1 Policy Statement
The Division of ICT Services is committed to helping the University of Southern Queensland meet its statutory, legal, and moral obligations by administering its information holdings in a lawful, ethical, and cost-effective manner.
To achieve this objective, the Division of ICT Services will:
adhere to all legal and legislative requirements,
satisfy the Queensland Government’s mandatory information management and security principles as detailed in the Information Standards,
develop, document, implement, and review information security controls commensurate with the value of the information, business significance, and sensitivity to:
ensure University information systems operate with a high degree of assurance and integrity, and
protect University information from unauthorised or inappropriate use, accidental or fraudulent modification, and loss.
In pursuing these objectives, Division of ICT Services personnel will be guided by sound risk management practices and internationally recognised governance principles and security frameworks.
2 Principles
2.1 Approach
ICT services are an important resource that the University of Southern Queensland makes available to clients with the understanding that they are used for teaching and learning, research, administration, and community engagement in accordance with the University’s mission. Clients are encouraged to make innovative use of resources and will generally be provided with access to services commensurate with their legitimate requirements.
The University’s ICT Resource environment is dynamic, characterised by openness, creativity and free sharing of information to the greater benefit of the community in general. The University will respect this environment and inhibit these characteristics only when necessary to protect the essential interests of the University;
Access to ICT resources will be allowed for the benefit of the University community, consistent with University policies and will respect the right of individuals, and articulate the rights and responsibilities with respect to academic freedom;
Consistent with University policies, equality of access to computer facilities will not be denied or reduced without justification;
Computer and network facilities are limited and should be used efficiently with consideration of the rights of others. When used appropriately, ICT Resources can enhance communication and learning, and when used inappropriately or unlawfully, these tools may infringe on the beliefs or rights of others. The University and clients have a shared responsibility for the appropriate use of such facilities;
The Division of ICT Services accepts responsibility for the maintenance of its ICT Resources to standards of acceptable reliability and security, and for the provision of information to enable all clients to use these resources efficiently. ICT services will be provided to support the University’s strategic objectives; however, these responsibilities must be managed within resource allocations, which may require the limiting of services and non-essential use where such use impacts significantly on the cost of provision or on operational performance;
The Division of ICT Services recognises the right to privacy of clients; however, it reserves the right to examine client data where required to do so in accordance with the ICT Standard for the Use of ICT Resources, or as directed by legal request in accordance with a State or Federal Government Act or Legislation.
2.2 Principles for Information Resource Security
The University recognises the following security principles will be applied during the development of all supplementary documentation, and will also be consulted in all situations requiring interpretation of this policy.
Accountability Principle. The responsibilities and accountability of owners, providers, and users of information systems and other parties concerned with the security of information systems should be explicit.
Awareness Principle. In order to foster confidence in information systems, owners, providers and users of information systems and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices and procedures for the security of information systems.
Ethics Principle. Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.
Multidisciplinary Principle. Measures, practices and procedures for the security of information systems should take account of, and address, all relevant considerations and viewpoints, including technical, administrative, organisational, operational, commercial, educational and legislative.
Proportionality Principle. Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm, as the requirements for security vary depending upon the particular information systems.
Integration Principle. Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and with other measures, practices and procedures of the organisation so as to create a coherent system of security.
Reassessment Principle. The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time. Security requirements should be reassessed whenever a change of function of the asset is made which may affect the sensitivity of the information.
Simplicity Principle. Operational controls and security countermeasures should be simple and easy to use.
Least Privilege Principle. An information system resource, including managers, administrators, privileged accounts, clients, programs, processes or devices should only be granted the most restrictive set of privileges necessary to effectively perform a required task. Such privileges should only be assigned for the duration of the task. This principle is intended to limit the damage that can occur because of an accident or attack.
Fail Safe Stance. To the fullest extent possible, security controls and countermeasures should be fail safe. That is, in the event of the failure of a particular security control, potentially damaging, insecure or uncontrolled access should be denied by default.
