Digital Information Security Policy

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Purpose and Context

(1) Managing and protecting the integrity, confidentiality and availability of the University's research and information resources and assets is vital for delivering the University services, protecting the University's business and reputation, and allowing the University to meet its legal and ethical responsibilities.

(2) This policy provides the principles and procedures for protecting digital information, services and resources, and establishes the Information Digital Security Steering Committee (DSSC), which provides strategic direction, enables risk management, prioritises resource utilisation, measures performance and defines the security culture that supports Digital Information Security Management at Western Sydney University.

(3) This policy applies to all users of digital information, information systems and applications which are on University premises, belong to the University or are services or sites that are hosted for the University.

(4) The policy is to be used as the basis for developing any new information security related policies, procedures and standards.

(5) The policy is to be read in conjunction with the IT Acceptable Use of Resources Policy, Records and Archives Management Policy, Email Policy and Asset Management Policy.

Section 2 - Definitions

(6) The following definitions apply for the purpose of this policy:

Section 3 - Policy Statement

(7) The University is committed to ensuring that access to and use of the University's digital information, services and resources are efficient, lawful, appropriate and ethical, and subject to appropriate security controls.

(8) The University aims to maintain a state of digital security where the risk of loss or damage to digital information and services is managed to an acceptable level.

(9) The University acknowledges that good security requires all users to be trained in and be aware of their digital information security responsibilities.

Section 4 - Procedures

Part A - Responsibilities

(10) All users must ensure that their use of University digital information:

(11) All users must take the following steps to reduce the risk of unauthorised access to digital information:

(12) Users are to immediately report security incidents to their supervisor and the Information Technology Service Desk (IT Service Desk).

(13) Supervisors must immediately ensure that incidents referred to them are reported to the IT Service Desk.

(14) Users must not publicise security incidents, as publicity increases risks to the University.

(15) In accordance with Australian Guidelines for the Management of IT Evidence, HB171-2003, only defined security investigators are to collect security incident evidence.

(16) All users are required to understand their responsibilities regarding information security, including an awareness of those parts of the ISMS relevant to their duties.

(17) The Vice-Chancellor and President is responsible for:

(18) The Chief Information and Digital Officer, or their nominated representative, is responsible for:

Part B - Information Security Awareness

(19) ITDS will publish IT Security Advisories to raise awareness of security issues.

(20) The University will provide access to training and advice to users to raise awareness of their digital information security responsibilities.

Part C - Configuration Management

(21) ITDS will maintain a Configuration Management System of University information system assets, including business and service ownership details. While hardware components may be listed as part of a service provided, the physical hardware has a separate Asset Management Policy that must be followed from a purchasing and financial perspective.

(22) The CIDO, or their nominated representative, will ensure that University digital information has a defined risk classification that includes a consistent assessment of legal and regulatory requirements, business sensitivity, criticality and proprietary information.

Part D - Business Continuity Management

(23) Business application owners of University information systems are to ensure that the development and testing of Business Continuity Plans address how their area(s) of responsibility will continue to function in the case of service interruptions or failure of information systems or other critical technology.

Part E - User Awareness and Responsibilities

(24) Managers and supervisors, in conjunction with the business application owner and the Chief Information and Digital Officer, shall ensure that all users accessing information systems are made aware of their responsibility regarding information security.

(25) The business application owner, in consultation with the CIDO or designee, is responsible for ensuring that:

Part F - Access Control

(26) To prevent unauthorised logical access to digital information services, ITDS will:

Part G - Monitoring

(27) The University will monitor ITDS systems as follows:

Part H - Compliance

(28) The University will ensure:

(29) Policy breaches may result in disciplinary action being taken in accordance with relevant misconduct policies or staff agreements.

Part I - Digital Security Steering Committee (DSSC)

(30) The University has established the Digital Security Steering Committee (DSSC) to advise the University Executive on matters relating to the security of the University's digital information.

Chair and members

(31) The chair of the DSSC is the Associate Director, Digital Security and Risk, and the committee includes representation from schools, divisions, Information Technology and Digital Services, and the Office of Audit and Risk Assessment.

Terms of reference

(32) The terms of reference of the DSSC are to:

(33) The group will correspond via email and meet face to face at least three times a year.

Part J - Information Security Management System (ISMS)

(34) The DSSC will develop an ISMS based on Australian and international standards.

(35) The ISMS will address security controls and practices to be implemented by the University, ensuring:

(36) The ISMS will specify the responsibilities and approach to be taken to manage security incidents, as defined in HB171-2003.

Section 5 - Guidelines

(37) The Australian Guidelines for the Management of IT Evidence, HB171-2003, and Australian Standard AS/NZS ISO/IEC 27001 can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.