• Section 1 - Purpose and Context
• Section 2 - Definitions
• Section 3 - Policy Statement
• Section 4 - Procedures
• Part A - Responsibilities
• Part B - Information Security Awareness
• Part C - Configuration Management
• Part D - Business Continuity Management
• Part E - User Awareness and Responsibilities
• Part F - Access Control
• Part G - Maintenance and Review
• Part H - Compliance
• Part I - Authorised User Credentials
• Part J - Remote Access
• Part K - Digital Security Steering Committee (DSSC)
• Chair and Members
• Terms of Reference
• Part L - Information Security Management System (ISMS)
• Section 5 - Guidelines
• Section 6 - Terms and Acronyms

Section 1 - Purpose and Context

(1) Managing and protecting the integrity, confidentiality and availability of the University's research and information resources and assets is vital for delivering the University services, protecting the University's business and reputation, and allowing the University to meet its legal and ethical responsibilities.

(2) This policy provides the principles and procedures for protecting digital information, services and Information Technology (IT) Resources, and establishes the Information Digital Security Steering Committee (DSSC), which provides strategic direction, enables risk management, prioritises resource utilisation, measures performance, and defines the security culture that supports Digital Information Security Management at Western Sydney University.

(3) This policy applies to all Authorised Users of digital information, information systems, and applications which are on University premises, belong to the University or are services or sites that are hosted for the University.

(4) The policy is to be used as the basis for developing any new information security related policies, procedures and standards.

(5) The policy is to be read in conjunction with the following University policies:

1. Acceptable Use of IT Resources Policy;
2. Email and Internet Policy;
3. Cyber Security Policy;
4. Computer Systems Implementation Policy;
5. Research Higher Degree Scholarship Policy;
6. Disability Policy;
7. Asset Management Policy;
8. Intellectual Property Policy; and
9. Workplace Surveillance Policy.

Section 2 - Definitions

(6) Words and Terms used in this policy are defined in Section 6 — Terms and Acronyms.

Section 3 - Policy Statement

(7) The University is committed to ensuring that access to and use of the University's digital information, services and IT Resources are efficient, lawful, appropriate and ethical, and subject to appropriate security controls.

(8) The University aims to maintain a state of digital security where the risk of loss or damage to digital information and services is managed to an acceptable level.

(9) The University acknowledges that good security requires all Authorised Users to be trained in and be aware of their digital information security responsibilities.

Section 4 - Procedures

Part A - Responsibilities

(10) All Authorised Users must ensure that their use of University digital information:

1. is for official business purposes only, and
2. complies with University policies and procedures. (see the Acceptable Use of Digital Services Policy, the Email and Internet Policy, and the Cyber Security Policy for more details).

(11) All Authorised Users must take the following steps to reduce the risk of unauthorised access to digital information:

1. Use strong passwords (see Part I below);
2. Never reveal or share passwords with others under any circumstances;
3. Never ask for another user's password;
4. Ensure that sensitive information cannot be observed from their workstation's screen;
5. Log out or lock their workstation before leaving it unattended;
6. Immediately change their password if there is any concern that their account has been compromised;
7. Use University-approved methods to access University digital information when off campus (see the Computer Systems Implementation Policy for more details);
8. Take appropriate care when storing confidential or sensitive material on a memory stick or on privately owned devices; and
9. Ensure any third parties who are to handle University digital information are required to take appropriate security measures.

(12) Authorised Users are to immediately report security incidents to their supervisor, and the Information Technology Service Desk (IT Service Desk).

(13) Supervisors must immediately ensure that incidents referred to them are reported to the IT Service Desk.

(14) Authorised Users must not publicise security incidents, as publicity increases risks to the University.

(15) In accordance with Australian Guidelines for the Management of IT Evidence, HB171-2003, only defined security investigators are to collect security incident or investigative evidence.

(16) All Authorised Users are required to understand their responsibilities regarding information security, including an awareness of those parts of the ISMS relevant to their duties.

(17) The Vice-Chancellor and President is responsible for:

1. ensuring this policy and associated policies, procedures, standards and guidelines are publicised to all Authorised Users.
2. establishing the DSSC.

