Information Security Policy

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Purpose and Context

(1) University of Western Sydney information resources are a valuable University asset and must be managed accordingly to ensure their integrity, security, and availability for lawful teaching, research and business activities. Of importance in carrying out this mission is to establish basic information security policies and standards for managing University of Western Sydney information, while providing both access and reasonable security at an acceptable cost. Also of importance is the underlying philosophy that these policies and procedures are in place to facilitate and support authorised access to university information.

Section 2 - Definitions

(2) Data: A representation of information, knowledge, facts, concepts, or instructions that is being prepared or has been prepared in a formalized manner and is intended to be stored or processed, is being stored or processed, or has been stored or processed in a computer. Data may take many forms, including but not limited to, computer printouts, magnetic or optical storage media, and punch cards, or it may be stored internally in computer memory.

(3) Data Dictionary: A file, document, or listing that defines all items or processes represented in a data flow diagram or used in a system.

(4) Data Owner: A person or entity designated to have access to, and possession of, authorised information. The Data Owner is responsible for providing proper protection, maintenance, and usage control of the information in an operational environment. In the event of confusion, the Data Owner is the Director of the Unit with primary responsibility for the Data in question until such time as a formal Data Owner is appointed.

Section 3 - Policy Statement

Part A - Scope

(5) The following security policy applies to all computing platforms, including local area networks, systems and applications owned or used by University of Western Sydney. It also applies to users of those systems and applications, including those who install, develop, maintain and administer those systems and applications for the University and its corporate adjuncts. All users of University information technology facilities and resources will abide by all applicable University, Commonwealth and State guidelines, policies, regulations, statutes and procedures pertaining to confidentiality and privacy.

Part B - Ownership

(6) All data, programs, systems and procedures (hereafter called "information") gathered, stored or maintained for university business purposes, are the property of the University of Western Sydney, unless otherwise stated in a contractual agreement. Any person, group or custodian accessing University information must recognize their responsibility to preserve the security and confidentiality of this information. Such information shall be used only for conducting University business or as appropriately authorised.

Part C - Violations

(7) Violation of any provision of this policy may result in:

  1. initiation of legal action by the University including, but not limited to, criminal prosecution under appropriate State and Commonwealth laws;
  2. a requirement that the violator make restitution for any improper use of a service; or
  3. disciplinary sanctions in accordance with University policy and applicable employment agreement.

Part D - Policy Administration

(8) Information Technology Services is responsible for administering this policy in consultation with the Audit and Risk Assessment Unit.

Part E - Exceptions to Policy and Standards

(9) All exceptions to this policy and associated standards require the approval of all affected Data Owners and the Director Information Technology. If an exception is required, a written request including a description of and justification for the exception must be sent to the IT Security Coordinator, who will forward it to the Director Information Technology with technical comments and recommendations. IT Security will retain all such requests for regular review and audit purposes.

Part F - Information Security Responsibilities

(10) This is a summary of responsibilities of those units and/or individuals using or supporting University administrative information.

Information Usage and User Responsibilities

(11) Anyone accessing University administrative data is personally responsible for the proper use of the resulting available information. University employees who access data are responsible for:

  1. complying with any relevant security standards and procedures (examples would include password policies, IT Acceptable Use of Resources Policy, Email Policy, Technical Standard Operating Procedures) in the use, storage, dissemination and disposal of data.
  2. protecting data from unauthorised access.
  3. reporting information security violations to their Executive Dean or Director for action in accordance with clause (17)(c).
  4. reporting data integrity errors to the appropriate management level.
  5. maintaining the accurate presentation of data, and for the consequences of any intentional misrepresentation of that data.

Enterprise-wide Security Administration

(12) Information Technology Services is responsible for central security administration, including:

  1. Providing University-wide leadership, guidance and coordination of security policies for administrative information.
  2. Helping units to comply with any relevant standards and policies necessary to ensure data integrity.
  3. Managing agreed or approved security standards, procedures and controls for IT-supported University information.
  4. Assisting in the preparation, periodic updating and regular testing of disaster recovery plans. These plans must ensure that all critical information services remain available or can be rapidly recovered.
  5. In conjunction with the Audit and Risk Assessment Unit, providing expert technical advice and assistance in the investigation of security incidents.

