1. Background Information
2. Policy Purpose
3. Policy Documentation
4. Application of Policy
   - 4.1 Access Control
   - 4.2 Digital Messaging
   - 4.3 Communications and Operation Management
   - 4.4 Physical and Environmental Security
   - 4.5 System Acquisition, Development and Maintenance
   - 4.6 Supplier Relationships
   - 4.7 Information Security Incident Management
   - 4.8 Information Security aspects of Business Continuity Management
   - 4.9 Compliance Management
5. Policy Principles
   - 5.1 University Responsibilities
   - 5.2 User Responsibilities
   - 5.3 Managers and Supervisors
   - 5.4 System and Technology Managers
6. Risk Assessment and Treatment
7. Information Classification
8. Roles and Responsibilities (associated with this policy)
   - 8.1 Approval Authority
   - 8.2 Governing Authority
   - 8.3 Responsible Officer
9. Policy Review
10. Glossary of Terms
1. Background Information
Information security is the protection of information and supporting systems from a wide range of threats in order to ensure business continuity, minimise operational risk, and maximise return on investments and operational opportunities. This document sets out the Australian Catholic University (ACU) policy statement for use by all members of the ACU community.
The policy is directly aligned with the Information Security Industry standard AS/NZS ISO/IEC 27002:2013(E) Information technology - Security techniques - Code of practice for information security management. Relevant sections from this standard are directly referenced in this document.
2. Policy Purpose
Data, Information and the underlying technology systems are essential assets to ACU and provide vital resources to staff and students and consequently need to be suitably protected.
Information security is achieved by implementing a suitable set of controls (based on risk profile), including policies, processes, procedures, organisational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that specific security and University objectives are met.
The University is committed to providing a secure, yet open information environment that protects the integrity and confidentiality of information without compromising access and availability.
The purpose of the Information Security policy is to:
- Set out the security requirements that ACU must meet in order to manage the Confidentiality, Integrity, Availability and Privacy of University owned data and information.
- Ensure the University can meet its obligations with applicable laws, regulations, and standards.
3. Policy Documentation
This policy is expressed by documents that are split into two sections: the Policy, and its accompanying Procedures for compliance with the Policy.
Each section is subject to review and change as needed. Additional sections may be added.
4. Application of Policy
This policy applies to all information that is electronically generated, received, stored, printed, filmed, or keyed; and to the IT applications and systems that create, use, manage and store information and data. The policy covers the following areas:
4.1. Access Control
Objective: To limit access to information and information processing facilities in support of business requirements.
4.2. Digital Messaging
Objective: To establish and maintain the protocol for using Digital Messaging in all its forms, including the security aspects of information transfer within the University and with any external entities.
4.3. Communications and Operation Management
Objective: To ensure the protection of information and the secure operations of networks and supporting processing facilities.
4.4. Physical and Environmental Security
Objective: To prevent unauthorised physical access, damage and interference to the University's information and information processing facilities.
4.5. System Acquisition, Development and Maintenance
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This includes information systems that provide services over public networks.
4.6. Supplier Relationships
Objective: To ensure protection of the University's information assets that are accessible by Service Providers.
4.7. Information Security Incident Management
Objective: To ensure a consistent and effective approach to the management of information security incidents, including security events and vulnerabilities.
4.8. Information Security aspects of Business Continuity Management
Objective: To ensure information security continuity is embedded in business continuity plans and management processes.
4.9. Compliance Management
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security.
Formal processes and procedures covering these key areas are set out in the Procedures section of this Policy.
The provisions of this policy apply to all ACU students and staff (including temporary agents and staff engaged under contract). This policy includes, but is not limited to:
- University information in any form, including print, electronic, audio, video, and backup and archived data. This includes computer systems, peripheral devices, software applications, databases, middleware and operating systems;
- Physical premises occupied by the personnel and equipment;
- Operational environments including power supply and related equipment;
- Processes and Procedures; and
- Transmission of Communications and related pathways.
5. Policy Principles
This Information Security Policy defines the principles for establishing effective security measures to ensure the Confidentiality, Integrity, Availability and Privacy of University information. The Policy also covers the continued availability of information and the Information Environment to support University business activities, including the implementation of appropriate controls to protect information from intentional or accidental disclosure, manipulation, modification, removal or copying.
The following principles outline the minimum standards that guide the University's Information Security processes and procedures and must be adhered to by all members of the ACU community.
