(1) Preventing misuse and managing the integrity, confidentiality and availability of the University's research, information resources and assets is vital for the continued delivery of University services, protecting the University's business and reputation, and allowing the University to meet its legal and ethical responsibilities.
(2) The University aims to maintain a state of security where the risk of loss or damage to information is managed to an acceptable level.
(3) This policy establishes the Information Security Steering Committee (ISSC), which will develop and manage an Information Security Management System to address risk evaluation and management of processing and storage of information.
(4) This policy applies to all users of University information, information systems and applications.
(5) This policy is to be read in conjunction with the IT Acceptable Use of Resources Policy, IT Systems Approval and Implementation Policy and other relevant University policies and is to be used as the basis for developing any new information security related policies, procedures and standards.
(6) The following definitions apply for the purpose of this policy:
(7) To ensure that access and use of the University's information is efficient, lawful, appropriate and ethical, the University will develop, implement and review security controls for information services and resources, including establishing the ISSC and developing an ISMS.
(8) All users must ensure that their use of University information complies with University policies and procedures, which essentially make University information available for official business purposes only.
(9) All users must take the following steps to reduce the risk of unauthorised access to information:
(10) Users are to immediately report security incidents to:
(11) Supervisors must immediately report incidents referred to them to the IT Security Coordinator, or the CIDO.
(12) Users must not publicise security incidents, as publicity increases risks to the University.
(13) In accordance with Australian Guidelines for the Management of IT Evidence, HB171-2003, only trained security investigators are to collect security incident evidence.
(14) All users need to understand their responsibilities regarding information security, including an awareness of those parts of the ISMS relevant to their duties.
(15) The Vice-President, Finance and Resources is responsible for:
(16) The Chief Information and Digital Officer is responsible for:
(17) Information Technology and Digital Services will publish IT Security Bulletins to raise awareness of security issues.
(18) The University acknowledges that good security requires all users to be trained to be aware of their information security responsibilities. The University will provide access to training and advice to raise awareness.
(19) Information Technology and Digital Services will maintain an inventory including ownership details of important University information system assets.
(20) The CIDO, in consultation with the Manager, Records and Archives Management Services, will ensure that University information is classified by value, legal requirements, sensitivity and importance.
(21) Managers are to ensure that Business Continuity Plans within their areas of responsibility address interruptions from information system failure, including timely resumption of services.
(22) The Director, Audit and Risk Assessment is responsible for:
(23) Managers and supervisors, in conjunction with the Director, Organisational Development and the CIDO, shall ensure that all users accessing information systems, including staff, contractors, third party users and students, are made aware of information security responsibilities and roles.
(24) The Academic Registrar, in consultation with the CIDO, is responsible for ensuring that:
(25) To prevent unauthorised access to information services:
(26) Change management processes as described in the ISMS are to be adopted for all identified systems.
(27) System capacity is to be reviewed quarterly, to ensure continued adequate capacity.
(28) Backups are to be maintained and regularly tested.
(29) The University logs and audits use of IT systems and services. Logs are retained for monitoring and investigations and may be subpoenaed as evidence.
(30) Systems administrators and systems staff are to maintain reviewable activity logs.
(31) Routine monitoring of IT systems/services is undertaken by authorised University staff. Extraordinary monitoring may only be undertaken in accordance with University policies.
(32) The University will ensure:
(33) The chair of the Information Security Steering Committee (ISSC) will be nominated by the Vice-President, Finance and Resources, and the committee will include representation from schools, divisions, Information Technology and Digital Services, and the Office of Audit and Risk Assessment. The ISSC will report to the University Executive and have the following terms of reference:
(34) The ISSC will:
(35) ISSC meetings will be held quarterly, or as initiated by any member.
(36) The ISSC will develop an ISMS based on Australian and international standards.
(37) The ISMS will address security controls and practices to be implemented by the University, ensuring:
(38) The ISMS will specify the responsibilities and approach to be taken to manage security incidents.
(39) The Australian Guidelines for the Management of IT Evidence, HB171-2003, and Australian Standard AS/NZS ISO/IEC 27001:2006 can be accessed under "S" via the alphabetical listing in the e-Resources section of the University Library.

Information Security Policy
Section 1 - Purpose and Context
Section 2 - Definitions
Section 3 - Policy Statement
Section 4 - Procedures
Responsibilities
Information Security Awareness
Asset Management
Business Continuity Management
User Awareness and Responsibilities
Access Control
Monitoring
Compliance
Terms of Reference - Information Security Steering Committee (ISSC)
Information Security Management System (ISMS)
Section 5 - Guidelines
This is not a current document.