
Information Security Rule


Section 1 - Overview and Scope

(1) These information security principles assist the University of New England (UNE) to achieve its goals and objectives safely, securely, and without disruption from a cyber-attack.

(2) These principles apply to all information systems and services provided by UNE including those delivered through third party service providers.


Section 2 - Principles

Principle 1 – Technology Resilience

(3) We observe this principle by:

  1. ensuring Information Systems meet a baseline of acceptable security controls;
  2. ensuring Information Systems are designed to limit the damage caused by unauthorised access;
  3. ensuring security supports a SaaS-first approach to information technology; and
  4. ensuring a risk-based and continuous improvement approach is followed to make security decisions.

Principle 2 – Standards Compliance

(4) We observe this principle by continually improving our compliance with:

  1. NSW Cyber Security Policy;
  2. Australian Cyber Security Centre Essential Eight;
  3. Open Group Information Security Management Maturity Model (ISM3); and
  4. NIST Cyber Security Framework as the standards guidance for security controls.

Principle 3 – Enable and Empower Business

(5) We observe this principle by:

  1. ensuring that we understand UNE goals, objectives, risks, and the attributes of security that ensure their success; and
  2. ensuring that security controls are designed to allow the business to operate safely and securely, and not to inhibit it.

Principle 4 – Identify and Manage Business Risk

(6) We observe this principle by:

  1. understanding the key information and information systems used by all the UNE functions;
  2. ensuring that the security risk introduced by information technology is visible at the level of UNE goals and objectives;
  3. proactively identifying issues in information technology through reviews, assessments and testing;
  4. ensuring that risk treatment plans are in place and effectively executed for all security risks rated medium and above; and
  5. ensuring our UNE Representatives and students are aware of the threats in cyberspace and how to avoid them.

Principle 5 – Situational Awareness

(7) We observe this principle by:

  1. understanding the external cyber threat landscape;
  2. managing our information systems asset inventory and understanding its attack surface;
  3. monitoring our networks and systems to detect anomalous and malicious activity; and
  4. scanning information systems for vulnerabilities.

Principle 6 – Shared Common Core

(8) We observe this principle by:

  1. maintaining a security reference architecture;
  2. establishing and managing common security services; and
  3. exercising security governance across information systems acquisition.

Section 3 - Quality Assurance

(9) The UNE Security Council exercises good governance of information security and ensures the effective application of this Rule and its principles.

(10) The Chief Information Officer (CIO) is accountable for managing information security at UNE.


Section 4 - Authority and Compliance

Authority

(11) The Vice-Chancellor and Chief Executive Officer (VC&CEO), pursuant to Section 29 of the University of New England Act 1993 (NSW), makes this Rule.

(12) The Policy Steward, the CIO, is authorised to make associated documents for the operation of this Rule, that are consistent with this Rule.

(13) Notwithstanding the other provisions of this Rule, the VC&CEO may approve an exception to this Rule where the VC&CEO determines the application of this Rule would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the VC&CEO under this clause must:

  1. be documented in writing;
  2. state the reason for the exception; and
  3. be registered in the approved UNE electronic Records Management System in accordance with the Records Management Rule.

Compliance

(14) UNE Representatives and students must observe this Rule in relation to information security at UNE. Non-compliance may be a breach of the Code of Conduct and/or Student Behavioural Misconduct Rules, and may be addressed under the disciplinary provisions of the relevant Enterprise Agreement for staff covered by an Enterprise Agreement, or the Student Behavioural Misconduct Rules for students.

(15) This Rule operates as and from the Effective Date. Previous information security Rules are replaced and have no further operation from the Effective Date.