Information and Communication Technology (ICT) Security - Managerial Policy


Responsible officer: Vice-Chancellor and President
Designated officer: Director, Information Technology Services
Approving authority: Vice-Chancellor and President
Approval: C09/77, 8 December 2009
Last amended:
Effective starting date: 9 December 2009
Any policies replaced by this policy: IT Security Policy
Policy number: O25.
Related policies:

Due date for next review: 8 December 2014

Part A: Preliminary

1. Purpose of policy

The University is committed to the management of risks associated with Information and Communication Technology (ICT) assets and the reduction of ICT security incidents. This policy outlines the framework that reflects this commitment and addresses security issues related to the confidentiality, integrity and availability of information housed in ICT systems.

The responsibility for protecting ICT systems and information rests with all staff, students and third parties who use or have involvement with the systems. Both the University ICT user community and IT Services (ITS) have responsibilities to ensure compliance with this Policy. The end-to-end information security management process will operate at an optimal level where education and awareness of each party’s responsibilities in that process, and commitment to individual responsibilities, are high. Generally, IT Services will advise Business System Owners on the design of information security internal controls and implement them as directed by Business System Owners, having regard to industry good practice. IT Services will retain full responsibility for information assets within the IT Services ICT environment, excluding non-ICT resources (e.g. printed records).

This policy is consistent with the Queensland Government’s Information Standard IS18 and the ISO/IEC 27001 standard.

2. Application of policy

This policy applies to all staff, students and other members of the University community who may access and use the University’s information assets.

3. Definitions

In this policy the following definitions apply:

Business System Owner means the nominated individual who has responsibility for the security of the data and application component of the Information Asset and is also accountable for those aspects of the Information System.

Business System means any Information System which is critical to the ongoing operations of the University and would cause losses to the University if data integrity is compromised or if the system becomes unavailable.

Cost Centre Manager means the most senior officer or member of staff responsible for the management of a faculty, a management or support service, an administrative area, or a sub-section of one of these which is specifically identified for allocation of funding within the University’s budget framework.

End-User Developed System means an Information System developed by an individual(s) outside the University’s IT Services development guidelines (e.g. an Excel spreadsheet or Access database).

Information Asset means all significant software, hardware and data used in the management of the related University information resources. (Note: this may include non-ICT resources, e.g. printed records.)

Information Classification means the categorisation of an Information Asset for the purposes of identifying the security controls required to protect that asset (see section 4.1, below).

Information System means an electronic system that manages data related to the Information Asset.

ICT Security Management Manual means a collection of artefacts set out in the USC ICT Security Policy framework, consistent with the Queensland Government’s Information Standard IS18 and the ISO/IEC 27001 standard.

Segregation of Duties means a separation of responsibilities in undertaking a task to minimise the likelihood of compromising security.

Third Party University Clients means contractors, consultants, adjunct appointments and other individuals who are not University staff or students but who require access to University Information Systems.

University Clients means staff and students of the University as well as Third Party University Clients.

Part B: Policy

4. Information System Classification

4.1 Each Information System will require its own level of security based on its Information Classification. The University classifies Information Systems within the following categories:

a) Public – information of a nature which does not warrant any restrictions on access from the community at large (e.g. the corporate website).
b) Internal (University Clients) – information which relates to University activities and which is of relevance in terms of application to or use by all members of the University community.
c) Restricted – information generated or utilised in the operation of University functions or business activities which require restrictions based on functional need, institutional risks and legislative requirements (e.g. personal privacy, commercial value, etc). Access may be necessary by a range of University Clients to carry out University activities. Examples may include staff and student personal information, financial information, information on commercial dealings or activities, and audit information.

5. Accountabilities and responsibilities

5.1 All Information Systems must be uniquely identified, assigned a Business System Owner and given an Information Classification. The Business System Owner is responsible for adherence to this policy in relation to the Information System to which they are assigned. The University’s Information Systems, their responsible Business System Owners and their Information Classification are identified in the Schedule: Business Systems, Owners and Classification, and indicative (but not exhaustive) responsibilities of IT Services and the Business System Owner for each part of this policy are identified in the Schedule: Business Systems Responsibilities.

5.2 ITS is responsible for monitoring the University’s IT network infrastructure, including all hardware and communications links, and addressing any audit issues that may be identified in relation to these items.

5.3 Business System Owners are responsible for monitoring their Information System, authorising and revoking access (for Information Systems classified as Restricted) and addressing any audit issues that may be identified, with the assistance of ITS.

5.4 To avoid breaches of legal, statutory, regulatory, contract or privacy obligations the Director, IT Services will ensure that:

  • ITS will monitor compliance with obligations with regard to the University’s IT network infrastructure;
  • ITS will assist Business System Owners in monitoring compliance with obligations with regard to the University’s Information Systems and Information Assets as required; and
  • assistance is provided as required for the purpose of internal and/or external audits, including reporting on the status of audit issues.

