USQ Policy for ICT Information Management and Security

University of Southern Queensland

Trim Location:

<Insert TRIM Location>

Document Category*:

Policy

Purpose*:

This policy outlines the direction, scope, and approach to the secure management of information assets and systems within the University of Southern Queensland ICT environment. The intent is to protect information assets, and any ICT assets which create, process, store, view or transmit information against unauthorised use or accidental modification, loss or release. This policy will continue to be reviewed and evaluated in line with changes to business processes and information security risks.

Scope and Application:

This policy applies equally to all University of Southern Queensland employees, including permanent, temporary, part-time and contract employees, as well as students, alumni, consultants, or third-party employees with access to the University of Southern Queensland ICT environment.

Responsible Officer*:

DVC (Academic Services) and Chief Information Officer /PVC Enterprise/

1 Policy Statement

The University is committed to the management of risks associated with Information and Communications Technology (ICT) assets and systems and the reduction of ICT security incidents. This policy provides the governance framework for information management and security within the University of Southern Queensland. This policy establishes the University's management commitment and governance arrangements and defines the University policy in all aspects of information security as stipulated under the relevant information standards.

Disclaimer

The University makes no warranty, explicit or implied, regarding the ICT services offered, nor their fitness for any particular purpose. Similarly, no responsibility can be accepted by the University or its staff for any damage arising directly or indirectly from the use of these services.

The responsibility for protecting ICT resources and services resides with all staff, students and third parties who use these services. The University will make all reasonable efforts to protect stakeholders from possible ICT and computer-related dangers but advises that it cannot always protect stakeholders from all potential threats. The University cannot guarantee to protect an individual against exposure to material that may be offensive to them; as such, stakeholders are warned that they may traverse or receive material that they find offensive.

University stakeholders should also refer to the USQ Policy for the Acceptable Use of ICT Resources.

2 Principles

Internal Governance

Information security governance arrangements are established and endorsed by the University ICT Strategy Board and assisted by other USQ governance committees. The implementation, maintenance and control of operational information security is the responsibility of ICT Services under the direction of the Executive Director (ICT Services). An ICT Security Committee, reporting to the Executive Director (ICT Services), is delegated with the responsibility of monitoring and recommending information security strategy, controls and associated operational security matters. All University employees and students are responsible for familiarising themselves with this policy, its associated policies, guides, references, practices, and procedures, as appropriate to their role within the University of Southern Queensland.

External Party Governance

The Executive Director (ICT Services) is delegated with ensuring that appropriate arrangements are established and documented to ensure that third party ICT service level agreements, operational level agreements, hosting agreements or similar contracts clearly articulate the level of security required and are regularly monitored.

Information Security

Information security activities are concerned with the protection of information from unauthorised use or accidental modification, loss or release. Information security is based on the following five elements:

  • Confidentiality: ensuring that information is only accessible to those with authorised access;

  • Integrity: safeguarding the accuracy and completeness of information and processing methods;

  • Availability: ensuring that authorised stakeholders have access to information when required;

  • Compliant Use: ensuring that USQ meets all legal and contractual obligations; and

  • Responsible Use: ensuring that appropriate controls are in place so that stakeholders have access to accurate, relevant and timely information, but that stakeholders of USQ ICT resources do not adversely affect other stakeholders or other systems.

Policy, Planning and Governance

The University of Southern Queensland recognises the importance of, and demonstrates a commitment to, maintaining a robust University information security environment. The University at a minimum will:

  • develop an Information Security Policy (this policy);

  • develop an Information Security Plan, ensuring alignment with the University business planning, general security plan and risk assessment findings;

  • establish and document information security internal governance arrangements (including roles and responsibilities) to implement, maintain and control operational information security within the University;

  • establish and document information security external governance arrangements to ensure that third party service level agreements and operational level agreements clearly articulate the level of security required and are regularly monitored.

For the purposes of recordkeeping and information management, USQ is required to comply with various enactments and standards including:

  • Public Records Act 2002;

  • Queensland Government Information Standard 40: Recordkeeping;

  • Queensland Government Information Standard 18: Security.

This policy will be communicated on an ongoing basis and will be accessible to all stakeholders. This USQ Policy for ICT Information Management and Security, and all associated policies, guides, references, practices, and procedures, form part of this ongoing commitment to information security governance.

