a computer-aided pool concept geared towards subject-specific requirements
- Installation, maintenance and ensuring the availability of workstations, servers, network components and peripheral terminals
- Planning and implementation of specific mechanisms for flexible software distribution, management of software updates, data protection and data security, and support for lecturers and students
- Development of an organizational model for pool operation
- Instruction of pool dispatchers and pool supervisors

Pool dispatcher:
- Organization of pool operation
  o Office hours
  o User regulations
  o Concept regarding opening and locking of the PC pool
  o Administration of access control
- Organization of pool advisory service
  o Student assistant/research assistant (German = SHK/WHK) contracts
  o Training

Pool supervisor:
- Subject-specific and technical support of lecturers and students
- Organizational tasks and ensuring regulated pool operation
- First point of contact for pool users

Server administrator:
- Implementation of guidelines for IT-related topics
- Selection, procurement of server components or selection of a suitable virtual environment
- First installation
- Installation of software
- Implementation of software updates
- Configuration of services
- Operation of servers
- Monitoring of servers
- Documentation of the server landscape

Network contact person:
- Local IP address management, if delegated
- Coordination with other contact persons and network technicians
- Patching and connection of terminals
- First contact for network problems
- Dyport administration, if not administered by a superordinate entity
- VoIP coordination with the central VoIP administrator

Domain administrator:
- Implementation of guidelines for IT-related topics
- Administration of authorizations in the assigned organizational units
- Allocation of group policies
- Software distribution from repository
- Administration of group rights and memberships

Further information on job roles at TU Dresden is provided by Directorate 6.
Guidelines for administrators (contact: Dr. Lohse)
Legal references of the DFN Association for IT administrators
Section 3: Usage

Excerpt from the IT Regulations
§ 15 User administration
(4) Users are obliged to work exclusively with those user IDs whose usage has been authorized under the approval. Users must ensure that unauthorized persons do not get access to the user account. This includes careful selection of a password that cannot easily be guessed, according to the password policy of the ZIH. Sharing of the password is not permitted. Users are not allowed to identify and use IDs of other users. (mn. 13)
(5) A decentralized user administration is permitted, if the central user administration, pursuant to § 15 para. 1, does not have the necessary functionalities for the fulfillment of the tasks of the organizational units. Regarding information security, the same requirements apply to decentralized user administrations and the central user administration of the ZIH. The concept is to be submitted for approval to the Unit Information Security and the CDIO in advance. (mn. 14)

Explanation
mn. 13: One particularity are the so-called functional logins, e.g. directorateX@tu-dresden.de. The responsible persons for the functional login (the persons who applied for the functional login) must ensure that only authorized members (e.g. several offices) have access to this login. In this case, the ZIH login and password can be shared with the authorized members. The TU Dresden Service Desk provides further, detailed information on this subject.

mn. 14: In particular, an operations and security concept together with a vote by the Unit 3.5 Information Security has to be presented. The user management guarantees the restriction of usage to the "closed user group", for which the TU Dresden DFN association has provided an internet access. An anonymized access by random users to TUD resources and to the internet is to be excluded.

Section 4: Special provisions for naming conventions, email and web applications
Excerpt from the IT Regulations
§ 16 Naming conventions
(2) For all domains pursuant to § 16, the name service (DNS) shall be implemented by the ZIH. (mn. 15)

Explanation
mn. 15: The ZIH is exclusively responsible for the provision of domains. It obtains the domains via the external domain service providers (DFN and INWX). The application for a new domain is controlled via the web support websupport@tu-dresden.de in order to have any deviations from the naming convention clarified with a respective draft resolution and to clarify any further requirements, if necessary. Following the consultation there, the complete service is provided by the ZIH up to the point of provision. Subdomains and hostnames under tu-dresden.de can be applied for via the Service Desk (servicedesk@tu-dresden.de) at the ZIH. Further information is available in the ZIH service catalog under DNS.

Excerpt from the IT Regulations
§ 17 Special provisions for email
(7) Each incoming email is checked for SPAM by default before its further processing. Users can configure the recognition themselves and specify whether the emails recognized as SPAM should be rejected or delivered with a SPAM rating. (mn. 16)
(8) Outgoing emails sent by academic and non-academic staff (from the domain @tu-dresden.de) must be signed with an electronic signature in accordance with § 3 para. 8, and must always be encrypted. It is not allowed to send out sensitive personal data and any other data requiring a high level of data protection in unencrypted form. (mn. 17)
(9) Automated forwarding of incoming emails, for official purposes, to mailboxes outside the infrastructure of TU Dresden is not permitted. It is also not allowed to request setting up the automated forwarding of emails. (mn. 18)
(10) For scientific purposes, forwarding of emails after the user has left is permitted upon request. The ZIH provides a dedicated service (forwarding portal) for this purpose. Automated forwarding for other purposes or using other communications equipment or services is not permitted. (mn. 19)

Explanation
mn. 16: Each incoming email is checked for SPAM by the ZIH using up-to-date tools and is assessed according to different criteria. Through the settings in their email client, users have the possibility of deciding how to proceed with the categorized messages. Advice on these settings is available here.

