Cyber Security Policy

Section 1 - Purpose and Context
(1) The purpose of this policy is to identify and outline the steps that are taken to ensure that malicious intrusion (including those associated with foreign interference) or accidental compromise of the security of Western Sydney University (the University) Information Technology (IT) Digital Services is prevented, reduced and managed.
(2) This policy applies to the University and any entity or person associated with the University authorised for the use of Digital Services, including internet and email.
(3) Within Cyber Security Assurance and Operations, led by the Chief Information and Security Officer, different sections are given responsibility for the controls necessary for the University's Cyber Security. For the purpose of expediency of language within this policy, CISO is used as a cover-all term for the department and the appropriate sections within it.
(4) This policy is to be read in conjunction with the following University policies and guides:

Section 2 - Definitions
Terms and Acronyms
(5) The following definitions apply for the purposes of this policy:

Section 3 - Policy Statement
(6) The University is committed to ensuring information security by preventing unauthorised access to, and modification or impairment of, its Digital Services and the information stored within them, through a combination of preventative measures, Cyber Security Incident Management, and the participation of all Authorised Users in ensuring that security measures are not undermined. [Ref. Cybercrime Act 2001, section 476.2]
(7) The University recognises foreign interference as a specific subset of cyber threat which is guarded against by instilling a positive security culture, embedding security awareness and decision-making practices into all aspects of the University, as well as implementing preventative measures and risk mitigation practices.
(8) The University acknowledges that a strong security culture requires all Authorised Users to be trained in and be aware of their Cyber Security responsibilities.
(9) The University aims to maintain an appropriate level of Cyber Security to ensure the confidentiality, integrity, and availability of all Digital Services.

Preventative Measures
(10) Preventative measures are in place to provide security controls around the University's Digital Services. These include the following:

Section 4 - Procedures
Responsibility of All Users
(11) Cyber Security Events or breaches of security controls must be reported to the IT Services Desk immediately, even if only suspected. [Ref. ISO 27002 section 7.2.2; ISM Control 0252]
(12) Any and all remote desktop software presents a significant threat to the security of the University's Digital Services. As such, the CISO (or nominee) must first authorise and approve any software solution that provides remote access, in order to ensure the confidentiality, integrity and availability of University Digital Services (see the Digital Information Security Policy for more details). [Ref. ISO 27002 section 6.2.2; ISM Control 1272]
(13) When using or accessing University Digital Services from off-site, using a University or personal device, be aware of the inherent risks to the privacy of confidential and sensitive information kept in those services. All remote access provisions are expected to be used for University business only, and certain controls will need to be in force at all times:

Responsibilities of the University
(14) Through the Digital Security Steering Committee (DSSC), as established in the Digital Information Security Policy, defining and supporting a strong security culture.
(15) Through the Audit and Risk Committee (ARC), ensuring the University has effective cyber security and foreign interference controls in place to protect the University.
(16) Through the Office of Marketing and Communication, the review of digital material which can pose a risk to the University is performed as detailed in the Media, Social Media and Public Commentary Policy.
(17) Providing appropriate training and awareness campaigns created to educate Authorised Users around Cyber Security Events and issues, as well as foreign interference awareness, in order to improve the effectiveness of the reporting and response processes. [Ref. ISO 27002 section 16.1.3; ISM Controls 0252]
(18) Authorising the appropriate section(s) within CISO to perform specific procedures for ensuring the University's Cyber Security, including those identified within this policy.

Responsibilities of the CISO
(19) All Cyber Security Events reported to CISO are evaluated to determine if a response is required. If a response is required, the Event becomes a Cyber Security Incident and will be managed by the appropriate response team in accordance with the steps outlined in the Cyber Security Incident Management Process (KB0014354, available to CISO Staff Only). This will ensure a consistent and effective approach to the management of Cyber Security Incidents, including communications, and that the collection and analysis of evidence from the Cyber Security Incident occurs without compromising the integrity of the investigation or the Digital Service/s. [Ref. ISO 27002 section 16.1, 16.1.2, 16.1.3; ISM Control 0043 & 0125]
(20) Logs are reviewed to identify and manage Cyber Security Incidents and/or breaches in the security of Digital Services, as well as to create and manage records and documents associated with Cyber Security Incidents for further analysis. In the event of a breach in the University's Information Security, CISO will utilise the CISO Data Breach Incident Report Process (KB0014961, available to CISO Staff Only) to triage the event and notify appropriate parties within the University if personal data is involved, as defined in the Privacy Policy and Privacy Management Plan. [Ref. ISO 27002 16.1.5, 16.1.6; ISM Controls 0120 & 0133]
(21) Controls and other preventative measures are put in place to avoid Cyber Security Incidents, either as a result of experience from previous Cyber Security Incidents or as a countermeasure or deterrent to likely Cyber Security Incidents. These measures are documented and regularly reviewed to ensure their validity and reliability. [Ref. ISO 27002 section 16.1.6]
(22) Ensures the sharing of cyber intelligence with other Australian and New Zealand Universities and the Government to help build a common picture of interference threats across the sector and to share countermeasures, to the extent that it does not compromise the University's security posture.
(23) Nominated members of ITDS and CISO actively participate in higher education sector and government cyber security exercises, as appropriate.
(24) In the event that a Cyber Security Incident is identified as originating from a state-based foreign actor, escalation within and external to the University is considered appropriate in the interests of national security.
(25) The University maintains a MOE to provide a consistent and secure IT environment across University Digital Services. This also allows the University to maintain better control over any technical vulnerabilities that are known, or that arise, impacting that environment. All computers procured by the University following its typical procurement process will have an appropriate MOE in place by default, if possible. It is recommended that all University Digital Services are part of a MOE wherever possible.

Section 5 - Guidelines
(26) This Policy should be read in conjunction with the following:
(27) This policy makes reference to the International Standard for Information Security, AS/NZS ISO/IEC 27002, which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.