Information Security Policy - Layman's Terms
Information Security Policy
This article does not replace the requirement for you to read and understand the updated Information Technology Conditions of Use Policy, and the new Information Security Policy.
Information Security Policy in a nutshell, by domain:
Human Resources Security
Be sure to consider any Information Security requirements:
- When recruiting,
- When managing your staff, and
- When your staff leave the University.
ALL staff must complete the Information Security Awareness Training module in Discover as part of their on-boarding process, and annually thereafter.
The IT Security team will strive to maintain a register of the University's major Information Assets and the nominated Information Owner, e.g.:
- Student data - University Registrar
- Finance Data - CFO
- Human Resource Data - Director of HR
The identified Information Owners must classify their Information Assets according to the security classifications in the Information Security Data Classification Procedure; and must review this security classification annually.
System Owners must apply security controls commensurate with the security classification of the data the system holds.
All users must adhere to the Data Handling Requirements for any data with which they interact, with respect to its security classification.
Access to ICT Resources and Information Assets must only be granted via a controlled and auditable process, as approved by the nominated Information Owner (or delegate).
All users must ensure the absolute privacy and security of all passwords and security devices under their control. Security devices can include a phone used for 2-Factor authentication, and even your staff ID which provides proximity access to rooms and facilities.
Physical and Environmental Security
The Information Security Physical and Environmental Security Procedure outlines steps to observe to help protect physical ICT facilities such as data centres, network rooms, servers and hardware. You should read and understand this document if you’re involved in securing any of these.
All processes relating to Information Assets should be recorded in a Standard Operating Procedure (SOP). An SOP is a step-by-step instruction manual for important processes involving University IT Assets and Information Assets. The SOP should be written such that it completely and accurately describes a process, so as to avoid the incorrect handling of systems and information, with the aim of protecting the Confidentiality, Integrity and Availability of that information.
Any changes to systems must go through proper change management, i.e. they should be appropriately developed, tested and commissioned commensurate with risk.
System Owners must ensure that there are sufficient controls in place against malicious code, e.g. Anti-virus, Intrusion Prevention Systems, Firewalls etc.
Data should be backed up and stored such that it can be recovered in a timely manner in the event of the loss or destruction of that data in the primary storage location.
All system owners, including those outside of IT Services, must ensure that security patches are installed in a timely fashion. Test and patch, early and often.
System Owners must manage the security of the networks and network protocols for the systems under their control. The Network Security Standard provides guidance on the approved configurations.
System Acquisition, Development and Maintenance
Information Security must be considered when buying, designing or maintaining any system holding University information assets.
All such systems must be security-reviewed and benchmarked against industry best practices. IT Services and the IT Security team can assist with these reviews. Lodge a service request in ServiceUoN to request this service.
Any interaction with a third party that involves University ICT Resources or Information Assets must be covered by a formal agreement. This agreement will typically take the form of a contract which clearly sets out the obligations and service level agreements for all parties. The agreement must also set out the Information Security requirements for all parties to ensure the protection of University data.
Information Security Incident Management
All users must report any suspected events or weaknesses that might have an impact on the security of University Information Assets and IT Assets to the IT Service Desk.
It is your responsibility to be aware of this policy, your responsibilities, and your legal obligations.
The CIO (or their delegate) will continuously monitor the University environment to measure compliance with this policy, and may disconnect or restrict access at any time without warning.
Exceptions to any provision may be requested by a User via the Exception Request form available in ServiceUoN. Exceptions will be considered based on the potential business impact and any incremental risk that the exception may pose to the University.