(1) Managing and protecting the confidentiality, integrity and availability of the University's research and information Digital Services is vital for delivering the University services, protecting the University's business and reputation, and allowing the University to meet its legal and ethical responsibilities. (2) This policy provides the principles and procedures for protecting digital information, and Digital Services, and establishes the Digital Security Steering Committee (DSSC), which provides strategic direction, enables risk management, prioritises resource utilisation, measures performance, and defines the security culture that supports Digital Information Security Management at Western Sydney University. (3) This policy applies to all Authorised Users of digital information, and Digital Services which are on University premises, belong to the University or are services or sites that are hosted for the University. (4) The policy is to be used as the basis for developing any new information security related policies, procedures and standards. (5) The policy is to be read in conjunction with the following University documents: (6) This policy should be read in conjunction with the following: (7) This policy makes reference to the International Standard for Information Security, AS/NZS ISO/IEC 27002,both of which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library. (8) Words and Terms used in this policy are defined in Section 6 — Terms and Acronyms. (9) The University is committed to ensuring that access to and use of the University's digital information, and Digital Services are efficient, lawful, valid and ethical, and subject to appropriate security controls. (10) The University aims to maintain a state of digital security where the risk of loss or damage to digital information and services is managed to an acceptable level. (11) The University acknowledges that good security requires all Authorised Users to be trained in and be aware of their digital information security responsibilities. (12) All Authorised Users must ensure that their use of University digital information: (13) All Authorised Users must take the following steps to reduce the risk of unauthorised access to digital information [Ref. Cybercrime Act schedule 1]: (14) Authorised Users are to immediately report security incidents to their supervisor, and the Information Technology Service Desk (IT Service Desk). (15) Supervisors must immediately ensure that incidents referred to them are reported to the IT Service Desk. (16) Authorised Users must not publicise security incidents, as publicity increases risks to the University. (17) In accordance with the Cyber Security Incident Management Process (refer KB0014354 – requires staff login), only defined staff are to lead security incident investigations and evidence collection. (18) All Authorised Users are required to understand their responsibilities regarding information security, including an awareness of those parts of the Information Security Management System (ISMS) relevant to their duties. (19) The Vice-Chancellor and President is responsible for: (20) The Chief Information and Digital Officer, or their nominated representative, is responsible for: (21) ITDS will publish IT Security Advisories to raise awareness of security issues. (22) The University will provide access to training and advice to Authorised Users to raise awareness of their digital information security responsibilities. See the Cyber Security Policy and University Cyber Security website for more details. [Ref. ISO 27002 section 7.2.2; ISM Control 0252]. (23) ITDS will maintain a Configuration Management Data Base of all University Digital Services assets, including business ownership and support details. While hardware components may be listed as part of a service provided, the physical hardware has a separate Asset Management Policy that must be followed from a purchasing and financial perspective. [Ref. ISM Controls 0289, 0291]. (24) The CIDO, or their nominated representative, will ensure that University digital information has a defined data classification that includes a consistent assessment of legal and regulatory requirements, business sensitivity, criticality and proprietary information. [Ref. ISO 27002 section 8.2.1; ISM Control 0293]. (25) Business application owners of University Digital Services are to ensure that the development and testing of Business Continuity Plans include how their area(s) of responsibility will continue to function in the case of service interruptions or failure of Digital Services or other critical technology. [Ref. ISO 27002 section 17.1; ISM Control 0118, 0193]. (26) Managers and supervisors, in conjunction with the business application owner, Privacy Officer, and the Chief Information and Digital Officer, shall ensure that all Authorised Users accessing Digital Services are made aware of their responsibility regarding data privacy and security. (27) The ITDS Staff Code of Ethics is provided to assist ITDS staff in managing their responsibilities for safe use and provision of IT digital services. (28) The business application owner and/or service delivery manager, in consultation with the CIDO (or nominee), is responsible for ensuring that: (29) To prevent unauthorised logical access to data and services, ITDS will: (30) The University will review ITDS Digital Services as follows: (31) The University will ensure: (32) Policy breaches may result in disciplinary action being taken in accordance with relevant misconduct policies or staff agreements. (33) Any deviation from ITDS policies and processes must involve an Approved Exemption Process to address the technical reasons and/or legitimate business requirements, and related potential risks to ITDS or the University as a whole. An exemption request must be completed by the relevant Service Delivery Manager (or delegate). See the Exemption Process (as attached ServiceNow Knowledge Base KB0013593 — requires staff