Protect and Proceed. First priority should be toward the protection of University assets. Only once adequate steps have been taken to minimise the exposure to all University assets from the currently identified attack, should action be taken to ensure the University responds appropriately to its legal, ethical and moral obligations.
2.3 Disclaimer
The University makes no warranty, explicit or implied, regarding the computer services offered, nor their fitness for any particular purpose. Similarly, no responsibility can be accepted by the University or its staff, for any damage arising directly or indirectly from the use of these facilities.
The University cannot guarantee to protect an individual against exposure to material that may be offensive to them; as such, clients are warned that they may traverse or receive material that they find offensive.
The University will make all reasonable efforts to protect clients from possible computer-related dangers. However, the University cannot always protect clients from all potential threats.
Compliance with this policy and associated standards does not confer immunity from the University’s legal obligations. Corporate Executive Portfolio Steward/Owners should ensure that they are aware of such obligations by referring to the documents listed in governing policy, legislative, statutory and regulatory requirements.
3 Procedures
3.1 Introduction
The University of Southern Queensland has responsibility for a significant amount of information which needs to be suitably protected.
Information, information systems, and information services are intrinsically vulnerable to unauthorised or inappropriate use or release, accidental or deliberate damage, and loss.
The potential consequences of unknowingly relying on incorrect information or an inability to access or trust required information could seriously impede University decision-making and result in irreparable damage, as well as damage to the University’s reputation.
Information security is a governance process that seeks to minimise risks to business processes through preservation of:
Confidentiality: ensuring that information is accessible only to those authorised to have access,
Integrity: safeguarding the accuracy and completeness of information and information processing methods,
Availability: ensuring that authorised clients have access to information and associated assets when required,
Responsibility: ensuring that controls are in place so that clients of the University’s ICT resources and systems are not able to adversely affect other clients, resources, or systems, and
Legal Compliance: ensuring that all legal and contractual obligations are met.
The Division of ICT Services is developing a culture that appreciates the value of information and has:
adopted active risk management as a guiding business principle, and
embraced the Queensland Government Information Standards as the defining criteria for managing the security of its information and information management systems.
3.1.1 Documentation
All new documentation, or the maintenance of existing documentation, required within the Division of ICT Services under the provisions of this policy, must also comply with all aspects of the ICT Standard and Guide for Document Management and, where applicable, the USQ Policy on Policies.
3.2 Governance and Services
The Division of ICT Services has made a firm commitment to developing and maintaining a University ICT governance framework based on CobiT (Control Objectives for Information and related Technologies) for governing its ICT provision, and adopting:
the ITIL (Information Technology Infrastructure Library) as a standard for the provision of ICT service,
the CMM (Capability Maturity Model) for self-assessing its capabilities in ICT,
ISO/IEC 27002:2007 Information technology – Security techniques – Code of practice for information security management,
AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems - Requirements, and
Queensland Government Information Standard 18 - Information Security as the basis for its information security standards, practices, and processes.
The Division of ICT Services is also under the guidance and direction of University governance bodies, including:
ICT Strategy Committee
Audit and Risk Committee
Finance and Facilities Committee
Governance and Legislation Committee
Discipline Committee
University Appeals Board
Vice-Chancellor’s Committee
3.3 Information Security
3.3.1 Security Framework
Under Queensland Government Information Standard 18: Information Security Principle 2, the University of Southern Queensland is required to establish a framework to provide direction and coordinated management of information security. The Division of ICT Services has made a long term commitment to implementing the internationally-recognised CobiT governance methodology. The CobiT methodology establishes security and control practices that provide a reference framework for management, clients, auditors, control and security practitioners.
The Division of ICT Services is committed to the secure management of USQ information resources within the CobiT framework, which includes:
regular reporting to, and involvement of, senior management
active involvement of, and responsibility assigned to, all employees, students, and other relevant third parties for aspects of the implementation of information security
continuous and proactive monitoring and review
effective and honest reporting and management of incidents.