5.5 The Director, IT Services is responsible for ensuring that a central authentication system (such as usernames and passwords for the network) is available and provides secure access by University Clients to Information Systems classified as Internal.

5.6 The Director, IT Services is responsible for maintaining an ICT Security Management Manual in support of this Policy.

5.7 All University Clients who are to have access to the University’s Information Systems are to be made aware of this policy and their responsibility for maintaining information security.

5.8 Each Business System Owner is to ensure that staff are trained in the effective use of their Information System.

6. Physical and system access control

6.1 Access to Information Systems at the University is to be provided to University Clients for the purpose of carrying out work, study or other activities as agreed with the University and as appropriate to the client’s role. Unattended access equipment (e.g. a PC) is to be protected through physical or electronic means (e.g. a system timeout). ITS will advise Business System Owners on the design of these controls and implement them as directed by Business System Owners, having regard to industry good practice.

6.2 Physical access controls for the University premises will be implemented in accordance with the risk and the importance of the Information Asset to be protected following consultation between the business and ITS.

6.3 Security risks should be assessed and managed in relation to the physical location of an Information Asset, particularly where this location is offsite from University premises.

6.4 Appropriate control mechanisms (e.g. username and password) will be in place for authenticating access to all non-Public Information Systems and Information Assets. Access control must be in accordance with the Information Classification.

6.5 Access granted to Third Party University Clients is to take into account the risks involved, with adequate controls put in place to protect the University’s Information Assets (e.g. the most limited access rights in the system that still allow the work to be carried out). In addition, the Business System Owner may require Third Party University Clients to sign a University confidentiality agreement.

6.6 In assessing risks to Information Systems, the Business System Owner must consider the security of the information in all media formats that will be used (e.g. hardcopy). Consideration is also required where information may be stored on mobile equipment which can be transported offsite (such as laptops, USB sticks and mobile phones); however, it is the responsibility of ITS to lock access to mobile media on individual systems where practical.

6.7 Remote access to Restricted Information Systems will only be provided by ITS with the explicit authorisation of the Business System Owner.

6.8 Ownership of information, data and software within the University is assigned in a manner consistent with the University’s Intellectual Property Policy or with other contracts and agreements.

7. Operations management

7.1 Operations management procedures in relation to this policy will be maintained within the ICT Security Management Manual.

7.2 Changes to Information Systems will be subject to formal testing and change control procedures.

7.3 To reduce risk in the use of Information Systems, the Business System Owner (with consultation from ITS) should ensure that there is an appropriate Segregation of Duties. ITS will advise Business System Owners on design and implement as directed by Business System Owners, having regard to industry good practice.

7.4 ITS will ensure that appropriate systems are in place to facilitate the detection and prevention of the introduction of malicious software into the University’s ICT environment (e.g. the use of antivirus software).

7.5 The installation of unauthorised information and communications technology on the campus network is prohibited (e.g. installation of hardware or network software; physical interference with hardware, network connections, or cabling, etc).

7.6 Backups will be in place for all Information Systems. Backup media will be protected in a location separate from the Information Systems. Operation, support and maintenance of backups and backup regimes are the responsibility of ITS, after consultation with Business System Owners to confirm the items to be backed up.

7.7 Appropriate activity logging will be in place for all Information Systems.

7.8 ICT Security incidents will be dealt with in a manner consistent with the University’s Critical Incident Management - Institutional Operating Policy.

7.9 Confidential information is only to be transmitted across any accessible part of the network in a secure manner (preferably using encryption). ITS will provide the means and/or training for users to be able to do this.

7.10 Business continuity is to be managed in accordance with the University’s Business Continuity Management – Managerial Policy.

8. Information Systems development and maintenance

8.1 Information Systems will be developed in accordance with the USC Application Development Guide.

8.2 Information security requirements will be addressed wherever possible as part of the acquisition, implementation or development of the Information System.

8.3 Cost Centre Managers must ensure that any software developed for their area has adequate security features and that these are implemented to the satisfaction of any internal or external audit review. The development of these controls may require liaison with and/or support from IT Services and other Cost Centres.

8.4 Where business continuity is critical, End-User Developed Systems will be avoided, or, where they are critical to ongoing operations, will be institutionalised and brought under the management of ITS.

9. Compliance

9.1 The University monitors and logs activity on its Information Systems and carries out security audits on these systems as required. The University reserves the right to access individual files.

9.2 The security of the University’s Information Systems and resources will be audited periodically and reported to appropriate University committees.

