Document Comments

Bulletin Board - Review and Comment

Step 1 of 4: Comment on Document

How to make a comment?

1. Use this Comment Icon to open a comment box for your chosen Section, Part, Heading or clause.

2. Type your feedback into the comments box and then click "save comment" button located in the lower-right of the comment box.

3. Do not open more than one comment box at the same time.

4. When you have finished making comments proceed to the next stage by clicking on the "Continue to Step 2" button at the very bottom of this page.

 

Important Information

During the comment process you are connected to a database. Like internet banking, the session that connects you to the database may time-out due to inactivity. If you do not have JavaScript running you will recieve a message to advise you of the length of time before the time-out. If you have JavaScript enabled, the time-out is lengthy and should not cause difficulty, however you should note the following tips to avoid losing your comments or corrupting your entries:

  1. DO NOT jump between web pages/applications while logging comments.

  2. DO NOT log comments for more than one document at a time. Complete and submit all comments for one document before commenting on another.

  3. DO NOT leave your submission half way through. If you need to take a break, submit your current set of comments. The system will email you a copy of your comments so you can identify where you were up to and add to them later.

  4. DO NOT exit from the interface until you have completed all three stages of the submission process.

 

Physical and Environmental Security Policy

Section 1 - Executive Summary and Purpose

(1) The University of Newcastle (University) is obligated to protect the people, information, and physical assets within its facilities. This requires the minimisation of the risk of harm to people; and the minimisation of the risk of information and physical assets being made inoperable or inaccessible, or being accessed, used, or removed without authorisation.

(2) This Policy establishes the physical and environment protections to the University's information and physical assets that must be applied and establishes the responsibilities for implementing physical and environmental protections.

(3) This Policy should be read in conjunction with:

  1. Digital Security Policy;
  2. Information Classification and Protection Policy; and
  3. Information Security Access Control Policy.
Top of Page

Section 2 - Scope

(4) This document applies to the University and it’s onshore controlled entity's information and physical assets, including secure areas.

(5) Secure areas are areas where sensitive, classified, or critical information and assets are used, processed, stored, or communicated.

Top of Page

Section 3 - Physical and Environmental Security Requirements

Part A - Secure Areas

(6) Controls to ensure security of information and information systems located in University and onshore controlled entity offices, rooms and other facilities must be designed, applied and documented.

Physical Security Perimeter

(7) University data centre facilities and rooms containing server infrastructure must be protected by a physical security perimeter.

(8) System Owner's must ensure appropriate controls are in place to establish secure areas. The selection of controls must be supported by a risk assessment.

(9) The following controls must be applied to secure areas:

  1. the perimeters of buildings containing data centres or server infrastructure must be physically sound (i.e. there must be no gaps in the perimeter or areas where a break-in could easily occur);
  2. external walls must be of solid construction and all external doors must be suitably protected against unauthorised access with control mechanisms, e.g. bars, alarms, locks, etc;
  3. doors and windows must be locked when unattended;
  4. doors must be fitted with an audible alarm that triggers when the doors have been kept open beyond a pre-determined length of time;
  5. all doors on a security perimeter must secured; and
  6. fire doors must be tested at least annually to comply with the Building Code of Australia (Building Code).

(10) Where appropriate, data centre entry points must be monitored by a closed-circuit television (CCTV) system on a 24/7 basis. Refer to the University Closed Circuit Television (CCTV) and Security Recordings Operational Policy for further information.

Physical Entry Controls

(11) Secure areas must be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.

(12) Access to secure facilities must be authorised by an Information Owner, System Owner, or a Senior Leader.

(13) The following controls must be implemented:

  1. access to areas where sensitive information is processed or stored must be restricted to authorised personnel only;
  2. authentication controls, e.g. access control card system, must be used to authorise and validate access;
  3. access logs must be maintained by for facilities and IT systems;
  4. visitors must:
    1. only be allowed access for specific and authorised purposes;
    2. be escorted by authorised personnel whilst in secure areas;;
    3. be issued badges or tags of a different colour than staff;
    4. have their date and time of entry and departure recorded;
  5. all employees and other authorised personnel must wear visible identification;
  6. staff must notify a University Security Officer when they encounter unescorted visitors or anyone not wearing visible identification;
  7. visitors engaged under a supply contract may be granted restricted access only when required and their access must be authorised and monitored; and
  8. access rights must be regularly reviewed by the business unit granting access.

