(1) This guideline supports the Information Technology Policy and procedures by guiding the University's information security practices regarding the confidentiality, integrity, and availability of all information and communication technology (ICT) infrastructure, systems and processes. It aims to:
(2) The following principles underpin and inform the implementation of these guidelines:
(3) This part describes the University’s information security management framework.
(4) Information security responsibilities are defined and allocated in accordance with the Information Technology Policy.
(5) The Chief Information and Digital Officer has overall responsibility for information security within the University. Further details about what this responsibility involves, and the role of Division of Information Technology (DIT) staff, are provided in Appendix B - Risk Management.
(6) System and asset custodians have responsibilities for protecting individual assets and for carrying out specific information security processes. Responsibilities for information security risk management activities and acceptance of residual risk are as per the Risk Management Policy and procedures.
(7) Roles and areas of responsibility are segregated to reduce the risk of unauthorised or inappropriate activity.
(8) The University aims to comply with the NSW Cyber Security Policy.
(9) The University complies with:
(10) The DIT ICT Security Team engages with special interest groups, specialist security forums and professional associations including:
(11) Information security must be integrated into the University's project management methods to ensure that information security risks are identified and addressed throughout all stages of a project. Refer to the DIT Project Security Considerations Guide.
(12) This part guides how University staff and other authorised users should be supported to ensure they understand and comply with their ICT security responsibilities.
(13) All employees and authorised users undertaking work for the University must handle the University's information in accordance with the Code of Conduct and/or the terms of the relevant contract or agreement.
(14) Where appropriate to the nature of the role:
(15) During the employment or engagement with the University, authorised users must be aware of:
(16) Awareness, education, and training in security procedures and the correct use of information processing facilities will be provided to all authorised users to minimise possible information security risks.
(17) Management responsibilities defined in position descriptions include responsibility for the security of information assets that the relevant organisational unit owns or uses. This includes ensuring that authorised users:
(18) Access rights must be reviewed by system custodians to ensure that permissions remain appropriate to an individual’s role and responsibilities. Reviews must be conducted in accordance with the University's defined access review requirements.
(19) All authorised users must undertake mandatory ICT security training in accordance with the Information Technology Procedure - Acceptable Use and Access. For employees, training in information security awareness, obligations and disciplinary processes is undertaken during induction and annually thereafter.
(20) Where appropriate to the nature of the role and work done, system and asset custodians should ensure:
(21) Managers must ensure that when authorised users depart the University or change roles, the user’s exit or change is managed, all equipment and information assets are returned, and access rights are removed.
(22) Where appropriate, the departing authorised user will be reminded of continuing nondisclosure obligations after leaving.
(23) The communication of exit or role change responsibilities should include:
(24) This part supports the integrity of the University's information assets, to ensure that data confidentiality is maintained when equipment or services are established, replaced, decommissioned or serviced, or in relation to storage media handling, control and disposal.
(25) Business critical ICT assets must be identified and maintained in the appropriate asset register – Applications Portfolio, Data Assets Register or Infrastructure Assets Register.
(26) Asset custodians must be assigned for all ICT assets and be recorded within the respective asset register.
(27) Asset custodians are required to:
(28) The Information Technology Procedure - Acceptable Use and Access defines:
(29) All authorised users must return all University assets in their possession upon termination of their employment, contract or agreement. The termination process should be formalised in accordance with Part C and should include the return of all previously issued software, corporate documents and ICT equipment. This includes:
(30) In cases where an authorised user has University operational knowledge, that information should be documented and transferred to the University. Where the authorised user plays a role in information security plans (e.g. incident response procedure or contingency plan), the respective plans must be updated accordingly.
(31) Sensitive information must be removed from any information system equipment that has been used for University business prior to its disposal, donation or re-use.
(32) Disposal of equipment should be undertaken as per the Information Technology Procedure – Purchasing and Disposal.
(33) The Information Classification and Handling Procedure requires information assets to be protectively marked into one of four classifications. The way the data is handled, published, moved and stored depends on this scheme. See also the Data Access Form.
(34) The use of removable media, including USB storage devices, must be restricted to minimise the risk of data loss, unauthorised access or malware introduction:
(35) Data stored on removable media must be classified by the relevant data or business custodian, in accordance with the Information Classification and Handling Procedure.
(36) All computer media must be disposed of securely and safely when no longer required. Refer to the Information Technology Procedure - Purchasing and Disposal.
(37) University information must only be disposed of when its retention requirements have been met, in accordance with the Records Management Policy and Records Management Procedure.
