
Information Security Human Resource Guidelines


Section 1 - Executive Summary

(1) The University of Newcastle (University) is committed to and is responsible for ensuring the confidentiality, integrity and availability of the information stored on its systems.

(2) All users interacting with information assets have a responsibility to ensure the security of those assets.

(3) The University must perform checks to ensure that each individual user is suitable to be given access to the University's ICT systems and the information held on these systems.

(4) Users must be trained, equipped and periodically reminded to use information securely.

(5) When a user's employment with the University ends, that user's access to ICT systems must be suspended or removed.

(6) Where a user’s role changes, the user’s information access privileges must be reviewed and changed accordingly on a ‘least privilege’ basis.


Section 2 - Purpose

(7) The intent of this guideline is to govern the human resources aspect of information security for employees of the University.


Section 3 - Scope

(8) For the purpose of this guideline, an employee of the University is anyone who is engaged by the University to provide services to the University, regardless of job function, including:

  1. full-time, part-time and casual staff;
  2. contractors and third party users; and
  3. volunteers.

Section 4 - Guidelines

Prior to Employment

Objective: To develop a comprehensive process that includes identifying job roles and responsibilities, identifying the appropriate candidate screening level for those roles and responsibilities, and establishing terms and conditions of employment.

(9) Prior to hiring or contracting staff or contractors, security roles and responsibilities should be clearly articulated in job descriptions or well defined in terms and conditions of employment.

(10) For roles that involve handling restricted or high-restricted information, or that require access to sensitive ICT systems, careful attention should be paid to validating references and to applying the appropriate level of background checks.

During Employment

Objective: To ensure that employees are aware of and understand their information security roles and responsibilities; to ensure that they understand information security risks; and to ensure they have the necessary knowledge to mitigate those risks.

(11) All new employees should participate in new employee orientation and be provided with pertinent information including security policies and procedures, and the potential disciplinary process and actions for any security breaches.

(12) New employees must be required to acknowledge that they have read and understand the University's Information Technology Conditions of Use Policy.

(13) All managers and supervisors must emphasise the importance of information security to their employees.

(14) All employees must complete the University's Information Security Awareness Training, available in Discover, within the first six (6) months of employment. The training should be completed again annually thereafter.

Termination and Change of Employment

Objective: To develop an orderly exit process to ensure that access to University systems is removed, and assets returned, in an expedited timeframe.

(15) Responsibilities for performing employee terminations must be clearly defined and assigned to ensure actions are taken within the prescribed timeframes.

(16) A checklist of the actions to be taken, and of the person responsible for executing each action, allows any missed steps to be identified quickly. Please see the Separations and Transfer checklist.

(17) Specifically, University assets must be returned on the termination of employment.

(18) Additionally, access to information assets must be removed at the termination of employment.


Section 5 - Roles and Responsibilities

Responsibilities of all Employees

(19) Things to do:

  1. participate in security awareness training and events;
  2. understand and abide by the University's Information Technology Conditions of Use Policy and Information Security Policy;
  3. follow established processes and procedures to maintain system and information security;
  4. consult managers and supervisors for guidance on security issues; and
  5. consider security implications when making changes that involve information assets.

(20) Things to avoid:

  1. not asking for clarification or direction when unsure about information security requirements.

(21) Things to pay attention to:

  1. legislation and policy related to information security; and
  2. University communications relating to information security.

(22) Things to report:

  1. actions or activities which could circumvent or impair security controls; and
  2. actual and suspected security incidents.

Responsibilities of Management

(23) Things to do:

  1. ensure information security requirements are included in job descriptions;
  2. ensure required pre-employment checks are completed for all new employees;
  3. when assigning work, ensure employees are aware of security requirements;
  4. consult the Information Security Team for guidance on security issues;
  5. understand and abide by the University's Information Technology Conditions of Use Policy and Information Security Policy;
  6. support security awareness training and events; and
  7. if a security breach occurs, review and revise related operating procedures as needed.

(24) Things to pay attention to:

  1. legislation and policy related to information security; and
  2. University communications relating to information security.

(25) Things to establish procedures for:

  1. orientation programs for new employees;
  2. reviewing system access for employees when employment status changes occur; and
  3. Standard Operating Procedures for system use.

(26) Things to monitor:

  1. that employees support and follow security processes and practices.

(27) Things to report:

  1. promptly contact Information Technology Services when actual or suspected breaches of privacy or information security occur.

(28) Things to reinforce with employees:

  1. the importance of understanding policies, adhering to standards and following approved processes for the protection of information; and
  2. that everyone has a role in securing information resources.