Digital Information Security Policy

Section 1 - Purpose and Context

(1) Managing and protecting the confidentiality, integrity and availability of the University's research and information Digital Services is vital for delivering University services, protecting the University's business and reputation, and allowing the University to meet its legal and ethical responsibilities.

(2) This policy provides the principles and procedures for protecting digital information and Digital Services, and establishes the Digital Security Steering Committee (DSSC), which provides strategic direction, enables risk management, prioritises resource utilisation, measures performance, and defines the security culture that supports Digital Information Security Management at Western Sydney University.

(3) This policy applies to all Authorised Users of digital information and Digital Services which are on University premises, belong to the University, or are services or sites that are hosted for the University.

(4) The policy is to be used as the basis for developing any new information security related policies, procedures and standards.

(5) The policy is to be read in conjunction with the following University documents:

  1. Acceptable Use of Digital Services Policy;
  2. Email and Internet Policy;
  3. Cyber Security Policy;
  4. Digital Services Implementation Policy;
  5. Research Higher Degree Scholarship Policy;
  6. Disability Policy;
  7. Asset Management Policy;
  8. Intellectual Property Policy;
  9. Workplace Surveillance Policy;
  10. Student Code of Conduct;
  11. Password Protection Guide;
  12. ITDS Staff Code of Ethics;
  13. Change Management Process (KB0010688, requires ITDS Staff Login); and
  14. Exemption Process (KB0013593, requires ITDS Staff Login).

(6) This policy should be read in conjunction with the following:

  1. The Australian Signals Directorate’s Information Security Manual
  2. The Australian Cyber Security Centre (ACSC) Essential 8
  3. The Cybercrime Act 2001 (Cth)
  4. The Higher Education Standards Framework (Threshold Standards) 2015

(7) This policy makes reference to the International Standard for Information Security, AS/NZS ISO/IEC 27002, which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.

Section 2 - Definitions

(8) Words and Terms used in this policy are defined in Section 6 — Terms and Acronyms.

Section 3 - Policy Statement

(9) The University is committed to ensuring that access to and use of the University's digital information and Digital Services are efficient, lawful, valid and ethical, and subject to appropriate security controls.

(10) The University aims to maintain a state of digital security where the risk of loss or damage to digital information and services is managed to an acceptable level.

(11) The University acknowledges that good security requires all Authorised Users to be trained in and be aware of their digital information security responsibilities.

Section 4 - Procedures

Part A - Responsibilities

(12) All Authorised Users must ensure that their use of University digital information:

  1. is for official business purposes only, and
  2. complies with University policies and procedures (see the Acceptable Use of Digital Services Policy, the Email and Internet Policy, and the Cyber Security Policy for more details).

(13) All Authorised Users must take the following steps to reduce the risk of unauthorised access to digital information [Ref. Cybercrime Act schedule 1]:

  1. Use strong passwords (see Part I below);
  2. Never reveal or share passwords with others under any circumstances;
  3. Never ask for or use another user's password;
  4. Ensure that sensitive information cannot be observed from their workstation's screen;
  5. Log out or lock their workstation before leaving it unattended;
  6. Immediately change their password if there is any concern that their account has been compromised;
  7. Use University-approved methods to access University digital information when off campus (see the Digital Services Implementation Policy for more details);
  8. Take appropriate care when storing confidential or sensitive material on removable media or privately owned devices; and
  9. Ensure any third parties who are to handle University digital information are required to take appropriate security measures.

(14) Authorised Users are to immediately report security incidents to their supervisor, and the Information Technology Service Desk (IT Service Desk).

(15) Supervisors must immediately ensure that incidents referred to them are reported to the IT Service Desk.

(16) Authorised Users must not publicise security incidents, as publicity increases risks to the University.

(17) In accordance with the Cyber Security Incident Management Process (refer KB0014354 – requires staff login), only defined staff are to lead security incident investigations and evidence collection.

(18) All Authorised Users are required to understand their responsibilities regarding information security, including an awareness of those parts of the Information Security Management System (ISMS) relevant to their duties.

(19) The Vice-Chancellor and President is responsible for:

  1. ensuring this policy and associated policies, procedures, standards and guidelines are publicised to all Authorised Users; and
  2. establishing the DSSC.

(20) The Chief Information and Digital Officer, or their nominated representative, is responsible for:

  1. applying this policy and the ISMS;
  2. managing information security incidents in accordance with the ISMS;
  3. making recommendations to the DSSC; and
  4. ensuring that third party access to University Digital Services is approved by the system business application owner and conforms with the ISMS.