5.1. University Responsibilities
The University is responsible for safeguarding the ACU Information Environment and Information Resources against security threats. The University discharges its responsibilities through the following, together with the set of measures outlined in the Procedural section of this Policy:
- Defining roles and responsibilities and establishing clear lines of accountability;
- Protecting the University's information assets against internal and external threats (e.g. security breach, loss of data);
- Ensuring that the University complies with applicable laws, regulations, and standards;
- Identifying and treating security risks to the University's information environment through appropriate physical, technical and administrative channels; and
- Developing best practices for effective Information Security across the University.
5.2. User Responsibilities
- Users must abide by all relevant laws and all University policies.
- Users are expected to take responsibility for developing an adequate level of information security awareness, education, and training to ensure appropriate use of the information environment.
- Users may only access information needed to perform their authorised duties.
- Users are expected to determine and understand the classification of the information to which access has been granted through training, other resources or by consultation with the relevant supervisor or the Data Steward.
- Users must protect the confidentiality, integrity and availability of the University's information as appropriate for the information classification level.
- Users may not in any way divulge, copy, release, sell, loan, alter or destroy any information, except as authorised by the relevant University delegate.
- Users must safeguard any physical key, ID card or computer/network account that enables access to University information. This includes maintaining appropriate password creation and protection measures as set out in the password composition guidelines.
- Any activities considered likely to compromise sensitive information must be reported to the relevant supervisor or to the University IT Security Officer.
- Users are obliged to protect sensitive information even after separation from the University.
5.3. Managers and Supervisors
In addition to complying with the requirements listed above for all staff and contractors, managers and supervisors must:
- Ensure that departmental procedures support the objectives of confidentiality, integrity and availability defined by the Data Stewards, and that those procedures are followed.
- Ensure that restrictions are effectively communicated to those who use, administer, capture, store, process or transfer the information in any form, physical or electronic.
- Ensure that each staff member understands his or her information security related responsibilities.
5.4. System and Technology Managers
In addition to complying with the stated policy requirements defined for all staff, contractors, managers and supervisors, system and information environment managers are responsible for:
- Ensuring adequate security for computing and network environments that capture, store, process and/or transmit University information;
- Ensuring that the requirements for confidentiality, integrity and availability as defined by the appropriate Data Steward are being appropriately managed within their respective environments;
- Understanding the classification level of the information that will be captured by, stored within, processed by, and/or transmitted through their technologies; and
- Developing, implementing, operating and maintaining a secure information environment that includes:
  - A cohesive architecture;
  - System implementation and configuration standards;
  - Procedures and guidelines for administering network and system accounts and access privileges in a manner that satisfies the security requirements defined by the Data Stewards; and
  - An effective strategy for protecting information against generic threats posed by computer hackers that adheres to industry-accepted "information management best practices" for the system or service.
6. Risk Assessment and Treatment
Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the operational damage likely to result from security failures.
The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls to protect against these risks.
Responsibilities for Risk Assessment and Treatment are clearly defined in the University's Risk Management Policy and Procedures.
7. Information Classification
ACU information is classified under four broad classification headings:
- Internal Restricted
- Internal Protected
- Internal General
- Public Access
The Information Governance Policy sets out the access rights, roles and responsibilities of ACU staff in relation to the management and protection of information. Further detail about the classification of information is listed in the Definition and Terms section of this document.
8. Roles and Responsibilities (associated with this policy)
8.1. Approval Authority
The Vice-Chancellor is the Approval Authority for this policy.
8.2. Governing Authority
The Information Communication Technology Advisory Committee is the Governing Authority and the Chief Operating Officer is the Chair of the Committee.
8.3. Responsible Officer
The Director, Information Technology is the Responsible Officer.
Specific responsibilities associated with this policy include monitoring compliance with the Information Security Policy.
9. Policy Review
| Date | Major or Minor Revision | Description of Revision(s) |
|---|---|---|
| 10/11/2014 | Major | Final Information Security Policy Draft v4.0 |
10. Glossary of Terms
To establish operational definitions and facilitate ease of reference, the following terms are defined as they relate specifically to this Policy.
Access Control – is the selective restriction of access to the ACU information environment and/or ACU information resources.
Authorisation – is the function of specifying access rights to information resources.
Availability – refers to ensuring that information assets are available for their intended use.
Confidentiality – of information assets refers to limiting information access and disclosure to authorised users, and preventing access by or disclosure to unauthorised ones.
Data or Institutional Data – a general term used to refer to the University's information resources and administrative records which can generally be assigned to one of four categories:
- Public access data – data that is openly available to all staff, students, and the general public.
- Internal general data – data used for University administration activities and not for external distribution unless otherwise authorised.
