This is not a current document. To view the current version, click the link in the document's navigation bar.
Section 1 - Purpose and Context
(1) The purpose of this policy is to identify and outline the steps that are taken to ensure that malicious intrusion or accidental compromise of the security of Western Sydney University (the University) Information Technology (IT) Resources is prevented, reduced and managed.
(2) Within the ITDS department, various different sections are given responsibility for the controls necessary for the University's Cyber Security. For the purpose of expediency of language within this policy, 'ITDS' is used as a cover-all term for the appropriate sections within the department.
(3) This policy is to be read in conjunction with the following University policies:
- Acceptable Use of Digital Services Policy
- Digital Information Security Policy
- Email and Internet Policy,
- Intellectual Property Policy,
- Privacy Policy, and
- Password Protection Guide.
Top of PageSection 2 - Definitions
(4) Words and Terms used in this policy are defined in Section 6 — Terms and Acronyms.
Top of PageSection 3 - Policy Statement
(5) The University is committed to ensuring information security by preventing unauthorised access to, and modification or impairment of, its IT Resources and the information stored within them; through a combination of preventative measures, Cyber Security Incident Management, and the participation of all Authorised Users in ensuring that security measures are not undermined. [Ref. Cybercrime Act 2001, section 476.2]
(6) The University acknowledges that good security requires all Authorised Users to be trained in and be aware of their Cyber Security responsibilities.
(7) The University aims to maintain an appropriate level of Cyber Security to ensure the integrity, availability and confidentiality of all IT Resources.
Top of PageSection 4 - Procedures
(8) The CIDO authorises the appropriate group(s) within ITDS to perform specific procedures for ensuring the University's Cyber Security, including those identified within this policy.
(9) If any Authorised User (including contractors, visiting academics, and research students) suspects a Cyber Security Event or breach of security controls has occurred, they should report the event to the IT Service Desk immediately. [Ref. ISO 27002 section 7.2.2; ISM Controls 0123-124]
(10) ITDS will assess all reported Cyber Security Events to determine if a response is required. If a response is required, the Event becomes a Cyber Security Incident and will be managed by the appropriate response team in accordance with the steps outlined in the Cyber Security Incident Management Process. This will also ensure the collection and analysis of evidence from the Cyber Security Incident occurs without compromising its integrity. [Ref. ISO 27002 section 16.1.2, 16.1.3; ISM Control 0138]
(11) ITDS will put controls and other preventative measures in place to avoid Cyber Security Incidents, either as a result of experience from previous Cyber Security Incidents or as a countermeasure to likely Cyber Security Incidents, and will document and regularly review these measures to ensure their validity and reliability. [Ref. ISO 27002 section 16.1.6; ISM Control 0916]
(12) ITDS will review logs for breaches in the security of IT Resources, identify and manage Cyber Security Incidents, and create and manage records and documents associated to Cyber Security Incidents for further analysis. In the event of a breach in the University's Information Security, ITDS will endeavour to inform all those who are affected as soon as practical. [Ref. ISO 27002 16.1.5, 16.1.6; ISM Controls 0120-0121]
(13) Users are expected to exercise the same level of caution and awareness when accessing University IT Resources on devices not owned by the University as when accessing systems while using University equipment: alert the IT Service Desk to any suspicious activity; and have consideration of privacy and sensitive information concerns, such as accidental information leak or compromise for mobile devices being used in public places.
(14) Users are responsible for ensuring that any devices they are using to access University IT Resources are up-to-date, free of viruses, and will not compromise the security controls the University places around its IT Resources. Authorised Users are expected to follow the Acceptable Use of Digital Services Policy whilst using their own devices when accessing University IT Resources. [Ref. ISO 27002 section 16.1.1; ISM Control 1398]
(15) ITDS will create and provide appropriate training and awareness campaigns to Authorised Users around Cyber Security Events in order to improve the effectiveness of the reporting and response processes. [Ref. ISO 27002 section 16.1.3; ISM Controls 0251-0253]
Cyber Security Incident Management
(16) Once a Cyber Security Incident has been reported, ITDS will determine what steps are necessary to manage it, following the Cyber Security Incident Management Process. This process provides procedural steps in responding so as to ensure a consistent and effective approach to the management of Cyber Security Incidents, including communication of these events and weaknesses. [Ref: ISO 27002 section 16.1; ISM Controls 0122, 0125, 0126]
Preventative Measures
(17) Preventative measures are in place to provide security controls around the University's IT systems. These include the following:
- Firewall: The University uses firewall hardware and software to log and protect internet and network usage, including connectivity of all Authorised Users and IT Resources, to prevent known threats and vulnerabilities from being exploited. The strength and configuration of the firewall used is based around industry standards to ensure the quality of protection on all University IT Resources. [Ref. ISO 27002 section 13.1.2; ISM Controls 1193, 1194, 0639]
- Blocking of websites: the University blocks certain website URLs, as their content is considered unsafe, unacceptable, or would put people, IT Resources, or the University at risk. This includes, but is not limited to, malicious, gambling, pornographic, or terrorist content. [Ref. ISO 27002 section 12.2.1; ISM Control 0959]
- Blocking of Applications: the University occasionally places a throttle or limit on the internet traffic to certain high-bandwidth streaming applications to prevent an unnecessary drain on University IT resources. [Ref. ISO 27002 section 12.1.3].
- Antivirus software: The University uses antivirus software to ensure the integrity, availability and confidentiality of its IT Resources and detect any malware or similar malicious code. Where possible, its source is traced. The strength of the antivirus software and the regularity that it is set to scan is based around industry standards. [Ref. ISO 27002 section 12.2.1; ISM Controls 1288]
- Automated Spam and Phishing Detection: The University uses systems that detect spam, phishing messages, and other malicious email entering and leaving its email servers, in order to protect against unsolicited commercial email (Spam), Phishing attempts and viral outbreaks. The configuration of this software is adjusted to cater for new types of Spam, Phishing attempts and other forms of malicious email as ITDS is made aware of them. As such, reporting of suspicious activity is still a vital part of this process. For more information on security and awareness in relation to email, see the Email and Internet Policy. [Ref. Spam Act 2003, section 4; Workplace Surveillance Act 2005, section 17.2; Telecommunications Act 1997, section 113; ISO 27002 section 13.2.3; ISM Controls 1234, 0264, 0266]
- Password strength: the University requires a certain level of complexity in all Authorised Users' passwords, to ensure that IT system access is within industry standards. See the Digital Information Security Policy and the Password Protection Guide for more information or advice on password requirements. [Ref AAF Federation Rules section 8.7; ISO 27002 section 9.2.4; ISM Controls 0421]
- Identification and management of technical vulnerabilities: The University conducts audits on its technical vulnerabilities in order to identify and manage them. Vulnerabilities will be assessed for their risk to University operations and managed accordingly. Management of technical vulnerabilities may involve interaction with vendors to find alternate solutions. [Ref: Higher Education Standards Framework 2015, section 6.2.1e; ISO 27002 section 12.6.1; ISM Controls 1163]
- Cryptography: The University procures digital certificates using a bona fide and valid Certificate Authority (CA), and ensures that cryptographic certificates are issued and managed as required. [Ref. ISO 27002 section 10; ISM Controls chapter 19]
(18) Any and all remote desktop software presents a significant threat to the security of the University's IT Resources. As such, the CIDO (or nominee) must first authorise and approve any software solution that provides remote access, in order to ensure the confidentiality, integrity, and availability of University IT Resources (see the Digital Information Security Policy for more details). [Ref. ISO 27002 section 6.2.2; ISM Control 1272]
(19) Using or accessing University IT Resources off-site presents inherent risks to the privacy of confidential and sensitive information kept in those resources. In the interests of protecting security and privacy, all remote access provisions are expected to be used for University business only, and certain restrictions will need to be in force at all times:
- All Authorised Users of University IT Resources, whether on-campus or off-campus, are expected to exercise an appropriate level of care and caution to prevent unauthorised access to any and all IT Resources (see the Digital Information Security Policy for more information);
- All Authorised Users of University IT Resources, whether on-campus or off-campus, are expected to exercise an appropriate level of care and caution to maintain the security of confidential and sensitive information, to protect the privacy of themselves, other Authorised Users, and the University (see the Privacy Policy for more information); and
- Where remote access to University systems is provided, such access is subject to the Acceptable Use of Digital Services Policy, and all other relevant University policies. All use of the University's IT Resources is logged and may be subject to routine reviews. [Ref. ISO 27002 sections 11.2.6, 11.2.8; ISM Controls 1082, 1398]
Top of PageSection 5 - Guidelines
(20) The University maintains an SOE to provide a consistent and secure environment across University IT systems. This also allows the University to maintain better control over any technical vulnerabilities that are known or that arise impacting the environment. All computers procured by the University following its typical procurement process will have an appropriate SOE in place by default, if possible. It is recommended that all University IT Resources are part of an SOE wherever possible.
(21) This Policy should be read in conjunction with the following:
- The Australian Signal Directorate's Information Security Manual
- Spam Act 2003
- Workplace Surveillance Act 2005
- Telecommunications Act 1997
- Higher Education Standards Framework 2015
- AAF Federation Rules
(22) This policy makes reference to the International Standard for Information Security, AS/NZS ISO/IEC 27002, which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.
Top of PageSection 6 - Terms and Acronyms
(23) The following definitions apply for the purposes of this policy:
- Authorised User: a person who is an enrolled or attending student, a current employee, or a formal supplier, affiliate or associate of the University who is granted access and provided with authentication Credentials by the University. Eduroam users are also Authorised Users.
- Confidential and Sensitive Material: any information or material that a person knows or ought reasonably to know is confidential or sensitive, including but not limited to:
- The Personal Information of staff or students
- Student, staff or research subject health information
- Unpublicised financial information
- Unpublicised strategic, legal, or research information
- Any data that could compromise any facet of the University, including reputation
- CIDO: Chief Information and Digital Officer
- Cyber Security Event: any actual or suspected breach, threat, event, risk, vulnerability, or security weakness relating to University IT Resources.
- Cyber Security Incident: any Cyber Security Event that has been determined as a genuine breach in Cyber Security.
- ISMS: Information Security Management System
- ITDS: Information Technology and Digital Services
- IT Resources - systems, software, hardware, services, communications and network facilities (including email, internet, and Wi-Fi access), and supporting infrastructure provided by or on behalf of the University.
- IT Service Desk: a team within ITDS, established to be the first point of call for staff and students, for all IT matters.
- Malware: malicious software or code; software programs designed to damage or do other unwanted actions that are put onto the University's IT systems without permission that do not serve a function to the University's business, and are often designed to actively work against it.
- Phishing: a form of social engineering, commonly an email or telephone call, designed to convince Users to provide information about or access to an IT system; believing the source of the message to be genuine, or originating from within that IT system.
- Remote Desktop Software: an application, protocol, or other software solution that allows a computer or similar device to connect to the University's hardware or network without being on-site. This does not include the University's Wi-Fi network, which is only broadcast on-site.
- SOE: Standard Operating Environment; where the University's computers all make use of the same baseline software suite supporting IT Resources. This includes the patches, updates and software installed, and the administration systems used.
- University Digital Information: any data stored electronically, or used by, or on behalf of, the University in the conduct of its teaching, research, or business. University information is the property of the University. See the Intellectual Property Policy for more information.