This USQ Policy for ICT Information Management and Security, and all associated standards, guides, references, practices, and procedures, form part of this ongoing commitment to information security governance.
3.3.1.1 Third Party Access
The University of Southern Queensland is required to consider and address information security when entering into third party contracts, including arrangements with contractors and consultants.
Accordingly, all third parties - including contractors, consultants, corporations, government bodies, and education institutions - will be required to sign a confidentiality agreement restricting the use and dispersal of confidential information.
All third parties will be advised that they are bound to comply with all aspects of this policy and its associated standards, guides, references, practices, and procedures.
3.3.1.2 Roles and Responsibilities
Roles and responsibilities relating to this policy, for all University employees, students, consultants, contractors, and other third parties, are documented, as applicable, in the associated standards, guides, references, practices, and procedures, and in relevant University policies.
All University employees and students are responsible for familiarising themselves with this policy, its associated standards, guides, references, practices, and procedures, as appropriate to their role within the University of Southern Queensland.
3.3.1.2.1 Executive Director, ICT Services
The Executive Director, ICT Services is accountable for the coherent security management of the computing, communications, information resources and other business assets of the University.
These accountabilities include the formulation and maintenance of University-wide information security policy, security standards, guidelines, security and audit procedures.
3.3.1.2.2 Manager Business Continuity and Risk
The Manager Business Continuity and Risk is responsible for the development of information security policy and, in concert with others, for developing broader University security strategy.
3.3.1.2.3 Security Officer
The Security Officer is responsible for the operational security of University resources.
3.3.1.2.4 Corporate Executive Portfolio Steward/Owners
It is the responsibility of University management to preserve, improve and account for University information and communication technology resources, as directed by University policy.
Sub-Portfolio Owners, through delegated responsibility to the various Corporate Executive Portfolio Stewards, are responsible for ensuring that:
each and every resource is identified and managed,
each identified resource is classified for information sensitivity,
appropriate and reasonable security practices are employed for all resources under their control,
documented security procedures are prepared, implemented, audited and reviewed, and
clients remain aware of their responsibilities in relation to the security of the University’s information and communication technology resources.
3.3.1.2.5 ICT Manager
Each University information and communication technology resource will have an assigned system administrator who is responsible for implementing the daily operational aspects of the information security policy. The system administrator reports to the relevant ICT Manager.
3.3.2 Information Asset Classification and Control
Under Queensland Government Information Standard 18: Information Security Principle 3, the University of Southern Queensland is required to implement policies and procedures for the classification and protective control of information assets (in electronic and paper-based formats) which are commensurate with their value, importance and sensitivity.
All major information assets used in the University operations will be identified, documented and assigned owners for the maintenance of security controls.
An information classification scheme will be identified and implemented that is in accordance with relevant University, legislative, statutory and regulatory requirements. In addition, the control of all security classified information (including handling, storage, transmission, transportation and disposal) will be in accordance with such requirements.
The disposal of USQ records will be in accordance with the approved records retention and disposal schedules and USQ policy (refer: http://www.usq.edu.au/records/recordkeepingatusq/recordkeepingimpproject.htm#Disposal_Schedules_Policies).
The management of USQ records will be in accordance with the statutory requirements of the Public Records Act 2002, the mandatory requirements of Information Standard 40: Recordkeeping (IS40) (refer: http://www.usq.edu.au/records/recordkeepingatusq/recordkeepingimpproject.htm#Compliance), and USQ policy.
University information assets and software used in ICT operations are subject to the requirements of the ICT Standard for Information Asset Classification and Control and the ICT Code of Practice for the Acceptable Use of ICT Resources.
3.3.3 Human Resource Security
Under Queensland Government Information Standard 18: Information Security Principle 4, the University of Southern Queensland is required to minimise the risk of loss or misuse of its information assets by ensuring that security controls are incorporated into the University’s human resource management.
University employees should refer to the relevant Human Resources policies, standards and procedures in respect of information security awareness training, as well as recruitment, supervision, and separation processes.
