Information Security Policy
| Document Number | 000813 |
|---|---|
| Date Approved | 23 April 2007 |
| Date Last Amended | 20 February 2013 |
1. Introduction
The University of Newcastle routinely gathers, stores, maintains, processes, transmits and disposes of records containing information. That information plays a vital role in supporting the University’s business processes and customer services, in contributing to operational and strategic business decisions, and in conforming to legal and statutory requirements. Accordingly, information must be protected to a level commensurate with its value to the organisation, while being made available to those who need it.
This policy supports the University’s legal obligation to ensure that private information is managed in accordance with the principles outlined in the Privacy and Personal Information Protection Act 1998 No 133, the Health Records and Information Privacy Act 2002, the Protected Disclosures Act 1994, the State Records Act 1998 and the University’s Privacy Management Plan. The provisions of these Acts must be taken into account when applying this policy.
2. Scope
This policy applies to:
- all users of the University of Newcastle’s information, including service providers of the University of Newcastle;
- all information assets encompassing facilities, data, software, paper documents and personnel.
3. Policy Intent
To provide definitive instruction on the safeguarding of personal and proprietary information and thereby protect the University’s reputation and operations from the adverse impact of failures of confidentiality, integrity and availability.
4. Relevant Definitions
In this policy:
availability means the capacity of information systems (i) to be accessible and useable when required, and (ii) to be able to resist attacks and recover from failures;
confidentiality means the principle of protecting information and preventing its disclosure to anybody other than those who have a right and need to know;
information system means any University of Newcastle corporate telecommunications and/or computer related equipment or interconnected system or subsystem of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of voice and/or data;
integrity means a standard of performance that guarantees information is created, amended or deleted only by the intended authorised means.
5. Policy
Information is an asset of the University.
Information used to support the University's operations will be securely stored.
Information will be used in a manner which protects the integrity of the data and the privacy of those associated with it.
Confidential, sensitive and proprietary information will be protected from corruption, loss, unauthorised access and disclosure.
Any guideline or procedure that is developed to implement this policy must:
- ensure the availability of appropriate information and services to its staff and students, customers and business partners;
- minimise the possibility of a threat to information security causing loss or damage to the University of Newcastle, its staff and students, its customers and business partners;
- minimise the extent of loss or damage from a security breach or exposure;
- ensure that adequate resources are applied to implement an effective information security program.
All University of Newcastle staff, students, conjoints, third parties, and government agencies who have access to the University of Newcastle’s information systems will be informed of their responsibilities and obligations with respect to security.
The principles of information security will be consistently and effectively applied during the planning and development of University activities.
Compliance with this policy will be monitored on a regular basis.
6. Essential Supporting Documents
Information Security Classification Policy 000814
Information Security Roles and Responsibilities Policy 000815
Network Security Policy 000816
University Computing and Communications Facilities Conditions of Use Policy 000817
Records Management Policy 000285
Privacy Management Plan 000258
7. Related Documents
AS/NZS 7799.2:2003: Information Security Management - Specification for Information Security Management Systems
Information Security Guideline for NSW Government – Part 1 Information Security Risk Management
Privacy and Personal Information Protection Act 1998 No 133
Health Records and Information Privacy Act 2002
State Records Act 1998
Australian Copyright Act 1968
Copyright Amendment (Digital Agenda) Act 2000
Protected Disclosures Act 1994
NSW State Records Authority Standard on Counter Disaster Strategies for Records and Recordkeeping systems (No. 6)
NSW State Records Authority Standard on Managing a Records Management Program (No. 8)
NSW State Records Authority Standard on Physical Storage of State Records (No. 3)
| Approval Authority | Vice-Chancellor |
|---|---|
| Date Approved | 23 April 2007 |
| Date Last Amended | 20 February 2013 |
| Date for Review | 31 October 2013 |
| Policy Sponsor | Chief Operating Officer |
| Policy Owner | Chief Information Officer |
| Policy Contact | Associate Director, Service Continuity |
| Amendment History | Minor amendment to hyperlink policy documents, The Secretariat, 25 March 2013. Reviewed and updated including consistency of terminology, approved Vice-Chancellor 20 February 2013. |

