Network Security Policy

Document Number: 000816
Date Approved: 23 April 2007
Date Last Amended: 20 February 2013
   

1.      Introduction

The University’s network infrastructure provides the technical foundation for the conduct of its academic, research and administrative functions.

Providing access to information technology and network resources encourages the promotion of scholarship, research & free inquiry, and the interaction of research and teaching.

An essential part of ensuring that access remains available is to ensure that the network is sufficiently secure. The network must - within the limits of the University's resources - be protected to a level commensurate with its value to the University, while being made available to those who need it. A secure network also ensures that the University meets both community expectations and its legal and statutory obligations.

Appropriate network security systems protect the University's reputation and operations from the adverse impact of failures of confidentiality, integrity and availability.

This policy supports the University’s legal obligation to ensure that private information is managed in accordance with the principles outlined in the Privacy and Personal Information Protection Act 1998 No 133, the Health Records and Information Privacy Act 2002, the Protected Disclosures Act 1994, the State Records Act 1998 and the University’s Privacy Management Plan. The provisions of these Acts must be taken into account when applying this policy.

2.      Scope

This policy applies to:

  • any communications networks (existing and future) to which University network equipment is connected;
  • all equipment connected to the networks mentioned above;
  • network administrators managing the equipment;
  • project leaders requiring new equipment to be connected to the network; and
  • all users utilising equipment that is connected to the network.

3.      Policy Intent

To ensure that all network security activities support a culture of communication and information sharing, whilst accommodating the University’s obligations in relation to:

  • providing clear and definitive instruction with regards to the University’s intention to safeguard personal and proprietary information; and
  • the privacy of personal information; and the protection of those University activities and knowledge that are determined to be confidential.

4.      Relevant Definitions

In this policy:

availability means the capacity of information systems (i) to be accessible and useable when required, and (ii) to be able to resist attacks and recover from failures;

default to deny means the setting of the norm to denying access so that specific instruction must be provided to allow access;

confidentiality means the principle of protecting information and preventing its disclosure to anybody other than those who have a right and need to know;

integrity means a standard of performance that guarantees information is created, amended or deleted only by the intended authorised means.

least privilege means the principle that each subject be granted the most restrictive set of privileges needed for the performance of authorised tasks.

device means any piece of network connected equipment.

5.      Policy

Devices connected to the University’s communications network by any means must be protected and data secured by all appropriate measures.

All operating system software, device firmware, application software and other software:

  1. will be protected with the latest security-related patches from the vendor; and
  2. where applicable, will run up-to-date anti-virus software.

In cases where it is not possible to update software or firmware, the device must be protected by other means that limit network access.

Every device connected to the University network must be approved before installation and registered with IT Services.

The fundamental concept of least privilege and default to deny must be applied to all devices connected to the University network.

  1. Allowances must be the exception rather than the rule, and must be based on a legitimate business or academic need.
  2. These exemptions must be negotiated with IT Services before they are implemented or attempted to be implemented.

IT Services reserves the right to proactively deny access in order to preserve the availability and integrity of the network.

6.      Essential Supporting Documents

Information Security Policy 000813

Information Security Classification Policy 000814

Information Security Roles and Responsibilities Policy 000815

University Computing and Communications Facilities Conditions of Use Policy 000817

Records Management Policy 000285

Privacy Management Plan 000258 

7.      Related Documents

AS/NZS 7799.2:2003: Information Security Management - Specification for Information Security Management Systems

Information Security Guideline for NSW Government – Part 1 Information Security Risk Management

University of Newcastle Act 1989

Privacy and Personal Information Protection Act 1998 No 133

Health Records and Information Privacy Act 2002

State Records Act 1998

Australian Copyright Act 1968

 

Approval Authority: Vice-Chancellor
Date Approved: 23 April 2007
Date Last Amended: 20 February 2013
Date for Review: 13 October 2013
Policy Sponsor: Chief Operating Officer
Policy Owner: Chief Information Officer
Policy Contact: Associate Director, Service Continuity
Amendment History

Minor amendment to hyperlink policy documents, The Secretariat, 25 March 2013.

Reviewed and updated including consistency of terminology, approved Vice-Chancellor 20 February 2013.