(18) The Chief Information and Digital Officer, or their nominated representative, is responsible for:

1. applying this policy and the ISMS;
2. managing information security incidents in accordance with the ISMS;
3. making recommendations to the DSSC; and
4. ensuring that third party access to University information systems is approved by the system business application owner and conforms with the ISMS.

Part B - Information Security Awareness

(19) ITDS will publish IT Security Advisories to raise awareness of security issues.

(20) The University will provide access to training and advice to Authorised Users to raise awareness of their digital information security responsibilities. See the Cyber Security Policy for more details. [Ref. ISO 27002 section 7.2.2; ISM Control 0252].

Part C - Configuration Management

(21) ITDS will maintain a Configuration Management System of all University information system assets, including business and service ownership details. While hardware components may be listed as part of a service provided, the physical hardware has a separate Asset Management Policy that must be followed from a purchasing and financial perspective. [Ref. ISM Controls 0289, 0291].

(22) The CIDO, or their nominated representative, will ensure that University digital information has a defined risk classification that includes a consistent assessment of legal and regulatory requirements, business sensitivity, criticality and proprietary information. [Ref. ISO 27002 section 8.2.1; ISM Control 0293].

Part D - Business Continuity Management

(23) Business application owners of University information systems are to ensure that the development and testing of Business Continuity Plans include how their area(s) of responsibility will continue to function in the case of service interruptions or failure of information systems or other critical technology. [Ref. ISO 27002 section 17.1; ISM Control 0118].

Part E - User Awareness and Responsibilities

(24) Managers and supervisors, in conjunction with the business application owner and the Chief Information and Digital Officer, shall ensure that all Authorised Users accessing information systems are made aware of their responsibility regarding Information security.

Part F - Access Control

(25) The business application owner and/or service owner, in consultation with the CIDO (or nominee), is responsible for ensuring that:

1. physical access to digital information and information processing facilities is restricted.
2. information processing facilities are secured against damage.

(26) To prevent unauthorised logical access to digital information services, ITDS will:

1. segregate systems containing sensitive or critical information to secure hardware and networks or otherwise configure them to meet security and legislative requirements; and
2. restrict access at network and application levels. [Ref. ISO 27002 sections 9.1.2, 13.1.2, 13.1.3; ISM Control 0413].

Part G - Maintenance and Review

(27) The University will review ITDS systems as follows:

1. ITDS will:
   1. adopt change management processes, as described in the ITDS ITDS Change Management Process Document, for all identified systems; [Ref ISM Control 1121];
   2. review system capacity quarterly, to ensure continued adequate capacity;
   3. maintain backups and test the restoration of backups at least twice yearly;
   4. log and audit use of and changes to ITDS systems and services; and
   5. retain logs for routine reviewing and maintenance purposes [Ref ISO 27002 section 12.4]
2. Systems administrators and ITDS staff are to maintain reviewable activity logs.
3. Authorised staff are to undertake routine logging of ITDS systems/services in order to ensure their availability, integrity and confidentiality.

Part H - Compliance

(28) The University will ensure:

1. breaches of legal, civil, regulatory or contractual obligations are avoided, wherever possible.
2. policy, statutory, regulatory and contractual requirements are explicitly defined and documented for each Information System in use. [Ref ISO 27002 section 18.1.1].
3. audits of operational systems must actively minimise the risk of disruption, be conducted in accordance with the University's Audit Plan, and be non-intrusive, unless otherwise approved by the business application owner.
4. system audit tools are used only with permission of the CIDO.

(29) Policy breaches may result in disciplinary action being taken in accordance with relevant misconduct policies or staff agreements.

(30) Any deviation from ITDS policies and processes must involve the Exemption Process to address the technical reasons and/or legitimate business requirements, and related potential risks to ITDS or the University as a whole. An exemption request must be completed by the relevant System owner (or delegate). See the Exemption Process for more details. [Ref. ISO 27002 section 5.1.1].

Part I - Authorised User Credentials

(31) The University uses password(s) as the primary protection for its User accounts, including Elevated Access Users. A poorly chosen password may result in the compromise of the entire University's IT Resources. As such, all Authorised Users are responsible for taking the appropriate steps to select, secure, and manage their passwords. See the Password Protection Guide for more information.

