Terms of use for Sophos Central

Sophos Central is a cloud-based anti-virus solution from Sophos, which RWTH offers to staff and students in varying degrees. Use is made possible by an NRW state license.

The services offered are provided on servers located in cloud data centers of Sophos and not in the data center of RWTH Aachen University. Therefore, RWTH Aachen University does not have physical access to the hardware, but only provides access to the software via a central instance.

RWTH administrators - deployment of Sophos Central for one institution

In some RWTH institutions, Sophos is used as the central anti-virus software on workstations and servers. If you as an administrator want to use this solution in your institution, the following obligations and general conditions apply. These result directly from the license conditions of Sophos as well as measures for compliance with data protection and data security:

  • Authorization to use the software and services exists only during the licensed period. All software must be deleted and services may no longer be used if RWTH Aachen University or NRW terminates the contract or does not sign a follow-up contract before the end of the licensed period, whichever occurs first. The current end of contract is 30.09.2024.
  • The initial setup of a Sophos Central instance is performed centrally by the IT Center. You are responsible for configuring and managing the deployed instance. Please note that the IT Center's default setting for automatic malware sample submission (Global settings -> Malware sample submission) must not be changed.
  • The Web Control policy is centrally specified and the component is thus disabled by default. If you have a specific need and have carried out a thorough check, you can overwrite this setting with your own policy. In this case, however, the "Log events" setting must be switched off.
  • During provisioning, you / the institution must inform users about the transfer of data to Sophos Central.
  • Inactive accounts and accounts that are no longer needed must be deleted immediately.

RWTH employees - use in the context of working at an RWTH institution

If your organization uses Sophos Central, the following obligations and conditions apply to you. These result directly from data protection and data security compliance measures:

It is possible to submit individual suspicious files to Sophos Central for examination ("samples"). Please note that the submission of highly confidential data as a sample is not permitted due to the very high level of protection required. These include in particular:

  • Data containing information that, if disclosed or lost, could result in harm or liability to the University, and personal data for which compliance with privacy regulations or information disclosure requirements cannot be assured. Examples include:
    • Personal data (attendance lists or lists of participants in an event), in particular data on racial or ethnic origin, political opinions or religious or ideological beliefs
    • Travel or payroll data (financial data, social data, data related to the personnel file)
    • Research data that is not already intended for public use
    • Technical data (construction plans of sensitive rooms; network plans)
    • Protected data (sick notes, draft certificates, contracts)
    • Examination (expert opinions and corrections)
  • Data containing information for which unauthorized inspection must be prevented. This includes, in particular, information that must be kept secret due to contractual obligations or information that is subject to the duty of confidentiality.

Employees and students of RWTH - private use

It is generally possible to use a free version of Sophos Home Premium privately as part of the license agreement. The instructions for this can be found here: Registering Sophos Home

The following obligations and general conditions apply to use. These result directly from the license conditions of Sophos as well as measures for compliance with data protection and data security:

  • Use is only permitted for active employees and students. Use after leaving RWTH is not permitted.
  • Authorization to use the software and services exists only during the licensed period. All software must be deleted and services may no longer be used if RWTH Aachen University or NRW terminates the contract or does not sign a follow-up contract before the end of the licensed period, whichever occurs first. The current end of contract is 30.09.2024.
  • Business use of Sophos Home Premium is not permitted.
  • Deployment, operation and support are provided exclusively by the special department for Sophos.
  • The Sophos Home Premium license terms and privacy policy of the manufacturer apply.

Transfer of data to Sophos

In order to use the functionality of Sophos Central, data is transferred to Sophos for analysis. This is done either automatically by the software or, for example, when a file to be checked ("sample") is transmitted manually. The specific data is listed in the following table:

| Type of transferred data | Automatically | Manually (e.g. in support cases) |
|---|---|---|
| User names | + | + |
| First and last name | +4) | + |
| Computer names | + | + |
| distinguishedName | +4) | |
| Customer ID | + | + |
| Machine ID | + | + |
| Process names | +3) | + |
| Used application | +3) | + |
| Installed browser add-ins | +3) | + |
| Filenames, checksums, paths | +3) | |
| File contents | +1) | + |
| System logs | + | + |
| Called URLs | +5) | |
| Email data | +2) | |
| IP addresses and ports | +3) | + |
| MAC address | +3) | + |
| IDs of the connected devices | +6) | |

  1. Automatic transmission of samples, switched on by default, has been switched off centrally, but the administrator can technically switch it on again.
  2. Email data may accrue as part of file content samples.
  3. The data is usually collected temporarily as part of the live protection and only stored permanently in the form of a log entry when an incident is detected or when a rule actively applies (e.g. when an element that would otherwise be classified as unwanted is explicitly allowed: "PSexec.exe allowed").
  4. This data is only transferred if the administrator has set up automatic synchronization of the objects with the institute's local user administration; in the default case, only the user name is collected.
  5. The Sophos Web Control feature that collects this data is disabled by default, but can be re-enabled by an administrator. Logging of blocked URLs must be turned off according to the terms of use for administrators described above.
  6. Logging must be actively turned on and is required if there is to be a restriction on the peripherals that may be connected to a device (e.g. registered USB sticks only).

Who has access to the data?

The collected data can be viewed by a facility administrator for devices and users at their facility in the form of log entries, a dashboard showing active "alerts" (critical events requiring attention), and specific reports based on the log. These include, in particular, reports on

  • virus detections and their technical context (file and registry accesses registered in connection with the critical process, network connections)
  • detections of allowed/blocked applications
  • connected devices
  • summaries of user/device specific events.

IT Center administrators, who are responsible for setting up Sophos Central instances and managing licenses, also technically have access to the instances of the facilities and thus to the data they contain.

How long is the data being stored?

Log data is retained for 90 days. Data about objects that are necessary for operation (e.g. user names, device names) are permanently deleted after 90 days, once they have been deleted by the setup administrator in Sophos Central.

Where else is the data processed?

The following table is an excerpt from the list of Sophos sub-processors and represents only the content relevant for use at RWTH. A complete list can be found here: https://www.sophos.com/en-us/legal/sub-processor

| Sub-processor | Location of processing | Purpose | Relevancy |
|---|---|---|---|
| Amazon Web Services* | USA, UK, Ireland, Germany | Data center services | All Sophos products |
| Logz.io | EU | Storage of log files | Sophos Central and various products administered via Sophos Central |
| GlobalLogic | UK | Technical support helpdesk | All Sophos products |
| ReversingLabs | Croatia | Threat detection and analysis services | Manually submitted samples |
| OneTrust | USA | Data subject rights request processing | All customers and marketing contacts |

* Here, the location can be determined when creating a tenant. We have set this to "Germany".

last changed on 05/12/2023

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License