(38) Physical media containing data that is no longer required must be either:
(39) For hard-copy materials, acceptable methods of disposal include shredding, incineration, and pulping.
(40) This part details access control requirements for information and/or information processing facilities.
(41) Business requirements for access control must be defined and documented:
(42) Authorised users are provided with a unique user ID and a password for access to any aspect of the University's ICT systems.
(43) Shared, generic or group user IDs and/or passwords must not be created or used. Conference accounts must be restricted to internet access only.
(44) Authorised users are allocated access rights and permissions that correspond with the tasks they are expected to perform, in accordance with the Information Technology Procedure - Acceptable Use and Access. Access rights should be role-based (e.g. a user account is added to a group that has been created with the access permissions required by that job role).
(45) Temporary access to the University's network and/or computer systems can be requested via the Temporary Access Administration System, and must include a declaration by the account supervisor that appropriate checks have been carried out and correct authorisation obtained prior to temporary access account creation.
(46) When an employee departs the University under normal circumstances, standard processes are triggered by the human resources management system and implemented by the University’s approved identity and access management platform(s) to remove their access from managed ICT systems.
(47) User accounts will initially be suspended or disabled only, not deleted. User account names should not be reused, as this may cause confusion in the event of a later investigation.
(48) User access management controls must ensure that inactive or dormant accounts are identified and addressed in accordance with defined inactivity thresholds.
(49) User accounts must be actively managed to reduce the risks associated with prolonged inactivity.
(50) The University provides secure remote access services that allow authorised users to work from a remote worksite. Appropriate controls must be implemented to authorise and control remote work activities.
(51) Direct remote access using personal computing devices must be approved by the Manager, Infrastructure and provisioned via the IT Service Desk.
(52) Use of remote access services is logged and recorded, including the user’s name and logon/logoff times.
(53) Vendor access to the University's computer systems is granted solely for the work commissioned and for no other purpose.
(54) Vendors must comply with all applicable University policies, standards and agreements, and vendor agreements and contracts should specify:
(55) Approval for vendor remote access should be sought via the system custodian or relevant manager.
(56) Privileged level access will be monitored and logged as per the ‘Privileged access rights’ heading below.
(57) Before accessing University information systems, and unless covered by an existing contract or agreement, an authorised representative of the vendor must sign DIT's Vendor Security, Privacy, Copyright and Confidentiality Agreement Form.
(58) For vendors using a generic University account for remote access, contracts or agreements must include a requirement to inform the University of vendor staff moves and changes. Passwords must be changed as per the Information Technology Procedure - Passwords.
(59) On a regular basis (at least twice a year), asset and system custodians will be required to review and document who has access to their areas of responsibility and the level of access in place. This identifies:
(60) As part of the evaluation process for new or significantly changed systems, requirements for effective access control should be addressed and appropriate measures implemented.
(61) These should consist of a comprehensive security model that includes support for, but is not limited to:
(62) As part of the selection of cloud service providers specifically, the following access-related considerations must be observed:
(63) Addressing these requirements as part of the selection process will ensure that the provisions of this document can be met in the cloud, as well as within on-premise systems.
(64) Privileged access rights, such as those associated with administrator-level accounts, must be identified for each system or network and tightly controlled:
(65) Identified system or application custodians are responsible for approving or granting privileged access rights, and the authorisation level of those rights.
(66) Day-to-day management of privileged access rights is the responsibility of the delegated system or application administrator.
(67) The activity of privileged accounts must be monitored and logged, including but not limited to:
(68) Logs should be protected from unauthorised access and modification.
(69) Privileged accounts should be subject to more frequent review and stricter inactivity thresholds due to their elevated risk profile.
(70) Users are bound by the Information Technology Procedure - Passwords. Quality and complex passwords must be enforced, with the quality and complexity of passwords created by users enforced by controls in the password management system.
(71) Access to information and application system functions must be restricted in accordance with the Information Technology Procedure - Acceptable Use and Access. All information that is sensitive, critical, and/or valuable must have system access controls to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.
(72) User privileges must be defined so that ordinary users cannot gain access to, or otherwise interfere with, either the individual activities or the private data of other users.
(73) Access to operating systems must use a secure logon process, with physical access to business information system hardware restricted.
(74) If any part of the logon sequence for a computer or data communications system is incorrect, the user must only be given feedback that the entire logon process was incorrect.
(75) Every logon screen for multi-user computers must include a special banner stating that:
