(1) Managing and protecting the integrity, confidentiality and availability of the University's research and information resources and assets is vital for delivering the University services, protecting the University's business and reputation, and allowing the University to meet its legal and ethical responsibilities. (2) This policy provides the principles and procedures for protecting digital information, services and Information Technology (IT) Resources, and establishes the Information Digital Security Steering Committee (DSSC), which provides strategic direction, enables risk management, prioritises resource utilisation, measures performance, and defines the security culture that supports Digital Information Security Management at Western Sydney University. (3) This policy applies to all Authorised Users of digital information, information systems, and applications which are on University premises, belong to the University or are services or sites that are hosted for the University. (4) The policy is to be used as the basis for developing any new information security related policies, procedures and standards. (5) The policy is to be read in conjunction with the following University policies: (6) Words and Terms used in this policy are defined in Section 6 — Terms and Acronyms. (7) The University is committed to ensuring that access to and use of the University's digital information, services and IT Resources are efficient, lawful, appropriate and ethical, and subject to appropriate security controls. (8) The University aims to maintain a state of digital security where the risk of loss or damage to digital information and services is managed to an acceptable level. (9) The University acknowledges that good security requires all Authorised Users to be trained in and be aware of their digital information security responsibilities. (10) All Authorised Users must ensure that their use of University digital information: (11) All Authorised Users must take the following steps to reduce the risk of unauthorised access to digital information: (12) Authorised Users are to immediately report security incidents to their supervisor, and the Information Technology Service Desk (IT Service Desk). (13) Supervisors must immediately ensure that incidents referred to them are reported to the IT Service Desk. (14) Authorised Users must not publicise security incidents, as publicity increases risks to the University. (15) In accordance with Australian Guidelines for the Management of IT Evidence, HB171-2003, only defined security investigators are to collect security incident or investigative evidence. (16) All Authorised Users are required to understand their responsibilities regarding information security, including an awareness of those parts of the ISMS relevant to their duties. (17) The Vice-Chancellor and President is responsible for: (18) The Chief Information and Digital Officer, or their nominated representative, is responsible for: (19) ITDS will publish IT Security Advisories to raise awareness of security issues. (20) The University will provide access to training and advice to Authorised Users to raise awareness of their digital information security responsibilities. See the Cyber Security Policy for more details. [Ref. ISO 27002 section 7.2.2; ISM Control 0252]. (21) ITDS will maintain a Configuration Management System of all University information system assets, including business and service ownership details. While hardware components may be listed as part of a service provided, the physical hardware has a separate Asset Management Policy that must be followed from a purchasing and financial perspective. [Ref. ISM Controls 0289, 0291]. (22) The CIDO, or their nominated representative, will ensure that University digital information has a defined risk classification that includes a consistent assessment of legal and regulatory requirements, business sensitivity, criticality and proprietary information. [Ref. ISO 27002 section 8.2.1; ISM Control 0293]. (23) Business application owners of University information systems are to ensure that the development and testing of Business Continuity Plans include how their area(s) of responsibility will continue to function in the case of service interruptions or failure of information systems or other critical technology. [Ref. ISO 27002 section 17.1; ISM Control 0118]. (24) Managers and supervisors, in conjunction with the business application owner and the Chief Information and Digital Officer, shall ensure that all Authorised Users accessing information systems are made aware of their responsibility regarding Information security. (25) The business application owner and/or service owner, in consultation with the CIDO (or nominee), is responsible for ensuring that: (26) To prevent unauthorised logical access to digital information services, ITDS will: (27) The University will review ITDS systems as follows: (28) The University will ensure: (29) Policy breaches may result in disciplinary action being taken in accordance with relevant misconduct policies or staff agreements. (30) Any deviation from ITDS policies and processes must involve the Exemption Process to address the technical reasons and/or legitimate business requirements, and related potential risks to ITDS or the University as a whole. An exemption request must be completed by the relevant System owner (or delegate). See the Exemption Process for more details. [Ref. ISO 27002 section 5.1.1]. (31) The University uses password(s) as the primary protection for its User accounts, including