Part B - Information Security Awareness

(21) ITDS will publish IT Security Advisories to raise awareness of security issues.

(22) The University will provide access to training and advice to Authorised Users to raise awareness of their digital information security responsibilities. See the Cyber Security Policy and University Cyber Security website for more details. [Ref. ISO 27002 section 7.2.2; ISM Control 0252].

Part C - Configuration Management

(23) ITDS will maintain a Configuration Management Data Base of all University Digital Services assets, including business ownership and support details. While hardware components may be listed as part of a service provided, the physical hardware has a separate Asset Management Policy that must be followed from a purchasing and financial perspective. [Ref. ISM Controls 0289, 0291].

(24) The CIDO, or their nominated representative, will ensure that University digital information has a defined data classification that includes a consistent assessment of legal and regulatory requirements, business sensitivity, criticality and proprietary information. [Ref. ISO 27002 section 8.2.1; ISM Control 0293].

Part D - Business Continuity Management

(25) Business application owners of University Digital Services are to ensure that the development and testing of Business Continuity Plans include how their area(s) of responsibility will continue to function in the case of service interruptions or failure of Digital Services or other critical technology. [Ref. ISO 27002 section 17.1; ISM Control 0118, 0193].

Part E - User Awareness and Responsibilities

(26) Managers and supervisors, in conjunction with the business application owner, Privacy Officer, and the Chief Information and Digital Officer, shall ensure that all Authorised Users accessing Digital Services are made aware of their responsibility regarding data privacy and security.

(27) The ITDS Staff Code of Ethics is provided to assist ITDS staff in managing their responsibilities for safe use and provision of IT digital services.

Part F - Access Control

(28) The business application owner and/or service delivery manager, in consultation with the CIDO (or nominee), is responsible for ensuring that:

  1. physical access to digital information and information processing facilities is restricted.
  2. information processing facilities are secured against damage.

(29) To prevent unauthorised logical access to data and services, ITDS will:

  1. segregate systems containing sensitive or critical information to secure hardware and networks or otherwise configure them to meet security and legislative requirements;
  2. restrict access at network and application levels;
  3. restrict access to source code to only those with a valid requirement;
  4. generally ensure all access to University Digital Services is based on the principle of least privilege (the minimum level of access that can be provided whilst still allowing the Authorised User to perform their role and/or studies); and
  5. remove access when it is no longer required or authorised [Ref. ISO 27002 sections 9.1.2, 13.1.2, 13.1.3; ISM Control 0413; ACSC Essential 8].

Part G - Maintenance and Review

(30) The University will review ITDS Digital Services as follows:

  1. ITDS will:
    1. adopt change management processes, as described in the ITDS Change Management Process Document (accessible through the ServiceNow Knowledge Base, article 0010688), for all identified Digital Services; [Ref ISM Control 1121];
    2. regularly review Digital Service capacity, to ensure continued adequate capacity;
    3. maintain backups and test the restoration of backups at least twice yearly;
    4. log and audit use of and changes to ITDS Digital Services; and
    5. retain logs for routine reviewing and maintenance purposes [Ref ISO 27002 section 12.4].
  2. Digital Services administrators and ITDS staff are to maintain reviewable activity logs.

Part H - Compliance

(31) The University will ensure:

  1. breaches of legal, civil, regulatory or contractual obligations are avoided, wherever possible.
  2. policy, statutory, regulatory and contractual requirements are explicitly defined and documented for each Digital Service in use. [Ref ISO 27002 section 18.1.1].
  3. audits of operational Digital Services actively minimise the risk of disruption, are conducted in accordance with the University's Audit Plan, and are non-intrusive, unless otherwise approved by the business application owner.
  4. Digital Services audit tools are used only with permission of the CIDO.

(32) Policy breaches may result in disciplinary action being taken in accordance with relevant misconduct policies or staff agreements.

(33) Any deviation from ITDS policies and processes must involve an Approved Exemption Process to address the technical reasons and/or legitimate business requirements, and the related potential risks to ITDS or the University as a whole. An exemption request must be completed by the relevant Service Delivery Manager (or delegate). See the Exemption Process (ServiceNow Knowledge Base KB0013593, requires staff login) for more details. [Ref. ISO 27002 section 5.1.1].

