Policy overview
- 1 Purpose
- 2 Scope
- 3 Policy Statement
- 4 Principles
- 4.1 Internal governance
- 4.2 External party governance
- 4.3 Information Security and Cyber Security
- 4.4 Policy, planning and governance
- 4.5 Recordkeeping and Information Privacy
- 4.6 Information Asset management
- 4.7 People Portfolio management
- 4.8 Physical and environmental management
- 4.9 Communications and operations management
- 4.10 Access management and passwords
- 4.11 System acquisition, development and maintenance
- 4.12 Incident management
- 4.13 Business continuity management
- 4.14 Compliance management
- 4.15 Penalties and discipline
- 4.16 Other considerations
- 5 References
- 6 Schedules
- 7 Policy Information
1 Purpose
To ensure that Information Security measures are in place, commensurate with the relevant Information Asset classification, to protect Information Assets, Information and Communication Technology (ICT) Assets and Information Systems within the University ICT environment against unauthorised use or accidental modification, loss or release; and to assist the University to mitigate any damage or liability arising from the use of these Information Assets and Information Systems for purposes contrary to the University's policies and relevant Regulatory Compliance Instruments.
2 Scope
This policy applies to all Employees, Researchers, University Members and Students (hereafter referred to as 'users') who have access to the University's Information Assets and related Information Systems.
3 Policy Statement
The University is committed to the management of risks associated with ICT Assets and Information Systems and the reduction of ICT security incidents. This policy provides the governance framework for Information management and security within the University and defines the University policy in all aspects of Information Security as stipulated under the relevant Information standards.
This policy aligns with:
- Higher Education Standards Framework (Threshold Standards) 2021: Standard 7.3 Information Management
4 Principles
4.1 Internal governance
Information Security governance arrangements are established and endorsed by the University ICT Strategy Board and assisted by other relevant University committees. The implementation, maintenance and control of operational Information Security is the responsibility of ICT Services. The ICT Cyber Security Committee is responsible for monitoring and recommending Information Security strategy, controls and associated operational security matters.
All Information System users are responsible for familiarising themselves with this policy and related policies and procedures, as appropriate to their role within the University. Effective communication of this ICT Information Management and Security Policy, and of all associated policies and procedures, forms part of this ongoing commitment to Information Security governance and is critical to ensuring that ICT Assets and Information Assets are protected from unauthorised use, accidental modification, loss or release.
In the event of a cyber breach such as, but not limited to, malware, computer hacking, ransomware, or denial of service attack, the Chief Information Officer is authorised to implement a range of measures, including removal of individual access to the network and removal of ICT Assets and ICT Systems from the network to minimise the risk of loss or misuse of Information Assets.
4.2 External party governance
The Chief Information Officer is delegated responsibility for ensuring that appropriate arrangements are established and documented so that third party ICT service level agreements, operational level agreements, hosting agreements or similar contracts clearly articulate the level of security required and are regularly monitored.
4.3 Information Security and Cyber Security
Information Security activities, including Cyber Security awareness, are concerned with the protection of Information from unauthorised use or accidental modification, loss or release. Information Security is based on the following five elements:
- Confidentiality - ensuring that Information is only accessible to those with authorised access
- Integrity - safeguarding the accuracy and completeness of Information and processing methods
- Availability - ensuring that authorised users have access to Information when required
- Compliant Use - ensuring that the University meets all Regulatory Compliance Instruments and contractual obligations
- Responsible Use - ensuring that appropriate controls are in place so that users have access to accurate, relevant and timely Information but that users of the University's ICT resources do not adversely affect other users or other Information Systems.
4.4 Policy, planning and governance
The University recognises the importance of, and demonstrates a commitment to, maintaining a robust University Information Security environment. The University at a minimum will reasonably:
- develop and implement an Information Security policy (this policy)
- develop and implement an Information Security Plan, ensuring alignment with the University business planning, general security plan and risk assessment findings
- establish and document Information Security internal governance arrangements (including roles and responsibilities) to implement, maintain and control operational Information Security within the University. Relevant information shall be provided as needed including provision of timely and relevant information to the University's senior executive and Council regarding Information Security matters
- establish, document and regularly monitor Information Security external governance arrangements to ensure that third party service level agreements and operational level agreements clearly articulate the level of security required.
