Contacts and organisation

The following information describes the organisation and structures in the field of IT security at ETH. Roles and responsibilities are also described.

Contact

The IT Services Service Desk is the first point of contact for all inquiries and reports regarding to security incidents. Outside office hours, the ETH Zurich Emergency Desk is available in case of emergencies.

Responsible security contacts

The CISO is responsible for coordinating information security across the university, providing advice to information owners and Information Security Officers (ISOs) and reporting to the Risk Management Commission on a regular basis regarding his/her activities.

Enforcement of Compliance with legal requirements relating to information security and preserving the availability, confidentiality and integrity of information, processes, applications and IT components.

The heads of administrative departments, heads of staff units, heads of academic departments and heads of teaching and research facilities outside the academic departments shall each appoint an Information Security Officer (ISO) for their particular areas of responsibility.

Unless otherwise specified, the IT Support Lead (ISL) within the academic departments shall discharge the function of ISO.

ISO responsibilities include keeping inventory of information requiring a high level of protection, first point of contact for advice, reporting and participating in ISO working groups.

Committees

The Risk Management Commission (RMC) group of experts for information security is a working group of risk management specialists.

The working group shall assist the CISO in the development of information security and operate, alongside the ISOs and ITSO ITS, as an expert review body.

The committees consisting of the “departmental ISOs” and the “ISOs of the central administrative units and teaching and research facilities outside the academic departments” are responsible for coordinating cross-cutting projects, sharing information and conducting technical reviews.

The implementation of IT and information security cannot be delegated to a single security officer as a subject area.

Security must be an integral part of all phases of the lifecycles of (IT) services and be implemented as a permanent task of the groups concerned with service provision.

Accordingly, the security organisation in the ID was not set up as an additional unit to the previous sections and groups, but was implemented as a matrix organisation with an integral approach: Employees with security function units in their respective specialist groups ensure that security aspects are clearly perceived as part of the daily work of all teams.

JavaScript has been disabled in your browser