Section 1 - Audience
(1) This policy applies to all users of the University of Newcastle’s (University) information assets and digital assets which include applications, cloud services, physical devices, data centres and any other type of University-managed technology.
(2) All users are required to comply with the terms of this policy as well as all applicable legislation.
(3) This policy is supplemented by standards, procedures, and guidelines which should be read in conjunction with this document. A list of these documents is in clause 70.
Section 2 - Purpose
(4) This Policy aims to ensure that information security objectives are achieved by the University. The objectives are information confidentiality, integrity, availability, compliance with applicable laws and regulations, and assurance.
(5) Information security is critical to supporting the University's strategic and operational objectives and business continuity by protecting intellectual property, research, sensitive corporate data, and personal information.
(6) This Policy defines the framework by which information security will be managed and supported across the University, and should be read in conjunction with the Information Technology Conditions of Use Policy.
(7) The University takes a risk-based approach to information security in line with the requirements of the University's Risk Management Framework.
(8) This Policy is continually reviewed and revised to address changes in the operating environment, cyber threat, and risk landscape, and the strategic objectives of the University.
Section 3 - Scope
(9) In the context of this policy, information refers to information assets, digital assets, and connected systems.
(10) This policy applies to the University in its entirety, including its controlled entities.
Section 4 - General Principles
(11) The University selects appropriate controls to protect University information in accordance with industry standards, frameworks, and guidelines, including:
- NIST Cyber Security Framework;
- NIST Special Publication 800-53;
- ASD Essential Eight;
- Defence Industry Security Program responsibilities where applicable; and
- Other relevant standards as required.
(12) All users are to assist with the protection of University information assets and prevent disclosure to unauthorised individuals.
(13) Information security solutions must be reviewed and authorised by the Cyber Security team to ensure security controls provide adequate protection and are applied consistently to all University information assets.
(14) Where an explicit standard, procedure or control is not cited in this Policy, the following security principles are to be applied by each user to guide their decision making regarding the use and protection of the University's information:
- the confidentiality, integrity, and availability of University information assets must be protected against unauthorised disclosure, alteration, degradation, and destruction;
- multiple, complementary protections should be used where possible;
- the most specific and minimum level of privilege should be granted to perform an action;
- access to University information assets must be justified, authorised, and timely;
- segregation of duties must be observed and enforced, ensuring avoidance of activity and privilege combinations which increase the risk of fraud, sabotage, or mishap;
- methods of non-repudiation should be employed where possible, to provide an authentic audit trail of events, decisions, and decision makers; and
- control and oversight of University information assets should remain sovereign to the University, whether by direct control or through instruments of governance.
Section 5 - Roles and Responsibilities
Chief Digital & Information Officer
(15) The Chief Digital & Information Officer is responsible for information security policy development, and for managing the implementation and operation of the University's information security capabilities to ensure that the requirements of this policy are appropriately applied.
(16) The Chief Digital & Information Officer is responsible for:
- ensuring that users are aware of this policy;
- promoting and fostering a risk-aware, cyber safety culture;
- defining the University's standards for digital assets and solutions;
- maintaining a repository of the University's approved digital assets and services;
- monitoring use of the University's digital assets, and disconnecting or restricting a user's access if the user has failed to comply with this policy or any of the University's other policies, procedures, manuals and guidelines;
- approving the deployment and removal of digital assets from the University's networks; and
- approving updates to this policy to ensure that the policy continues to be suitable, adequate and effective, subject to any relevant delegation of authority.
Heads of Organisational Units
(17) Heads of Organisational Units are responsible for:
- fostering a positive culture towards information security within their relevant organisational area;
- ensuring compliance with this Policy and supporting standards as applicable to their organisational area;
- reporting cyber security risks and issues in their area to the Cyber Security team, and ensuring risks are managed within the University's risk appetite.
Information Owner
(18) Information Owners must be aware of statutory requirements regarding information confidentiality, personal information and record storage and retention. (See Data Classification and Handling Policy and Standard, Privacy Management Plan and Records Governance Policy).
(19) Information Owners are responsible for:
- determining the value of their information assets;
- ensuring that relevant statutory requirements are met;
- assigning an appropriate security classification to information assets according to the Data Classification and Handling Policy and Standard;
- developing guidelines for, and authorising and reviewing access to, the information assets;
- ensuring that risk assessments for their information assets are performed; and
- ensuring that appropriate controls are specified and communicated to the system owner who has technical control of the information.