login) for more details. [Ref. ISO 27002 section 5.1.1]. (34) The University uses password(s) as the primary protection for its User accounts, including Privileged Access Users. A poorly chosen password may result in the compromise of the user’s credentials and can put the Digital Services of the entire University at risk. As such, all Authorised Users are responsible for taking the appropriate steps to select, secure, and manage their passwords. See the Password Protection Guide for more information. (35) Any and all Credentials assigned to Authorised Users are for their individual use only. Authorised Users must not share or disclose their Credentials to anyone, including supervisors, colleagues, friends, family, or IT staff. [Ref. ISO 27002 section 9.3]. (36) Any misuse of User Credentials to Elevate a User's Digital Service privileges above what has been authorised for their use will be considered to be a breach of policy and an act of misconduct. (37) ITDS will place controls around the level of complexity that passwords require, to ensure all Users have strong passwords [Ref. ISO 27002 section 9.3]. Strong passwords have the following characteristics: [Ref. ISO 27002 section 9.4.3]. (38) All passwords must be changed regularly, through the password management web applications for students and staff accessible through the University's website, or the appropriate application. Forced password reset periods will be determined as needed. Passwords can be changed more frequently if desired, and should be changed immediately if there is any possibility that the password or account may have been compromised. [Ref. ISO 27002 section 9.4.3]. (39) Passwords or login Credentials shall not be stored in clear text in electronic documents, on electronic locations (such as personal drives, shared drives, applications, SharePoint), or on paper in an unsecured location (such as a post-it note on a monitor, under a keyboard, or in an unlocked filing cabinet). [Ref. ISO 27002 section 9.3] Making use of a corporate encrypted password vault solution is acceptable as long as it has been assessed for security by ITDS and approved by the CIDO (or nominee). (40) Privileged Access Users are expected to use stronger passwords than those required by Authorised Users (see the Password Protection Guide for more details). (41) Privileged Access Users should use Credentials with administrative or elevated privileges to perform Administration or role-related activities only, and must use their regular Authorised User Credentials for all other activities. [Ref. ISO 27002 section 9.2.3e; ISM Control 1381; ACSC Essential 8]. In particular, internet access while using a privileged account must be limited to what is needed for the administration or support activities for which the privileged account was provided. (42) The University may review the use of access accounts used for Privileged Access. (43) The University provides some remote access capability where it is satisfied this is necessary for University purposes; however, it is not required to provide remote access to its Digital Services to any Users. [Ref. ISO 27002 section 6.2.2] This may include: (44) Acquisition, installation or use of any remote access software without the authorization, approval and support of ITDS is considered a breach of policy. See the Digital Services Implementation Policy for more information. (45) The University does not provide, fund, or subsidise off-campus access to the internet wherever other alternatives are present, except as required or allowed by the Research Higher Degree Candidature Essential Resources Policy, Disability Policy or Higher Education Standards Framework (Threshold Standards) 2021 (section 3.3(3)). (46) Unless otherwise provided by the University, it is the responsibility of the Authorised User to ensure they have the necessary computer, modem, connection media and software to connect to the internet. (47) The University has established the Digital Security Steering Committee (DSSC) to advise the University Executive Committee and the University Audit and Risk Committee on matters relating to the security of the University's digital information. (48) The chair of the DSSC is the Director, Digital Strategy, Security and Risk, and the committee includes representation from schools, divisions, Information Technology and Digital Services, and the Privacy Officer and the Office of Audit and Risk Assessment. (49) The terms of reference of the DSSC are to: (50) The group will correspond via email and meet face to face at least three times a year. (51) The DSSC will review an ISMS based on Australian and international standards. (52) The ISMS will address security controls and practices to be implemented by the University, including: (53) The ISMS will specify the responsibilities and approach to be taken to manage Cyber Security Incidents or Investigation. Investigations into people shall only be permitted with the appropriate approvals as defined in the Workplace Surveillance Policy; for students as defined in the Student Code of Conduct. (54) Nil. (55) The following definitions apply for the purposes of this policy:Digital Information Security Policy
Section 1 - Purpose and Context
Section 2 - Definitions
Section 3 - Policy Statement
Section 4 - Procedures
Part A - Responsibilities
Part B - Information Security Awareness
Part C - Configuration Management
Part D - Business Continuity Management
Part E - User Awareness and Responsibilities
Part F - Access Control
Part G - Maintenance and Review
Part H - Compliance
Part I - Authorised User Credentials
Part J - Privileged User Credentials
Part K - Remote Access
Part L - Digital Security Steering Committee (DSSC)
Chair and Members
Terms of Reference
Part M - Information Security Management System (ISMS)
Section 5 - Guidelines
Section 6 - Terms and Acronyms
View Current
This is the current version of this document. To view historic versions, click the link in the document's navigation bar.