Information Security Policy

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Purpose and Context

(1) Preventing misuse and managing the integrity, confidentiality and availability of the University's research, information resources and assets is vital for the continued delivery of University services, protecting the University's business and reputation, and allowing the University to meet its legal and ethical responsibilities.

(2) The University aims to maintain a state of security where the risk of loss or damage to information is managed to an acceptable level.

(3) This policy establishes the Information Security Steering Committee (ISSC), which will develop and manage an Information Security Management System (ISMS) to evaluate and manage the risks arising from the processing and storage of University information.

(4) This policy applies to all users of University information, information systems and applications.

(5) This policy is to be read in conjunction with the IT Acceptable Use of Resources Policy, IT Systems Approval and Implementation Policy and other relevant University policies and is to be used as the basis for developing any new information security related policies, procedures and standards.

Section 2 - Definitions

(6) The following definitions apply for the purpose of this policy:

  1. User: any person accessing the University's Information Technology (IT) systems.
  2. Security incident: any actual or suspected security breach, threat, event, risk or security weakness.
  3. University information: information stored and used by, and on behalf of, the University in the conduct of its business.

Section 3 - Policy Statement

(7) To ensure that access and use of the University's information is efficient, lawful, appropriate and ethical, the University will develop, implement and review security controls for information services and resources, including establishing the ISSC and developing an ISMS.

Section 4 - Procedures

Responsibilities

(8) All users must ensure that their use of University information complies with University policies and procedures, which permit the use of University information for official business purposes only.

(9) All users must take the following steps to reduce the risk of unauthorised access to information:

  1. Use strong passwords, as defined in the ISMS.
  2. Never reveal or share their passwords with others, under any circumstances.
  3. Ensure that sensitive information cannot be observed on their workstation's screen by others, and log out of or lock their workstation before leaving it unattended.

(10) Users are to immediately report security incidents to:

  1. their supervisor;
  2. the IT Security Coordinator; or
  3. the CIDO.

(11) Supervisors must immediately report incidents referred to them to the IT Security Coordinator or the CIDO.

(12) Users must not publicise security incidents outside the reporting channels above, as publicity increases the risk to the University.

(13) In accordance with the Australian Guidelines for the Management of IT Evidence, HB171-2003, only trained security investigators are to collect security incident evidence, so that its integrity and admissibility are preserved.

(14) All users need to understand their responsibilities regarding information security, including an awareness of those parts of the ISMS relevant to their duties.

(15) The Vice-President, Finance and Resources is responsible for:

  1. Ensuring this policy and associated policies, procedures, standards and guidelines are publicised to all users.
  2. Establishing the ISSC.
  3. Ensuring compliant procedures are implemented and maintained.

(16) The Chief Information and Digital Officer is responsible for:

  1. application of the Information Security Policy and the ISMS;
  2. managing information security incidents in accordance with the ISMS;
  3. making recommendations to the ISSC; and
  4. ensuring that third party access to University information systems is approved by the system owner and conforms with the ISMS.

Information Security Awareness

(17) Information Technology and Digital Services will publish IT Security Bulletins to raise awareness of security issues.

(18) The University acknowledges that good security requires all users to be trained to be aware of their information security responsibilities. The University will provide access to training and advice to raise awareness.

Asset Management

(19) Information Technology and Digital Services will maintain an inventory including ownership details of important University information system assets.

(20) The CIDO, in consultation with the Manager, Records and Archives Management Services, will ensure that University information is classified by value, legal requirements, sensitivity and importance.

Business Continuity Management

(21) Managers are to ensure that Business Continuity Plans within their areas of responsibility address interruptions from information system failure, including timely resumption of services.

(22) The Director, Audit and Risk Assessment is responsible for:

  1. Developing and maintaining a business continuity framework to ensure priorities are identified and addressed consistently.
  2. Ensuring information security risks are included in Business Continuity Plans.
  3. Ensuring Business Continuity Plans are regularly reviewed and tested so they continue to remain effective.

User Awareness and Responsibilities

(23) Managers and supervisors, in conjunction with the Director, Organisational Development and the CIDO, shall ensure that all users accessing information systems, including staff, contractors, third party users and students, are made aware of information security responsibilities and roles.

Access Control

(24) The Academic Registrar, in consultation with the CIDO, is responsible for ensuring that:

  1. Physical access to information and information processing facilities is restricted.
  2. Information processing facilities are secured against damage.

(25) To prevent unauthorised access to information services:

  1. Systems containing sensitive or critical information will be segregated onto dedicated, secured hardware and networks.
  2. Access will be restricted at both the network and application levels.

Monitoring

(26) Change management processes as described in the ISMS are to be adopted for all identified systems.

(27) System capacity is to be reviewed quarterly to ensure that it remains adequate.

(28) Backups are to be maintained and regularly tested.

(29) The University logs and audits the use of its IT systems and services. Logs are retained for monitoring and investigations and may be subpoenaed as evidence.

(30) Systems administrators and systems staff are to maintain reviewable activity logs.

(31) Routine monitoring of IT systems/services is undertaken by authorised University staff. Extraordinary monitoring may only be undertaken in accordance with University policies.

Compliance

(32) The University will ensure:

  1. Breaches of legal, civil, regulatory or contractual obligations are avoided.
  2. Policy, statutory, regulatory and contractual requirements are explicitly defined and documented for each information system in use.
  3. Conformance with industry-accepted technical benchmarks is reviewed annually.
  4. Audits of operational systems actively minimise the risk of disruption, are conducted in accordance with the University's Audit Plan, and are non-intrusive unless otherwise approved by the System Owner.
  5. System audit tools are used only with the permission of the CIDO.
  6. Policy breaches may result in action under the law, misconduct policies or staff agreements.

Terms of Reference - Information Security Steering Committee (ISSC)

(33) The chair of the Information Security Steering Committee (ISSC) will be nominated by the Vice-President, Finance and Resources, and the committee will include representation from schools, divisions, Information Technology and Digital Services, and Office of Audit and Risk Assessment. The ISSC will report to the University Executive and have the following terms of reference:

  1. develop and implement the ISMS;
  2. authorise and publicise changes to the ISMS;
  3. consider and determine actions regarding sensitive IT security issues;
  4. provide a forum to raise information security concerns when all other avenues of rectification appear to have failed;
  5. relate information security issues to the user community;
  6. establish working groups as required; and
  7. recommend changes to policy as required.

(34) The ISSC will:

  1. review and approve initiatives, procedures and documentation;
  2. review incidents and monitor significant changes;
  3. review and update the ISMS annually; and
  4. receive information on systems developments.

(35) ISSC meetings will be held quarterly, or as initiated by any member.

Information Security Management System (ISMS)

(36) The ISSC will develop an ISMS based on Australian and international standards, including AS/NZS ISO/IEC 27001.

(37) The ISMS will address security controls and practices to be implemented by the University, ensuring:

  1. Security incidents are contained, reported, analysed and assessed according to incident type, volume and impact.
  2. Incident-related data, logs and IT forensic information are collected as soon as possible.

(38) The ISMS will specify the responsibilities and approach to be taken to manage security incidents.

Section 5 - Guidelines

(39) The Australian Guidelines for the Management of IT Evidence, HB171-2003, and Australian Standard AS/NZS ISO/IEC 27001:2006 can be accessed under "S" in the alphabetical listing of the e-Resources section of the University Library.