Part I - Authorised User Credentials

(34) The University uses password(s) as the primary protection for its User accounts, including Privileged Access Users. A poorly chosen password may result in the compromise of the user’s credentials and can put the Digital Services of the entire University at risk. As such, all Authorised Users are responsible for taking the appropriate steps to select, secure, and manage their passwords. See the Password Protection Guide for more information.

(35) Any and all Credentials assigned to Authorised Users are for their individual use only. Authorised Users must not share or disclose their Credentials to anyone, including supervisors, colleagues, friends, family, or IT staff. [Ref. ISO 27002 section 9.3].

(36) Any misuse of User Credentials to Elevate a User's Digital Service privileges above what has been authorised for their use will be considered to be a breach of policy and an act of misconduct.

(37) ITDS will place controls around the level of complexity that passwords require, to ensure all Users have strong passwords [Ref. ISO 27002 section 9.3]. Strong passwords have the following characteristics: [Ref. ISO 27002 section 9.4.3].

  1. a minimum of 8 characters;
  2. contains characters from at least three of the four groups below:
    1. upper case letters [A, B, C...]
    2. lower case letters [a, b, c...]
    3. numbers [0, 1, 2, 3...]
    4. special characters [!@#$%^*()_+=[]{}?] (do not use '"&\<>)
  3. is not a password that has been recently used (within the last 5 passwords).

(38) All passwords must be changed regularly, through the password management web applications for students and staff accessible through the University's website, or the appropriate application. Forced password reset periods will be determined as needed. Passwords can be changed more frequently if desired, and should be changed immediately if there is any possibility that the password or account may have been compromised. [Ref. ISO 27002 section 9.4.3].

(39) Passwords or login Credentials shall not be stored in clear text in electronic documents, on electronic locations (such as personal drives, shared drives, applications, SharePoint), or on paper in an unsecured location (such as a post-it note on a monitor, under a keyboard, or in an unlocked filing cabinet). [Ref. ISO 27002 section 9.3] Making use of a corporate encrypted password vault solution is acceptable as long as it has been assessed for security by ITDS and approved by the CIDO (or nominee).

Part J - Privileged User Credentials

(40) Privileged Access Users are expected to use stronger passwords than those required by Authorised Users (see the Password Protection Guide for more details).

(41) Privileged Access Users should use Credentials with administrative or elevated privileges to perform Administration or role-related activities only, and must use their regular Authorised User Credentials for all other activities. [Ref. ISO 27002 section 9.2.3e; ISM Control 1381; ACSC Essential 8]. In particular, internet access while using a privileged account must be limited to what is needed for the administration or support activities for which the privileged account was provided.

(42) The University may review the use of access accounts used for Privileged Access.

Part K - Remote Access

(43) The University provides some remote access capability where it is satisfied this is necessary for University purposes; however, it is not required to provide remote access to its Digital Services to any Users. [Ref. ISO 27002 section 6.2.2] This may include:

  1. The provision of web applications to allow students and staff to access University Digital Services remotely (such as the student management system, the learning and teaching system, digital library access; Student Email; tutorial registration), and
  2. ITDS approved remote desktop software solutions. The approved software used may be reviewed and changed periodically to ensure that security controls are still valid and up-to-date.

(44) Acquisition, installation or use of any remote access software without the authorisation, approval and support of ITDS is considered a breach of policy. See the Digital Services Implementation Policy for more information.

(45) The University does not provide, fund, or subsidise off-campus access to the internet wherever other alternatives are present, except as required or allowed by the Research Higher Degree Candidature Essential Resources Policy, the Disability Policy or the Higher Education Standards Framework (Threshold Standards) 2015 (section 3.3(3)).

(46) Unless otherwise provided by the University, it is the responsibility of the Authorised User to ensure they have the necessary computer, modem, connection media and software to connect to the internet.

  1. Where such equipment is provided, the University's usual process for procurement will be followed (see the Digital Services Implementation Policy for more details).
  2. Where such equipment is provided, the University's usual processes for security and privacy will be followed (see the Cyber Security Policy for more details).
  3. Where such equipment is provided by the University, it remains the property of the University, and all relevant policies and processes (including the Acceptable Use of Digital Services Policy) remain in effect at all times, regardless of the location of the equipment.

Part L - Digital Security Steering Committee (DSSC)

(47) The University has established the Digital Security Steering Committee (DSSC) to advise the University Executive Committee and the University Audit and Risk Committee on matters relating to the security of the University's digital information.