- Internal protected data – data that is only available to staff with the authorised access needed to perform their assigned duties.
- Internal restricted data – data that is of a sensitive or confidential nature and is restricted from general distribution. Special authorisation must be approved before access or limited access is granted.
Data Steward – is a Member of the Executive who oversees the capture, maintenance and dissemination of data for a particular Organisational Unit. Data Stewards are responsible for assuring that the requirements of the Data Governance Policy and the Data Governance Procedures are followed within their Organisational Unit. Data Stewards also have delegated responsibility for information assets, including defined responsibilities for determining appropriate classifications of information, defining access rights and ensuring that information asset risks are identified and managed.
One or more Data Managers may be defined for an information asset, with some responsibility for operation of the asset delegated by the data steward.
An Information Asset – is any set of information or part of the Information Infrastructure critical to the functioning of the University. Every information asset has a delegated system owner.
The Information Environment – includes the buildings, permanent installations, information services, fixtures, cabling, and capital equipment that comprise the underlying system within or by which the University:
- Generates, stores, transmits, manages, uses, analyses, or accesses information; or
- Transmits communication.
Information Resources – a general term used to refer to the University's information resources and administrative records; the term is intended to include information and data (structured or unstructured) stored in print, digitally, or in any other format.
- Structured Information usually refers to data captured and stored in University Enterprise systems, databases and spreadsheets.
- Unstructured Information, as it refers to this Policy, is all information that cannot be easily classified to fit within the structured area. Photographs, graphic images, video, webpages, PDF files, PowerPoint presentations, emails, blog entries, wikis and word processing documents fall within the unstructured area.
Information security – is the set of measures by which the University seeks to treat risks to the confidentiality, integrity and availability of its information assets.
Information security risk – measures the potential loss of an asset's confidentiality, integrity or availability. A risk is defined by the combination of a threat, a vulnerability and an impact: a threat exploiting a vulnerability results in an impact. Risks can be accepted (if the cost of treating the risk outweighs the cost of the impact), mitigated (by applying appropriate controls) or transferred (through insurance).
Integrity or data integrity – refers to the accuracy and consistency of data over its entire life-cycle.
Member of the Executive – is defined as the positions that normally report to either the Vice-Chancellor or a Member of the Senior Executive and that hold an area of responsibility published on the University's Organisational chart.
A Password – is a word or string of characters used for user authentication to prove identity in order to gain access to a resource.
A Passphrase – is a sequence of words or other text used to control access to a computer system, program or data where this functionality is available. A passphrase is similar to a password in usage, but is generally longer for added security.
Privacy – The University will comply with all current Privacy-related legislation, in particular The Privacy Amendment (Private Sector) 2000 (the Privacy Act).
Quality or data quality – refers to the validity, relevancy and currency of data.
Security – refers to the safety of University data in relation to the following criteria:
- Access control;
- Effective incident detection, reporting and solution;
- Physical and virtual security; and
- Change management and version control.
Senior Executive Group or SEG (also Member of the Senior Executive) – is the peak senior strategic forum of ACU. The Vice-Chancellor chairs the SEG; membership of the group comprises the Provost/Deputy Vice-Chancellor (Academic); Chief Operating Officer/Deputy Vice-Chancellor; Deputy Vice-Chancellor (Research); and Deputy Vice-Chancellor (Students, Learning & Teaching).
Standards (mandatory) and guidelines (recommended practices) – will be published as attachments to this policy to assist users, system owners and data stewards to meet their IT security responsibilities. These standards and guidelines, though presented as attachments, are an integral part of this university's Information Security Policy.
A threat – is any technological, natural, or man-made cause of harm to an information asset.
A vulnerability – is a weakness in the security of an information asset that might be exploited by a threat, such as a software bug, unlocked room or well-known or readily identifiable password.
- Governing Authority: Information Communication Technology Advisory Committee (ICTAC)
- Responsible Officer: Director, Information Technology
- Date of Last Revision: 01/11/2014
- Date of Policy Review *: 01/11/2017
* Unless otherwise indicated, this policy will still apply beyond the review date.
Related Policies, Procedures, Guidelines and Local Protocols
- Acceptable Use of IT Policy
- Code of Conduct for All Staff
- AARNet Access Policy
- Copyright and Moral Rights
- Data Governance Policy
- Information Security Procedure
- Intellectual Property Policy
- Policy on Policy Development
- Records and Archives Policy
- Records Retention and Disposal Schedule
- Risk Management Policy
- Telecommunications Usage Policy
Page last updated: 2017-06-26
Short url: http://www.acu.edu.au/policy/798569