University employees and students should also refer to the ICT Standard for Human Resources Security and the ICT Code of Practice for the Acceptable Use of ICT Resources to ensure compliance with University policies for the correct use of information and systems.
3.3.4 Physical and Environmental Security
Under Queensland Government Information Standard 18: Information Security Principle 5, the University of Southern Queensland is required to ensure that the level of physical controls implemented minimises or removes the risk of equipment or information being inoperable or inaccessible, or being accessed, used, or removed without appropriate authorisation.
Entry controls will be in place for areas used in the processing and storage of sensitive information. To prevent unauthorised use, tampering, or interference, servers and other critical and/or sensitive equipment will be located in secure areas with access control mechanisms in place to restrict access to authorised staff only.
University employees and students are responsible for familiarising themselves with all aspects of the ICT Code of Practice for the Acceptable Use of ICT Resources and the ICT Standard for Physical and Environmental Security. Equipment, information, and software resources are all subject to the provisions of these standards.
Particular attention will be paid to provisions for the secure removal of information when disposing of, or re-using, equipment or storage devices, as documented in the ICT Standard for Information Asset Classification and Control.
3.3.5 Operational Security Management
Under Queensland Government Information Standard 18: Information Security Principle 6, the University of Southern Queensland is required to ensure operational procedures and controls will be documented and implemented to ensure that information, information systems, and networks are managed securely and consistently, in accordance with the level of required security.
Compliance with all aspects of this documentation will ensure the integrity of the operational environment when information systems and the network are implemented or changed.
All University of Southern Queensland employees and students are responsible for familiarising themselves with the following:
ICT Standard for the Use of ICT Resources
ICT Code of Practice for the Acceptable Use of ICT Resources
ICT Standard for Computer Passwords and System Access Controls
ICT Standard for Operational Security Management
ICT Standard for the Use of Electronic Mail
3.3.5.1 Protection Against Viruses and Malicious Code
Security controls are in place, and will be maintained, for the protection of information and systems against viruses and other forms of malicious code. These controls include processes for the prevention, detection, and removal of malicious code in the information environment.
All University of Southern Queensland employees and students should familiarise themselves with the section on malicious software protection contained in the ICT Standard for Operational Security Management.
3.3.5.2 Systems Maintenance
The Division of ICT Services is responsible for ensuring the availability of information and information systems, networks, and applications, both in times of normal use and in the event of failure or unforeseen loss of information.
Scheduled maintenance windows (Maintenance Calendar) will be established annually in conjunction with Corporate Executive Portfolio Steward/Owners and advertised on the ICT web site http://www.usq.edu.au/ict/staff/mainsch.htm.
Critical or emergency maintenance that may be required will be carried out at a time as agreed with the designated Corporate Executive Portfolio Steward/Owner.
3.3.5.3 Network Management
Security measures will be implemented to protect University networks and infrastructure from unauthorised access, and to safeguard information confidentiality and integrity.
Controls will be in place for the prevention, detection, removal, and reporting of attacks by malicious and mobile code, and for the detection of breaches and intrusion attempts. These controls will help ensure that information integrity and security are maintained.
3.3.5.4 Media Handling and Security
Security controls for the transportation, disposal, and storage of information media are documented in the ICT Standard for Information Asset Classification and Control.
All University of Southern Queensland employees and students should familiarise themselves with the ICT Standard for Information Asset Classification and Control to ensure the unauthorised modification, damage, or theft of information and information media, is minimised.
Acceptable encryption methods for the storage and transportation (including electronic transmission) of information will be adopted where required.
3.3.5.5 Exchange of Information and Software
Methods for exchanging information must be consistent with the ICT Standard for Information Asset Classification and Control, which supports the legal and legislative requirements outlined in Queensland Government Information Standard 18: Information Security.
The use of, accountabilities for, and security risks associated with electronic mail and information and communication devices are addressed and clearly defined in the ICT Code of Practice for the Acceptable Use of ICT Resources. All University of Southern Queensland employees and students are responsible for familiarising themselves with this Code of Practice.