4.5 Recordkeeping and Information Privacy
For the purposes of the University's records management System and Information management, the University is required to comply with multiple Regulatory Compliance Instruments, including but not limited to:
- Information Privacy Act 2009
- Public Records Act 2002
- Records Governance Policy
- Queensland Information Standard 18: Security.
The University will meet its data retention obligations under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (section 187) recognising that the University will rely on the 'immediate circle' exclusion for any relevant services provided only to persons who are 'inherently connected to the functions of the University'.
4.6 Information Asset management
The University has developed the Information Asset and Security Classification Procedure which establishes the process for classifying and handling University Information Assets based on their level of sensitivity, value and criticality to the University.
4.7 People Portfolio management
The University will implement measures to minimise the risk of loss or misuse of Information Assets by ensuring that Security Safeguards are incorporated into University People Portfolio management, including the development of supporting policies and processes. The University at a minimum will reasonably:
- implement induction and ongoing training and security awareness programs to ensure that all Employees are aware of and acknowledge this policy and related policies and procedures on Information Security and security responsibilities
- document and assign security roles and responsibilities where Employees have access to security classified Information or perform specific security related roles, and ensure that security requirements are addressed in recruitment and selection and in job descriptions
- develop and implement procedures for the separation of Employees from, or relocation within, the University.
4.8 Physical and environmental management
The University will apply measures to ensure that the level of physical controls implemented will minimise or remove the risk of equipment or Information being rendered inoperable or inaccessible, or being accessed, used or removed without authorisation. The University at a minimum will reasonably ensure that:
- building and entry controls for areas used in the processing and storage of security classified ICT Information are established and maintained, consistent with the Information Asset and Security Classification Procedure
- all ICT Assets that store or process Information are located in Secure Areas with control mechanisms in place to restrict access to authorised personnel only
- Policies, procedures and processes are implemented to monitor and protect the use and/or maintenance of Information Assets and mobile ICT Assets away from University premises
- Policies, procedures and processes are implemented for the secure disposal or reuse of ICT Assets, commensurate with the Information Asset's security classification level.
4.9 Communications and operations management
The University will ensure that operational procedures and controls are documented and implemented to ensure that all Information Assets and ICT Assets are managed securely and consistently, in accordance with the level of required security. The University at a minimum will reasonably ensure that:
- operational change control procedures and release management control procedures are implemented to ensure that changes to Information processing facilities or Systems are appropriately approved and managed
- System capacity is regularly monitored to ensure risks of System overload or failure, which could lead to a security breach, are avoided
- adequate controls are defined and implemented to mitigate the impact of threats and vulnerabilities to the network, including the prevention, detection, removal and reporting of malicious code attacks on all ICT Assets
- Systems maintenance processes and procedures, including operator and audit/fault logs, media handling procedures, Information backup procedures and archiving, are implemented
- methods for exchanging Information within the University, outside the University, through online services, and/or with third parties, will be consistent with the Queensland Government Information Security Classification Framework (QGISCF) and the Network Transmission Security Assurance Framework (NTSAF) and University policies and procedures
- confidentiality requirements and non-disclosure agreements reflecting the need to protect Information are identified and reviewed regularly, and are entered into in accordance with the University's Intellectual Property Policy and subordinate Procedures
- each Employee must use the University authorised and supplied communications methods, including electronic mail, when transacting official University business
- the Student Communication Policy and its related policies and procedures (the Handling Personal Student Information Policy and Procedure, the Student Communication Procedure and the Use of Electronic Mail Procedure) establish the framework for all electronic communications with Students.
4.10 Access management and passwords
The University will put in place control mechanisms based on business requirements, assessed/accepted risks, Information classification and Regulatory Compliance Obligations for controlling access to all Information Assets and ICT Assets. The University at a minimum will reasonably ensure that:
- access will be provided to users for the purpose of carrying out work, study or other activities as agreed with the University
- access will be granted on the 'least privilege' principle in which each user is granted the most restricted set of privileges needed for the performance of the relevant tasks
- authentication requirements, including on-line transactions and services, must be appropriate for the security classification of the Information
- access to the University network and Information Systems requires specific authorisation and each user must be assigned an individually unique personal identification code and secure means of authentication
- access to shared ICT Assets in teaching and research laboratories may be subject to shared access management rules as agreed by the University
- policies and/or procedures for user registration, authentication management, access rights and privileges are defined, documented and implemented for all ICT Assets
- 'restricted access' and 'authorised use only' warnings must be displayed upon access to all Systems which have this capability
- access to all emails, documents, University network, and Information Systems will be terminated upon departure from the University.
