1. Purpose of policy
The University is committed to the management of risks associated with Information and Communication Technology (ICT) assets and the reduction of ICT security incidents. This policy outlines the framework that reflects this commitment and addresses security issues related to the confidentiality, integrity and availability of information housed in ICT systems.
The responsibility for protecting ICT systems and information rests with all staff, students and third parties who use or have involvement with the systems. Both the University ICT user community and IT Services have responsibilities to ensure compliance with this Policy. The end-to-end information security management process will operate at an optimal level where each party is educated about and aware of the other’s responsibilities in that process, and where commitment to individual responsibilities is high. Generally, IT Services will advise Business System Owners on the design of information security internal controls and implement them as directed by Business System Owners, having regard to industry good practice. IT Services will retain full responsibility for information assets within the IT Services ICT environment, excluding non-ICT resources (e.g. printed records).
This policy is consistent with the Queensland Government’s Information Standard IS18 and the ISO/IEC 27001 standard.
2. Application of policy
This policy applies to all staff, students and other members of the University community who may access and use the University’s information assets.
Please refer to the University’s Glossary of Terms for policies and procedures. The terms and definitions set out below are specific to this policy and are critical to its effectiveness:
Business System Owner means the nominated individual who has responsibility for the security of the data and application components of the Information Asset and who is also accountable for those aspects of the Information System.
Business System means any Information System which is critical to the ongoing operations of the University and would cause losses to the University if data integrity is compromised or if the system becomes unavailable.
Cost Centre Manager means the most senior officer or member of staff responsible for the management of a faculty, a management or support service, an administrative area, or a sub-section of one of these that is specifically identified for allocation of funding within the University’s budget framework.
End-User Developed System means an Information System developed by one or more individuals outside the University’s IT Services development guidelines (e.g. an Excel spreadsheet or Access database).
Information Asset means all significant software, hardware and data used in the management of the related University information resources. (Note: this may include non-ICT resources, e.g. printed records.)
Information Classification means the categorisation of an Information Asset for the purposes of identifying the security controls required to protect that asset (see section 4.1, below).
Information System means an electronic system that manages data related to the Information Asset.
ICT Security Management Manual means a collection of artefacts set out in the USC ICT Security Policy framework, consistent with the Queensland Government’s Information Standard IS18 and the ISO/IEC 27001 standard.
Segregation of Duties means a separation of responsibilities in undertaking a task to minimise the likelihood of compromising security.
Third Party University Clients means contractors, consultants, adjunct appointments and other individuals who are not University staff or students but who require access to University Information Systems.
University Clients means staff and students of the University as well as Third Party University Clients.
4. Information System Classification
4.1 Each Information System will require its own level of security based on its Information Classification. The University classifies Information Systems within the following categories:
a) Public – information of a nature which does not warrant any restrictions on access from the community at large (e.g. the corporate website).
b) Internal (University Clients) – information which relates to University activities and which is of relevance in terms of application to or use by all members of the University community.
c) Restricted – information generated or utilised in the operation of University functions or business activities which require restrictions based on functional need, institutional risks and legislative requirements (e.g. personal privacy, commercial value, etc). Access may be necessary by a range of University Clients to carry out University activities. Examples may include staff and student personal information, financial information, information on commercial dealings or activities, and audit information.
5. Accountabilities and responsibilities
5.1 All Information Systems must be uniquely identified, assigned a Business System Owner and given an Information Classification. The Business System Owner is responsible for adherence to this policy in relation to the Information System to which they are assigned. The University’s Information Systems, their responsible Business System Owners and their Information Classification will be identified in the Schedule: Information Systems, Owners and Classification, and indicative (but not exhaustive) responsibilities of IT Services and the Business System Owner for each part of this policy are identified in the Schedule: Information Systems Responsibilities.
5.2 ITS is responsible for monitoring the University’s IT network infrastructure, including all hardware and communications links, and addressing any audit issues that may be identified in relation to these items.
5.3 Business System Owners are responsible for monitoring their Information System, authorising and revoking access (for Information Systems classified as Restricted) and addressing any audit issues that may be identified, with the assistance of ITS.
5.4 To avoid breaches of legal, statutory, regulatory, contract or privacy obligations the Director, IT Services will ensure that:
- ITS will monitor compliance with obligations with regard to the University’s IT network infrastructure;
- ITS will assist Business System Owners, as required, in monitoring compliance with obligations with regard to the University’s Information Systems and Information Assets; and
- assistance is provided as required for the purpose of internal and/or external audits, including reporting on the status of audit issues.
5.5 The Director, IT Services is responsible for ensuring that a central authentication system (such as usernames and passwords for the network) is available and provides secure access by University Clients to Information Systems classified as Internal.
