Cyber and Information Security Rule

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Overview

(1) Information and Communication Technology (ICT) allows for greater accessibility, mobility, convenience, efficiency and productivity. The increasing dependency on ICT also brings with it a greater exposure to threats. The University is committed to establishing and maintaining a state of security to manage these threats and ensure the integrity, confidentiality and availability of its information resources and assets.

(2) The security of information and digital infrastructure is critical to the University. The purpose of information security is to protect and preserve the confidentiality, integrity, and availability of information. It also protects and preserves the authenticity and reliability of information, ensuring accountability.  

(3) The motivation and capability of malicious actors to conduct threat activity are increasing exponentially, and incidents have the potential to damage the University financially and through loss of reputation and confidence.

Section 2 - Scope

(4) This Rule applies to University Information irrespective of whether it is printed, electronic, intellectual (knowledge), or any other form of public, confidential, private and sensitive information or data; and the ICT infrastructure used to store, process or transmit the University Information.

(5) This Rule applies to UNE Representatives and Students.

Section 3 - Rule

Principles

(6) Given the level of sensitivity, value, and criticality the Information has to the University:

  1. all University Information, throughout its lifecycle, must be protected in a manner that is considered reasonable and appropriate;
  2. any Information System that stores, processes or transmits University Information must be secured in a manner that is considered reasonable and appropriate; and
  3. backups of University Information must be made as appropriate. Backups must be regularly tested to verify validity and completeness and be conducted in compliance with legislation and University rules, policies and procedures.

(7) UNE Representatives and Students have a responsibility to ensure University Information is not used, accessed, disclosed, destroyed, modified or disrupted, without appropriate authorisation.

(8) UNE Representatives and Students have a responsibility to ensure:

  1. University Information or Personal Information is not disclosed without proper verification of the identity of the requesting party;
  2. their passwords comply with the University's Password Policy;
  3. unattended equipment is secure;
  4. a clear desk and clear screen practice is observed; and
  5. when working off-site or travelling, that:
    1. mobile devices are physically secure;
    2. Information saved on mobile devices is secure;
    3. University Information cannot be observed by unauthorised persons; and
    4. conversations cannot be overheard by unauthorised persons.

Information Security Risk Management

(9) Information and information system owners must conduct information security risk assessments and, where appropriate, develop and implement controls and monitor and perform regular review of control effectiveness.

Operational Security Management

(10) Operating procedures must be documented, maintained and available as required and determined by legislation and University rules, policies and procedures.

(11) Changes to the University's information systems and network must be controlled through a formal change management process in accordance with the Information and Communications Technology Change and Release Management Procedure.

(12) Duties and areas of responsibilities must be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of University Information.

(13) Development, test and production facilities must be separated to reduce the risk of unauthorised access or changes to the systems.

Outsourced ICT Software and Services (including Cloud Services)

(14) Security controls, service definitions and delivery levels must be included in service delivery agreements and must be implemented, operated and maintained by the outsourced service provider.

(15) Outsourced services must be monitored, reviewed and audited by the delegated University contract manager:

  1. in compliance with the Contract; and
  2. consistent with the nature and assessed risk of the software and/or services being provided.

(16) The following tenets apply to privacy of information with respect to disclosure of personal information to an outsourced service provider. The outsourced service provider must define and document:

  1. data security and safeguards against misuse or loss, unauthorised access, use, or alteration;
  2. ongoing accessibility for the University and data subject;
  3. the legislative environment and governing data laws in the location where data is stored;
  4. who has control of data at the end of a contract;
  5. authorised data retention and disposal; and
  6. compliance with legislated requirements and the University's Privacy Management Rule.

Access Control

Physical

(17) Access to buildings, rooms and physical Information assets will be restricted in accordance with legislated requirements and University rules, policies and procedures.

Logical

(18) Granting, reviewing and revoking logical access must comply with the Identity Management Procedure.

Identification

(19) Any person, at any time, may be requested to give proof of identity by production of a UNE identification card or other form of evidence to confirm their entitlement to access UNE systems and infrastructure.

Access Rights

(20) An induction process for all UNE Representatives must be completed to ensure their awareness of their responsibilities with respect to the user access rights and privileged access rights they have been assigned.

(21) An exit process for all UNE Representatives separating from the University must be completed to ensure that all user access rights and privileged access rights have been revoked upon separation.

(22) A review of user access rights must be completed for UNE Representatives who change roles within the University, irrespective of whether or not that individual has moved to a role in another unit, department, School or directorate.

(23) Information System owners must complete and evidence a review of user access rights and privileged access rights annually. 

Privileged Account Management

(24) Privileges must be defined, documented and implemented.

(25) System administrator or super user privileges must not be assigned to an individual's user account. These privileges must only be assigned to a distinct administrative account or accessed temporarily via system facilities which require additional authentication such as "sudo".
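Clause (25) can be checked mechanically on Unix-like hosts. The following script is an added example (not part of this Rule and not a University tool) that audits two constructed inputs, a passwd-format account list and a simplified sudoers file, for the patterns the clause prohibits: a second UID 0 account, a sudo rule with NOPASSWD (elevation without the additional authentication the clause requires), and sudo granted to a personal account rather than a distinct administrative one. The "-adm" naming convention used to recognise administrative accounts is an assumption for this example; the sample data is constructed and does not describe any real system.

```python
"""Audit privilege separation against clause (25):
  - no account other than root may hold UID 0;
  - sudo rules must not use NOPASSWD (elevation must re-authenticate);
  - sudo must be granted to distinct admin accounts, not personal ones.
The sample inputs below are constructed for illustration only."""
from dataclasses import dataclass

# Constructed sample in /etc/passwd format (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
jsmith-adm:x:1002:1002:Jane Smith (admin):/home/jsmith-adm:/bin/bash
toor:x:0:0:second UID-0 account:/root:/bin/bash
"""

# Constructed simplified sudoers (no @include handling, no aliases).
SAMPLE_SUDOERS = """\
# Defaults
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL:ALL) ALL
jsmith      ALL=(ALL) NOPASSWD: ALL
jsmith-adm  ALL=(ALL:ALL) ALL
"""

# Assumed convention for this example: distinct admin accounts end in "-adm".
ADMIN_SUFFIX = "-adm"


@dataclass
class Finding:
    kind: str      # "uid0", "nopasswd" or "personal-sudo"
    subject: str   # account or sudoers subject the finding concerns
    detail: str


def parse_passwd(text):
    """Return a list of (name, uid) pairs from passwd-format text."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; ignore rather than guess
        accounts.append((fields[0], int(fields[2])))
    return accounts


def sudoers_rules(text):
    """Yield (subject, rule_text) for user rules; skip comments, Defaults,
    group rules (%group) and the root rule itself."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "Defaults")):
            continue
        subject = stripped.split()[0]
        if subject.startswith("%") or subject == "root":
            continue
        yield subject, stripped


def find_extra_uid0(accounts):
    """Any UID 0 account that is not root violates the single-root rule."""
    return [Finding("uid0", name, "account has UID 0 but is not root")
            for name, uid in accounts if uid == 0 and name != "root"]


def find_nopasswd(sudoers_text):
    """NOPASSWD removes the re-authentication step clause (25) relies on."""
    return [Finding("nopasswd", subject,
                    "sudo rule grants elevation without re-authentication")
            for subject, rule in sudoers_rules(sudoers_text)
            if "NOPASSWD:" in rule]


def find_direct_sudo_on_personal(sudoers_text, admin_suffix=ADMIN_SUFFIX):
    """sudo on an account that is not a distinct admin account."""
    return [Finding("personal-sudo", subject,
                    "sudo granted to a personal account, not a distinct admin account")
            for subject, _ in sudoers_rules(sudoers_text)
            if not subject.endswith(admin_suffix)]


def audit(passwd_text, sudoers_text):
    """Run all three checks and return the combined list of findings."""
    accounts = parse_passwd(passwd_text)
    return (find_extra_uid0(accounts)
            + find_nopasswd(sudoers_text)
            + find_direct_sudo_on_personal(sudoers_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SUDOERS):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

On the constructed data the audit reports three findings: `toor` as a second UID 0 account, and `jsmith` twice, once for the NOPASSWD rule and once for holding sudo on a personal account. To run the same checks against a real host, read `/etc/passwd` and the output of `sudo -l` or `visudo -c` into the two text arguments; the parser here deliberately does not follow sudoers `@include` directives or resolve aliases, so treat its result as a first pass rather than a complete review.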

(26) Passwords for administrative privileged accounts must comply with the Password Policy.

Monitoring and Auditing

(27) Information systems, network access and use must be logged, monitored, reviewed, audited and evidenced.

Incident reporting and management

(28) All information security incidents must be reported and managed in accordance with the Information Security Incident Reporting and Management Procedure.

Media Security

(29) All media must be secured as appropriate given the level of sensitivity, value and criticality the Information has to the University.

(30) Network and infrastructure security, including (but not limited to) use of the network, appropriate authentication, and segregation in networks, will be managed in accordance with legislated requirements and University rules, policies and procedures.

Encryption

(31) Secure encrypted protocols, such as HTTPS, SSH and SFTP, must be used to secure all communication involving sensitive data, such as web-based login forms or communications of personally identifiable private information, to protect it from interception.

(32) Certificates must be procured in accordance with the Procurement of SSL and End User Certificates Procedures.

(33) Appropriate encryption must be used when electronically transferring University Information to recipients outside of the University.

Disposal

(34) All Media must be disposed of in accordance with the University's Asset Disposal Process.

(35) All University Information must be disposed of in accordance with legislated requirements and University rules, policies and procedures.

Authority and Compliance

(36) The Vice-Chancellor and Chief Executive Officer, pursuant to Section 29 of the University of New England Act, makes this University Rule.

(37) UNE Representatives, Students and Approved Users and Entities must observe it in relation to University matters.

(38) The Rule Administrator is the Chief Information Officer who is authorised to make procedures and guidelines for the operation of this University Rule. The procedures and guidelines must be compatible with the provisions of this Rule.

(39) This Rule operates as and from the Effective Date.

(40) Previous policy on Information Technology Security and related documents are replaced and have no further operation from the Effective Date of this new Rule.

(41) Notwithstanding the other provisions of this University Rule, the Vice-Chancellor and Chief Executive Officer may approve an exception to this Rule where the Vice-Chancellor and Chief Executive Officer determines the application of the Rule would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor and Chief Executive Officer under this clause must be documented in writing and must state the reason for the exception. 

Section 4 - Definitions

For the purposes of this document the following definitions apply.

(42) Authentication means verifying the identity of a user, process or device as a prerequisite to allowing access to resources in a system.

(43) Availability means the assurance that systems are accessible and useable by authorised users when required.

(44) Confidentiality means the assurance that information is disclosed only to authorised users.

(45) Integrity means the assurance that information has been created, amended or deleted only by intended, authorised means.

(46) Information means printed, written, electronic, intellectual (knowledge), or any other form of confidential, private and sensitive information or data.

(47) Information System means hardware and software used for the processing, storage or communication of information.

(48) Logical access control means limiting connections to computer networks, system files and data.

(49) Media means hardware that is used to store information and includes (but is not limited to):

  1. mobile devices:
    1. laptops;
    2. phones;
    3. tablets;
    4. portable hard drives;
    5. USB memory devices;
    6. CDs and DVDs, etc.; and
    7. backup tapes;
  2. desktop computers;
  3. printers, faxes and copiers; and
  4. servers.

(50) Information Security Incident means a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.

(51) Information Security Event means an identified occurrence of a system, service or network state indicating a possible breach of information security or failure of safeguards, or a previously unknown situation that may be security relevant.

(52) Approved Users and Entities means individuals and entities to whom the University has given explicit permission to utilise the University's ICT infrastructure for either a definite or indefinite period.

(53) Privileged Account means a login ID on a system or application which has more privileges than a normal user. Privileged accounts are normally used by system administrators to manage the system, or to run services on that system, or by one application to connect to another.