(1) University of Western Sydney information resources are a valuable University asset and must be managed accordingly to ensure their integrity, security, and availability for lawful teaching, research and business activities. Important to carrying out this mission is establishing basic information security policies and standards for managing University of Western Sydney information, while providing both access and reasonable security at an acceptable cost. Also of importance is the underlying philosophy that these policies and procedures are in place to facilitate and support authorised access to University information.

(2) Data: A representation of information, knowledge, facts, concepts, or instructions that is being prepared or has been prepared in a formalized manner and is intended to be stored or processed, is being stored or processed, or has been stored or processed in a computer. Data may take many forms, including but not limited to computer printouts, magnetic or optical storage media, and punch cards, or it may be stored internally in computer memory.

(3) Data Dictionary: A file, document, or listing that defines all items or processes represented in a data flow diagram or used in a system.

(4) Data Owner: A person or entity designated to have access to, and possession of, authorised information. The Data Owner is responsible for providing proper protection, maintenance, and usage control of the information in an operational environment. In the event of confusion, the Data Owner is the Director of the Unit with primary responsibility for the Data in question until such time as a formal Data Owner is appointed.

(5) The following security policy applies to all computing platforms, including local area networks, systems and applications owned or used by University of Western Sydney. It also applies to users of those systems and applications, including those who install, develop, maintain and administer those systems and applications for the University and its corporate adjuncts. All users of University information technology facilities and resources will abide by all applicable University, Commonwealth and State guidelines, policies, regulations, statutes and procedures pertaining to confidentiality and privacy.

(6) All data, programs, systems and procedures (hereafter called "information") gathered, stored or maintained for University business purposes are the property of the University of Western Sydney, unless otherwise stated in a contractual agreement. Any person, group or custodian accessing University information must recognize their responsibility to preserve the security and confidentiality of this information. Such information shall be used only for conducting University business or as appropriately authorised.

(7) Violation of any provision of this policy may result in:

(8) Information Technology Services is responsible for administering this policy in consultation with the Audit and Risk Assessment Unit.

(9) All exceptions to this policy and associated standards require the approval of all affected Data Owners and the Director Information Technology. If an exception is required, a written request including a description of and justification for the exception must be sent to the IT Security Coordinator, who will forward it to the Director Information Technology with technical comments and recommendations. IT Security will retain all such requests for regular review and audit purposes.

(10) This is a summary of responsibilities of those units and/or individuals using or supporting University administrative information.

(11) Anyone accessing University administrative data is personally responsible for the proper use of the resulting available information. University employees who access data are responsible for:

(12) Information Technology Services is responsible for central security administration, including:

(13) IT Security is the unit within Information Technology Services that is responsible for managing information security standards, procedures and controls intended to minimize the risk of loss, damage or misuse of electronic data supported by Information Technology Services. IT Security is responsible for:

(14) The Data Owner functions as custodian of a portion of the University's information. The Director or Executive Dean of a business unit or College has authority to make decisions related to the development, maintenance and operation of, and access to, the applications and data associated with that unit's or College's business activity. Examples include Registrar's Office (RO) (student data), Finance Office (financial data), and Office of Human Resources (OHR) (personnel). An Executive Dean or Director may delegate custodial duties to an individual.

(15) Data Owners are responsible for:

(16) For those systems under its custodianship, Information Technology Services is responsible for the operating system and application components, including production, system and test libraries, system and test data, and data dictionaries. The end user/client area has ownership responsibility for production data, including test data. For systems not supported by Information Technology Services, custodial assignments are the responsibility of the end user/client department.

(17) Any unit maintaining electronic administrative systems, applications or data is responsible for implementing a level of security consistent with that defined by the Data Owner. System Administrators fill this role.

(18) The term "System Administrator" can apply to a single person, a group within the unit, or a consultant who acts for the unit.

(19) For the purposes of this policy, the System Administrator's responsibilities may be shared between Information Technology Services and Business Units. It is the job of System Administrators to take reasonable action to assure the authorised use and security of data during storage, transmission and use. Where possible, a service agreement will clearly define the expectations of various Parties where the responsibilities are split across a number of areas. System Administrators are responsible (jointly or individually) for:

(20) The Executive Dean, Director and above are responsible for ensuring that the security policy is implemented within their unit. These duties may be delegated. However, the Executive Dean, Director and above are responsible for:

(21) Internal auditors are authorised to have inquiry-only access to all administrative information and systems, and are responsible for assisting University management in the effective discharge of its duties. Internal auditors are responsible for:

(22) The University categorizes the information it collects and maintains, based on that information's sensitivity and importance to its operations. It should be noted that sensitivity is an attribute of the data itself, and not related to system or location. This classification system is used to determine adequate and appropriate protection controls.

(23) The Data Owner must classify data; the Executive Dean, Director and above must ensure that the level of protection is consistent with the classification set; and the System Administrator is responsible for implementing the classification.

(24) Not all information resources can be, or must be, equally protected. To ensure that University protection efforts are cost effective, all administrative information resources will be classified based on sensitivity and risk. Access control should be consistent with the classified value of the resources to be protected and the severity of the threat to them.

(25) Information maintained by Information Technology Services will be classified in accordance with the security levels described in this document. IT Security will manage and coordinate this activity with the Data Owners and will maintain authorisation, access and audit records. These classifications will be maintained throughout the University.