(76) A formal password management system must be enforced. This password management system must include various password controls such as, but not limited to:
(77) Information systems must not use vendor-supplied defaults for system passwords and other security passwords.
(78) Users are bound by the University Information Technology Procedure - Passwords, which requires users to follow industry best security practices in the selection and usage of passwords.
(79) All information system tools and utilities that may be used to cause significant damage and/or override systems must automatically be restricted to authorised users for their intended usage purposes.
(80) Access to program source code must be restricted to authorised employees and agents, on a need-to-know basis only.
(81) Only University-managed personal computing devices are given privileged network access to critical University information systems. Non-University-managed mobile devices will only be given privileged network access where approved by the Chief Information and Digital Officer or nominee.
(82) Policies and supporting security measures should be adopted to manage the risks introduced by using managed devices. Appropriate controls must also be implemented to protect against the risks of working with mobile computing facilities used in unprotected environments.
(83) All managed and non-managed mobile devices containing sensitive information must employ storage encryption for all files.
(84) The University provides selected authorised users with portable computer equipment so that they may perform their jobs at remote locations.
(85) This part supports the proper and effective use of cryptography to protect the confidentiality of information in the event of unauthorised access or interception.
(86) Data classified as highly sensitive and/or confidential/private should be encrypted in transit over the internet as well as in storage.
Deciding whether a cryptographic solution is appropriate must be part of the wider process of risk assessment and selection of controls, and should determine:
(87) Specialist advice should be sought from the ICT Security Team to:
(88) If encryption technology is in use, key management must be in place, including key management policies and procedures to ensure that all cryptographic keys are protected against:
(89) For keys used for the encryption of sensitive and/or critical data against disclosure and misuse, key management policies and procedures should include:
(90) This part sets out physical security requirements for the University, such as computer room requirements, guarding, physical locks, and the security structure of all relevant premises within the offices of the University.
(91) The University must define and use an appropriate security perimeter to protect areas such as data centres, which contain information processing facilities. Perimeter security barriers such as walls, card-controlled entry gates and/or manned reception desks should be utilised depending on the level of physical security required.
(92) Data centre physical security must be reviewed at least annually.
(93) Remote data centre physical entry controls are governed by the data centre operator contracted to the University to provide data centre services.
(94) On-campus physical entry controls are governed by the Facilities and Premises Procedure - Access, Use and Security.
(95) Access to offices, computer rooms, or work areas containing sensitive and/or critical information must be physically restricted, with access only provided to those with a valid business need. Authorised user access lists must be periodically reviewed, with access revoked for individuals no longer requiring access.
(96) Documented processes and/or procedures for assigning identification cards to onsite authorised users and visitors define the processes for
(97) Authorised users who can access the identification card generation and/or access control system(s) are documented and periodically reviewed.
(98) Visitor logs for data centres and secure areas must be retained for at least three months and contain the:
(99) All authorised users must wear an identification badge on their outer clothing when in data centres and/or facilities that store sensitive and/or critical University data. This identification must be clearly visible and must distinguish onsite authorised users from visitors.
(100) Employees must not permit unknown or unauthorised users access through doors, gates, and/or other entrances to restricted and/or sensitive areas.
(101) Controlled areas should be created to protect offices, rooms, and facilities that should not be open to general or public access. All employees must ensure doors to sensitive areas, rooms, and/or information processing facilities are locked when not in use, preventing unauthorised access. Physical and/or logical controls must be implemented restricting access to publicly accessible network connection points.
(102) Information systems must be housed in a secure manner, protected from external and environmental threats to the premises. Such threats include, but are not limited to:
(104) Additional controls and guidelines for working in sensitive areas must be used to enhance the security provided by the physical controls protecting the secure areas. Access to sensitive areas must be authorised and based on individual job functions, with access revoked immediately upon termination.
(105) Delivery and loading areas should be controlled and, where possible, isolated from information processing facilities to avoid unauthorised access.
(106) On-premise equipment must be located and/or protected to reduce the risks from environmental threats, hazards, and opportunities for unauthorised access.
(107) Physical access to networking and/or communications hardware must be restricted by appropriate physical controls. All business critical production computer systems, including but not limited to servers, firewalls, proximity access control systems, and/or voice mail systems, must be physically located within a secure data centre.
(108) Authorised users who detect tampering with and/or substitution of devices are encouraged to report this. Training should be provided on how to:
