Cyber and Information Security Rule

This is not a current document.

Section 1 - Overview

(1) Information and Communication Technology (ICT) allows for greater accessibility, mobility, convenience, efficiency and productivity. The increasing dependency on ICT also brings with it a greater exposure to threats. The University is committed to establishing and maintaining a state of security to manage these threats and ensure the integrity, confidentiality and availability of its information resources and assets.

(2) The security of information and digital infrastructure is critical to the University. The purpose of information security is to protect and preserve the confidentiality, integrity and availability of information. It also protects and preserves the authenticity and reliability of information, ensuring accountability.

(3) The motivation and capability of malicious actors to conduct threat activity are increasing exponentially, with incidents having the potential to damage the University financially and through the loss of reputation and confidence.

Section 2 - Scope

(4) This Rule applies to University Information irrespective of whether it is printed, electronic, intellectual (knowledge), or any other form of public, confidential, private and sensitive information or data, and to the ICT infrastructure used to store, process or transmit the University Information.

(5) This Rule applies to

Section 3 - Rule

Principles

(6) Given the level of sensitivity, value and criticality the Information has to the University:

(7)

(8)

Information Security Risk Management

(9) Information and information system owners must conduct information security risk assessments and, where appropriate, develop and implement controls, monitor them and perform regular reviews of control effectiveness.

Operational Security Management

(10) Operating procedures must be documented, maintained and available as required and determined by legislation and University rules, policies and procedures.

(11) Changes to the University's information systems and network must be controlled through a formal change management process in accordance with the Information and Communications Technology Change and Release Management Procedure.

(12) Duties and areas of responsibility must be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of University Information.

(13) Development, test and production facilities must be separated to reduce the risk of unauthorised access or changes to the systems.

Outsourced ICT Software and Services (including Cloud Services)

(14) Security controls, service definitions and delivery levels must be included in service delivery agreements and must be implemented, operated and maintained by the outsourced service provider.

(15) Outsourced services must be monitored, reviewed and audited by the delegated University contract manager:

(16) The following tenets apply to privacy of information with respect to disclosure of personal information to an outsourced service provider. The outsourced service provider must define and document:

Access Control

Physical

(17) Access to buildings, rooms and physical Information assets will be restricted in accordance with legislated requirements and University rules, policies and procedures.

Logical

(18) Granting, reviewing and revoking logical access must comply with the Identity Management Procedure.

Identification

(19) Any person, at any time, may be requested to give proof of identity by production of a UNE identification card or other form of evidence to confirm their entitlement to access UNE systems and infrastructure.

Access Rights

(20) An induction process for all

(21) An exit process for all

(22) A review of user access rights must be completed for

(23) Information System owners must complete and evidence a review of user access rights and privileged access rights annually.

Privileged Account Management

(24) Privileges must be defined, documented and implemented.

(25) System administrator or super user privileges must not be assigned to an individual's user account. These privileges must only be assigned to a distinct administrative account or accessed temporarily via system facilities which require additional authentication, such as "sudo".

(26) Passwords for administrative privileged accounts must comply with the Password Policy.

Monitoring and Auditing

(27) Information systems, network access and use must be logged, monitored, reviewed, audited and evidenced.

Incident reporting and management

(28) All information security incidents must be reported and managed in accordance with the Information Security Incident Reporting and Management Procedure.

Media Security

(29) All media must be secured as appropriate given the level of sensitivity, value and criticality the Information has to the University.

Encryption

(30) Network and infrastructure security, including (but not limited to) the use of the network, appropriate authentication and segregation in networks, will be managed in accordance with legislated requirements and University rules, policies and procedures.

(31) Secure encrypted protocols, such as HTTPS, SSH and SFTP, must be used to secure all communication involving sensitive data, such as web-based login forms or communications of personally identifiable private information, to protect it from interception.

(32) Certificates must be procured in accordance with the Procurement of SSL and End User Certificates Procedures.

(33) Appropriate encryption must be used when electronically transferring University Information to recipients outside of the University.

Disposal

(34) All Media must be disposed of in accordance with the University's Asset Disposal Process.

(35) All University Information must be disposed of in accordance with legislated requirements and University rules, policies and procedures.

Authority and Compliance

(36) The Vice-Chancellor and Chief Executive Officer, pursuant to Section 29 of the University of New England Act, makes this University Rule.

(37)

(38) The Rule Administrator is the Chief Information Officer, who is authorised to make procedures and guidelines for the operation of this University Rule. The procedures and guidelines must be compatible with the provisions of this Rule.

(39) This Rule operates as and from the

(40) Previous policy on Information Technology Security and related documents are replaced and have no further operation from the

(41) Notwithstanding the other provisions of this University Rule, the Vice-Chancellor and Chief Executive Officer may approve an exception to this Rule where the Vice-Chancellor and Chief Executive Officer determines the application of the Rule would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor and Chief Executive Officer under this clause must be documented in writing and must state the reason for the exception.

Section 4 - Definitions

For the purposes of this document the following definitions apply.

(42) Authentication means verifying the identity of a user, process or device as a prerequisite to allowing access to resources in a system.

(43) Availability means the assurance that systems are accessible and usable by authorised users when required.

(44) Confidentiality means the assurance that information is disclosed only to authorised users.

(45) Integrity means the assurance that information has been created, amended or deleted only by intended, authorised means.

(46) Information means printed, written, electronic, intellectual (knowledge), or any other form of confidential, private and sensitive information or data.

(47) Information System means hardware and software used for the processing, storage or communication of information.

(48) Logical access control means limiting connections to computer networks, system files and data.

(49) Media means hardware that is used to store information and includes (but is not limited to):

(50) Information Security Incident means a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.

(51) Information Security Event means an identified occurrence of a system, service or network state indicating a possible breach of information security or failure of safeguards, or a previously unknown situation that may be security relevant.

(52) Approved Users and Entities means individuals and entities to whom the University has given explicit permission to utilise the University's ICT infrastructure for either a definite or indefinite period.

(53) Privileged Account means a login ID on a system or application which has more privileges than a normal user. Privileged accounts are normally used by system administrators to manage the system, or to run services on that system, or by one application to connect to another.