(32) Any and all Credentials assigned to Authorised Users are for their individual use only. Authorised Users must not share or disclose their Credentials to anyone, including supervisors, colleagues, friends, family, or IT staff. [Ref. ISO 27002 section 9.3].

(33) Any misuse of User Credentials to Elevate a User's system privileges above what has been authorised for their use will be considered to be a breach of policy and an act of misconduct.

(34) ITDS will place controls around the level of complexity that passwords require, to ensure all Users have strong passwords [Ref. ISO 27002 section 9.3]. Strong passwords have the following characteristics: [Ref. ISO 27002 section 9.4.3].

1. A minimum of 8 characters
2. Contains characters from at least three of the four groups below:
   1. Upper case letters [A, B, C...]
   2. Lower case letters [a, b, c...]
   3. Numbers [0, 1, 2, 3...]
   4. Special characters [!@#$%^*()_+=[]{}?] (Do not use '"&\<>)
3. Is not a password you have used recently (within the last 5 passwords)

(35) All passwords must be changed regularly, through the password management web applications for students and staff accessible through the University's website. Forced password reset periods will be determined as needed. Passwords can be changed more frequently if desired, and should be changed immediately if there is any possibility that the password or account may have been compromised. [Ref. ISO 27002 section 9.4.3].

(36) Elevated Access Users are expected to use stronger passwords than those required by Authorised Users (see the Password Guide Document for more details).

(37) Elevated Access Users should use Credentials with administrative or elevated privileges only while performing Administration or role-related activities, and must use their regular Authorised User Credentials for all other activities. [Ref. ISO 27002 section 9.2.3e; ISM Control 1381].

(38) Passwords or login Credentials shall not be stored in clear text in electronic documents, on electronic locations (such as personal drives, shared drives, applications, SharePoint), or on paper in an unsecured location (such as a post-it note on a monitor, under a keyboard, or in an unlocked filing cabinet). [Ref. ISO 27002 section 9.3] Making use of a corporate encrypted password vault solution is acceptable as long as it has been assessed for security by ITDS and approved by the CIDO (or nominee).

Part J - Remote Access

(39) The University is not required to provide remote access to its IT Resources to any Users. However, the University can provide some remote access capability where it is satisfied this is necessary for University purposes. [Ref ISO 27002 section 6.2.2] This includes:

1. The provision of web applications to allow students and staff to access University IT Resources remotely (such as Western Central/Student Portal, vUWS, Student Email, tutorial registration), and
2. ITDS approved remote desktop software solutions. The approved software used may be reviewed and changed periodically to ensure that security controls are still valid and up-to-date.

(40) Acquisition, installation or use of any remote access software without the authorization, approval and support of ITDS is considered a breach of policy. See the Computer Systems Implementation Policy for more information.

(41) The University does not provide, fund, or subsidise off-campus access to the internet wherever other alternatives are present, except as required or allowed by the Research Higher Degree Candidature Essential Resources Policy and Disability Policy.

(42) Unless otherwise provided by the University, it is the responsibility of the Authorised User to ensure they have the necessary computer, modem, connection media and software to connect to the internet.

1. Where such equipment is provided, the University's usual process for procurement will be followed (see the Computer Systems Implementation Policy for more details).
2. Where such equipment is provided, the University's usual processes for security and privacy will be followed (see the Cyber Security Policy for more details).
3. Where such equipment is provided by the University, it remains the property of the University, and all relevant policies and processes (including the Acceptable Use of IT Resources Policy) remain in effect at all times, regardless of the location of the equipment.

Part K - Digital Security Steering Committee (DSSC)

(43) The University has established the Digital Security Steering Committee (DSSC) to advise the University Executive on matters relating to the security of the University's digital information.

Chair and Members

(44) The chair of the DSSC is the Associate Director, Digital Security and Risk, and the committee includes representation from schools, divisions, Information Technology and Digital Services, and the Office of Audit and Risk Assessment.