System Owner
(20) System Owners are responsible for:
- managing system risk;
- developing and updating Standard Operating Procedures (SOPs) to protect the system in a manner commensurate with risk;
- ensuring that information asset lifecycles are defined, documented, and managed;
- maintaining compliance with requirements specified by Information Owners for the handling of data processed by the system;
- ensuring system security controls are commensurate with requirements set by the Cyber Security team; and
- consulting with Digital Technology Solutions (DTS) to designate a System Administrator for the system.
System Administrator
(21) System Administrators are responsible for:
- the day-to-day administration of the digital asset;
- developing, maintaining and documenting SOPs that include data integrity controls, authentication, recovery, and continuity of operations;
- ensuring that access to information assets and the digital asset is secured as defined by the System Owner and Information Owner;
- implementing security controls and other requirements of this Policy on digital assets for which the System Administrator has been assigned responsibility;
- completing regular role-based training to ensure the effective management of the digital asset;
- taking corrective action in respect of audit findings, system vulnerabilities and any reported security breaches; and
- developing and testing disaster recovery and business continuity plans.
Cyber Security Team
(22) The Associate Director, Cyber Security and IT GRC leads the Cyber Security team which is responsible for:
- providing advice to ensure that there is a coordinated and consistent approach to information security management across the University;
- providing advice on managing information security risks, meeting relevant compliance obligations, and making recommendations to the University;
- promoting a culture of cyber safety through continuous education;
- developing and maintaining information security policies, standards and guidelines;
- responding to and managing cyber security incidents;
- conducting security control and risk assessments of vendors, digital assets and environments; and
- investigating and reporting on suspected breaches of this Policy.
Information Security Controls
Personnel Security
(23) All applicable users are subject to appropriate security processes before, during and after the cessation of their employment with the University in accordance with the Personnel Security Policy and Standard.
(24) Ongoing information security awareness training must be provided to all users including employees, affiliates, contractors and third-party users of the University's information assets, digital assets, and connected systems.
Asset Management
Inventory of Assets
(25) A register must be maintained by the Chief Digital & Information Officer of all the University's major digital assets and their interactions, including:
- hardware, software, services, and service providers;
- data and their associated metadata; and
- authorised data flows, transactions, and data transformation.
Information and Data Classification
(26) The sensitivity, criticality, and ownership of each information asset must be clearly stated.
(27) Information Owners must classify their assigned information assets upon creation according to the classifications outlined in the Data Classification and Handling Policy and Standard. The classification of an information asset is based on the asset's importance and risk, relative to the goals and objectives of the University.
(28) Information Owners must review the data classifications of their information assets upon any significant change to the asset, or changes in regulatory requirements, to ensure that appropriate controls remain in place for the asset as it evolves over time.
Information Handling and Protection
(29) The confidentiality, integrity, and availability of all University information must be protected while at rest, in transit, and in use.
(30) University information assets must only be stored, processed, and transmitted by systems authorised under the Information Technology Conditions of Use Policy.
(31) Based on the data classification, System Owners and System Administrators must comply with the applicable controls to help maintain the protection of information assets under their control.
Identity Management
(32) System Owners are responsible for ensuring that:
- identities and credentials are issued, managed, and revoked by all systems which store, transmit, or process University data;
- identities are proofed and bound to credentials based on the context of interactions;
- identity assertions are protected and verified; and
- systems, system components, and users are authenticated and authorised.
(33) All users must protect passwords and other types of credentials in accordance with the requirements of the Information Security Access Control Standard.
Access Control
(34) Access to University information assets must be managed, monitored, and enforced commensurate with University risk management.
(35) Access to University information assets, and University resources that store, process, or transmit those assets, should only be granted following a controlled and auditable process supported by operational and security requirements defined by the System Owner.
Physical and Environmental Security
(36) The Chief Digital & Information Officer is responsible for defining the standards, processes and procedures related to the management and access of physical facilities, such as data centres, network rooms, servers and networking hardware.
(37) The physical protection of the University's digital assets must be managed to ensure protection against malicious or accidental damage, or loss. See Physical and Environmental Security Policy and Standard.
Operations Security Management
(38) System Owners and System Administrators are responsible for documenting and maintaining Standard Operating Procedures (SOPs) for the digital assets and information assets that they manage. These SOPs must be made available to all users who need them, to ensure the correct and secure operation of the University's digital assets and information assets.
(39) Users involved in the administration, development, testing and commissioning of the University's digital assets must follow appropriate change management procedures.
Controls Against Malware
(40) The installation and execution of unauthorised software must be prevented on all systems which store, process, or transmit University information.
(41) System Owners and System Administrators are responsible for:
- implementing detection, prevention, and recovery controls to protect against malicious code; and
- appropriate user awareness procedures for the digital assets and solutions they manage.
(42) These controls must also be implemented in accordance with DTS standards.
Backup
(43) Data backups are an essential control and safeguard to ensure the availability of University information.