Asset Management

The University of Southern Queensland will implement procedures for the classification and protective control of information assets (regardless of format). The University may wish to extend existing information asset and technology registers to incorporate security classification and control requirements. The University at a minimum will ensure:

  • all information assets are assigned appropriate classification and control in accordance with the Queensland Government Information Security Classification Framework (QGISCF);

  • all ICT assets that create, store, process or transmit security classified information are assigned ICT asset custodians and are also assigned appropriate controls in accordance with the QGISCF;

  • all ICT assets that provide underpinning and ancillary services will be protected from internal and external threats;

  • each staff member must use USQ authorised and approved ICT assets for the creation, storage, processing and transmission of information when transacting official USQ business.

Human Resources Management

The University of Southern Queensland will implement measures to minimise the risk of loss or misuse of information assets by ensuring that security controls are incorporated into University human resource management, including the development of supporting policies and processes. The University at a minimum will:

  • implement induction and ongoing training and security awareness programs, to ensure that all employees are aware of and acknowledge the University's information security policy, their security responsibilities and associated security processes;

  • document and assign security roles and responsibilities where employees have access to security classified information or perform specific security related roles, and ensure that security requirements are addressed in recruitment and selection and in job descriptions;

  • develop and implement procedures for the separation of employees from, or movement within, the University.

Physical and Environmental Management

The University of Southern Queensland will apply measures to ensure that the level of physical controls implemented will minimise or remove the risk of equipment or information being rendered inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation. The University at a minimum will ensure that:

  • building and entry controls for areas used in the processing and storage of security classified ICT information are established and maintained consistent with the QGISCF;

  • all ICT Assets that store or process information must be located in Secure Areas with control mechanisms in place to restrict access to authorised personnel only;

  • policies and processes are implemented to monitor and protect the use and/or maintenance of information assets and mobile ICT assets away from University premises;

  • policies and processes are implemented for the secure disposal or reuse of ICT assets which are commensurate with the information asset's security classification level.

In addition, USQ must comply with the requirements of Principles 5 and 6 of the Queensland Government Information Standard 40: Recordkeeping.

Communications and Operations Management

The University of Southern Queensland will ensure that operational procedures and controls are documented and implemented to ensure that all information assets and ICT assets are managed securely and consistently, in accordance with the level of required security. The University at a minimum will ensure:

  • operational change control procedures and release management control procedures are implemented to ensure that changes to information processing facilities or systems are appropriately approved and managed;

  • system capacity must be regularly monitored to ensure that risks of system overload or failure which could lead to a security breach are avoided;

  • adequate controls are defined and implemented for the prevention, detection, removal and reporting of malicious code attacks on all ICT assets;

  • comprehensive systems maintenance processes and procedures, including operator and audit/fault logs, media handling procedures, information backup procedures and archiving, will be implemented;

  • methods for exchanging information within the University, outside the University, through online services, and/or with third parties will be consistent with the QGISCF and the Network Transmission Security Assurance Framework (NTSAF);

  • each staff member must use USQ authorised and supplied communications methods, including electronic mail, when transacting official USQ business. The University's Electronic Communication with Students Policy establishes the framework for all electronic communications with students.

Access Management

The University of Southern Queensland will put in place control mechanisms based on business requirements, assessed/accepted risks, information classification and legislative obligations for controlling access to all information assets and ICT assets. The University at a minimum will ensure:

  • authentication requirements, including for on-line transactions and services, must be appropriate for the security classification of the information;

  • access to the USQ network and information systems requires specific authorisation, and each user must be assigned an individually unique personal identification code and a secure means of authentication;

  • policies and/or procedures for user registration, authentication management, access rights and privileges are defined, documented and implemented for all ICT assets;

  • restricted access and authorised use only warnings must be displayed upon access to all systems which have this capability.

System Acquisition, Development and Maintenance

The University of Southern Queensland will apply measures to ensure that during system acquisition, development and maintenance, security controls will be established and will be commensurate with the security classifications of the information contained within, or passing across, information systems, network infrastructure and applications. The University at a minimum will ensure:

  • security requirements are addressed in the specifications, analysis and/or design phases, and internal and/or external audit are consulted when implementing new or significant changes to financial or critical business information systems;

  • security controls must be established during all stages of system development, as well as when new systems are implemented and maintained in the operational environment;

  • appropriate change control, acceptance and system testing, planning and migration control measures must be carried out when upgrading or installing software in the operational environment;

  • a patch management program for operating systems, firmware and applications of all ICT assets must be implemented to maintain vendor support, increase stability and reduce the likelihood of threats being exploited.

