Information Security Roles and Responsibilities Policy
|Date Approved||23 April 2007|
TheUniversity of Newcastle routinely gathers, stores, maintains, processes, transmits and disposes of records containing information in the course of its day to day operations. Responsibility for ensuring the secure and consistent management of that information rests with appointed individuals and groups.
This policy supports the University’s legal obligation to ensure that private information is managed in accordance with the principles outlined in the Privacy and Personal Information Protection Act 1998 No133, the Health Records and Information Privacy Act 2002, the Protected Disclosures Act 1994 and the State Records Act 1998 and the Universities Privacy Management Plan. The provisions of these Acts must be taken into account when applying this policy.
2. Policy Intent:
To provide a clear delineation of responsibility for the management of information that will ensure that access to information is both controlled and authorised.
This policy endorses the University’s Information Security Management System (ISMS).
3. Relevant Definitions:
In this policy:
availability means the capacity of information systems to be: (i) accessible and useable when required, and (ii) able to resist attacks and recover from failures;
confidentiality means the principle of protecting information and preventing its disclosure to anyone other than those who have a right and need to know;
information lifecycle means the series of stages in the life of information from inception to archiving or disposal;
information system means any University of Newcastle corporate telecommunications and/or computer related equipment or interconnected system or subsystem of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of voice and/or data;
integrity means a standard of performance that guarantees information is created, amended or deleted only by the intended authorised means;
least privilegemeans the principle that each subject be granted the most restrictive set of privileges needed for the performance of authorised tasks (aka ‘need to know’);
security classification means the process of assigning value to data in order to manage it according to its sensitivity to loss or disclosure.
The University assigns particular responsibility for information security to Information owners, custodians and users.
4.1. Information Owner
i. Information processed by an information system will have an identified owner. This responsibility will be formally assigned and documented.
ii. Information Owners will be senior business or faculty unit managers who have been given the authority to collect, create, retain and maintain information and information systems within their assigned area of control.
iii. The Information Owner may delegate some operational responsibilities, but will retain accountability
iv. The Information Owner will be required to:
· determine (i) the value of the information within the information system (ii) the statutory requirements regarding privacy and retention;
· assign an appropriate security classification label in consultation with the Records Management Office and staff in the Corporate Information Unit ;
· assign custody of the information;
· authorise access to the Information;
· specify controls to ensure confidentiality, integrity and availability;
· communicate the control requirements to the custodian and users of the information;
· develop a disaster recovery or business continuity plan for the information which identifies (i) any potential risks and (ii) vital information, and communicate this to the Information Custodian
4.2. Information Custodian
i. Information Custodians are those individuals who control information systems regardless of physical or logical location, storage medium, technology used, or the purpose(s) they serve.
ii. The Information Custodian will be responsible for the administration of controls as specified by the owner. This task will include:
· evaluating the cost-effectiveness of controls based on the classification attributed by the owner;
· implementing physical and or technical controls;
· administering access to information;
· ensuring the availability of information by implementing appropriate recovery options based on the business criticality of the information in their possession, as per the disaster recovery or business continuity plan produced by the Information Owner
4.3. Information User
i. Information Users are individuals who have been granted explicit authorisation by the relevant Information Owner to access, alter, destroy, or use information within an information system.
ii. An Information User will be responsible for:
· using the information only for the purpose intended by the owner;
· complying with all controls established by the owner and custodian;
· ensuring that classified or sensitive information is not disclosed to anyone without permission of the owner.
5. Essential Supporting Documents
Information Security Policy
Information Security Classification Policy.
Network Security Policy
University of Newcastle Computing and Communications Facilities Conditions of Use
Records Management Policy
University of Newcastle Privacy management Plan
6. Related Documents:
AS/NZS 7799.2:2003: Information Security Management - Specification for information security management systems
NSW Department of Commerce Information Management - Classification Guideline
Privacy and Personal Information Protection Act 1998 No 133
Health Records and Information Privacy Act 2002
State Records Act 1998
Australian Copyright Act 1968
Copyright Amendment (Digital Agenda) Act 2000
Protected Disclosures Act 1994
NSW State Records Authority Standard on Counter Disaster Strategies for Records and Recordkeeping systems (No. 6)
NSW State Records Authority Standard on Managing a Records Management Program (No. 8)
|Date Approved||23 April 2007|
|Date for Review||23 April 2010|
|Policy Sponsor||Deputy Vice-Chancellor (Services)|
|Policy Owner||Chief Information Officer|
|Policy Contact||Associate Director, Infrastructure|