Digital Information Security Policy

This is not the current version of this document.

Section 1 - Purpose and Context

(1) Managing and protecting the integrity, confidentiality and availability of the University's research and information resources and assets is vital for delivering the University services, protecting the University's business and reputation, and allowing the University to meet its legal and ethical responsibilities.

(2) This policy provides the principles and procedures for protecting digital information, services and resources, and establishes the Digital Security Steering Committee (DSSC), which provides strategic direction, enables risk management, prioritises resource utilisation, measures performance and defines the security culture that supports Digital Information Security Management at Western Sydney University.

(3) This policy applies to all users of digital information, information systems and applications which are on University premises, belong to the University or are services or sites that are hosted for the University.

(4) The policy is to be used as the basis for developing any new information security related policies, procedures and standards.

(5) The policy is to be read in conjunction with the IT Acceptable Use of Resources Policy, Records and Archives Management Policy, Email Policy and Asset Management Policy.

Section 2 - Definitions

(6) The following definitions apply for the purpose of this policy:

  1. Business Application Owner: the person with primary responsibility for the computer system who is within the business unit that is the primary user of the computer system.
  2. Business Continuity Plan: a documented plan for how a business will continue to function in its required capacity in the event of a technology component failure, until such time as the technology is restored to functional service.
  3. CIDO: Chief Information and Digital Officer.
  4. CMS: Configuration Management System; the computerised system that is used in IT to manage the inventory, deployment, support, ownership and other pertinent information for the overall management of the application during and after its use.
  5. Confidential and Sensitive Material: data that has any of the following characteristics:
    1. Personal student or staff information
    2. Student, staff or research subject health information
    3. Unpublicised financial information
    4. Unpublicised strategic, legal, financial, or research information
    5. Any data that could compromise any facet of the University, including reputation
  6. DSSC: Digital Security Steering Committee.
  7. ISMS: Information Security Management System.
  8. ITDS: Information Technology and Digital Services.
  9. Security incident: any actual or suspected breach, threat, event, risk, or security weakness relating to University digital information or services.
  10. Service Owner: the person in an IT position who has primary responsibility for the IT support of the computer system.
  11. University digital information: digital information stored and used by and on behalf of the University in the conduct of its business.
  12. User: any person accessing any information that is stored on the University's Information Technology (IT) systems.
Section 3 - Policy Statement

(7) The University is committed to ensuring that access to and use of the University's digital information, services and resources are efficient, lawful, appropriate and ethical, and subject to appropriate security controls.

(8) The University aims to maintain a state of digital security where the risk of loss or damage to digital information and services is managed to an acceptable level.

(9) The University acknowledges that good security requires all users to be trained in and be aware of their digital information security responsibilities.

Section 4 - Procedures

Part A - Responsibilities

(10) All users must ensure that their use of University digital information:

  1. is for official business purposes only, and
  2. complies with University policies and procedures.

(11) All users must take the following steps to reduce the risk of unauthorised access to digital information:

  1. Use strong passwords;
  2. Never reveal or share passwords with others under any circumstances;
  3. Ensure that sensitive information cannot be observed from their workstation's screen;
  4. Log out or lock their workstation before leaving it unattended;
  5. Immediately change their password if there is any concern that their account has been compromised;
  6. Use University approved methods to access University digital information when off campus (e.g. Outlook Web Access or Citrix Access);
  7. Take appropriate care when storing confidential or sensitive material on a memory stick or on privately owned devices; and
  8. Ensure any third parties who are to handle University digital information are required to take appropriate security measures.

(12) Users are to immediately report security incidents to their supervisor and to the Information Technology Service Desk (IT Service Desk).

(13) Supervisors must immediately ensure that incidents referred to them are reported to the IT Service Desk.

(14) Users must not publicise security incidents, as publicity increases risks to the University.

(15) In accordance with Australian Guidelines for the Management of IT Evidence, HB171-2003, only defined security investigators are to collect security incident evidence.

(16) All users are required to understand their responsibilities regarding information security, including an awareness of those parts of the ISMS relevant to their duties.

(17) The Vice-Chancellor and President is responsible for:

  1. Ensuring this policy and associated policies, procedures, standards and guidelines are publicised to all users.
  2. Establishing the DSSC.

(18) The Chief Information and Digital Officer, or their nominated representative, is responsible for:

  1. applying this policy and the ISMS;
  2. managing information security incidents in accordance with the ISMS;
  3. making recommendations to the DSSC; and
  4. ensuring that third party access to University information systems is approved by the system business application owner and conforms with the ISMS.

Part B - Information Security Awareness

(19) ITDS will publish IT Security Advisories to raise awareness of security issues.