(109) Key ICT equipment must be protected from power failures, surges and other electrical anomalies. Uninterruptible power supply (UPS) systems, line conditioners, electrical power filters, and/or surge suppressors must be used for business critical ICT infrastructure.
(110) Critical supporting utilities must be tested on a regular basis to ensure equipment has adequate capacity, in accordance with the manufacturer’s recommendations.
(111) Power and telecommunications cabling carrying data and/or supporting information services must be protected from interception or damage. Installation and maintenance of power and telecommunication cabling must follow current industry security standards.
(112) Equipment sent off-site for maintenance purposes must have any sensitive or confidential information erased to ensure the confidentiality and integrity of information.
(113) Users must ensure that unattended equipment has appropriate protection and/or security controls. If the computer system to which an authorised user is connected contains sensitive information, the authorised user must not leave their personal computer, workstation, or terminal unattended without locking it or logging out.
(114) Unless information is in active use by authorised users, desks must be clear and clean during non-working hours, with sensitive information locked away.
(115) Operations security aims to:
(116) Operating procedures for information systems must be documented and maintained. Operating procedures must include, but not be limited to:
(117) Non-standard changes to information processing facilities and systems must be documented and controlled via the University Change Advisory Board (CAB). Extensions, modifications, and/or replacements to production software and hardware must be performed only when approval from the CAB has been received prior to the proposed change window start time.
(118) A change control procedure for all changes is defined and includes the:
(119) Risk assessments and/or vulnerability assessments must be conducted when implementing new systems or making significant changes to existing systems.
(120) Adequate rollback procedures must be developed for all changes to production systems, ensuring that in the case of a change failure, information processing can be promptly restored to the state prior to the most recent change.
(121) All changes to information processing facilities must be communicated to all relevant authorised users. Changes to the environment may also trigger the requirement to perform specific security tests, including but not limited to vulnerability assessments and penetration tests, confirming that the changes made have not inadvertently degraded the security profile of the University.
(122) Capacity demands must be monitored, with projections of future capacity requirements made to ensure that adequate processing power, storage and other required resources are available.
(123) Facilities and functions used in the development of computing solutions, notwithstanding their respective testing, must strictly be kept separate from production systems.
This is to reduce the likelihood of accidental and/or unauthorised changes to production systems, which could subsequently create operational problems and/or compromise the University's related information.
(124) Separation can be achieved through physical or logical separation, appropriate to the sensitivity of the information and/or functions of the system concerned.
(125) Detection and prevention controls to protect against malware, and appropriate user awareness procedures, must be implemented. Approved anti-malware software must be deployed across the University network to all systems, remain enabled, and receive regular definition updates and scanning.
(126) Anti-malware solutions and/or other appropriate controls should also be implemented and configured to prevent or detect the use of:
(127) Anti-malware mechanisms must be confirmed as actively running and cannot be disabled or altered by users unless specifically authorised by management on a case-by-case basis for a limited period.
(128) Systems that are malware-infected must be disconnected from the network until the anti-malware software has been updated and all malware eradicated.
(129) Appropriate content filtering mechanisms must be deployed to protect all user-initiated connections. Formal measurement and reporting procedures must also be implemented to record the number and severity of actual or suspected malicious code incidents.
(130) The University must ensure backup facilities are provided and used. Backup strategies are developed in collaboration with system custodians and contain copies of essential business information and software. All sensitive, valuable, and/or critical information recorded on backup computer media and stored outside University offices must be given an appropriate level of physical and environmental protection. Backup and restore procedures must be securely and adequately documented.
(131) Critical business information and critical software archived on computer storage media for prolonged periods must be tested at least annually, providing assurance that such data can be completely and efficiently recovered.
(132) Refer to Appendix C for backup details.
(133) Audit logs must be produced for business critical systems, showing:
(134) Audit trails must be retained for at least one year. Audit trails must be implemented to link all system component access to each individual user. For event reconstruction, audit trails should contain event information that may include, but is not limited to:
(135) Audit trail entries recorded for all system components for each event must contain, but not be limited to:
(136) All system and application logs must be maintained and stored securely in a form that cannot be accessed by unauthorised users. Anyone authorised to access logs must have a demonstrable need for access to perform their regular duties, or as otherwise approved by the appropriate authority.
(137) Audit trails must be secured and promptly backed up to a centralised log server or to media that is difficult to alter. Only individuals with job-related needs may have access to view audit trail files.
(138) Log information should be exported to a security information and event monitoring solution for automated analysis, alerting and actioning.