There is an obligation on Employees who are studying University Courses, who also have a level of administration access to related University Systems, to contact the Course Coordinator for the Course/s the Employee is studying to alert them to this fact. This also applies to Employees with relationships to Students studying University Courses resulting in a perceived, potential or actual conflict of interest, as identified in the Employee Conflict of Interest Procedure. During the course of their study, the Employee is not permitted to access the relevant Course environments, or applicable Systems, using their administrator access.
The University requires users to keep user-level passwords confidential and to change them immediately if they suspect that their password has been compromised.
Clear Desk and Clear Screen practices are required to reduce the risk of unauthorised access to, or damage to, Information Assets and ICT Assets.
4.11 System acquisition, development and maintenance
The University will apply measures to ensure that during System acquisition, development and maintenance, Security Safeguards will be established and will be commensurate with the security classifications of the Information contained within, or passing across, Information Systems, network infrastructure and applications. The University at a minimum will reasonably ensure that:
- security requirements are addressed in the specifications, analysis and/or design phases and internal and/or external audit are consulted when implementing new or significant changes to financial or critical business Information Systems
- Security Safeguards are established during all stages of System development, as well as when new Systems are implemented and maintained in the operational environment
- appropriate change control, acceptance and System testing, planning and migration control measures are carried out when upgrading or installing software in the operational environment
- a patch management program for operating Systems, firmware and applications of all ICT Assets is implemented to maintain vendor support, increase stability and reduce the likelihood of threats being exploited.
4.12 Incident management
The University will ensure the effective management of and response to Information Security incidents to maintain secure operations within the University. The University at a minimum will reasonably:
- establish and maintain an Information Security incident and response register and record all incidents
- ensure all Information Security incidents are reported and escalated (where applicable) through appropriate management channels and/or authorities
- ensure that incidents are investigated and that formal disciplinary processes are applied where applicable
- ensure responsibilities and procedures for the timely reporting of security events and incidents, including breaches, threats and security weaknesses, are communicated to all University Members.
4.13 Business continuity management
The University will ensure that a managed process, including documented plans, is in place to enable Information and ICT Assets to be restored or recovered in the event of a disaster or major security failure. The University at a minimum will reasonably:
- establish plans and processes to assess the risk and impact of the loss of Information and ICT Assets on University business in the event of a disaster or security failure and develop methods for reducing known risks to University Information and ICT Assets
- ensure business continuity Information and ICT Asset disaster recovery plans are maintained and tested to ensure Systems and Information are available and consistent with University business and service level requirements.
University Members should also refer to the Business Continuity Policy and Crisis Management Policy.
4.14 Compliance management
The University will implement practices to ensure compliance with, and appropriate management of, all Regulatory Compliance Instruments relating to Information Security. The University at a minimum will reasonably ensure that:
- all Information Security policies, procedures and processes, including contracts with ICT third parties, are reviewed for compliance on a regular basis
- all reporting obligations relating to ICT Security are complied with and managed appropriately
- all reasonable steps are taken to monitor, review and audit University Information Security compliance, including the engagement of internal and/or external auditors and specialist organisations where required.
University Members should also refer to the Policy Framework.
4.15 Penalties and discipline
Conduct in contravention of this policy may constitute a criminal offence under relevant State and Commonwealth legislation, resulting in legal prosecution. Where the violation is considered a criminal offence, the police (Federal and State) will be informed. Where applicable, the Director (Integrity and Professional Conduct) will also be advised.
This will be irrespective of whether the violation is internal (e.g. unauthorised access to Information), external (e.g. unauthorised remote access to the University network by a non-University Employee or Student), or where assistance is provided by a University Employee or Student to provide unauthorised access to the University network.