(20) The University will provide access to training and advice to users to raise awareness of their digital information security responsibilities.

Part C - Configuration Management

(21) ITDS will maintain a Configuration Management System of University information system assets, including business and service ownership details. While hardware components may be listed as part of a service provided, the physical hardware has a separate Asset Management Policy that must be followed from a purchasing and financial perspective.

(22) The CIDO, or their nominated representative, will ensure that University digital information has a defined risk classification that includes a consistent assessment of legal and regulatory requirements, business sensitivity, criticality and proprietary information.

Part D - Business Continuity Management

(23) Business application owners of University information systems are to ensure that the development and testing of Business Continuity Plans address how their area(s) of responsibility will continue to function in the case of service interruptions or failure of information systems or other critical technology.

Part E - User Awareness and Responsibilities

(24) Managers and supervisors, in conjunction with the business application owner and the Chief Information and Digital Officer, shall ensure that all users accessing information systems are made aware of their responsibility regarding information security.

Part F - Access Control

(25) The business application owner, in consultation with the CIDO or designee, is responsible for ensuring that:

  1. Physical access to digital information and information processing facilities is restricted.
  2. Information processing facilities are secured against damage.

(26) To prevent unauthorised logical access to digital information services, ITDS will:

  1. segregate systems containing sensitive or critical information to secure hardware and networks or otherwise configure them to meet security and legislative requirements; and
  2. restrict access at network and application levels.

Part G - Monitoring

(27) The University will monitor ITDS systems as follows:

  1. ITDS will:
    1. adopt change management processes, as described in the ITDS Change Management Process Document, for all identified systems;
    2. review system capacity quarterly, to ensure continued adequate capacity;
    3. maintain backups and test the restoration of backups at least twice yearly;
    4. log and audit use of and changes to ITDS systems and services; and
    5. retain logs for monitoring and investigations and as evidence if subpoenaed.
  2. Systems administrators and systems staff are to maintain reviewable activity logs.
  3. Authorised staff are to undertake routine monitoring of ITDS systems/services, and extraordinary monitoring only in accordance with University policies.

Part H - Compliance

(28) The University will ensure:

  1. Breaches of legal, civil, regulatory or contractual obligations are avoided, where possible.
  2. Policy, statutory, regulatory and contractual requirements are explicitly defined and documented for each Information System in use.
  3. Audits of operational systems actively minimise the risk of disruption, are conducted in accordance with the University's Audit Plan, and are non-intrusive, unless otherwise approved by the business application owner.
  4. System audit tools are used only with the permission of the CIDO.

(29) Policy breaches may result in disciplinary action being taken in accordance with relevant misconduct policies or staff agreements.

Part I - Digital Security Steering Committee (DSSC)

(30) The University has established the Digital Security Steering Committee (DSSC) to advise the University Executive on matters relating to the security of the University's digital information.

Chair and members

(31) The chair of the DSSC is the Associate Director, Digital Security and Risk and the committee includes representation from schools, divisions, Information Technology and Digital Services, and the Office of Audit and Risk Assessment.

Terms of reference

(32) The terms of reference of the DSSC are to:

  1. Oversee risk management by recommending appropriate measures to identify and mitigate risks and where appropriate advise the Audit and Risk Committee (ARC);
  2. Manage the high level digital security strategy and agenda, enabling strategic alignment with business strategy to support the University's objectives;
  3. Oversee and recommend key information security projects in line with strategic intent;
  4. Drive the development and renewal of information security policies and recommendations including the evaluation of impacts on the business;
  5. Make recommendations for implementing security practices into business processes (administration, teaching, research);
  6. Monitor the effectiveness of information security management frameworks;
  7. Routinely review and benchmark organisational information security practices and policies through audits and reviews;
  8. Actively develop and champion, at all levels of the University, an awareness of Information Security principles; and
  9. Routinely assess the digital landscape in the industry and amongst peers with a view to identifying opportunities and/or threats.

(33) The group will correspond via email and meet face to face at least three times a year.

Part J - Information Security Management System (ISMS)

(34) The DSSC will develop an ISMS based on Australian and international standards.

(35) The ISMS will address security controls and practices to be implemented by the University, ensuring:

  1. Security incidents are contained, reported, analysed, and assessed, based on incident type, volume and impact.
  2. Incident related data, logs and forensic IT information are collected as soon as possible.
  3. A robust CMS is in place to support the University's digital information needs.

(36) The ISMS will specify the responsibilities and approach to be taken to manage security incidents, as defined in HB171-2003.

Section 5 - Guidelines

(37) The Australian Guidelines for the Management of IT Evidence, HB171-2003, and Australian Standard AS/NZS ISO/IEC 27001 can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.