(139) Administrator and operational staff activities must be logged, and the logs retained for at least one year, with a minimum of three months available online. These logs must be subject to regular and independent checks.
(140) Time synchronisation technology such as the Network Time Protocol (NTP) must be used to synchronise all critical system clocks, dates, and times.
(141) Operational program libraries must only be updated by nominated administrators or system custodians with appropriate authorisation.
Configuration management processes should be used to track and control all implemented software and related system documentation. Changes to operational systems must undergo the formal change management processes.
(142) Systems and processes must be in place to collect information about information system technical vulnerabilities. New security vulnerabilities should be identified using reputable outside information sources.
(143) The University’s exposure to these vulnerabilities must be evaluated and appropriate measures taken to address the associated risk.
(144) All patches and security updates should be pushed out in a formalised and secure manner.
(145) For internet-accessible web applications, new threats and vulnerabilities must be addressed on an ongoing basis and the applications protected against known attacks. Automated technical solutions that detect and prevent web-based attacks (e.g. a Web Application Firewall (WAF)) should be installed in front of public-facing web applications to provide continual checks of all traffic and generate alerts where applicable.
(146) Processes to review the security of public-facing web applications must be undertaken using either manual or automated tools or methods. These processes must be documented and reviewed:
(147) Such web applications must be re-evaluated after remediation actions.
(148) An authorised user shall not introduce software or technology designed to disrupt, corrupt or destroy programs and/or data, or sabotage University ICT facilities, as per the Information Technology Procedure - Acceptable Use and Access.
(149) Access rights for the installation of software should follow the principle of least privilege.
(150) Operational system audits must be planned and agreed upon to minimise the risk of disruptions to business processes. Audit requirements, scope and access (other than read-only) must be authorised and adequate resources provided.
Procedures, requirements and responsibilities should be documented, with all access monitored and logged.
(151) This part ensures the protection of information in networks and supporting information processing facilities.
(152) Controls must be implemented to achieve and maintain performance, reliability and security in networks, including information in transit. Firewalls must be installed at each internet connection, between any de-militarised zone (DMZ) and/or intranets, and between any wireless network.
(153) Configuration standards must be documented, implemented, updated and referenced for the installation and administration of all firewalls and routers. Rule sets and/or access control lists (ACLs) of firewalls and/or routers must be reviewed at least every six months. Configuration standards must include a description of groups, roles, and responsibilities for management of network components. They must also include a list of all services, protocols and ports necessary for business, including business justifications for protocols considered to be insecure.
(154) All data transmitted over open public networks must be secured using strong cryptography and security protocols, including but not limited to TLS (transport layer security) and/or IPsec. A process should also be specified for:
(155) Configurations and related parameters on all hosts attached to the University network must comply with current policies and standards. Security risk assessments must be conducted as part of network design processes, with such assessments carried out when introducing new network services or making significant changes to existing services.
(156) All administrative access must be encrypted using security protocols, including but not limited to SSH (Secure Shell), VPN, or TLS. This applies to both web-based management and other administrative access. Responsibilities and procedures for the management of the network must also be established and documented.
(157) Network diagrams and configurations, including connections to other systems and networks, must be maintained and kept current. Network diagrams must identify all connections between the environments containing critical and/or sensitive data and other networks, including any wireless networks.
(158) For critical business systems, methods to obscure IP addressing must be in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet. Such methods may include, but are not limited to:
(159) Personal firewall software must be installed and active on any managed or non-managed device used to access the University’s network infrastructure that also connects to the Internet when outside the University network. Personal security software must not be alterable by users of managed or non-managed devices. Security policies and operational procedures for managing firewalls should be documented, in use, and known to all affected parties.
(160) Clear descriptions of security attributes, service levels and management requirements for all network services used by the University must be provided, including service level agreements and monitoring for services provided in-house or outsourced.
(161) Controls must be implemented in networks to segregate groups of information services, users and information systems. Security risk assessments must be conducted as part of network design processes, with such assessments carried out regularly on data networks.
(162) When transferring confidential or private information outside the University, procedures and controls must be developed and implemented to protect the exchange, confidentiality and integrity of the information.
(163) Formal agreements must be established for the electronic and/or manual exchange of information between the University and other organisations, third parties or clients.
(164) All employees of the University with access to email facilities are bound by the Information Technology Procedure - Acceptable Use and Access.

