Information Security Policy
WHAT DO THE INFORMATION SECURITY POLICIES MEAN FOR ME?
The following information provides a “snapshot” of some of the more significant changes relevant to staff and students. It does not replace the requirement for you to read and understand the updated Information Technology Conditions of Use Policy, and the new Information Security Policy.
These revised and new documents are effective from April 2017.
INFORMATION TECHNOLOGY CONDITIONS OF USE POLICY
The University Computing and Communications Facilities Conditions of Use Policy has been renamed to the Information Technology Conditions of Use Policy. The previous policy was created in 2007 and has had some minor changes over the years. This update is a major revision with the title changed to more clearly reflect the intent and scope of the Policy.
The main changes introduced by the updated Policy are as follows:
- The Conditions of Use Policy constitutes written notice to staff, as required by the Workplace Surveillance Act 2005 (NSW), of the University's ongoing computer surveillance activities. This notice is to be read in conjunction with the existing notice included in the University's CCTV Policy. This change applies to staff only.
- The use of peer-to-peer software (e.g. BitTorrent) is now forbidden on the University network. A list of other software applications that are forbidden on the University network will also be maintained and published.
- The use of Personal Devices, including tablets and mobile phones, on the University network must be in accordance with the Policy and the BYOD Procedure. This includes:
  - Maintaining up-to-date software patches
  - Requiring a PIN or password to access the device
  - Having anti-virus software installed and up-to-date
  - Making your device available to the University for the purposes of any investigation, or to securely wipe sensitive University data
- The details of how the University monitors the network (Section 8) have been updated to provide more clarity about what we do and what you need to be aware of.
- Passwords will need to be changed annually (please note: implementation will be phased and is not expected to commence until late 2017).
INFORMATION SECURITY POLICY
The Information Security Policy defines guiding principles that underpin how Information Security is to be managed at the University. The common thread across these principles is the phrase 'All users'. It is important to remember that we all play a part in protecting information; it is not solely the domain of IT Security, Systems Administrators or Research Technical Officers. The information we aim to protect is not just digital in nature: it also includes spiral-bound paper notepads, conversations with colleagues, even Post-it notes stuck to your monitor. It is everyone's responsibility to play their part in protecting the University's information from threats to Confidentiality, Integrity and Availability:
- All users are responsible for following these policies to contribute towards managing University information securely.
- All users should adopt a risk-based and risk-averse approach to Information Security.
- All users are to protect sensitive University data and information in order to prevent unauthorised disclosure.
- All users must comply with relevant legal and regulatory requirements.
- All users should re-use existing approved security solutions where possible, to avoid the creation of disparate controls across the University.
In addition to the guiding principles in the Information Security Policy, there are 8 supporting Standards, Guidelines and Procedures, aligned to seven key Information Security domains, that provide direction on how to manage information securely. These are:
- Human Resource Security - Human Resource Information Security Guidelines
- Asset Management - Information Security Data Classification Procedure
- Access Control - Information Security Access Control Procedure
- Physical & Environmental Security - Information Security Physical and Environmental Security Procedure
- Operations Management - Information Security Operations Management Procedure & Patch Management Procedure
- Telecommunications Security - Network Security Procedure
- Incident Management - Information Security Incident Management Guidelines
The Information Security Policy places responsibility on Information Owners to classify their Information Assets so that the correct security controls are put in place. In short, the more sensitive the information, the tighter the controls need to be. Information Owners are charged with reviewing the security classification at least annually, and with ensuring that the corresponding System Owners and Administrators are applying appropriate protections.