9.3 Breaches of this policy shall be treated as misconduct or serious misconduct and will be dealt with under relevant University policies including the Code of Conduct - Governing Policy, and the Student Conduct and Discipline - Governing Policy. The University reserves the right to restrict access by an individual to information technology resources when faced with evidence of a breach of University policies or law. Breaches that violate State or Commonwealth law shall be reported to the appropriate authorities.

END

Schedule: Business Systems, Owners and Classification

Business System | Business System Owner | Classification
Building Management | Director, Facilities Management | Restricted
Card Access | Director, Facilities Management | Restricted
Career Guidance | Director, Student Services | Restricted
Career Placement | Director, Student Services | Restricted
Corporate Website and Content Management System | Director, Marketing and Communications | Public
Donor / Friend / Alumni Management | Executive Officer, Foundation | Restricted
Facilities Management | Director, Facilities Management | Restricted
Finance | Chief Financial Officer | Restricted
Human Resources / Payroll | Director, Human Resources | Restricted
International Relations Information System | International Relations Director | Restricted
IT Service Management | Director, IT Services | Restricted
Learning Management | Manager, Office of Learning and Teaching | Internal
Leisure Management | Director, Facilities Management | Restricted
Library | Director, Information Services | Public
Media Content Management | Director, Marketing and Communications | Restricted
Network Drives – Departmental | Cost Centre Managers | Restricted
Network Drives – Staff | Director, IT Services | Restricted
Network Drives – Student | Director, IT Services | Internal
Online Surveys | Director, Strategic Information Analysis Unit | Restricted
Portal | Director, Information Services | Internal
Records Management | Director, Information Services | Restricted
Research Management | Manager, Office of Research | Restricted
Research Repository | Director, Information Services | Public
Risk Management | Director, Facilities Management | Restricted
Staff Email | Director, IT Services | Internal
Student Email | Director, IT Services | Internal
Student Information | Director, Student Administration | Restricted
Student Printing | Director, Information Services | Restricted
Student Feedback | Director, Strategic Information Analysis Unit | Restricted
Telephone | Director, IT Services | Restricted
Timetabling | Director, Facilities Management | Restricted
University Network Access | Director, IT Services | Internal