(165) Where no contractual agreement exists, confidentiality and/or non-disclosure agreements reflecting the University's needs for the protection of information should be used, regularly reviewed and documented.

(166) This part details the specific criteria for the acquisition, development and maintenance of information systems.

(167) System custodians and project managers must consider security requirements at all stages of system and application development, for both in-house and outsourced software.

(168) Business requirements for new information systems, or enhancements to existing information systems, must specify the information security control requirements, based on risk assessment and risk management frameworks. Security requirements and controls should reflect the business value of the information assets involved and the potential business impact or loss that may result from a failure or absence of security.

(169) Use of suppliers or cloud service providers that offer artificial intelligence (AI), machine learning or automated decision-making capabilities must comply with the University's information security, privacy and information classification requirements.

(170) University information classified as confidential/private or highly sensitive must not be used in supplier-provided or externally hosted AI services unless the service has been formally approved and appropriate contractual, security and privacy controls are in place.

(171) AI-enabled services are subject to the same supplier assurance, risk assessment, access control and monitoring requirements as other cloud and third-party services.

(172) Information involved in application services traversing public networks should be protected, using strong encryption methods, from fraudulent activity and from unauthorised disclosure and modification.
(173) Information involved in application integration services should be protected to prevent:

(174) Software and system development rules should be established and applied to all development within the University.

(175) The implementation of changes must be controlled using the University's Information Technology Infrastructure Library (ITIL) change management procedures. The change management procedures must also be used for the testing and implementation of security patches and software modifications.

(176) When hosting environments and/or operating systems are significantly changed, business-critical applications must be reviewed and tested to ensure there are no adverse impacts or information security risks to the application.

(177) Modifications to vendor-supplied software packages must be discouraged and/or limited to necessary changes. All changes must be strictly controlled, documented and approved via change control procedures.

(178) Guidelines for the engineering of secure systems should be documented, maintained, reviewed and applied to all information system implementation efforts.

(179) Virtualisation of systems can deliver increased operational efficiency in terms of hardware, network, storage and utilities usage. The security requirements of all virtualisation components must be considered.

(180) Most security vulnerabilities and threats apply equally to virtualised and physical environments; however, virtualisation may introduce additional security implications.

(181) All elements of a virtualisation solution must be secured, and their security maintained through software updates, configuration reviews and security testing.

(182) Administrator access to the hypervisor must be restricted, managed and monitored.

(183) Hypervisors and guest operating systems should be monitored for indicators of compromise.
(184) The University should establish and appropriately protect secure development environments for system development and integration efforts, encompassing the entire system development lifecycle.

(185) Privileged access to development and test environments should use different credentials from those used to access production environments.

(186) When outsourcing software development projects, the University should consider:

(187) Testing of application security functionality should be integrated into development processes.

(188) Acceptance criteria for new information systems, upgrades and new versions must be established, with suitable tests of the system carried out prior to acceptance. Requirements and criteria for acceptance of new systems must be clearly defined, agreed, documented and tested.

(189) Test data should be carefully selected and protected. If production data is used in development or test environments, it should be masked or obscured.

(190) Test data, applications and related systems must be protected from unauthorised access and modification. Operational databases containing sensitive and/or critical production data/information must not be used for testing purposes.

(191) Confidential and personally identifiable information (PII) used for testing purposes, including sensitive details and content, must be appropriately protected. Production data must not be used for testing or development.

(192) This part supports protection of the University's assets that are accessible by suppliers.

(193) Use of cloud services does not transfer accountability for information security. The University retains responsibility for data protection, identity, access control and configuration. Information security requirements for mitigating the risks associated with supplier access to University assets must be agreed with the supplier and documented.
(194) Any authorised users contemplating the use of cloud-based services, or the transfer or storage of University information externally, must consult DIT to ensure that the solution is viable and secure.

(195) Cloud service procurement should be undertaken in accordance with the NSW Government Cloud Policy and DIT's project security considerations.

(196) All relevant information security requirements should be established and agreed with each supplier that may access, process, store or communicate the University's information, and/or provide ICT infrastructure components for it.

(197) Contractual agreements should consider and include the security considerations described in the NSW Government Cloud Policy and DIT's project security considerations.

(198) Service providers should be engaged following established processes that include appropriate due diligence checks. The University must maintain a list of service providers and a written agreement from each that includes an acknowledgement by the service provider of its responsibility for securing the critical and/or sensitive data that it possesses, or otherwise stores, processes or transmits, on behalf of the University.

(199) Service provider contracts, and the provider's compliance with information security requirements, must be reviewed regularly and/or when significant changes occur, to ensure that appropriate security controls and practices are in place to protect University information. Reviews should be completed:

(200) Service providers should provide regular reports on the status of the services delivered, and the University should review these reports regularly to ensure adherence to agreements.

(201) When required, service providers should allow the University, or an entity acting on its behalf, to audit the service provider's facilities, networks, computer systems and procedures for compliance with the agreed information security policies and standards.
(202) Changes to the services provided by third parties must be managed in line with formal change control procedures, including consideration of business system criticality and the processes involved for risk (re)assessment. These changes may include:

(203) This part provides definitions of the types of security incidents that may occur and plans for corrective action.

