Section 1 - Audience
(1) This Policy applies to all users who utilise a personal device to access the digital environment of the University of Newcastle (University) or its controlled entities.
(2) This Policy is supplemented by standards, procedures, and guidelines which should be read in conjunction with this document.
Section 2 - Purpose
(3) This Policy provides the framework for users to use their own personal technology devices to access the University's digital environment. When such personal devices are used to access University systems, they are then referred to as BYOD (bring your own device) throughout the Policy.
(4) The purpose of this Policy is to:
- establish the requirements for the use of BYOD for study or work to access University systems and data;
- ensure that University systems and data are protected from cyber security threats and non-compliance with relevant laws and regulations; and
- establish the responsibilities of BYOD owners and the University's rights.
Section 3 - Scope
(5) This Policy applies to any personal device used to access University digital assets and platforms, including:
- University networks and connectivity solutions;
- University platforms, such as but not limited to ServiceNOW and M365;
- Software as a Service (SaaS) solutions which contain University data, or provide a service for the University;
- digital storage solutions;
- digital information and data; and
- any other digital asset(s).
Section 4 - Definitions
(6) In the context of this document, the following definitions apply:
- “application” or “app” means computer software designed to assist end users to carry out tasks;
- “Bring Your Own Device” or “BYOD” means any electronic device owned, leased, or operated by an employee, contractor, affiliate or student of the University which is capable of storing data and connecting to a network, including but not limited to mobile phones, smartphones, tablets, laptops, personal computers and netbooks. Any personally owned, leased, or privately operated electronic device that a user has explicitly authorised and configured to access the University's digital environment. This includes, but is not limited to, mobile phones, smartphones, tablets, laptops, personal computers and netbooks. A personal device is only governed by this Policy once it is utilised as a BYOD to access University data or networks;
- “Conditional Access Policies” refers to automated configuration rules that evaluate identity, device health, and real-time risk parameters to dynamically grant, limit, or block access to the University's digital assets;
- “data” means a set of characters or symbols to which meaning is or could be assigned (AS/NZS ISO30300:2020 – Section 3.2.4). The Council of Australasian University Directors of Information Technology (CAUDIT) defines data as a set of facts, representing a specific concept or concepts. Value is added to data when they are combined and presented to users within a context, turning them into meaningful information to support business decisions and enable operational decisions. That is DATA + CONTEXT = INFORMATION;
- “Device Trust Tiers” means the categorisation framework used by the University to determine a personal device’s security health, segmented into Managed Devices (full enrolment), App-Managed Devices (containerised application security) and Browser-Only Access (unmanaged / view only);
- “impossible travel” refers to a cybersecurity detection method that flags login attempts from geographically distant locations within an unrealistically short period of time that may indicate potential account compromise by an attacker;
- “minimum requirements” means the minimum hardware, software or general operating requirements of a BYOD;
- “Mobile Device Management” or “MDM” means a solution which manages, supports, secures and monitors mobile devices;
- “personal data” refers to a user's own (personal) data that is stored on a device;
- “University data” means all information, records and materials created, received, maintained or transmitted by University users during official business, administration, research or academic operations;
- “wipe” or “wiping” refers to a security feature that renders the stored data on a BYOD inaccessible. Wiping may be performed locally or remotely via a University solution or by a system administrator;
- “zero trust architecture” refers to a security framework based on the premise of ‘never trust, always verify’. It assumes threats exist both inside and outside the network, meaning access is never granted based solely on physical location or network connection. Instead, it continuously validates user identity, device health, and session risk before granting access.
Section 5 - General Principles
Part A - Institutional Principles
(7) The University permits the use of BYODs to provide flexibility to staff and students, especially those who require custom devices to undertake teaching, learning and research.
(8) BYOD access is provided at the discretion of the University and can be revoked at any time and for any reason.
(9) University data accessed, processed or communicated via a BYOD is and remains the property of the University.
(10) The University and users of BYODs understand and accept the conditions under which BYOD access is granted.
Part B - Zero Trust and Conditional Access Framework
(11) Access to the University's digital environment operates on a zero trust architecture model and is not guaranteed solely based on a user’s physical location or network connection.
(12) All access to University systems must be programmatically enforced through automated Conditional Access Policies. These policies will evaluate real-time session risk and require compliant or protected application sessions dynamically mapped to the evaluated Device Trust Tier.
(13) Access capabilities, including data downloading, printing and local synchronisation, will be automatically restricted or blocked on devices failing to meet the required trust tier for that data classification.
(14) The decision to provide BYOD access is determined dynamically based on risk and compliance requirements.
(15) Access must be enforced through Conditional Access Policies that require compliant or protected application sessions depending on the evaluated device trust level, which are subject to change.
(16) Device Trust Tier is determined automatically at sign-in and enforced through technical controls. Users are guided in real time on how to meet requirements if higher levels of access are required.
(17) Device health and session risk are continuously evaluated throughout sessions.
(18) Offline access to digital assets and applications which are classified as Restricted or Highly Restricted may not be available.
Part C - Device Trust Tiers
(19) To manage cybersecurity risks proportionally, the University dynamically categorises personal device connections into three distinct security tiers. A device’s tier is automatically evaluated at login and determines the level of access permitted.
| Tier | Requirement | Access |
| --- | --- | --- |
| Managed Devices | University-managed or fully enrolled personal device which meets the security baseline. | Full access to University systems and data. |
| App-managed Device | Personal device with secure University apps (such as Outlook or Teams). | Access to University data via approved applications only. No local data storage outside of the approved applications. |
| Browser-only access | Unmanaged personal device with no enrolment or app protection. Access via a web browser only. | Limited, view only or restricted functionality. No download or offline access. |
Section 6 - Requirements for BYOD Owners
(20) This Policy should be read in conjunction with the Digital Technology Conditions of Use Policy.