IT Security

(13) IT Security is the unit within Information Technology Services that is responsible for managing information security standards, procedures and controls intended to minimize the risk of loss, damage or misuse of Information Technology Services-supported electronic data. IT Security is responsible for:

  1. Developing and maintaining an information security policy.
  2. Establishing and maintaining high-level standards and related procedures for access to University information and systems.
  3. Securing information managed by Information Technology Services and implementing access as authorised by Data Owners.
  4. Assisting Data Owners in identifying and evaluating information security risks.
  5. Providing expert technical advice and assistance with the investigation of Security incidents in conjunction with the Audit and Risk Assessment Unit.
  6. Selecting, implementing and administering controls and procedures to manage information security risks.
  7. Distributing security report information in a timely manner to Information Technology Services management, Unit Security Contacts, Data Owners and appropriate University administrators.
  8. Serving as the Information Technology Services focal point for reviewing data security issues that have campus- and University-wide impact.
  9. Promoting security awareness to the University computing community.

Data Owner

(14) The Data Owner functions as custodian of a portion of the University's information. The Director or Executive Dean of a business unit or College has authority to make decisions related to the development, maintenance and operation of, and access to, the applications and data associated with that unit's or College's business activity. Examples include Registrar's Office (RO) (student data), Finance Office (financial data), and Office of Human Resources (OHR) (personnel). An Executive Dean or Director may delegate custodial duties to an individual.

(15) Data Owners are responsible for:

  1. Understanding the legal and administrative consequences of maintaining and disseminating data within their custody.
  2. Maintaining a knowledge of the nature of the data.
  3. Applying pertinent laws and University policies to classify data and define its level of sensitivity.
  4. Defining required levels of security, including those for data transmission.
  5. Developing and administering guidelines for requesting access.
  6. Establishing measures to ensure data integrity and access to data.
  7. Providing data descriptions to inform data users about available shareable data, how to access the data, and what the data means.
  8. Promoting accurate interpretation of administrative data and publicizing the rules and conditions that could affect the accurate presentation of that data.
  9. Reviewing usage information.
  10. Assisting with disaster recovery planning within the broader context of their business continuity plans.
  11. Defining criteria for archiving data to satisfy retention requirements.

(16) For those systems under its custodianship, Information Technology Services is responsible for the operating system and application components, including production, system and test libraries, system and test data, and data dictionaries. The end user/client area has ownership responsibility for production data, including test data. For systems not supported by Information Technology Services, custodial assignments are the responsibility of the end user/client department.

System Administrator

(17) Any unit maintaining electronic administrative systems, applications or data is responsible for implementing a level of security consistent with that defined by the Data Owner. System Administrators fill this role.

(18) The term "System Administrator" can apply to a single person, a group within the unit, or a consultant who acts for the unit.

(19) For the purposes of this policy, the System Administrator's responsibilities may be shared between Information Technology Services and Business Units. It is the job of System Administrators to take reasonable action to assure the authorised use and security of data during storage, transmission and use. Where possible, a service agreement will clearly define the expectations of various Parties where the responsibilities are split across a number of areas. System Administrators are responsible (jointly or individually) for:

  1. Developing, maintaining, and documenting an internal security plan that provides for data integrity, authentication, recovery, and continuity of operations that support administrative data.
  2. Ensuring that access to data and applications is secured in accordance with the requirements defined by the Data Owner.
  3. Providing adequate operational controls to ensure data protection.
  4. Ensuring that access requests are appropriately authorised.
  5. Communicating appropriate use, and consequences of misuse, to users who access the systems or data.
  6. Modifying/Revoking access when employees terminate or transfer.
  7. Protecting sensitive files and access control files from unauthorised activity whether that activity is performed by an authorised or unauthorised user.
  8. Securing data transmissions within the levels defined by the Data Owner.
  9. Ensuring LAN and workstation integrity through virus protection measures and policies.
  10. Performing day-to-day security administration including application of appropriate security patches.
  11. Maintaining access and audit records.
  12. Creating, distributing and following up on security violation reports.

