Information and Communications Technology Security Policy

Section 1 - Purpose

(1) Computer and information systems underpin the University's activities and are essential to the teaching, learning, research and administration functions of Charles Sturt University (the University).

(2) This policy sets out the University's information security obligations regarding the integrity, confidentiality and availability of all information and communication technology (ICT) infrastructure, systems and processes.

(3) This policy defines in broad terms the framework within which information security risk is to be managed.

(4) The University acknowledges its obligation to ensure the security of all information, infrastructure and processes it owns and controls. Every member of the University shares this obligation to varying degrees.

Scope

(5) This policy applies to all authorised users who own, manage, access or use the University's ICT services.

(6) This policy covers all:

  1. ICT systems and data attached to University computer or telephone networks;
  2. University systems;
  3. communications sent to or from the University; and
  4. data owned by the University, either internally or on systems external to the CSU network.

References

(7) This policy should be read in conjunction with:

  1. Information Security Guidelines;
  2. NSW Cyber Security Policy;
  3. Code of Conduct;
  4. Compliance Risks Identification Guidelines;
  5. Computing and Communications Facilities Use Policy; and
  6. Risk Management Policy.

Section 2 - Glossary

(8) For the purpose of this policy:

  1. Authorised users – means all:
    1. continuing and fixed term professional, academic and executive staff;
    2. visiting and adjunct appointments;
    3. casual academics;
    4. casual professional staff;
    5. students;
    6. visitors, vendors, contractors and associated bodies with authorised access to information systems.
  2. Availability - means information assets are accessible to authorised parties at appropriate times.
  3. Computer system(s) – means any University system used for the processing of information, either within the University premises, or at an off-site location. This includes private and/or third-party equipment, if such equipment is used to access University information.
  4. Confidentiality - means access to information assets is only by authorised parties.
  5. Core strategic systems - means ICT information systems essential to the primary business functions of the University.
  6. Data Governance Committee - means the committee established under the Technology Governance Committee.
  7. ICT security breach - means an incident or action that impacts the confidentiality, integrity or availability of the University's information assets.
  8. ICT security risk - means a vulnerability with an associated threat that, if exploited, could impact the operations of the University.
  9. Information and communications technology (ICT) - includes:
    1. computers and peripherals (e.g. printers);
    2. communications infrastructure;
    3. computing facilities and utilities;
    4. information storage media; and
    5. systems and software.
  10. Information security - encompasses:
    1. ICT security policies;
    2. organisation of information security;
    3. ICT asset management;
    4. information security compliance obligations;
    5. information security components of human resources management;
    6. ICT communications and operations management;
    7. Information security components of business continuity management;
    8. ICT services access control;
    9. ICT security incident management;
    10. ICT systems acquisition, development and maintenance; and
    11. ICT asset physical and environmental security.
  11. Information Security Management System (ISMS) - refers to the University's ISMS as per ISO/IEC 27001 Information Security Management System.
  12. Integrity - means the quality and accuracy of information assets.
  13. Security risk assessment - means analysis undertaken to test the effectiveness of the current University security controls that protect the information and ICT assets of the University. This assessment includes a determination of the probability of losses to those assets.
  14. Significant risk - means a risk determined to be outside the University's Risk Appetite Statement as determined in the Risk Management Policy.
  15. System custodian - means University executive staff with responsibility and ownership of information or ICT assets as identified and listed in the University’s Applications Portfolio, or the Primary Budget Centre Manager responsible for non-listed systems.
  16. Technology Governance Committee – means the committee, with cross-University representation and chaired by the Chief Financial Officer, that is responsible for providing direction, oversight and governance of the Portfolio of Technology Initiatives.

Section 3 - Policy

(9) The University will maintain compliance with the core requirements of the NSW Cyber Security Policy, including the operation of an Information Security Management System (ISMS) as per the guidelines defined in ISO/IEC 27001 Information Security Management System.

(10) In order to achieve compliance with this Policy, information security risk management will be undertaken as per the University's Risk Management Policy.

(11) The University will implement risk mitigation strategies to ensure appropriate legal, regulatory and contractual compliance and to protect information assets against:

  1. breaches of confidentiality;
  2. failures of integrity; and
  3. interruptions to availability.

(12) The University will provide education, training and awareness for information security as appropriate to individuals' roles and responsibilities.

(13) All authorised users must report ICT security incidents, breaches or significant risks to the IT Service Desk.

(14) The University will report information security breaches or incidents that may involve criminal activity to relevant law enforcement agencies.

(15) Failure to comply with this Policy may result in disciplinary action as per the University's misconduct process referred to in the Code of Conduct.

Responsibilities

(16) The Division of Information Technology is responsible for:

  1. risk management and security of ICT assets managed by the Division of Information Technology;
  2. provision of guidance and advice for risk management and security of all University ICT assets;
  3. ensuring appropriate risk assessments are undertaken and mitigation strategies implemented;
  4. providing information security awareness, promotion, education, training and support (including management of information security processes);
  5. implementing and operating an Information Security Management System (ISMS);
  6. initiating a formal security incident management process;
  7. reporting significant information breaches that compromise personal data to the University Ombudsman as the University's Privacy Officer;
  8. reporting significant security incidents and suspected breaches of this policy to the Office of the Chief Financial Officer;
  9. reviewing this policy on an annual basis; and
  10. providing clear direction and visible support, and promoting information security through appropriate commitment and adequate resourcing.

(17) The Data Governance Committee is responsible for reviewing and prioritising:

  1. data security risks; and
  2. risk mitigation strategies.

(18) System custodians are responsible for:

  1. working with the Division of Information Technology and providing relevant and adequate resources to undertake risk assessments and to develop and implement risk mitigation strategies and controls;
  2. ensuring an information security risk assessment is undertaken for core strategic systems on acquisition, or when significant changes to usage or data structure occur; and
  3. ensuring significant security breaches or incidents are reported to the IT Service Desk.

(19) All authorised users are responsible for ensuring:

  1. the University's personal computing systems, including desktop, mobile and personal devices, are used in accordance with the Computing and Communications Facilities Use Policy;
  2. security incidents, breaches or significant risks are reported to the IT Service Desk; and
  3. risks concerning the use of personal data are identified and managed, and are reported to the IT Service Desk.

Section 4 - Procedures

(20) Nil.

Section 5 - Guidelines

(21) Nil.