Schedule: Business Systems Responsibilities

Policy reference | Description | Responsibilities - Business System Owner (BSO) | Responsibilities - IT Services (ITS)
4.1 | Information system classification. | Determine a classification in conjunction with IT Services. | Where IT Services is the owner, classify the system appropriately. Where not, classify the system in conjunction with the BSO.
5.1 | Unique identification and designation of a Business System Owner for each information system/application. | Within the relevant functional area, the most senior officer or member of staff responsible for the management of a faculty, a management or support service, an administrative area, or a sub-section which is specifically identified for allocation of funding within the University’s budget framework is assigned the role of Business System Owner. | In conjunction with the business and appropriate stakeholders, confirm the BSO for all major Information Systems/Applications.
5.2 | Monitoring the University’s IT network infrastructure and addressing audit issues. | No responsibility, except to notify ITS if they become aware of any network infrastructure issues or concerns. | Monitor the University’s IT network infrastructure and address audit issues related to this.
5.3 | Monitoring, authorising and revoking access and addressing audit issues. | Monitor, authorise and revoke user access as required with the tools and means provided by ITS. | Action requests from the BSO, and provide the BSO with the means to perform the tasks, or perform the tasks requested by the BSO.
5.4 | Avoid breaches of legal, statutory, regulatory, contract or privacy obligations. | Work in conjunction with ITS to provide guidance as to compliance with legal, statutory, regulatory, contract or privacy obligations. | Assist the BSO in monitoring compliance with obligations with regard to the University’s Information Systems and Information Assets, and assist in internal and/or external audits, including reporting on the status of audit issues.
5.5 | Central authentication system. | No responsibility to implement the system, but bring to the attention of ITS if it is found that a restricted system can be accessed without authenticating. | Ensure that the centralised authentication system is implemented and that restricted systems are only accessible after users have authenticated through the system.
5.6 | Maintenance of the ICT Security Management Manual. | Provide advice to IT Services as to changes in policies and procedures which may affect the ICT Security Management Manual (to avoid breaches of legal, statutory, regulatory, contract or privacy obligations). | Maintain the ICT Security Management Manual.
5.7 | Policy awareness. | Advise University Clients of security responsibilities specific to the system. | Advise University Clients of the security policy and general security responsibilities.
5.8 | Staff training. | Ensure that staff using the system are trained in its use. | Ensure that staff using IT systems are trained in their use.
6.1, 6.2, 6.3 | Access to Information Systems at the University; physical access controls for the University premises; assessment and management of security risks. | Work with ITS to assess the risks and implement physical security measures where the system is not housed in the ITS data centre. | Provide access to the systems, and implement and maintain physical security of the systems when they are housed within the ITS data centre. Provide the mechanisms on the systems for system lockout and authentication. Provide advice and help BSOs to implement physical security for systems which are not housed in the ITS data centre.
6.5 | Third Party University Clients. | Ensure the third party signs a confidentiality agreement, and after access has been assigned to the network, assign the lowest level of access to the application. | Ensure that third parties receive the lowest level of access to the systems administered by ITS, and only provide access to the network after receiving a signed third party confidentiality agreement.
6.6 | Security of the information in all media formats that will be used. | Consult with ITS to consider the security of media. | In conjunction with BSOs, decide whether the use of certain media on systems is to be restricted, and implement the restrictions.
6.7 | Remote access to Restricted Information Systems. | Approve or deny users for remote access to the systems they are responsible for. | Provide the mechanisms and infrastructure for remote access, and provide the access after permission from the BSO is received.
6.8 | Ownership of information, data and software within the University. | Ensure ownership of information, data and software within the University for which the BSO is responsible is assigned in a manner consistent with the University’s Intellectual Property Policy or with other contracts and agreements. | Ensure ownership of information, data and software within ITS is assigned in a manner consistent with the University’s Intellectual Property Policy or with other contracts and agreements.
7.1 | Operations management procedures. | In consultation with ITS, develop procedures to fulfil the duties of this policy, and provide them to ITS for inclusion in the Information Security Management Manual. | Incorporate procedures gained from BSOs into the ICT Security Management Manual.
7.2 | Changes to Information Systems. | Make changes to systems in accordance with ITS policy and procedures to ensure the confidentiality, integrity and availability of data. | Implement, maintain and enforce the use of a single, overarching IT change management policy for the University, including all phases from request, development, testing and authorisation to implementation.
7.3 | Segregation of Duties. | In consultation with ITS, ensure Segregation of Duties exists for roles and responsibilities within the application, and consider segregation when making changes to users' access as well as to roles and responsibilities themselves. | Assist the BSO in developing and maintaining Segregation of Duties within their systems.
7.4 | Detection and prevention of malicious software. | No responsibility to implement antivirus, but inform ITS if the system is compromised. | Implement antivirus application(s) on the University network.
7.5 | The installation of unauthorised information and communications technology on the network. | No responsibility, except to notify ITS if they become aware of any unauthorised information and communications technology on the network. | Apply policies to the underlying systems and network to prevent the installation of unauthorised software.
7.6 | Backup of Information Systems. | Inform ITS of backup requirements for their application. | Operate, support, maintain, and ensure the ongoing testing of backups, and that backup media is moved offsite. Back up systems as required by BSOs.
7.7 | Appropriate activity logging. | If the system allows, turn on activity logging and periodically review the logs either manually or automatically. Review the logs provided by ITS (if any). | As far as practical, log all activities performed on the network, and provide the logs to BSOs for review. Alternatively, use an application to report on the logs automatically.
7.8 | ICT Security incidents. | Inform ITS of any security incidents. | Investigate known incidents in accordance with the University’s Critical Incident Management - Institutional Operating Policy.
7.9 | Transmission of confidential information. | Use the means provided by ITS to transmit data in an encrypted manner. | Provide the means for all staff and users to transmit data in an encrypted manner, such as via a secured file transfer service.
7.10 | Business continuity management. | Ensure that appropriate Business Continuity plans are developed and in place and that these are aligned with the IT Services Disaster Recovery plans for the application. | Ensure that appropriate Disaster Recovery plans are developed and in place and that these are aligned with the Business Continuity plans for the application.
8.2 | Information security requirements. | Ensure ITS is aware of any specific information security requirements for the business unit so they can be addressed as part of the acquisition, implementation, development or enhancement of the Information System/application. | Address information security requirements, including those specified by the BSO, as part of the acquisition, implementation, development or enhancement of the Information System.
8.4 | End-User Developed Systems. | Ensure ITS is aware of, and kept up to date on, any End-User Developed applications (such as Excel spreadsheets or Access databases) used by the business unit which are being relied upon heavily. | If informed of any important End-User Developed applications where continuity and support become critical, ensure these are institutionalised and brought under the control of either ITS or the relevant department.
9.1 | Activity monitoring and logging. | Liaise with both ITS (if appropriate) and the authority requesting to review logs, and provide the data required. | Provide the means for the University to monitor and log activities performed on the systems and network.
9.2 | Periodic IT security audits. | Liaise with ITS and the auditors to provide the requested data. | Liaise with the BSO and the auditors to provide the requested data.
9.3 | Breaches of the Policy. | Restrict access for specific users to the application after being instructed by the relevant governing body. | Restrict access for specific users to the network after being instructed by the relevant governing body.

END

Updated: 09 Jan 2012