Securing Offices, Rooms and Facilities

(14) Information Owners must regularly assess the security of areas where sensitive information is processed and/or stored. Controls that should be implemented to manage associated risks are:

  1. physical entry controls described in this document; and
  2. appropriate storage of sensitive information when not in use, in accordance with this document.

Protecting Against External and Environmental Threats

(15) Physical protection against natural disasters, malicious attacks or accidents must be designed and applied. Information Owners, System Owners planners and architects must incorporate, to the extent possible, physical security controls that protect University information and assets against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of disasters. Consideration must be given to any security threats presented by neighbouring premises or streets. In addition to the Building Code and AS1851-2012 Routine Service of Fire Protection Systems and Equipment:

  1. combustible or hazardous materials must be stored at a safe distance from the secure area;
  2. bulk supplies, e.g. stationery, must not be stored in a secure area;
  3. environmental alarm systems, fire suppression and firefighting systems must be installed, tested and maintained.

Working in Secure Areas

(16) Security controls and procedures must be used by personnel when working in secure areas.

(17) Information Owners must identify and document requirements that apply to personnel who have been authorised to work in secure areas. Authorised personnel must be informed that:

  1. sensitive information cannot be discussed in a non-secure area;
  2. sensitive information cannot be disclosed to personnel who do not have a need-to-know; and
  3. visitors must be authorised, logged, and escorted.

Delivery and Loading Areas

(18) Access points such as reception, delivery and loading areas must be controlled and, if possible, isolated from secure areas or offices to avoid unauthorised access.

(19) Receiving staff members and employees of onshore controlled entities must ensure that:

  1. loading docks and delivery areas are regularly inspected and actively monitored;
  2. incoming material are inspected for potential threats before this material is moved from the delivery and loading area to the point of use;
  3. incoming material is registered on entry to the site.

Part B - Public Areas

(20) Public areas are areas that are freely accessible to the public, students, and visitors to the University.

(21) The value of IT assets situated in public areas should either be low (e.g. desktop PCs in general access areas) or the assets should be physically large to avoid theft (e.g. printing facilities or print credit kiosks).

(22) All equipment not intended for public use should be situated to minimise the risks of unauthorised access, and the compromise of information.

(23) IT assets located in public areas that may be used to access confidential information must be situated in such a way as to prevent unauthorised individuals from viewing the displayed data.

(24) All publicly accessible IT assets should be appropriately defended against vandalism, modification, and theft.

Part C - Equipment

Equipment Protection

(25) Equipment must be protected to reduce the risks of unauthorised access, environmental threats, and hazards.

(26) System Owners, planners and architects must ensure that University facilities are designed in a way that will safeguard sensitive information and assets.

(27) Servers, routers, switches, and other centralised computing equipment must be located in a room with access restricted to only those personnel who require it.

(28) Equipment should be located, and monitors angled, in such a way that unauthorised persons cannot observe the display.

(29) Staff printers and scanners should not be located in an area that is accessible to the public.

Supporting Utilities

(30) Critical ICT infrastructure, including network components and servers, must be protected from power supply interruption and other disruptions caused by failures in supporting utilities.

(31) The following controls must be implemented to help ensure availability of critical services:

  1. all supporting utilities such as electricity, water supply, sewage, heating/ventilation and air conditioning must be adequate for the systems they are supporting. Supporting utilities must be regularly inspected and, as appropriate, tested to ensure their proper functioning and to reduce any risk of malfunction or failure;
  2. an uninterruptible power supply (UPS) to support orderly close down or continuous running for equipment supporting critical business operations must be installed. Power contingency plans must cover the action to be taken on failure of the UPS.
  3. a back-up generator must be considered if processing is required to continue in the event of a prolonged power failure. An adequate supply of fuel must be available to ensure that the generator can perform for a prolonged period.
  4. UPS equipment and generators must be checked regularly to ensure they have adequate capacity and are tested in accordance with the manufacturer’s recommendations;
  5. emergency power off switches must be located near emergency exits in equipment rooms to facilitate rapid power down in case of an emergency. Emergency lighting must be provided in case of main power failure;
  6. the water supply must be stable and adequate to supply air conditioning, humidification equipment, and fire suppression systems (where used). An alarm system to detect malfunctions in the supporting utilities must be installed to limit any damage that a fault may cause to equipment;
  7. telecommunications equipment must be connected to the utility provider by at least two diverse routes to prevent failure in one connection path impacting voice or data services; and
  8. voice services must be adequate to meet local legal requirements for emergency communications.