Chair and Members

(48) The chair of the DSSC is the Associate Director, Digital Security and Risk, and the committee includes representation from schools, divisions, Information Technology and Digital Services, and the Privacy Officer and the Office of Audit and Risk Assessment.

Terms of Reference

(49) The terms of reference of the DSSC are to:

  1. oversee risk management by recommending appropriate measures to identify and mitigate risks and where appropriate advise the Executive Committee and the ARC;
  2. manage the high level digital security strategy and agenda, enabling strategic alignment with business strategy to support the University's objectives;
  3. oversee and recommend key information security projects in line with strategic intent;
  4. drive the development and renewal of information security policies and recommendations including the evaluation of impacts on the business;
  5. make recommendations for implementing security practices into business processes (administration, teaching, research);
  6. monitor the effectiveness of information security management frameworks;
  7. routinely review and benchmark organisational information security practices and policies through audits and reviews;
  8. actively develop and champion at all levels of the University an awareness of Information Security principles; and
  9. routinely assess the digital landscape in the industry and amongst peers with the view of identifying opportunities and/or threats.

(50) The group will correspond via email and meet face to face at least three times a year.

Part M - Information Security Management System (ISMS)

(51) The DSSC will review an ISMS based on Australian and international standards.

(52) The ISMS will address security controls and practices to be implemented by the University, including:

  1. Cyber Security Incidents are contained, reported, analysed, and assessed, based on incident type, volume and impact.
  2. Incident related data, logs and forensic IT information are collected as soon as possible.
  3. A robust CMDB is in place to support the University's digital information needs.

(53) The ISMS will specify the responsibilities and approach to be taken to manage Cyber Security Incidents or Investigation. Investigations into people shall only be permitted with the appropriate approvals as defined in the Workplace Surveillance Policy; for students as defined in the Student Code of Conduct.

Section 5 - Guidelines

(54) Nil.

Section 6 - Terms and Acronyms

(55) The following definitions apply for the purposes of this policy:

  1. Authorised User: a person who is a currently enrolled or attending student, a current employee or contractor, or a formal supplier, joint venture partner, affiliate or associate of the University who is granted access and provided with authentication Credentials by the University. Eduroam users are also Authorised Users.
  2. Business Application Owner: the person with primary responsibility for the Digital Service who is within the business unit that is the primary user of the Digital Service.
  3. Business Continuity Plan: As relates to this policy, a documented plan for how a business will continue to function in their required capacity in the event of a technology component failure, until such time as the technology is restored to functional service.
  4. CIDO: Chief Information and Digital Officer.
  5. CMDB: Configuration Management Data Base; the computerised Digital Service that is used in IT to manage the inventory, deployment, support, ownership and other pertinent information for the overall management of University applications and services during the Digital Service’s lifecycle.
  6. Confidential and Sensitive Material: any information or material that a person knows or ought reasonably to know is confidential or sensitive, including but not limited to:
    1. The Personal Information of staff or students
    2. Student, staff or research subject health information
    3. Unpublicised financial information
    4. Unpublicised strategic, legal, financial, or research information
    5. Any data that could compromise any facet of the University, including reputation
  7. Cyber Security Event: any actual or suspected breach, threat, event, risk, vulnerability, or security weakness relating to University Digital Services.
  8. Digital Services: synonymous with IT Resources; all services (e.g., data, voice, video) delivered through electronic means. This includes the capture, storage, retrieval, transfer, communication and/or dissemination of information electronically and the technologies used in support of these activities. Such technologies encompass systems, software, hardware, communications and network facilities. The method of delivery may be hosted within University IT facilities, externally or a combination. They may be paid or free, subscribed or purchased, provided through a cloud or as a managed service.
  9. DSSC: Digital Security Steering Committee.
  10. ISMS: Information Security Management System.
  11. ITDS: Information Technology and Digital Services.
  12. IT Resources: refer to Digital Services.
  13. Privileged Access user: an Authorised User who has been provided with additional access privileges (often taking the form of an Administrator account and Credentials) in addition to their Authorised User account, in order to be able to access protected University Digital Services.
  14. Remote Desktop Software: an application, protocol, or other software solution that allows a computer or similar device to connect to the University's hardware or network without being on-site. This does not include the University's Wi-Fi network.
  15. Service Delivery Manager: the person in an IT or IT-like position that has primary responsibility for the IT support of the Digital Service.
  16. University digital information: any data stored electronically, or used by, or on behalf of, the University in the conduct of its teaching, research or business. University information is the property of the University. See the Intellectual Property Policy for more information.