5.6 The Director, IT Services is responsible for maintaining an ICT Security Management Manual in support of this Policy.
5.7 All University Clients who are to have access to the University’s Information Systems are to be made aware of this policy and their responsibility for maintaining information security.
5.8 Each Business System Owner is to ensure that staff are trained in the effective use of their Information System.
6. Physical and system access control
6.1 Access to Information Systems at the University is to be provided to University Clients for the purpose of carrying out work, study or other activities as agreed with the University and as appropriate to the client’s role. Unattended access equipment (e.g. a PC) is to be protected through physical or electronic means (e.g. a system timeout). ITS will advise Business System Owners on the design of such controls and implement them as directed by Business System Owners, having regard to industry good practice.
6.2 Physical access controls for the University premises will be implemented in accordance with the risk and the importance of the Information Asset to be protected following consultation between the business and ITS.
6.3 Security risks should be assessed and managed in relation to the physical location of an Information Asset, particularly where this location is offsite from University premises.
6.4 Appropriate control mechanisms (e.g. Username and password) will be in place for authenticating access to all non-Public Information Systems and Information Assets. Access control must be in accordance with the Information Classification.
6.5 Access granted to Third Party University Clients is to take into account the risks involved, with adequate controls put in place to protect the University’s Information Assets (e.g. the most limited access rights in the system that still allow the work to be carried out). In addition, the Business System Owner may require Third Party University Clients to sign a University confidentiality agreement.
6.6 In assessing risks to Information Systems, the Business System Owner must consider the security of the information in all media formats that will be used (e.g. hardcopy). Consideration is also required where information may be stored on mobile equipment which can be transported offsite (such as laptops, USB sticks and mobile phones); however, it is the responsibility of ITS to lock access to mobile media on individual systems where practical.
6.7 Remote access to Restricted Information Systems will only be provided by ITS with the explicit authorisation of the Business System Owner.
6.8 Ownership of information, data and software within the University is assigned in a manner consistent with the University’s Intellectual Property – Governing Policy or with other contracts and agreements.
7. Operations management
7.1 Operations management procedures in relation to this policy will be maintained within the ICT Security Management Manual.
7.2 Changes to Information Systems will be subject to formal testing and change control procedures.
7.3 To reduce risk in the use of Information Systems, the Business System Owner (in consultation with ITS) should ensure that there is an appropriate Segregation of Duties. ITS will advise Business System Owners on the design of such controls and implement them as directed by Business System Owners, having regard to industry good practice.
7.4 ITS will ensure that appropriate systems are in place to facilitate the detection of malicious software and the prevention of its introduction into the University’s ICT environment (e.g. the use of antivirus software).
7.5 The installation of unauthorised information and communications technology on the campus network is prohibited (e.g. installation of hardware or network software; physical interference with hardware, network connections, or cabling, etc).
7.6 Backups will be in place for all Information Systems. Backup media will be protected in a location separate from the Information Systems. Operation, support and maintenance of backups and backup regimes are the responsibility of ITS, after consultation with Business System Owners, who will confirm the items to be backed up.
7.7 Appropriate activity logging will be in place for all Information Systems.
7.8 ICT Security incidents will be dealt with in a manner consistent with the University’s Critical Incident Management – Managerial Policy.
7.9 Confidential information is only to be transmitted across any accessible part of the network in a secure manner (preferably using encryption). ITS will provide the means and/or training for users to be able to do this.
7.10 Business continuity is to be managed in accordance with the University’s Business Continuity Management – Managerial Policy.
8. Information Systems development and maintenance
8.1 Information Systems will be developed in accordance with the USC Application Development Guide.
8.2 Information security requirements will be addressed wherever possible as part of the acquisition, implementation or development of the Information System.
8.3 Cost Centre Managers must ensure that any software developed for their area has adequate security features and that these are implemented to the satisfaction of any internal or external audit review. The development of these controls may require liaison with and/or support from IT Services and other Cost Centres.
8.4 Where business continuity is critical, End-User Developed Systems will be avoided or, where they are critical to ongoing operations, will be institutionalised and brought under the management of ITS.
9.1 The University monitors and logs activity on its Information Systems and carries out security audits on these systems as required. The University reserves the right to access individual files.
9.2 The security of the University’s Information Systems and resources will be audited periodically and reported to appropriate University committees.
9.3 Breaches of this policy shall be treated as misconduct or serious misconduct and will be dealt with under relevant University policies including the Staff Code of Conduct – Governing Policy, and the Student Conduct and Discipline – Governing Policy. The University reserves the right to restrict access by an individual to information technology resources when faced with evidence of a breach of University policies or law. Breaches that violate State or Commonwealth law shall be reported to the appropriate authorities.