Information Security Policy

Section 1 - Overview and Scope

(1) This policy supports the Information Security function of the University of New England (UNE) to ensure that information security is effective across all functions of the University, providing staff, students and visitors with a safe and secure environment in which to work and study, free from disruption caused by malicious activity inside or outside the University.

(2) Within this policy:

Section 2 - Policy

Part A - Security responsibilities of UNE Representatives and students

Key Tenet: People are often the targets of cyber attacks

(3) The key targets for cyber attacks are often people. We strive to ensure all

(4) To reduce the risk of harm to UNE's information assets and people, this policy must be followed by all

Staying Safe in Cyberspace

There are criminals in cyberspace who will try to illegally access your UNE account. They look for ways to gain access to your personal information, including your date of birth, credit card and bank account details and Tax File Number (TFN).

Cyber attackers send emails containing links or attachments that look legitimate but, when opened, leave you vulnerable to having your information stolen, destroyed or held for ransom. If it looks suspicious, don't click on it until you know it is legitimate.

Don't share information that you don't have to. You may be asked to provide your account credentials because "there's a problem with your account". A legitimate business will not ask for this. Many business and social websites also try to extract as much information from you as they can and then on-sell these lists, which scammers can use to craft legitimate-sounding attacks. Be careful what information you share.

WiFi connections in public spaces such as cafes and hotels are frequently not secure. Attackers can set up legitimate-sounding WiFi network names that they use to capture your information, such as logins and passwords.

Complete the UNE security awareness training and refreshers. This will help keep you safe and up to date on the steps you can take to protect yourself in cyberspace.

(5) Security awareness for

Part B - Security responsibilities of Application and Service Owners

(6) Application and service owners are the

UNE information systems

(7) UNE information systems are at risk of attack, from within UNE or externally, at both the infrastructure and the application level. Effective management of information systems security is critical to ensuring these risks are mitigated.

(8) Responsibility for the security management of information systems outside the scope of Technology and Digital Services (TDS) is recorded in the technology asset register.

(9) The principles for managing information systems security are defined in the Information Security Rule.

Table 1: UNE information systems security management responsibilities

Information system components / Responsibility (TDS)

Infrastructure
    Associate Director (Cloud Infrastructure Services)

Databases, platforms and data repositories
    Associate Director, Data Services

UNE laptop and workstation fleet
    Associate Director (Client Services)

Business applications
    Deputy Chief Information Officer

Outsourced services and software as a service (SaaS)

(10) Information technology and communications service providers must provide evidence of their certification to the International Organization for Standardization's standard for Information Security Management Systems (ISO/IEC 27001, of the ISO 27000 family), or an equivalent security standard, or such other evidence as agreed by the authorised responsible officer defined in Table 1.

(11) Information security requirements must be included as non-functional requirements in information technology and communications product and service contracts.

Part C - Management of the information security function

Key Tenet: An effectively managed information security function is essential to the success of the strategic plan

(12) The effective management of information security is necessary for the success of the University's strategic plans. The maturity and performance of the information security function must be measured for it to be managed effectively.

(13) The adoption of the Open Group Information Security Management Maturity Model (ISM3) provides the standards and processes necessary for an effective security function, and the means of measuring its maturity and performance. This has been interpreted for the University as its "Information Security Management Framework". Executing these standards will enable measurement of the performance and maturity of the information security function.

Reporting

(14) The maturity and performance of UNE's information security function will be measured and reported through self-assessment at Security Council meetings.

(15) The maturity and performance of UNE's information security function will be assessed annually by an independent expert, and the outcomes and identified improvement opportunities reported to the final Security Council meeting of the year.

Section 3 - Authority and Compliance

Authority

(16) The Vice-Chancellor and Chief Executive Officer, pursuant to Section 29 of the University of New England Act 1993 (NSW), makes this University policy.

(17) The Policy Steward, the Chief Information Officer, is authorised to make procedures, consistent with this policy, for the operation of this policy.

Compliance

(18)

(19) This policy is consistent with the NSW Cyber Security Policy.

(20) This policy operates as and from the

(21) Notwithstanding the other provisions of this policy, the Vice-Chancellor and Chief Executive Officer may approve an exception to this policy where the Vice-Chancellor and Chief Executive Officer determines that applying this policy would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor and Chief Executive Officer under this clause must:

Section 4 - Quality Assurance

(22) These guidelines are supported by the oversight of the Security Council, and the following activities:

Quality assurance activity / measure; Reporting

Security awareness is quality assured through embedded testing in the training courses.
    Reporting: automated reporting to People and Culture.

The management of the information security function is both self-assessed and independently measured.
    Reporting: to the Security Council, with maturity and performance reported.