Executive Deans, Directors and above

(20) The Executive Dean, Director and above are responsible for ensuring that the security policy is implemented within their unit. These duties may be delegated. However, the Executive Dean, Director and above are responsible for:

  1. Taking reasonable steps to help unit employees understand security policies, procedures, and responsibilities.
  2. Approving appropriate data access that allows staff to complete business related assignments.
  3. Reviewing, evaluating, notifying the IT Security Coordinator and responding to all security violations reported against staff, and taking appropriate action.
  4. Communicating to appropriate campus and University departments when employee departures, arrivals, and changes affect computer access.
  5. Assigning a liaison between the Data Owners and System Administrators.
  6. Ensuring security procedures are in place to protect information assets under their control. Such procedures should include access control and virus protection for workstations, applications, local area networks, etc.

Manager of Audit and Risk Assessment Unit

(21) Internal auditors are authorised to have inquiry-only access to all administrative information and systems, and are responsible for assisting University management in the effective discharge of its duties. Internal auditors are responsible for:

  1. Evaluating, through operational and administrative audits, University departments' information security policy and procedures compliance.
  2. Evaluating the effectiveness of security procedures and other internal controls.
  3. Reviewing audit trails provided by System Administrators to determine whether activity is adequately documented.
  4. Assisting management in the investigation of suspected incidents of security breach or improper activity.
  5. Reviewing and giving advice regarding internal controls relevant to new systems being developed or considered for purchase.

Part G - Data Classification

(22) The University categorizes the information it collects and maintains, based on that information's sensitivity and importance to its operations. It should be noted that sensitivity is an attribute of the data itself, and not related to system or location. This classification system is used to determine adequate and appropriate protection controls.

General

(23) The Data Owner must classify data; the Executive Dean, Director and above must ensure that the level of protection is consistent with the classification set; and the System Administrator is responsible for implementing the classification.

(24) Not all information resources can be, or must be, equally protected. To ensure that University protection efforts are cost effective, all administrative information resources will be classified based on sensitivity and risk. Access control should be consistent with the classified value of the resources to be protected and the severity of the threat to them.

(25) Information maintained by Information Technology Services will be classified in accordance with the security levels described in this document. IT Security will manage and coordinate this activity with the Data Owners and will maintain authorisation, access and audit records. These classifications will be maintained throughout the University.

Categories of Data

(26) Different types of data require different levels of security. It is the Data Custodian's responsibility to establish authentication and authorization guidelines for custodial data. The University classifies data into three categories: Public, Proprietary, and Restricted, as follows:

  1. Public data can generally be made available or distributed to the general public.
  2. Proprietary data is for internal University use and not for external distribution.
  3. Restricted (moderately or highly sensitive) data is to be used only by individuals who require it in the course of performing their University responsibilities, or data which is protected by University, Commonwealth and/or State regulations.

Part H - Access Control

(27) All users of University data must be authorised to access the appropriate systems and their resources. Access is controlled and monitored in accordance with University policy. Copies of data, regardless of location, have the same data security and access control requirements as the original data. The elements involved in controlling and monitoring this access include identification, authentication and authorisation.

Protection Level

(28) Access control will be consistent with the assigned classification. The following generalizations apply:

  1. Public data may not require authentication, although authentication may be used to track resource usage.
  2. Authentication is required for access to Proprietary data; however, it is possible that authorisation may not be required.
  3. Access to Restricted data requires both authentication and authorisation. Depending on the sensitivity of the data, several authorisations may be required before access is granted.

Legally Restricted or Limited-access Data

(29) Access by University employees, or those in University related entities, to Proprietary or Restricted data, requires approval of the appropriate Data Owners.

Identification

(30) An identifier (ID) can be used to identify people, data, and resources. All system users will be assigned the same ID to use, to the extent possible, in accessing all systems, program products and applications. Additional user IDs will be limited but can be assigned when necessary for work-related assignments. User IDs are not to be shared. Users are responsible for maintaining the security of their IDs and all activity occurring under those IDs. IDs will be issued in accordance with approved standards.