Cabling Security

(32) Power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.

(33) Power and telecommunications lines into information processing facilities must be underground or subject to adequate alternative protection.

(34) Network equipment must be protected from unauthorised physical access or damage by placing it within a secured data centre, or a locked cabinet or room.

(35) Power cables should be segregated from communications cables to prevent interference.

(36) Cables and equipment must be clearly marked to minimise handling errors such as accidental patching of incorrect network cables. A documented patch cabling standard should be used to reduce the possibility of errors.

Equipment Maintenance

(37) Equipment must be correctly maintained to help ensure availability and integrity of sensitive information and assets.

(38) When equipment is serviced, System Owners must consider the sensitivity of the information it holds, and the value of the assets. System Owners must ensure the following controls are applied:

  1. equipment must be maintained in accordance with the supplier’s recommended schedule and specifications;
  2. only formally contracted maintenance personnel who have been sbuject to the University's procurement processes may undertake repairs and service equipment;
  3. records of all suspected faults and maintenance activity must be maintained by IFS; and
  4. maintenance activity must be scheduled at a time of day that limits interference with services or operations; and

(39) Users should be notified before equipment is taken off-line for maintenance wherever possible.

(40) If off-site maintenance is required, appropriate controls must be implemented; confidential information should be cleared from the equipment, maintenance personnel should be appropriately authorised, and supplier relationship agreements should exist to ensure the appropriate protection of information.

Removal of Assets

(41) University-owned equipment, information and software must not be removed from University premises without appropriate authorisation by a senior staff member (or their nominee).

Security of Equipment and Assets Off-Premises

(42) IT assets must be safeguarded in accordance with University policy when off-site from University premises.

(43) System Owners must ensure that equipment used or stored off-site is safeguarded in accordance with the value of the asset and the sensitivity of information stored on it. Controls to apply include:

  1. encrypting sensitive data;
  2. using a logical or physical access control mechanism (such as a password) to protect against unauthorised access;
  3. using a physical locking or similar mechanism to restrain the equipment; and
  4. ensuring personnel are instructed on the proper use of the chosen controls.

(44) Personnel in possession of University equipment must:

  1. not leave it unattended in a public place;
  2. ensure the equipment is under their direct control at all times when travelling;
  3. take measures to prevent viewing of sensitive information by unauthorised personnel;
  4. not allow unauthorised individuals to use the equipment; and
  5. report loss or stolen equipment immediately.

(45) Due care must be taken by University staff when travelling with a laptop or other equipment holding sensitive information. Specific security mechanisms, such as strong authentication and encryption, must be considered for the devices according to the classification of the data stored on each device.

Secure Disposal or Re-Use of Equipment

(46) All data and software must be erased from equipment prior to disposal or redeployment.

Unattended User Equipment

(47) Unattended equipment must be safeguarded by:

  1. terminating the active session when finished;
  2. locking the session with a password protected screen saver or other approved mechanism;
  3. logging off computers, servers, terminals, and other devices when session is finished;
  4. switching off devices when not required;
  5. enabling password protection on mobile devices, printers, kiosks, and portable storage devices; and
  6. securing devices with a cable lock when enhanced physical security is justified.

Clear Desk and Clear Screen Policy

(48) Sensitive information must be safeguarded from unauthorised access, loss, or damage.

(49) Workspaces must be secured when they cannot be monitored by staff. Workspaces can be secured by:

  1. clearing desktops and work areas;
  2. locking hard copy sensitive information in an appropriate cabinet;
  3. locking portable storage devices with sensitive information in an appropriate cabinet;
  4. activating a password-protected screen saver;
  5. retrieving documents from printers; and
  6. ensuring that sensitive hard copy documents that are no longer needed are placed in shredding bins, not recycle bins.

(50) When visitors, cleaning contractors, or other staff without a “need-to-know” are in the area, sensitive information must be safeguarded by:

  1. covering up and maintaining control of hard-copy files;
  2. minimising windows, blanking computer screens or activating the password-protected screen saver.

(51) Sensitive information must not be discussed in public or other areas where there is a risk of being overheard by unauthorised personnel.

Part D - Defence Industry Security Program (DISP)                

(52) Prior to agreeing to store, process, or communicate information or assets under DISP, approval from the Cyber Security team must be obtained.  

(53) The Cyber Security team must ensure that physical security controls required by the Defence Security Policy Framework (DSPF) are implemented when approving activity under the DISP.