(21) University data accessed via BYOD must remain on University systems and University data must not be stored on BYOD or personal accounts, except for authorised cloud syncing (for example, Microsoft OneDrive).
(22) BYOD owners are responsible for:
- implementing the security controls required by the University as a pre-requisite for access to University networks, systems and data;
- the damage, loss or theft of their devices should it occur;
- the cost of a BYOD, including the device, maintenance, mobile and data charges, software licenses (outside of University specific applications), and insurance; and
- their personal data on their BYOD, including any loss or corruption, and for separating their personal data from University systems and University data.
(23) If a BYOD that is used to access University digital assets or applications is lost or stolen, the BYOD owner is responsible for immediately reporting the loss or theft to the DTS Service Desk on 02 4921 7000 (or 17000 as an internal call) or via an email to DTS-cybersecurity@newcastle.edu.au.
(24) When traveling internationally on official University business, staff must use a temporary loaner managed device rather than their personal device.
Section 7 - The University’s Rights
Guiding Principles and Privacy Safeguards
(25) In exercising the rights outlined below, the University is committed to protecting student and staff privacy, maintaining user autonomy, and adhering to relevant privacy legislation. The University's actions will be guided by the principles of proportionality (limiting actions to what is strictly necessary to secure data) and transparency.
(26) The University retains the administrative authority to extract, audit, and collect data strictly from University-managed applications and containerised environments on a BYOD. The University's authority does not extend to personal data. Personal files, private communications, photos and non-University applications are legally excluded from University collection, monitoring or eDiscovery search processes.
(27) The University reserves the right to remotely wipe University-specific application data from any BYOD in the event of a suspected or actual compromise, including the loss or theft of a BYOD; and if the BYOD owner ceases employment, affiliation, or studies with the University. This right strictly applies to University data and corporate applications; the University will not execute a full factory reset that deletes personal data, photos or private files.
(28) The University reserves the right to reject BYOD usage that does not meet the University's cyber security and legal requirements.
(29) Cyber security controls required on any BYOD include, but are not limited to:
- automatic screen lock;
- device pin codes, password or biometric login;
- endpoint protection and automated device health attestation;
- encryption of data in storage;
- backups;
- current vendor-supported operating systems;
- up-to-date systems and applications;
- authentication to University networks, systems and data; and
- active jailbreak and root detection.
(30) Detection of a failure of one or more of the controls listed above may result in an automated, immediate revocation of all active sessions, and may result in the removal of the device from the App-managed or Managed tiers, depending on risk.
(31) The University reserves the right to change requirements for BYOD access including the maturity of security controls required.
(32) When using University networks, the University may restrict access to high-risk websites and services. This restriction does not extend to non-University networks.
(33) The University may assess and monitor any BYOD for malware and vulnerabilities via automated endpoint protection.
(34) The University may prevent screen capture or similar functions of Restricted and Highly Restricted University data from the BYOD.
(35) The University will not access or monitor personal use of a BYOD (unless required for a formal investigation and permitted by law).
(36) Compromised BYODs must be restricted from accessing University networks, systems and data. Users will be notified where they are trying to connect a compromised device via automated endpoint protection.
(37) The University may monitor the location from which a BYOD signs in to identify unusual activity, such as impossible travel.
(38) The University may push and remove data associated with University applications to and from a BYOD to enhance its security or manageability.
(39) The University has a right to inspect University data held on a BYOD.
(40) The University may request an inspection of a BYOD in the owner’s presence prior to them leaving the University to confirm there is no University data stored on the BYOD.
Section 8 - Enforcement
(41) Non-compliance with the provisions of this Policy may result in action under the University's policies, Staff Code of Conduct, Student Code of Conduct or relevant enterprise agreement / employment contract and may also result in referral to a statutory authority and/or agency.
(42) The Chief Digital & Information Officer (or their nominee) is responsible for monitoring the use of the University's digital assets to measure compliance with this Policy.
(43) Where a user has been found to fail to comply with this Policy or any other of the University's IT policies, procedures, manuals, or guidelines, an authorised delegate may withdraw, suspend, restrict or limit that user’s access to a University computing or communications facility.
Section 9 - Device Usage and Support
(44) The BYOD owner assumes all responsibility and risk associated with accessing University services from their personal devices.
(45) While the University will take all reasonable efforts to ensure access to the University digital environment is available, the University does not guarantee that access will be available at all times.
(46) The University will not impose a fee on BYOD owners for registering a BYOD on the University network.
(47) BYOD owners are responsible for supporting their own devices. The University will only provide limited support for any application the University has provided.
(48) The following tables outline responsibilities for support, connectivity and access and meeting minimum requirements:
| Support | Responsibility |
| --- | --- |
| Physical provisioning | BYOD Owner |
| Replacement of defective / damaged BYOD | BYOD Owner |
| Operating system support, including licencing | BYOD Owner |
| Application support of BYOD, including licencing | BYOD Owner |
| University provided / supported applications | 17000 Service Desk |
| Backing up and restoring data and configuration settings | BYOD Owner |

| Device Connectivity / Access | Responsibility |
| --- | --- |
| University wireless | 17000 Service Desk |
| University Secure Access Clients | 17000 Service Desk |
| Home internet | BYOD Owner |
| Mobile Internet | BYOD Owner |

| Minimum Requirements | Responsibility |
| --- | --- |
| Meeting the minimum requirements outlined in Section 5 of this Policy | BYOD Owner |
(49) Each BYOD will be automatically registered within the University's Microsoft 365 platform on first connection to the University exchange email service.
(50) The Microsoft 365 platform incorporates Mobile Device Management capabilities which can enforce security configurations on a BYOD.
(51) A limit may apply to the number of BYODs that can be registered for a single person.