3.3.6 Access Controls
Under Queensland Government Information Standard 18: Information Security Principle 7, the University of Southern Queensland is required to ensure that control mechanisms based on business-owner requirements and assessed/accepted risks will be in place for controlling access to all information, information systems, networks (including remote access), infrastructures, and applications.
Access control rules for information and systems, including…
network access
operating system access
application access
… are subject to the provisions of the ICT Standard for Computer Passwords and System Access Controls, ICT Standard for Information Asset Classification and Control and the ICT Code of Practice for the Acceptable Use of ICT Resources. Authorised clients are responsible for familiarising themselves with all aspects of the access control standards noted in these documents.
3.3.7 System Development and Maintenance
Under Queensland Government Information Standard 18: Information Security Principle 8, the University of Southern Queensland is required to ensure that security controls will be implemented during all stages of system development, as well as when new systems are implemented into the operational environment. Such controls will be commensurate with the security classification of the information contained within, or passing across, information systems, network infrastructures, and applications.
Security controls and requirements for new systems, together with security controls for improvements to current systems, will be identified and documented.
In particular, appropriate testing, planning, and migration control measures will be carried out when upgrading or installing new systems and software, to ensure the integrity and security of the information resource environment is not adversely affected.
Division of ICT Services system development and maintenance staff are responsible for familiarising themselves with the ICT Standard for System Development and Maintenance.
3.3.8 Business Continuity Management
Under Queensland Government Information Standard 18: Information Security Principle 9, the University of Southern Queensland is required to ensure that a managed process, including documented plans, will be in place to enable the University of Southern Queensland information environment to be restored or recovered in the event of a disaster or major security failure.
The Division of ICT Services will manage Business Continuity in accordance with the University’s Business Continuity Policy and Framework. The Division of ICT Services in conjunction with the designated Corporate System Steward/Owners will establish processes to assess the risk and impact of information or system loss on University business operations in the event of a disaster or security failure.
These processes will be maintained and tested regularly to ensure the ongoing integrity, availability, and confidentiality of University information and systems.
3.3.9 Risk Management and Compliance
Under Queensland Government Information Standard 18: Information Security Principle 10, the University of Southern Queensland’s information security controls for all information processes, systems, and infrastructure must adhere to any legislative or regulatory obligations under which the University operates. The Division of ICT Services will conduct regular information security risk assessments, which will be used as input into the continuing development of information security plans.
These assessments will include:
physical security risks
deficiencies in personnel knowledge, training and practices
recorded security practices
Information and Communication Technology security.
Information security risks are threats that can impact on the availability, confidentiality, or integrity of information.
Following the identification of risk mitigation strategies, and changes to information security standards and procedures, there will be some residual information security risks where the University has elected to accept the risk by doing nothing, or the mitigation strategy has not completely eliminated the risk. These residual risks will be openly stated in the respective information security plans.
To avoid duplication of effort, the Division of ICT Services may combine information security risk assessments with other business operations-related risk assessments.
The Division of ICT Services will manage Risk Management in accordance with the University’s Risk Management Policy and Framework. Division of ICT Services risk assessments will be updated and reviewed on an annual basis.
The Division of ICT Services will create a number of mitigation strategies; broadly, these will be:
Preventative: Planned actions to reduce the likelihood a risk will occur.
Contingency: Planned actions to reduce the consequences of the risk if it does occur.
Many mitigation strategies are both preventative and contingent, while some mitigation strategies will have an impact on more than one risk.
Any residual risk remaining after the cost-effective mitigation strategies have been implemented will be identified.
3.3.10 Compliance
The Division of ICT Services will manage ICT compliance risks in accordance with the University’s Compliance Framework.
Through continuous improvement and the provision of education and training, the Division of ICT Services will foster communication and monitoring processes that ensure procedures are in place to achieve compliance, identify any gaps in current processes, and ensure that non-compliance is appropriately assessed and addressed.
