(1) The University of New England (UNE) acknowledges an obligation to ensure appropriate security for all Information Technology (IT) data, equipment, and processes in its domain of ownership and control. This obligation is shared, to varying degrees, by every member of the university.
(2) UNE's IT resources are a valuable University asset and must be managed accordingly to ensure their integrity, security and availability for lawful educational purposes. This document is intended as a high-level security policy statement for use by all University staff, students and users of the University's information technology resources.
(3) The purpose of this policy is to ensure:
(4) This document will:
(5) This policy will deal with the following domains of security:
(6) Confidentiality of information is mandated by common law, formal statute, explicit agreement, or convention. Different classes of information warrant different degrees of confidentiality.
(7) The hardware and software components that constitute the University's IT assets represent a sizable monetary investment that must be protected. The same is true for the information stored in its IT systems, some of which may have taken huge resources to generate, and some of which can never be reproduced.
(8) The use of University IT assets other than in the manner and for the purpose for which they were intended represents a misallocation of valuable university resources, and possibly a danger to its reputation or a violation of the law.
(9) Finally, proper functionality of IT systems is required for the efficient operation of the university. Some systems, such as the HR, Finance, Student Administration, and Library systems, are of paramount importance to the mission of the university.
(10) Approval of the IT Security Policy is to be undertaken by the University of New England Council on the recommendation of the Vice-Chancellor.
(11) Each member of the university will be responsible for meeting published IT standards of behaviour as outlined in the "Rules for the Use of Information & Communication Facilities & Services".
(12) IT security of each system will be the responsibility of its custodian.
(13) Regular Risk Assessments on IT security will be done by custodians and reported as required to the Director, Audit and Risk.
(14) University information must be protected against unauthorised access, tampering, loss and destruction in a way that is consistent with applicable laws and commensurate with its significance to University activities. In practice this information is segregated into logical collections of records and data held in IT systems and applications. To fulfil this objective, each collection of information must be associated with a "Custodian" who is charged with the protection and management of the information held by the respective system.
(15) Custodians must assess and report on risks to IT security for the systems or applications they are responsible for, in accordance with UNE-approved risk policy and procedures.
(16) Users must operate under the "Principles" and "Policy" in the "Rules for the Use of Information & Communication Facilities & Services".
(17) Users must comply with the "Principles" and "Policy" in the "Rules for the Use of Information & Communication Facilities & Services" and other IT and general policies such as the "Code of Conduct for Staff" and "Communication Policy".
(18) Users are responsible for the proper care and use of IT resources under their direct control.
(19) Users must use hard-to-guess passwords in accordance with the "General Password Policy".
(20) Users are required to report any IT security breaches or risks to ITD management or UNE senior management.
(21) It is recognised that various sections of the university provide services that relate to IT security, both directly and indirectly. It is expected that these sections will collaborate with IT in the generation of standards and the implementation of the policy. Some of these sections and their services are:
(22) Standards and guidelines related to this policy assist ordinary users and system custodians to meet their IT security responsibilities. These standards and guidelines are an integral part of this university's IT Security Policy and therefore define it in detail.
(23) These Standards and Guidelines will appear under the following classifications:
(24) This policy is set out in the following documents. The documents are split into two sections: basic policies apply to all users, whereas the advanced policies apply to specific groups within the University and may not apply to ordinary users.
(25) The following documents are related to this policy:
(26) The IT Security Policy is a "living" document that will be altered as required to deal with changes in technology, applications, procedures, legal and social imperatives, perceived dangers, etc.
(27) Security can be defined as "the state of being free from unacceptable risk".
(28) The potential causes of these losses are termed "threats". These threats may be human or non-human, natural, accidental, or deliberate. The risk concerns the following categories of losses:
(29) These are defined as:
(30) Efficient and Appropriate Use ensures that University IT resources are used for the purposes for which they were intended, in a manner that does not interfere with the rights of others.
(31) Availability is concerned with the full functionality of a system (e.g. finance or payroll) and its components.