Information Technology Security Rule

Section 1 - Rationale and Scope

(1) The University of New England (UNE) acknowledges an obligation to ensure appropriate security for all Information Technology (IT) data, equipment, and processes in its domain of ownership and control. This obligation is shared, to varying degrees, by every member of the university.

(2) UNE's IT resources are a valuable University asset and must be managed accordingly to ensure their integrity, security and availability for lawful educational purposes. This document is intended as a high-level security policy statement for use by all University staff, students and users of the University's information technology resources.

(3) The purpose of this policy is to ensure:

  1. The provision of reliable and uninterrupted IT services;
  2. The integrity and validity of data;
  3. An ability to recover effectively and efficiently from disruption; and
  4. The protection of all the University's IT assets including data, software and hardware.

(4) This document will:

  1. Enumerate the elements that constitute IT security;
  2. Explain the need for IT security;
  3. Specify the various categories of IT data, equipment, and processes subject to this policy;
  4. Indicate, in broad terms, the IT security responsibilities of the various roles in which each member of the university may function;
  5. Indicate appropriate levels of security through standards and guidelines; and
  6. Outline the scope of IT Security.

Section 2 - Policy

Domains of Security

(5) This policy will deal with the following domains of security:

  1. Computer system security: CPU, peripherals, operating system. This includes data security.
  2. Physical security: The premises occupied by the IT personnel and equipment.
  3. Operational security: Environment control, power equipment, operational activities.
  4. Procedural security by IT, vendor, management personnel, as well as ordinary users.
  5. Communications security: Communications equipment, personnel, transmission paths, and adjacent areas.

Reasons for IT Security

(6) Confidentiality of information is mandated by common law, formal statute, explicit agreement, or convention. Different classes of information warrant different degrees of confidentiality.

(7) The hardware and software components that constitute the University's IT assets represent a sizable monetary investment that must be protected. The same is true for the information stored in its IT systems, some of which may have taken huge resources to generate, and some of which can never be reproduced.

(8) The use of University IT assets in a manner, or for a purpose, other than that for which they were intended represents a misallocation of valuable university resources, and possibly a danger to its reputation or a violation of the law.

(9) Finally, proper functionality of IT systems is required for the efficient operation of the university. Some systems, such as the HR, Finance, Student Administration, and Library systems are of paramount importance to the mission of the university.

Roles and Responsibilities

Policy Management

(10) Approval of the IT Security Policy is to be undertaken by the University of New England Council on the recommendation of the Vice-Chancellor and Chief Executive Officer.

Policy Implementation

(11) Each member of the university will be responsible for meeting published IT standards of behaviour as outlined in the "Rules for the Use of Information & Communication Facilities & Services".

(12) IT security of each system will be the responsibility of its custodian.

(13) Regular Risk Assessments on IT security will be done by custodians and reported as required to the Director Audit and Risk.

Custodians

(14) University information must be protected against unauthorised access, tampering, loss and destruction in a way that is consistent with applicable laws and with its significance to University activities. In practice this information is segregated into logical collections of records and data held in IT systems and applications. To fulfil this objective, each collection of information must be associated with a "Custodian" who is charged with the protection and management of the information held by the respective system.

  1. IT will be the custodian of all strategic system platforms.
  2. IT will be the custodian of the strategic communications systems.
  3. IT will be the custodian of all central computing laboratories.
  4. IT will be the custodian of all central audiovisual equipment.
  5. Directorates, Offices and Units will be custodians of strategic applications under their management control (e.g. Finance, HR, and Library).
  6. Faculties, Schools, Offices, or Units will be custodians of all non-strategic systems under their ownership.
  7. Individuals and IT will be custodians of desktop, mobile and personal computing systems under their control.

(15) Custodians must assess and report on risks to IT security for the systems or applications they are responsible for, in accordance with UNE approved risk policy and procedures.

All Users

(16) Users must operate under the "Principles" and "Policy" in the "Rules for the Use of Information & Communication Facilities & Services".

(17) Users must comply with the "Principles" and "Policy" in the "Rules for the Use of Information & Communication Facilities & Services" and other IT and general policies such as the "Code of Conduct for Staff" and "Communication Policy".

(18) Users are responsible for the proper care and use of IT resources under their direct control.