3.4 Internet and Email Use
University of Southern Queensland employees and students may be provided with internet access (including email) for University purposes. University employees and students with internet access must recognise that responsibility and accountability for the security of University information and information systems/services is the shared responsibility of all clients.
All University employees and students with internet access are responsible for familiarising themselves with the relevant standards noted at section 3.5 Operational Security Management, and must understand and acknowledge that the general principles of law and community standards apply to communication and publishing via the internet.
In addition to disciplinary actions that may be taken by the University, employees and students must be aware that there are legal sanctions for the improper use of the internet, and that some uses may constitute a criminal offence.
University employees should also be aware that email is considered documents of the University for the purposes of the Right to Information Act 2009 (Qld).
3.4.1 Online Content Regulation Compliance
Pursuant to the requirements of the Broadcasting Services Act 1992, the University of Southern Queensland endorses and will support effective, practical and appropriate measures that assist the University and clients to manage Internet use.
3.4.1.1 Access by Minors
The University of Southern Queensland will take reasonable steps to ensure that restricted content is not accessible to minors (those under 18 years of age).
3.4.1.2 Content Takedown Notice
The University of Southern Queensland will have in place a procedure for receiving and responding to takedown notices (as defined in the Act) issued by the Government Authority or a third party organisation within the timeframe required under the Act.
3.5 Monitoring and Privacy
The Division of ICT Services routinely monitors traffic on networks. Logs obtained from monitoring operations are used for capacity planning, performance measurement, security, accountability, and evidentiary purposes.
Whilst the University of Southern Queensland respects the right to privacy of its employees and students, where there is abuse - or suspected abuse - of networks or network facilities and services, the University retains the right to inspect all University owned ICT devices, together with all files, messages, and logs contained on those devices, to investigate such abuse or suspected abuse.
By connecting a privately owned ICT device (including wireless or remote connection) to the University network, any University employee or student acknowledges that they will be bound by, and comply with, the terms and conditions of use of University of Southern Queensland ICT resources, as established in this policy and:
ICT Standard for the Use of ICT Resources
ICT Code of Practice for the Acceptable Use of ICT Resources
ICT Standard for Computer Passwords and System Access Controls
ICT Standard for Operational Security Management
ICT Standard for the Use of Electronic Mail
By connecting a privately owned ICT device (including wireless or remote connection) to the University of Southern Queensland network, any University employee or student acknowledges that the network traffic generated by a privately owned ICT device is generated in pursuit of University business only and that - while the traffic is traversing University networks - it is subject to the same right of inspection as traffic originating from University owned ICT devices.
3.6 Penalties and Discipline
Failure to comply with the terms of this policy may result in disciplinary action and process as determined according to the Student Discipline Policy for General Misconduct. Employee discipline is determined by University policy and procedure and employment contracts, as applicable.
Conduct in contravention of this policy may also constitute an offence or crime under relevant State and Commonwealth legislation, resulting in legal prosecution.
Irrespective of whether the violation is an internal (e.g. unauthorised access to information) or external (e.g. unauthorised remote access to the University of Southern Queensland network by a non-University employee or student), where the violation is considered a criminal offence, the police (Federal and State) will be informed. Where applicable, the Crime and Misconduct Committee will be advised.
3.7 Policy, Monitoring and Review
The Executive Director, ICT Services, or their delegate, is responsible for monitoring, reporting, and review of this policy. This officer shall ensure that:
this policy is reviewed at least once each calendar year
compliance with this policy is monitored/audited on a regular basis, as determined by risk assessment
effectiveness of this policy is reported as directed by the Executive Director, ICT Services, or delegate.
The review cycle will be dependent on a number of factors, including the level of risk and the rate of change.
Other triggers for reviewing this policy include:
changes to business operations, including the implementation of new systems
accommodation relocation and/or redevelopment
organisational change
occurrence of a significant incident that highlights an issue
emergence of new risks
changes to technologies.