(26) Different types of data require different levels of security. It is the Data Custodian's responsibility to establish authentication and authorization guidelines for custodial data. The University classifies data into three categories: Public, Proprietary, and Restricted, as follows:

(27) All users of University data must be authorised to access the appropriate systems and their resources. Access is controlled and monitored in accordance with University policy. Copies of data, regardless of location, have the same data security and access control requirements as the original data. The elements involved in controlling and monitoring this access include identification, authentication and authorisation.

(28) Access control will be consistent with the assigned classification. The following generalizations apply:

(29) Access by University employees, or those in University related entities, to Proprietary or Restricted data requires approval of the appropriate Data Owners.

(30) An identifier (ID) can be used to identify people, data, and resources. All system users will be assigned the same ID to use, to the extent possible, in accessing all systems, program products and applications. Additional user IDs will be limited but can be assigned when necessary for work-related assignments. User IDs are not to be shared. Users are responsible for maintaining the security of their IDs and all activity occurring under those IDs. IDs will be issued in accordance with approved standards.

(31) Only those users who have valid business reasons (as determined by the Data Owner) for accessing information will be granted access privileges appropriate to that user's job function. Access is to be used only for the specific business purposes required for processing the data. Access is granted by means of a computer account, which serves as identification.

(32) Authentication ensures an identity. Each ID requires a technique for validating identity.

(33) In consultation with Data Owners, the requirement for event logging should be assessed and, where appropriate, the following should be applied.

(34) Violations will be handled through normal University procedures.

(35) Units supporting Internet, EDI, LANs and WANs that access and use University information must observe appropriate data transport controls, to ensure that the information is protected in a manner consistent with that prescribed by Commonwealth and State laws, University regulations, and Data Owner requirements.

(36) System Administrators are responsible for implementing software and hardware security operational controls that provide the level of security required to protect information, as defined by the Data Owner. These controls must be tested and the test results formally accepted by the Data Owner. Residual risks should be understood and approved by the Data Owner.

(37) All critical University information must be backed up on a regular basis. The frequency, established by the System Administrator, is influenced by the Data Owner's requirements, taking into account the frequency with which the data changes and the effort required to recreate information if it is lost.

(38) All backups of critical data must be tested periodically to ensure that they still support full system recovery. System Administrators must document all restore procedures and test them annually. Backup media must be retrievable within 24 hours, 365 days a year.

(39) All backup copies destined for off-site storage must be moved within 24 hours of origination. Off-site is synonymous with "out of the building". The off-site storage location must provide adequate fire and theft protection and environmental controls.

(40) Data Custodians in conjunction with the Records and Archives Management Services Unit are responsible for defining and documenting the length of time data must be retained. The retention period, legal requirements, responsible Parties, and applicable legislation should be specified. System Administrators are responsible for ensuring that these requirements are implemented.

(41) Each unit that maintains University data must possess a documented and tested contingency and disaster recovery plan which addresses the possibility of short and long term loss of computing services. Such a plan should include all procedures and information necessary to return computing systems to full operation in the event of a disaster. For systems under Information Technology Services control, the Information Technology Services Disaster Recovery Plan will fulfil this role. The plan must be communicated to, and approved by, the Data Owners and Director Information Technology.

(42) Access to every office, computer room and work area containing sensitive information must be physically restricted. All multi-user computing and/or communications equipment must be housed in locked rooms to prevent tampering and unauthorised access.

(43) There shall be a distinct separation of job duties and responsibilities so that no one person has the authority and the ability to circumvent normal checks and balances. For applications containing mission-critical, financial, or confidential data, responsibility for maintaining the database and the system software will be separated.

(44) All data shall be properly disposed of when it has exceeded its required retention period and when it is no longer needed for the operation of the University. Disposal of data is subject to the State Record Retention Schedules.

(45) A formal change control process that complies with the IT Systems Implementation Policy must be used to ensure that all business application software that is migrated to production is authorised by Information Systems management and the Data Owner. Documentation should be retained for audit purposes as evidence that changes were authorised.

(46) In addition to the information listed below there are a number of other references contained in the Associated Information page:

(47) AS/NZS ISO/IEC 17799:1999 Information Technology - Code of practice for information security management

(48) AS/NZS 4360:1999 Risk Management

(49) RFC 2196 Site Security Handbook (Standards)

Information Security Policy
Section 1 - Purpose and Context
Section 2 - Definitions
Section 3 - Policy Statement
Part A - Scope
Part B - Ownership
Part C - Violations
Part D - Policy Administration
Part E - Exceptions to Policy and Standards
Part F - Information Security Responsibilities
Information Usage and User Responsibilities
Enterprise-wide Security Administration
IT Security
Data Owner
System Administrator
Executive Deans, Directors and above
Manager of Audit and Risk Assessment Unit
Part G - Data Classification
General
Categories of Data
Part H - Access Control
Protection Level
Legally Restricted or Limited-access Data
Identification
Authorisation
Part I - Authentication
Security Monitoring
Part J - Data Transport Controls
Part K - Operational Controls
Backup
Recovery
Off-site Storage
Data Retention
Contingency and Disaster Planning
Physical Security
Separation of Duties
Data Disposal
Change Control
Section 4 - Guidelines
This is not a current document.
Record Keeping Manual - Sentencing & Destruction of Records