Authorisation

(31) Only those users who have valid business reasons (as determined by the Data Owner) for accessing information will be granted access privileges appropriate to that user's job function. Access is to be used only for the specific business purposes required for processing the data. Access is granted by means of a computer account, which serves as identification.

Part I - Authentication

(32) Authentication ensures an identity. Each ID requires a technique for validating identity.

Security Monitoring

(33) In consultation with Data Owners, the requirement for event logging should be assessed and where appropriate the following should be applied.

  1. Event Logging: All accesses that are denied by a network security system will be logged. Each denied access is considered a security "event", but not necessarily a security "violation". System administrators will produce a daily log of all security events from the prior day's activities. The logs will display events chronologically and by ID. System Administrators will then conduct a weekly review of each log for unusual security events and will further investigate unusual events.
  2. Violation Response: A security violation is any event which fails to comply with data security standards and/or represents an apparent or real effort to undermine, override or otherwise circumvent security standards or controls.

(34) Violations will be handled through normal University procedures.

Part J - Data Transport Controls

(35) Units supporting Internet, EDI, LANs and WANs that access and use university information, must observe appropriate data transport controls, to ensure that the information is protected in a manner consistent with that prescribed by Commonwealth and State laws, University regulations, and Data Owner requirements.

Part K - Operational Controls

(36) System Administrators are responsible for implementing software and hardware security operational controls that provide the level of security required to protect information, as defined by the Data Owner. These controls must be tested and the test results formally accepted by the Data Owner. Residual risks should be understood and approved by the Data Owner.

Backup

(37) All critical University information must be backed up on a regular basis. The frequency established by the System Administrator is influenced by the Data Owner's requirements, taking into account the frequency with which the data changes and the effort required to recreate information if it is lost.

Recovery

(38) All backups of critical data must be tested periodically to ensure that they still support full system recovery. System Administrators must document all restore procedures and test them annually. Backup media must be retrievable within 24 hours, 365 days a year.

Off-site Storage

(39) All backup copies destined for off-site storage must be moved within 24 hours of origination. Off-site is synonymous with "out of the building". The off-site storage location must provide adequate fire and theft protection and environmental controls.

Data Retention

(40) Data Custodians in conjunction with the Records and Archives Management Services Unit are responsible for defining and documenting the length of time data must be retained. The retention period, legal requirements, responsible Parties, and applicable legislation should be specified. System Administrators are responsible for ensuring that these requirements are implemented.

Contingency and Disaster Planning

(41) Each unit that maintains University data must possess a documented and tested contingency and disaster recovery plan which addresses the possibility of short and long term loss of computing services. Such a plan should include all procedures and information necessary to return computing systems to full operation in the event of a disaster. For systems under Information Technology Services control, the Information Technology Services Disaster Recovery Plan will fulfil this role. The plan must be communicated to, and approved by, the Data Owners and Director Information Technology.

Physical Security

(42) Access to every office, computer room and work area containing sensitive information must be physically restricted. All multi-user computing, and/or communications equipment must be housed in locked rooms to prevent tampering and unauthorised access.

Separation of Duties

(43) There shall be a distinct separation of job duties and responsibilities so that no one person has the authority and the ability to circumvent normal checks and balances. For applications containing mission-critical, financial, or confidential data, responsibility for maintaining the database and the system software will be separated.

Data Disposal

(44) All data shall be properly disposed of when it has exceeded its required retention period and when it is no longer needed for the operation of the University. Disposal of data is subject to the State Record Retention Schedules.

Change Control

(45) A formal change control process that complies with the IT Systems Implementation Policy must be used to ensure that all business application software that is migrated to production is authorised by Information Systems management and the Data Owner. Documentation should be retained for audit purposes as evidence that changes were authorised.

Section 4 - Guidelines

(46) In addition to the information listed below there are a number of other references contained in the Associated Information page:

(47) AS/NZS ISO/IEC 17799:1999 Information Technology - Code of practice for information security management

(48) AS/NZS 4360:1999 Risk Management

Record Keeping Manual - Sentencing & Destruction of Records

(49) RFC 2196 Site Security Handbook (Standards)