(204) A consistent and effective approach must be applied to the management of information security incidents. Incident management responsibilities and procedures must be established to ensure quick, effective and orderly responses to security incidents and software malfunctions.

(205) Individuals responsible for handling information security incidents must provide accelerated problem notification, damage control and problem correction services in the event of computer-related emergencies such as virus outbreaks and intrusions.

(206) Individuals responsible for handling information systems security incidents must have clearly defined responsibilities and be given the authority to handle incidents and create security incident reports.

(207) The Division of Information Technology (DIT) is responsible for defining and operating a critical incident response process.

(208) Information security events associated with information systems must be reported to the IT Service Desk.

(209) A formal reporting and incident response procedure must be established for all breaches of information security, actual or suspected.

(210) All authorised users must be made aware of the procedure for reporting security incidents and of the need to report incidents immediately.

(211) DIT's critical incident response process must be tested at least annually, and testing procedures must be in place.

(212) Any observed or suspected security weaknesses in, or threats to, systems or services must be reported to the IT Service Desk. All authorised users must be made aware of this and be instructed not to attempt to deliberately exploit suspected vulnerabilities.

(213) Information security events should be assessed to determine whether they are to be classified as information security incidents.

(214) Information security incidents should be responded to by the DIT ICT Security Team, together with other relevant authorised users of the University and/or external parties.

(215) Mechanisms must be in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored. An annual analysis of reported information security problems and violations must be prepared. Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.

(216) Where action against an individual or organisation involves the law, either civil or criminal, the evidence presented must conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This must include compliance with any published current standard and/or code of practice for the production of admissible evidence.

(217) Information systems continuity must be embedded within the University's business continuity management systems.

(218) A managed process regarding information systems availability requirements must be in place for the development and maintenance of business continuity throughout the University. Plans based on appropriate risk assessments must be developed as part of the overall approach to the University's business continuity. This is described in the Information Technology Policy. The ICT Security Team, in conjunction with Division of Information Technology leadership, oversees the implementation of this process. The extent of such plans is dependent on the delivery of a business impact analysis (BIA).
(219) Such a BIA must result in the specification of the:

(220) Plans must be developed to maintain or restore business operations in a timely manner following a disaster or crisis.

(221) The Information Technology Service Continuity Management (ITSCM) team must prepare and update a crisis management plan, covering topics such as:

(222) The ITSCM team will develop, implement and test business continuity and/or disaster recovery plans. Such plans must specify how alternative facilities, such as but not limited to telephones, systems and networks, will be provided for authorised users to continue operations in the event of an interruption to, or failure of, critical business processes.

(223) All business continuity plans must consider the information security requirements of the University.

(224) The University should verify the established and implemented information security continuity controls at recurring intervals, ensuring that such controls remain valid and effective during adverse situations. Business continuity plans must be tested regularly by the respective teams as outlined in the ITSCM, and must undergo regular reviews to ensure that such plans are up to date and effective.

(225) Appropriate redundancy, as determined by required service levels, must be in place for critical systems and assets, ensuring the availability of information processing facilities.

(226) The University should identify business requirements for the availability of information systems. Where availability cannot be guaranteed using the existing system architecture, redundant components and/or architectures should be considered.

(227) Where applicable, redundant information systems should be tested to ensure successful failover between components and/or other functions as intended.

(228) This part supports compliance with legal, statutory, regulatory and/or contractual obligations related to information security and/or other security requirements.
(229) For every University production information system, all relevant statutory, regulatory and contractual requirements must be identified. This includes, but is not limited to:

(230) Appropriate procedures must be implemented to ensure compliance with legal restrictions on the use of material in respect of intellectual property rights and on the use of proprietary software products.

(231) All computer programs and program documentation owned by the University must include appropriate copyright notices.

(232) University records must be protected from loss, destruction and falsification. Refer to the Records Management Policy, the Privacy Management Plan and the Information Technology Procedure - Personal Data Breach.

(233) The University must conduct information security reviews to ensure that information security controls are implemented and operated in accordance with the University's policies and procedures.

(234) The University's approach to managing information security and its implementation (e.g. control objectives, controls, policies, processes and procedures) should be reviewed independently at planned intervals or when significant changes occur.

(235) The University must ensure that all security procedures within each area of responsibility are carried out correctly. Areas within the University that must be subject to regular reviews to ensure compliance with security policies, procedures and standards include, but are not limited to:

(236) Variances from generally accepted information system control practices must be noted, and corrective action promptly initiated.