(19) Users must use "hard to guess" passwords in accordance with the "General Password Policy".

(20) Users are required to report any IT security breaches or risks to ITD management or UNE senior management.

University Services

(21) It is recognized that various sections of the university provide services that relate to IT security, both directly and indirectly. It is expected that there will be collaboration between these sections and IT in generation of standards and implementation of the policy. Some of these sections and their services are:

  1. Human Resources: Personnel selection, induction, and exit-processing.
  2. Registrar: Policies concerning information confidentiality/privacy.
  3. Campus Services: Physical building security.
  4. Library: Copyright and Intellectual Property.
  5. Finance: Financial transactions.

Standards and Guidelines

(22) Standards and guidelines related to this policy assist ordinary users and system custodians to meet their IT security responsibilities. These standards and guidelines are an integral part of this university's IT Security Policy and therefore define it in detail.

(23) These Standards and Guidelines will appear under the following classifications:

  1. Personal behaviour.
  2. Strategic systems.
  3. Desktop (personal) systems.
  4. School-based non-strategic systems.

Documents

(24) This policy is enunciated by the following documents. The documents are split into two sections. Basic policies apply to all users, whereas the advanced policies apply to specific groups within the University and may not apply to ordinary users.

Basic policies for all users (Staff & Students)

  1. IT Security Policy.
  2. General Password Policy
  3. Personal Mobile computing policy
  4. P2P file-sharing policy
  5. Standards and Guidelines for All Users of University Computing and Network Facilities
  6. Standards and Guidelines for Desktop Computers
  7. Audit Vulnerability Scan Policy

Advanced policies for custodians, system owners and application developers

  1. General Server Security Policy
  2. Change Management Policy
  3. Change Management Procedure
  4. Standards and Guidelines for Non-Strategic Systems
  5. Standards and Guidelines for Strategic Systems

Related policies and procedures

(25) The following documents are related to this policy:

  1. UNE Code of Conduct for Staff.
  2. AARNet Access & Acceptable Use Policy
  3. Communications Charging - Internet Services Procedure
  4. Communication Policy
  5. Disk Space Allocation Procedure
  6. Email List Policy
  7. Email Procedure
  8. Forum & Blog Procedure
  9. ITD Infrastructure Maintenance Window Procedure
  10. Information and Communications Infrastructure Policy
  11. Modem Charging Procedure
  12. Network Registration Procedure
  13. Rules for the Use of Information & Communication Facilities & Services
  14. Standard Operating Environment Policy
  15. Student Computer Laboratories Procedure
  16. Training Computer Laboratory Procedure
  17. User Registration Procedure
  18. Web Publishing, Content and Online Applications Policy

Changes

(26) The IT Security Policy is a "living" document that will be altered as required to deal with changes in technology, applications, procedures, legal and social imperatives, perceived dangers, etc.

  1. Major changes will be made in consultation with Council, and with the approval of the Vice-Chancellor and Chief Executive Officer.
  2. Minor changes will be approved by the Director Information Technology of the University.

Section 3 - Definitions

(27) Security can be defined as "the state of being free from unacceptable risk".

(28) The risk concerns the following categories of losses. The potential causes of these losses are termed "threats"; threats may be human or non-human, natural, accidental, or deliberate.

  1. Confidentiality of Information.
  2. Integrity of data.
  3. Efficient and appropriate use.
  4. System availability.

(29) These are defined as:

  1. Confidentiality of information refers to the privacy of personal or corporate information. This includes issues of copyright.
  2. Integrity of data refers to the accuracy of data. Loss of data integrity may be gross and evident, as when a computer disc fails, or subtle, as when a character in a file is altered.
  3. The assets that must be protected include:
    1. Computer and Peripheral Equipment.
    2. Communications Equipment.
    3. Computing and Communications Premises.
    4. Power, Water, Environmental Control, and Communications utilities.
    5. Supplies and Data Storage Media.
    6. System Computer Programs and Documentation.
    7. Application Computer Programs and Documentation.

(30) Efficient and Appropriate Use ensures that University IT resources are used for the purposes for which they were intended, in a manner that does not interfere with the rights of others.

(31) Availability is concerned with the full functionality of a system (e.g. finance or payroll) and its components.