(44) System Owners must ensure that backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
(45) System Administrators must back up all information assets under their management on a regular basis and store these backups in such a way as to protect them from unauthorised access or modification.
(46) Backup procedures must be tested to confirm that recovery can be completed in a timely manner to ensure continuity of University operations.
Log Management
(47) All System Owners and System Administrators are responsible for ensuring that logs containing security events are generated and made available for centralised monitoring by the Cyber Security team.
(48) Event logs should be analysed and used to identify potentially adverse events such as unauthorised and suspicious activity.
(49) Event logs may be presented as evidence in investigations and must be protected and retained according to applicable laws and organisational requirements.
Vulnerability Management
(50) All System Owners and System Administrators are responsible for ensuring that security patch and vulnerability management processes are defined to identify, prioritise and remediate security vulnerabilities for digital assets and solutions that they own or manage. This will help to minimise the risk of malicious attacks compromising the confidentiality, integrity or availability of University information assets.
(51) Security patching and vulnerability management of the University's digital assets and resources must be carried out in accordance with the DTS patching approach.
Configuration Management
(52) The configuration of hardware and software supporting University information assets must be managed using practices defined by Digital Technology Solutions, and must work to prevent unauthorised or accidental deployment, detect and prevent malicious settings and misconfiguration, and support testing rigor.
Network Communications Security
(53) The Chief Digital & Information Officer is responsible for management oversight and security of University network infrastructure.
(54) DTS will manage, control and segregate parts of the network based on classification and risk.
System Acquisition, Development and Maintenance
(55) The Chief Digital & Information Officer shall ensure that information security is an integral part of information system and application architecture and design across the entire lifecycle of the University's digital assets.
(56) System Owners and System Administrators must ensure that all of the applications and services for which they are responsible within the University's digital environment are reviewed by the Cyber Security team and benchmarked against industry best practice prior to acquisition or upgrade, in consultation with the Chief Digital & Information Officer.
(57) Users must only use applications or services approved by the Chief Digital & Information Officer to store, process or communicate University information assets. Exemptions to this requirement must be applied for in accordance with Section 8 of this Policy.
Supplier Relationships
(58) To ensure protection of the University's digital assets and information assets, any access provided to external providers must be appropriately risk-managed and subject to a formal agreement. Any agreement entered into on behalf of the University must be done so in accordance with the relevant University policies and delegations of authority.
(59) The University will work with those third parties who access, support and service the University digital assets to ensure, as far as reasonably practicable, that they comply with this Policy and information security requirements. These requirements must, where applicable, be outlined in the formal agreement with the relevant external provider.
Information Security Incident Management
(60) To ensure a consistent and effective approach to identifying and managing information security incidents that could impact the University's digital assets, defined guidelines have been developed and implemented. See Cyber Security Incident Management Procedure.
(61) All users of the University's digital assets must report any suspected event or weakness that might have an impact on the security of University information assets and digital assets to the DTS Service Desk.
Travel and Work from Home
(62) All users of the University's digital assets should be aware of cyber threats while travelling within Australia and abroad and adhere to the advice for protecting the University's information assets while travelling.
(63) Staff and students who connect personal devices to University networks or use those devices to access the University's digital assets must adhere to the Information Security BYOD Policy.
Section 6 - Enforcement
(64) All Users of the University's digital assets should be aware of this Policy, their responsibilities and obligations.
(65) Non-compliance with the provisions of this Policy may result in action under the University's policies, Staff Code of Conduct, Student Code of Conduct or relevant enterprise agreement/employment contract and may also result in referral to a statutory authority and/or agency.
(66) The Chief Digital & Information Officer (or their nominee) is responsible for monitoring the use of the University's digital assets to measure compliance with this policy.
(67) Where a user has been found to have failed to comply with this Policy or any other of the University's IT policies, procedures, manuals, or guidelines, a delegate as outlined in the Delegations Register may disconnect or restrict that user's access to any part of the University's digital assets.
Section 7 - Exceptions
(68) Exceptions to this policy may be requested by a user in writing to the Chief Digital & Information Officer. Exceptions will be assessed based on the business impact, the security risk that the proposed exemption may pose and any compensating controls that may be implemented in relation to the proposed exemption.
Section 8 - Related Policies and Procedures
(69) This Policy provides overarching guidance for information security. Access to additional standards and procedures can be requested via DTS. Related policies include:
- Data Classification and Handling Policy and Standard;
- Information Security BYOD Policy;
- Information Security Access Control Standard;
- Information Technology Conditions of Use Policy;
- Cyber Security Incident Management Procedure;
- Physical and Environmental Security Policy and Standard;
- Personnel Security Policy and Standard.