Elevated Access Users. A poorly chosen password may result in the compromise of the entire University's IT Resources. As such, all Authorised Users are responsible for taking the appropriate steps to select, secure, and manage their passwords. See the Password Protection Guide for more information. (32) Any and all Credentials assigned to Authorised Users are for their individual use only. Authorised Users must not share or disclose their Credentials to anyone, including supervisors, colleagues, friends, family, or IT staff. [Ref. ISO 27002 section 9.3]. (33) Any misuse of User Credentials to Elevate a User's system privileges above what has been authorised for their use will be considered to be a breach of policy and an act of misconduct. (34) ITDS will place controls around the level of complexity that passwords require, to ensure all Users have strong passwords [Ref. ISO 27002 section 9.3]. Strong passwords have the following characteristics: [Ref. ISO 27002 section 9.4.3]. (35) All passwords must be changed regularly, through the password management web applications for students and staff accessible through the University's website. Forced password reset periods will be determined as needed. Passwords can be changed more frequently if desired, and should be changed immediately if there is any possibility that the password or account may have been compromised. [Ref. ISO 27002 section 9.4.3]. (36) Elevated Access Users are expected to use stronger passwords than those required by Authorised Users (see the Password Guide Document for more details). (37) Elevated Access Users should use Credentials with administrative or elevated privileges only while performing Administration or role-related activities, and must use their regular Authorised User Credentials for all other activities. [Ref. ISO 27002 section 9.2.3e; ISM Control 1381]. (38) Passwords or login Credentials shall not be stored in clear text in electronic documents, on electronic locations (such as personal drives, shared drives, applications, SharePoint), or on paper in an unsecured location (such as a post-it note on a monitor, under a keyboard, or in an unlocked filing cabinet). [Ref. ISO 27002 section 9.3] Making use of a corporate encrypted password vault solution is acceptable as long as it has been assessed for security by ITDS and approved by the CIDO (or nominee). (39) The University is not required to provide remote access to its IT Resources to any Users. However, the University can provide some remote access capability where it is satisfied this is necessary for University purposes. [Ref ISO 27002 section 6.2.2] This includes: (40) Acquisition, installation or use of any remote access software without the authorization, approval and support of ITDS is considered a breach of policy. See the Computer Systems Implementation Policy for more information. (41) The University does not provide, fund, or subsidise off-campus access to the internet wherever other alternatives are present, except as required or allowed by the Research Higher Degree Candidature Essential Resources Policy and Disability Policy. (42) Unless otherwise provided by the University, it is the responsibility of the Authorised User to ensure they have the necessary computer, modem, connection media and software to connect to the internet. (43) The University has established the Digital Security Steering Committee (DSSC) to advise the University Executive on matters relating to the security of the University's digital information. (44) The chair of the DSSC is the Associate Director, Digital Security and Risk, and the committee includes representation from schools, divisions, Information Technology and Digital Services, and the Office of Audit and Risk Assessment. (45) The terms of reference of the DSSC are to: (46) The group will correspond via email and meet face to face at least three times a year. (47) The DSSC will develop an ISMS based on Australian and international standards. (48) The ISMS will address security controls and practices to be implemented by the University, including: (49) The ISMS will specify the responsibilities and approach to be taken to manage security incidents or investigation evidence, as defined in HB171-2003. Investigations shall only be permitted with the appropriate approvals as defined in the Workplace Surveillance Policy. (50) This policy should be read in conjunction with the following documents: (51) This policy makes reference to The Australian Guidelines for the Management of IT Evidence, HB171-2003, and the International Standard for Information Security, AS/NZS ISO/IEC 27002,both of which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library. (52) The following definitions apply for the purposes of this policy:Digital Information Security Policy
Section 1 - Purpose and Context
Top of PageSection 2 - Definitions
Section 3 - Policy Statement
Section 4 - Procedures
Part A - Responsibilities
Part B - Information Security Awareness
Part C - Configuration Management
Part D - Business Continuity Management
Part E - User Awareness and Responsibilities
Part F - Access Control
Part G - Maintenance and Review
Part H - Compliance
Part I - Authorised User Credentials
Part J - Remote Access
Part K - Digital Security Steering Committee (DSSC)
Chair and Members
Terms of Reference
Part L - Information Security Management System (ISMS)
Section 5 - Guidelines
Section 6 - Terms and Acronyms
View Current
This is not a current document. To view the current version, click the link in the document's navigation bar.