Information Security Policy

WHAT DO THE INFORMATION SECURITY POLICIES MEAN FOR ME?

The following information provides a “snapshot” of some of the more significant clauses relevant to staff and students.  It does not replace the requirement for you to read and understand the Information Technology Conditions of Use Policy, and the Information Security Policy.

INFORMATION TECHNOLOGY CONDITIONS OF USE POLICY

Some of the important clauses included in the Information Technology Conditions of Use Policy are:

  1. The Conditions of Use Policy constitutes written notice to staff, as required by the Workplace Surveillance Act 2005 (NSW), of the University's ongoing computer surveillance activities. This notice is to be read in conjunction with the existing notice included in the University's CCTV Policy. This clause applies to staff only.
  2. The details of how the University monitors the network (Section 7) set out what is monitored and what you need to be aware of.
  3. The use of peer-to-peer software (e.g. BitTorrent), network anonymisers, hacking tools and cryptocurrency mining software is forbidden on the University network. A list of other software applications that are forbidden on the University network is also maintained.
  4. The use of Personal Devices, including tablets and mobile phones on the University network must be done in accordance with the Policy and the BYOD Procedure. This includes:
    1. Maintaining up-to-date software patches
    2. Requiring a PIN or password to access the device
    3. Having anti-virus software installed and up-to-date
    4. Making your device available to the University for the purposes of any investigation or to securely wipe sensitive University data.
  5. The use of unapproved third-party services (such as Dropbox, Box or Google Drive) to store University data, and the use of unapproved cloud platforms, including Software as a Service (SaaS), to process University information, are prohibited without prior authorisation.

INFORMATION SECURITY POLICY

The Information Security Policy defines guiding principles that underpin how information security is managed at the University. The common thread across these principles is the phrase 'All users'. It is important to remember that we all play a part in protecting information; it is not solely the domain of IT Security, Systems Administrators or Research Technical Officers. The information we aim to protect is not only digital: it also includes spiral-bound paper notepads, conversations with colleagues, even Post-It notes stuck to your monitor. It is everyone's responsibility to help protect the University's information from threats to Confidentiality, Integrity and Availability:

  1. All users are responsible for following these policies to contribute towards managing University information securely.
  2. A risk-based approach to information security should be adopted by all users to help ensure that all information-related risks are managed in a consistent and effective manner.
  3. All users are to assist with the protection of sensitive University data and information to prevent disclosure to unauthorised individuals.
  4. All users must comply with relevant legal and regulatory requirements.
  5. All users are to use or apply approved security solutions and services, where possible, to avoid the creation of disparate IT Security controls.

In addition to the guiding principles in the Information Security Policy, there are 8 supporting Standards, Guidelines and Procedures aligning to key Information Security domains that provide direction on how to manage Information securely. These are:

The Information Security Policy places responsibilities on Information Owners to classify their Information Assets so that the correct security controls are in place. In short, the more sensitive the information, the tighter the controls need to be. Information Owners are charged with reviewing the security classification at least annually, and with ensuring that the corresponding System Owners and System Administrators are applying appropriate protections.