Terms of Reference

(45) The terms of reference of the DSSC are to:

1. oversee risk management by recommending appropriate measures to identify and mitigate risks and where appropriate advise the Audit and Risk Committee (ARC);
2. manage the high level digital security strategy and agenda, enabling strategic alignment with business strategy to support the University's objectives;
3. oversee and recommend key information security projects in line with strategic intent;
4. drive the development and renewal of information security policies and recommendations including the evaluation of impacts on the business;
5. make recommendations for implementing security practices into business processes (administration, teaching, research);
6. monitor the effectiveness of information security management frameworks;
7. routinely review and benchmark organisational information security practices and policies through audits and reviews;
8. actively develop and champion at all levels of the University an awareness of Information Security principles; and
9. routinely assess the digital landscape in the industry and amongst peers with the view of identifying opportunities and/or threats.

(46) The group will correspond via email and meet face to face at least three times a year.

Part L - Information Security Management System (ISMS)

(47) The DSSC will develop an ISMS based on Australian and international standards.

(48) The ISMS will address security controls and practices to be implemented by the University, including:

1. Security incidents are contained, reported, analysed, and assessed, based on incident type, volume and impact.
2. Incident related data, logs and forensic IT information are collected as soon as possible.
3. A robust CMS is in place to support the University's digital information needs.

(49) The ISMS will specify the responsibilities and approach to be taken to manage security incidents or investigation evidence, as defined in HB171-2003. Investigations shall only be permitted with the appropriate approvals as defined in the Workplace Surveillance Policy.

Section 5 - Guidelines

(50) This policy should be read in conjunction with the following documents:

1. The Exemption Process
2. The Password Protection Guide
3. The Australian Signal Directorate's Information Security Manual

(51) This policy makes reference to The Australian Guidelines for the Management of IT Evidence, HB171-2003, and the International Standard for Information Security, AS/NZS ISO/IEC 27002,both of which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.

Section 6 - Terms and Acronyms

(52) The following definitions apply for the purposes of this policy:

1. Authorised User: a person who is an enrolled or attending student, a current employee or contractor, or a formal supplier, affiliate or associate of the University who is granted access and provided with authentication Credentials by the University. Eduroam users are also Authorised Users.
2. Business Continuity Plan: As relates to this policy, a documented plan for how a business will continue to function in their required capacity in the event of a technology component failure, until such time as the technology is restored to functional service.
3. CIDO: Chief Information and Digital Officer
4. CMS: Configuration Management System; the computerised system that is used in IT to manage the inventory, deployment, support, ownership and other pertinent information for the overall management of University applications and services during the computer system's lifecycle
5. Confidential and Sensitive Material: any information or material that a person knows or ought reasonably to know is confidential or sensitive, including but not limited to:
   1. The Personal Information of staff or students
   2. Student, staff or research subject health information
   3. Unpublicised financial information
   4. Unpublicised strategic, legal, financial, or research information
   5. Any data that could compromise any facet of the University, including reputation
6. Cyber Security Event: any actual or suspected breach, threat, event, risk, vulnerability, or security weakness relating to University IT Resources
7. DSSC: Digital Security Steering Committee.
8. Elevated Access user: an Authorised User who has been provided with additional access privileges (often taking the form of an Administrator account and Credentials) in addition to their Authorised User account, in order to be able to access protected University IT Resources.
9. ISMS: Information Security Management System
10. ITDS: Information Technology and Digital Services
11. IT Resources: systems, software, hardware, services, communications and network facilities (including email, internet, and Wi-Fi access), and supporting infrastructure provided by or on behalf of the University.
12. Remote Desktop Software: an application, protocol, or other software solution that allows a computer or similar device to connect to the University's hardware or network without being on-site. This does not include the University's Wi-Fi network, which is only broadcast on-site.
13. System Owner: the person or persons who are identified as being responsible for a University IT Resource's management. These are typically Business Application Owners and/or the Service Owners.
    1. Business Application Owner: the person with primary responsibility for the computer system who is within the business unit that is the primary user of the computer system.
    2. Service Owner: the person in an IT or IT-like position that has primary responsibility for the IT support of the computer system
14. University digital information: any data stored electronically, or used by, or on behalf of, the University in the conduct of its teaching, research, business. University information is the property of the University. See the Intellectual Property Policy for more information.