In addition, USQ must comply with the requirements of Principles 5 and 6 of the Queensland Government Information Standard 40: Recordkeeping.

Incident Management

The University of Southern Queensland recognises that effective management of, and response to, information security incidents is critical to maintaining secure operations within the University, and will apply methods to ensure this. The University at a minimum will:

  • establish and maintain an information security incident and response register and record all incidents;

  • ensure all information security incidents are reported and escalated (where applicable) through appropriate management channels and/or authorities; ensure that these incidents are investigated and, if it is found that a deliberate information security violation or breach has occurred, apply formal disciplinary processes;

  • ensure that responsibilities and procedures for the timely reporting of security events and incidents, including breaches, threats and security weaknesses, are communicated to all employees including contractors and third parties.

Business Continuity Management

The University of Southern Queensland will ensure that a managed process, including documented plans, is in place to enable information and ICT assets to be restored or recovered in the event of a disaster or major security failure. The University at a minimum will:

  • establish plans and processes to assess the risk and impact of the loss of information and ICT assets on University business in the event of a disaster or security failure, and develop methods for reducing known risks to University information and ICT assets;

  • ensure business continuity information and ICT asset disaster recovery plans are maintained and tested to ensure systems and information are available and consistent with agency business and service level requirements.

University employees, students and third parties should also refer to the USQ Business Continuity Policy.

Compliance Management

The University of Southern Queensland will implement practices to ensure compliance with, and appropriate management of, all legislative and reporting obligations relating to information security. The University at a minimum will:

  • ensure all information security policies, processes and requirements, including contracts with ICT third parties, are reviewed for compliance on a regular basis;

  • ensure all reporting obligations relating to ICT information security are complied with and managed appropriately;

  • ensure that all reasonable steps are taken to monitor, review and audit University information security compliance, including the engagement of internal and/or external auditors and specialist organisations where required.

In addition, USQ must comply with the requirements of Principles 5 and 6 of the Queensland Government Information Standard 40: Recordkeeping.

University employees, students and third parties should also refer to the USQ Compliance Management Policy.

2.1 Penalties and Discipline

Failure to comply with the terms of this policy may result in disciplinary action. Student disciplinary processes are specified in the Student Discipline Policy for General Misconduct. Employee discipline is determined by University policy and procedure and employment contracts, as applicable.

Conduct in contravention of this policy may also constitute an offence or crime under relevant State and Commonwealth legislation, resulting in legal prosecution.

Irrespective of whether the violation is an internal (e.g. unauthorised access to information) or external (e.g. unauthorised remote access to the University of Southern Queensland network by a non-University employee or student), where the violation is considered a criminal offence, the police (Federal and State) will be informed. Where applicable, the Crime and Misconduct Committee will be advised.

2.2 Policy, Monitoring and Review

The Executive Director (ICT Services), or their delegate, is responsible for the review of this policy. This officer shall ensure that:

  • this policy is reviewed at least once each calendar year;

  • compliance with this policy is monitored/audited on a regular basis, as determined by risk assessment;

  • effectiveness of this policy is reported as directed by the Executive Director (ICT Services), or delegate.

3 References

Queensland Government Enterprise Architecture (QGEA)

Queensland Government Information Security Classification Framework (QGISCF)

4 Definitions

Word/Term

Definition (with examples if required)

ICT Asset

All applications and technologies that are owned, procured and/or managed by USQ.  These include desktop and productivity tools, application environments, hardware devices and systems software, network and computer accommodation, and management and control tools.

Information

Any collection of data that is processed, analysed, interpreted, organised, classified or communicated in order to serve a useful purpose, present facts or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form.

Information Asset

An identifiable collection of data stored on ICT Assets and recognised as having value for the purpose of enabling USQ to perform its business functions, thereby satisfying a recognised USQ requirement.

Information Security

Concerned with the protection of information from unauthorised use or accidental modification, loss or release.

