Information Technology Security Policy

 

Breadcrumbs

Main Content

Information Technology Security Policy

Responsible officer: Vice-Chancellor

Council approval: C98/99, 24 November 1998

Last amended: -

Related policies:

Purpose and description

The information technology resources of the University, including computer systems and associated devices, networks and communications facilities, provide critical infrastructure and a valuable resource that must be effectively managed. The aim of this policy is to ensure:

  • the provision of uninterrupted IT services
  • the integrity and validity of data
  • an ability to recover effectively and efficiently from disruption and
  • the protection of all the University's IT assets including data, software, and hardware

Responsibility

The Vice-Chancellor is responsible for identifying acceptable levels of risk for various IT systems; and recommending approved policies to University Council.

Implementation of systems and appropriate procedures is the responsibility of the Executive Director of Information Services.

Authorising access to corporate information systems is the responsibility of the cost centre that manages the information system. All users of the University's information and IT assets are responsible for complying with the Security Policy.

Implementation actions

1 Risk profile

1.1 In formulating an effective Information Technology Security Policy it must be recognised that absolute security is not possible. Security comes at a financial cost and often results in a compromise to functionality and flexibility of use. Different systems and services have different risk profiles due to many factors including, clients on the system, access to the system, sensitivity of data, and its critical nature to the University's operations. Consequently, the University shall periodically carry out a risk assessment on all IT systems. The aim of such an assessment is to estimate the University's vulnerability for each system; to determine an acceptable level of risk for each; and to ensure that security measures being taken are sufficient to reduce the risk to acceptable levels. Furthermore, an estimate of the costs associated with achieving an appropriate level of security is required.

2 Physical security

2.1 Access to secure areas including the computer control room, the PABX room and communications closets shall be restricted to authorised staff through the use of passwords, locks, or access-control devices. Visitors to such areas shall be permitted only under the supervision of authorised Information Technology Services or Facilities staff. Details of visitors including name, time in, time out, and reason for entry shall be recorded in a log. Access to other IT resources such as computer laboratories, staff workstations, and Library systems will have sufficient security to ensure unauthorised clients do not have ready access.

2.2 During non-working hours, secure areas shall be protected against intrusion by appropriate surveillance systems or by security staff.

2.3 The campus computer network is a key element of the electronic based services that support the academic programs and administrative operations. Hardware is connected to the network only in accordance with the University's building and telecommunications standards. Any form of unauthorised experimentation with the campus network is prohibited, eg, unauthorised installation of hardware or network software; physical interference with hardware, network connections, or cabling, etc. The University discourages the use of modems attached directly to a client's computer. Where this is required Information Technology Services must have supervised the overall security setup of the computer.

3 Account management

3.1 The University shall determine who has access to available information technology resources.

3.1.1 Staff may be authorised to access resources required to perform their duties. Where possible a single sign-in will be used to authenticate and authorise client access to the network and appropriate services.

3.1.2 Students may be authorised to access services for academic purposes relating to their course of study at the University.

3.1.3 Persons other than staff and students may be provided access to use information technology resources under special circumstances subject to appropriate authorisation and indemnities.

3.1.4 Clients are responsible for their own accounts and are permitted to access only those resources for which they have been authorised. No client may use any other client's authorisation to access any system, nor allow any other person to use his or her authorisation, to access any system.

3.1.5 The University may withdraw access from any client who abuses privileges assigned to them.

3.1.6 Each employee, on commencement of employment, should be made aware of confidentiality requirements for information that they may have access to in the normal course of their employment.

3.2 The primary means of security for the University's information technology resources is through the allocation of individual computer accounts and passwords.

3.2.1 Systems will be configured, where possible, to implement password ageing. As such clients will be forced to change their password on a periodic basis.

3.2.2 It is every client's responsibility to ensure that passwords are selected carefully and not shared with other persons. Furthermore, passwords should not be coded into programs or passwords otherwise automatically remembered.

3.3 Clients should familiarise themselves with the policies Acceptable Use of Information Technology Resources Policy and Electronic Mail Policy for information regarding the use of IT resources and electronic mail.

3.4 IT security, including confidentiality, privacy and procedures relating to system access, shall be incorporated into formal staff induction procedures for all new staff and be conveyed to existing staff on a regular basis.

3.5 Access to all systems must be monitored on a continuing basis and audit trails maintained.

3.5.1 All unsuccessful attempts to logon to University computer systems must be logged and the connection disabled after three unsuccessful attempts.

3.5.2 Workstations or terminal sessions that are logged in and inactive for an extended period of time, and with no evident process activity may be automatically logged off and the details logged for later review.

3.5.3 Client accounts that remain unused over an extended period of time will be disabled.

4 Data security, confidentiality and privacy

4.1 Computer virus detection and protection may be carried out on central servers. Software will be made available to allow clients to minimise the likelihood of virus attacks on client workstations. Clients are expected to act responsibly by checking their systems and disks.

4.2 Backups of central servers and systems are undertaken as discussed elsewhere in this policy. However, clients are responsible for backing up their own data on floppy disks, network drives, or via other appropriate methods. Central backups are designed primarily for disaster recovery and not for individual file recovery.

4.3 In the normal course of accessing and using University IT resources, clients are provided with information about the computer system as well as information about the University. This information is essentially private to the University.

4.4 The University recognises the right to privacy of client files and communications. However, the University reserves the right to access files when necessary for the maintenance and security of information systems. Authorised personnel may examine files and directories where it is necessary to determine the ownership or recipient of lost or misdirected files, and also where the University has information or evidence that:

  • system integrity is threatened
  • security is compromised
  • an activity has a detrimental impact on the quality of service to other clients
  • the system is being used for purposes which are prohibited under University policies
  • the system is being used for unlawful purposes

4.5 The Internet will be treated as a potentially hostile environment. Only a limited number of central systems will have Internet access. Security on these systems will be tightly controlled. A firewall (or appropriate means to control network access of users and traffic) will be used to protect such systems. All traffic passing through the firewall must be capable of being logged and audited.

5 Business continuity and disaster recovery

5.1 Core systems hardware crucial to the normal operation of the network shall be protected against the effect of short-term electrical power outages and fluctuations by the installation of uninterrupted power supply (UPS) and surge protection devices.

5.2 IT facilities shall be adequately protected against fire and water damage.

5.3 The primary purpose of system backups is to provide for disaster recovery. An appropriate regular backup schedule shall be implemented to protect all data and software. A sufficient number of backups of data and software shall be stored off-site to protect against major damage at one location. The backup procedures shall be clearly defined, tested and documented.

5.4 To assure protection of all information assets and so that the current computing environment may be quickly re-established following a disaster, an inventory of production information systems is to be maintained. This inventory must indicate all existing hardware, software, automated files, databases and data communications links required to maintain the systems.

5.5 A Disaster Recovery Plan shall be implemented which takes into account the University's risk assessment. The plan shall be documented and tested periodically.

6 Security breaches and audits

6.1 Regular auditing shall be carried out on all computer systems to determine conformity to policy, and to satisfy the requirements of the University's internal and external auditors. As a result of any such audit, the University may delete or otherwise modify any data on any computer system that promotes a contravention of this policy in order to re-establish system security.

6.2 All unauthorised access attempts must be logged in a System (Audit Trail) Access Log. This must be reviewed periodically and appropriate action taken. A copy of the report of unauthorised access attempts must be kept for future reference.

6.3 All security breaches or suspected security breaches will require investigation and the preparation of a Security Breach Report. This report will be delivered to the Executive Director of Information Services and will include details on:

  • the general nature of the security breach
  • the general classification of people involved in the security breach, (such as external client, privileged staff member)
  • the computer systems involved in the security breach
  • the details of the security breach
  • the impact of the security breach
  • unrealised, potential consequences of the security breach
  • possible courses of action to prevent a repetition of the security breach and the side-effects of those courses of action

6.4 The University will refer any incident involving a possible breach of State, Federal or International law to the appropriate authority for investigation. The University will give that authority all reasonable assistance requested.

6.5 If a security breach occurs in which a person or organisation external to the University is involved as a potential victim of the breach, the University will refer to the external party the details specific to that party.

6.6 If a security breach involves facilities strictly internal to the University, the University will follow the appropriate University disciplinary procedures.

Back to top