4.16 Other considerations
The University will make no warranty, explicit or implied, regarding the ICT services offered, nor their fitness for any particular purpose. Similarly, no responsibility can be accepted by the University or its Employees, for any damage arising directly or indirectly from the use of these services.
The responsibility for protecting ICT resources and services is shared with all users of those services. The University will make all reasonable efforts to protect University Members from possible ICT and computer-related dangers but cannot always protect University Members from all potential threats. The University cannot guarantee to protect an individual against exposure to material that may be offensive to them. University Members are warned that they may encounter or receive material that they find offensive.
5 References
Australian Government. (2015). Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. Canberra, Australia: Australian Government. Retrieved October 13, 2016, from https://www.comlaw.gov.au/Details/C2015A00039
Queensland Government Chief Information Office. Data Encryption Standard. Retrieved January 2024, from https://www.forgov.qld.gov.au/information-and-communication-technology/qgea-policies-standards-and-guidelines/data-encryption-standard
Queensland Government Chief Information Office. Queensland Government Authentication Framework (QGAF). Retrieved January 2024, from https://www.forgov.qld.gov.au/information-and-communication-technology/qgea-policies-standards-and-guidelines/queensland-government-authentication-framework-qgaf
Queensland Government Chief Information Office. Queensland Government Enterprise Architecture Framework 2.0. Retrieved January 2024, from https://www.forgov.qld.gov.au/__data/assets/pdf_file/0020/322607/queensland-government-enterprise-architecture-framework-2-0-v-1-0-0.pdf
Queensland Government Chief Information Office. Information Security Classification Framework (QGISCF). Retrieved January 2024, from https://www.forgov.qld.gov.au/information-and-communication-technology/qgea-policies-standards-and-guidelines/information-security-classification-framework-qgiscf
6 Schedules
This policy must be read in conjunction with its subordinate schedules as provided in the table below.
7 Policy Information
Accountable Officer | Deputy Vice-Chancellor (Enterprise Services) |
Responsible Officer | Deputy Vice-Chancellor (Enterprise Services) |
Policy Type | Executive Policy |
Policy Suite | Cloud Computing Use Inherent Risk Schedule |
Subordinate Schedules | |
Approved Date | 10/4/2024 |
Effective Date | 10/4/2024 |
Review Date | 14/12/2028 |
Relevant Legislation | Electronic Transactions (Queensland) Act 2001; Information Security Manual - ISM (Australian Government); Metadata Management Principles; Queensland Government Information Security Classification Framework (QGISCF); Procurement and Disposal of ICT Products and Services (IS13) Policy (Queensland Government); Information Security Policy (IS18:2018) (Queensland Government); General Retention and Disposal Schedule (GRDS) (Queensland Government); Information Asset Custodianship Policy (IS44) (Queensland Government); Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 |
Policy Exceptions | |
Related Policies | Acceptable use of ICT Resources Policy; Contract Management Policy (under development); Enterprise Architecture Policy; Enterprise Risk Management Policy; Handling Personal Student Information Policy and Procedure; Mobile Device and Service Policy; Official Information Policy and Procedure; Public Interest Disclosure Policy; Records and Information Management Policy; Research Code of Conduct Policy |
Related Procedures | Business Continuity and Crisis Management Procedure; Commercialisation of Intellectual Property Procedure; Contract Management Procedure (under development); Employee Conflict of Interest Procedure; Information Asset and Security Classification Procedure; Integrated Planning and Performance Procedure; Intellectual Property Procedure; Physical Security Infrastructure and Equipment Procedure; Records and Information Management Procedure; Recruitment, Selection and Appointment Procedure; Student Communication Procedure |
Related forms, publications and websites | Enterprise Information Management Framework (EIM Framework); Use of Copyright Materials Guideline (Queensland Government) |
Definitions | Terms defined in the Definitions Dictionary |
Council - The governing body, the University of Southern Queensland Council.
Course - A discrete element of a program, normally undertaken over a single Study Period, in which the Student enrols, and on completion of which the Student is awarded a grade.
Course Coordinator - Responsibilities of Course Coordinators include but are not limited to: Course planning, design and development; Course Specifications and alignment with Program Learning Outcomes; assessment design, implementation and marking; Course delivery and Student learning experiences by providing Student support; leadership and guidance of teaching teams; engagement with professional and accreditation bodies; ensuring currency of disciplinary and content knowledge and expertise; reflecting on evaluations for the purpose of quality enhancement of Courses.