mn. 17: Outgoing emails are always ("as a general rule") to be encrypted, if technically possible. This is the intended definition of the term "as a general rule" (German: "grundsätzlich"). Further information (esp. the usage of the OWA Web App) is available on the ZIH Exchange website. Should the recipient not be a TUD member or associate member and not be in possession of an encryption certificate (e.g. industry partners, applicants), the SecureMail service is available for encrypted communication. Further information on SecureMail is available here: https://tu-dresden.de/securemail

mn. 18: Automated forwarding of work emails can result in sensitive information and data leaving TU Dresden's sphere of influence and being processed by third parties who are not subject to TU Dresden's control. Furthermore, it is to be assumed that the sender normally is unaware of the fact that their email, which has been sent to a TU Dresden recipient, is being forwarded to an external service provider. Detailed information is available here.

mn. 19: More detailed information on the forwarding portal is available here.

Excerpt from the IT Regulations
§ 18 Guidelines for websites
(1) TU Dresden's structural units are requested to present themselves via TU Dresden's central websites. For cooperation projects with external partners and for special functional requirements, exceptions are permitted, provided that the respective specifications of TU Dresden regarding corporate design as well as applicable legal regulations (especially regarding imprint, data protection and accessibility) are observed. The Unit Web and Video provides advice and support on these requirements, in case of data protection issues in cooperation with the Unit Information Security. The final decision on permissible exceptions is made by the CDIO, based on a draft decision submitted by the Unit Web and Video. (mn. 20)
Explanation
mn. 20: Any requests for exceptions must be directed to the web support websupport@tu-dresden.de. It is advisable to include a short explanation or first information on the project (e.g. on the partners and the role of TU Dresden). Based on the subsequent consultation and clarification of all required aspects of the website, a recommendation will be made for decision by the CDIO. The requested exception can only be implemented following written approval by the CDIO. A final review of the website may be conducted after the website has gone live to verify that accessibility and other requirements have been implemented.

Section 5: Information security and data protection

Excerpt from the IT Regulations
§ 19 Principles
(1) The effort required for the state-of-the-art protection of personal data or other particularly protection-worthy data must be in a reasonable relation to the intended purpose of the protection. The relevant legal and statutory provisions apply to the processing of personal data. For the proof of the concerned protection measures according to sentence 1, in particular the standards of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) are binding in their currently valid version. (mn. 21)

Explanation
mn. 21: Appropriate, i.e. proportionate protection measures corresponding to the state of the art are to be taken. The protection measures to be taken are primarily dependent on the protection needs of the data to be processed. These are described in the Guidelines for Information Security in the notification by the Vice-Rector for University Development 5/2017. Further, detailed information is provided by the Unit 3.5 Information Security.
Section 6: Software and hardware

Excerpt from the IT Regulations
§ 22 Hardware and software procurement, management, use and software licensing
(1) The procurement of hardware and software is governed by TU Dresden's Procurement Guidelines (this does not apply to the Carl Gustav Carus Faculty of Medicine). (mn. 22)
(2) All software products to be procured for official use at TU Dresden need to be requested in consultation with the Directorate Planning and Organization via the ZIH. Autonomous acquisition of small software (apps) is permitted if it has been checked before purchasing that the software is not already a subject of existing campus contracts and sufficient funds are available. Members, staff members and guests of TU Dresden with their own cost center are entitled to procure software, as far as this fits the manufacturer's contract conditions. (mn. 22)
(3) The strategic and technical responsibility of campus contracts and framework agreements is always with the CDIO, the Directorate Planning and Organization, and the ZIH. (mn. 22)
(13) When using software, documentation and other data, the legal requirements, in particular those relating to copyright protection and accessibility, must be complied with and the license conditions under which software, documentation and data are made available must be observed. (mn. 22)

Explanation
mn. 22: Software procurement is governed by the TUD Procurement Guidelines. Prior to procurement, the ZIH needs to be consulted in terms of software needs and, when it comes to software intended for use in the administration, Directorate 6 must be consulted. Both organizational entities provide consultation regarding already available software as well as regarding the selection of new products. In particular, in the administrative use, an assessment needs to be conducted to verify if existing IT systems already cover the new demands for software. This pertains to existing licenses as well as to usable functionalities (e.g. new SAP functions).

For the procurement of new software requiring a tender, an extensive tender documentation pursuant to EVB-IT is required (EVB-IT = "Supplementary terms of contract for the procurement of IT services"). Unit 1.2 and Directorate 6 offer consultations on the compilation of the required documents.

Further information:
- ZIH Software Procurement
- Directorate 6
- Unit 1.2 Central Purchases and Asset Accounting

When using officially provided software for private purposes, it must be ensured that the respective license conditions allow for this. For example, the Sophos software (virus protection) provided by the university can also be used privately. Further information is available on the Sophos website of the ZIH.

For open source software, there are usually no procurement steps because it can be used free of charge. If support contracts are required for open source software, the above-mentioned procurement guidelines apply accordingly.

In addition to the right to use the software free of charge, some open source licenses also include obligations that must be complied with. This holds true in particular for the obligation to publish the sources in the GPL licenses (GNU Public License, different versions exist) as soon as the software is published or distributed in any form.