(237) Technical compliance should be reviewed with the assistance of automated tools that generate technical reports for subsequent interpretation by technical specialists. Alternatively, manual reviews by experienced system engineers, supported by appropriate software tools, may be performed.
(238) Any technical compliance reviews, such as penetration tests or vulnerability assessments, should only be carried out by competent authorised users and/or under the supervision of such users.

(239) The operation of the ISMS will be monitored in accordance with the University's ISMS performance monitoring process.

(240) Cyber security benchmarking should be conducted to ensure that the University's cyber security posture is aligned with the evolving threat landscape and sector opportunities.

(241) With reference to industry benchmarks, frameworks, standards and best practices, the University will identify gaps and vulnerabilities in deployed security controls and develop remediation plans to address these issues as part of an ongoing continuous improvement program.

(242) Benchmarking reviews will be carried out by competent authorised parties and will include the following elements:

(243) This guideline uses terms defined in the Information Technology Policy, as well as the following:

Information Security Guidelines
Section 1 - Purpose
Document context
Scope
Compliance drivers
Legislation and regulatory requirements as per Section 1
Policy suite
Policy
Information Technology Policy
Procedures
Guidelines
NA
Related documents
Review requirements
As per Policy Framework Policy.
Document class
Management
Section 2 - Procedure
Part A - Principles
Part B - Organisation of information security
Information security roles and responsibilities
Segregation of duties
Regulatory authorities
Contact with special interest groups
Information security in project management
Part C - Human resource security
Employment and contractor practices
Management responsibilities
Information security awareness, education and training
Termination and change of employment
Part D - Asset management
Responsibility for ICT assets
Asset registers
Asset Custodianship
Acceptable use of assets
Return of assets
Removal and secure disposal or reuse of equipment
Information security classification
Media handling
Disposing of media
Part E - Access control
Business requirements of access control
Access control
Providing user access
User access de-registration
User account inactivity and dormancy management
Remote work
Vendor remote access
Review of user access rights
System and application access control
Access control considerations for new services
Privileged access rights
Use of secret authentication information (passwords)
System and application access control
Information access restriction
Secure logon
Password management system
Use of privileged utility programs
Access control to program source code
Mobile devices
Part F - Cryptography
Cryptographic controls
Key management
Part G - Physical and environmental security
Secure areas
Physical security perimeter
Physical entry controls
Securing sensitive offices, rooms and facilities
Protecting against external and environmental threats
Working in secure areas
Delivery and loading areas
Information and communication technology (ICT) equipment
Equipment location and protection
Supporting utilities
Cabling security
Equipment maintenance
Unattended user equipment
Clear desk
Part H - Operations security
Operational procedures and responsibilities
Documented operating procedures
Change management
Capacity management
Separation of development, testing and operational environments
Protection from malware
Backup
Logging and monitoring
Event logging
Protection of log information
Administrator and operator logs
Clock synchronisation
Control of operational software
Installation of software on operational systems
Technical vulnerability management
Restrictions on software installation
Information systems audit controls
Part I - Communications security
Network security management
Security of network services
Segregation in networks
Information transfer
Information transfer policies and procedures
Agreements on information transfer
Electronic messaging
Confidentiality or non-disclosure agreements
Part J - System acquisition, development, and maintenance
Security requirements of information systems
Artificial intelligence services
Securing application services on public networks
Protecting application services transactions
Security in development and support processes
System change control procedures
Technical review of applications after operating platform changes
Restrictions on changes to software packages
Secure system engineering principles
Virtualisation
Secure development environment
Outsourced development
System security testing
System acceptance testing
Test data
Part K - Supplier and cloud service provider relationships
Information security procedures for supplier relationships
Addressing security within agreements
Supplier service delivery management
Part L - Information security incident management
Management of information security incidents and improvements
Responsibilities and procedures
Reporting information security events
Reporting information security weaknesses
Assessment of and decision on information security events
Response to information security incidents
Learning from information security incidents
Collection of evidence
Part M - Information security and business continuity management
Information systems continuity
Planning information systems continuity
Implementing information security continuity
Verify, review and evaluate information security continuity
Redundancies
Availability of information processing facilities
Part N - Compliance
Compliance with legal and contractual requirements
Intellectual property rights
Protection of records
Information security reviews
Independent review of information security
Compliance with security policies and standards
Technical compliance review
Information security management system (ISMS) performance monitoring process
Benchmarking
Section 3 - Glossary