Employee - A person employed by the University and whose conditions of employment are covered by the Enterprise Agreement, including persons employed on a continuing, fixed term or casual basis. Employees also include senior Employees whose conditions of employment are covered by a written agreement or contract with the University.
Behaviour or conduct which is contrary to expected Student conduct outlined in the Student General Conduct Policy.
Information - Any collection of data that is processed, analysed, interpreted, organised, classified or communicated in order to serve a useful purpose, present facts or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form.
Information Asset - An identifiable collection of data stored in any form and recognised as having value for the purpose of enabling the University to perform its business functions, thereby satisfying a recognised University requirement.
Information Security - Concerned with the protection of Information from unauthorised use or accidental modification, loss or release.
An individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a System within the University.
Information System - The organised collections of hardware, software, equipment, policies, procedures and people that store, process, control and provide access to information.
Regulatory Compliance Instrument - An external compliance instrument provided by legislation, regulation, standards, statutes or rules, including subordinate instruments.
Regulatory Compliance Obligation - An external obligation provided in Regulatory Compliance Instruments.
Researcher - Any person/s involved in Research Activities at, or on behalf of, the University. This includes, but is not limited to, Employees, Students, visiting scholars, research partners, research affiliates, and holders of Honorary or Adjunct positions.
Student - A person who is enrolled in a UniSQ Upskill Course or who is admitted to an Award Program or Non-Award Program offered by the University and is: currently enrolled in one or more Courses or study units; or not currently enrolled but is on an approved Leave of Absence or whose admission has not been cancelled.
University - The term 'University' or 'UniSQ' means the University of Southern Queensland.
University Members - Persons who include: Employees of the University whose conditions of employment are covered by the UniSQ Enterprise Agreement whether full time or fractional, continuing, fixed-term or casual, including senior Employees whose conditions of employment are covered by a written agreement or contract with the University; members of the University Council and University Committees; visiting, honorary and adjunct appointees; volunteers who contribute to University activities or who act on behalf of the University; and individuals who are granted access to University facilities or who are engaged in providing services to the University, such as contractors or consultants, where applicable.
Definitions that relate to this policy only | |
Clear Desk - Clearing desks at the end of each work day of all sensitive Information Assets, including documents and notes, business cards, and removable media (e.g. USB memory sticks), to reduce the risk of information theft, fraud, or a security breach caused by sensitive Information being left unattended and visible in plain view.
Clear Screen - Locking computers when leaving a desk unattended and logging off when leaving for an extended period of time, to ensure that the contents of the computer screen are protected from prying eyes and the computer is protected from unauthorised use.
Cyber Security - Measures relating to the confidentiality, availability and integrity of Information that is processed, stored and communicated by electronic or similar means. Source: Australian Government. (2016). Attorney-General's Department - Cyber security. Retrieved from https://www.ag.gov.au/RightsAndProtections/CyberSecurity/Pages/default.aspx
ICT Asset - All applications and technologies that are owned, procured and/or managed by the University. These include desktop and productivity tools, application environments, hardware devices and Systems software, network and computer accommodation, and management and control tools.
Public Record - Refer to Section 6 of the Public Records Act 2002. A public record is any form of recorded Information that provides evidence of the decisions or actions of a 'public authority' (in this case the University of Southern Queensland) in undertaking its business activities or in the conduct of its affairs. The Act includes all records (and Information) irrespective of the form, the custodial arrangements and the technology used to generate, manage, preserve and access records.
Secure Area - Provides the highest integrity of access to, and audit of, Security Classified Information Assets to ensure restricted distribution and to assist in subsequent investigation if there is unauthorised disclosure or loss of Information Assets.
The essential physical security features of a Secure Area include, but are not limited to:
Security Safeguards - Hardware, programs, procedures, policies and physical safeguards which are put in place to assure the integrity and protection of an Information Asset System, together with other forms of control including training.
System - A combination of Information Assets and ICT Assets supporting a business process.
Keywords | Information management and security |
Record No | 13/340PL |