Information Systems

The organised collections of hardware, software, equipment, policies, procedures and people that store, process, control and provide access to information.

Public record

(refer Section 6, Public Records Act 2002)

A public record is any form of recorded information that provides evidence of the decisions or actions of a public authority (in this case USQ) in undertaking its business activities or in the conduct of its affairs. The Act includes all records (and information) irrespective of the form, the custodial arrangements and the technology used to generate, manage, preserve and access records.

Security Classified Information

Information which has been assessed against the Queensland Government Information Security Classification Framework (QGISCF) and assigned a classification.

Secure Area

Provides the highest integrity of access to, and audit of, Security Classified Information Assets to ensure restricted distribution and to assist in subsequent investigation if there is unauthorised disclosure or loss of information assets. The essential physical security features of a Secure Area include:

  • appropriately secured points of entry and other openings;

  • tamper-evident barriers, highly resistant to covert entry;

  • an effective means of providing access control during both operational and non-operational hours;

  • all persons to wear passes;

  • all visitors escorted at all times;

  • during non-operational hours, a monitored security alarm system providing coverage for all areas where Security Classified information assets are stored;

  • an approved means of limiting entry to authorised persons.

Stakeholders

All staff, students, contractors, third parties, clinical and adjunct title holders, affiliates, alumni and all other individuals who access USQ's systems and/or network.

System

A combination of Information Assets and ICT Assets supporting a business process.

5 Other Policy Information

Peak Approval Authority:

Vice-Chancellor

Committee Owner*:

Vice-Chancellor's Committee/ICT Strategy

Division/Department/Office*:

DVC (Academic Services) and Chief Information Officer /ICT Services

Development Pathway:

ICT Strategy Board

Executive Director (ICT Services)

Directors (ICT Services)

Manager, Corporate Records

Approval Pathway:

  1. USQ Council

  2. Vice-Chancellor

  3. Vice-Chancellor's Committee

  4. ICT Strategy Board

  5. DVC (Academic Services) and Chief Information Officer

  6. Executive Director (ICT Services)

Approval Delegation:

Vice-Chancellor: Approve policy

Vice-Chancellor's Committee: Endorse policy

ICT Strategy Board: Endorse policy

DVC (Academic Services) and Chief Information Officer: Endorse policy and approve procedure

Executive Director (ICT Services): Endorse procedure

Procedural Delegation:

<The responsible officer may approve procedural changes only>

Related Legislation / guidelines:

Strategic Plan/Goal & Objectives:

<Goal ? /Objective ?>

Supporting documents, forms:

< list and hyperlink supporting documentation>

Associated USQ policies:

Where relevant within the ICT environment, the following apply:

  • USQ Business Continuity Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/business%20continuity.htm

  • USQ Compliance Management Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/compliance%20management.htm

  • USQ Disaster Preparedness (Hard Copy Records) Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/usq%20disaster%20preparedness%20(hard%20copy%20records)%20plan.htm

  • USQ Electronic Communication with Students Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/electronic%20communication%20with%20students.htm

  • USQ Intellectual Property Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/intellectual%20property.htm

  • USQ Planning Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/planning%20policy.htm

  • USQ Privacy Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/privacy%20policy.htm

  • USQ Procurement and Purchasing Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/procurement%20and%20purchasing.htm

  • USQ Quality Management Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/quality%20management.htm

  • USQ Records Disposal Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/records%20disposal%20policy.htm

  • USQ Records Management Governance Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/records%20management%20governance.htm

  • USQ Risk Management Policy: Document (Electronic) http://policy.usq.edu.au/policy/files/risk%20management.htm

  • USQ Student Discipline Policy for General Misconduct: Document (Electronic) http://policy.usq.edu.au/policy/files/student%20discipline%20policy%20for%20general%20misconduct.htm

  • USQ Policy for the Acceptable Use of ICT Resources

http://www.usq.edu.au/records/recordkeepingatusq/recordpolicies

Policy Category**:

<Governance/Student/Academic/Operations and relevant sub category>

Effective Date*:

2012-10-02

Approval Date:

2012-10-02

Next Review Date*:

2013-10-02

Expiry Date of Policy:

N/A

Audience:

 

Keywords:

 

Location:

 

Document Status**:

 

Sunset Requirement:

 

Service Delivery:

 

Policy Impact:

 

Consultation and Agreement: