View Current

Information and Communications Technology Security Policy

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose

(1) Computer and information systems underpin the University's activities, and are essential to the teaching, learning, research and administration functions of Charles Sturt University (the University).

(2) This Policy sets out the University's information security obligations regarding the integrity, confidentiality and availability of all Information and Communication Technology (ICT) infrastructure, systems and processes.

(3) The University acknowledges its obligation to ensure the security of all information, infrastructure and processes it owns and controls. Every member of the University shares this obligation to varying degrees.

(4) This Policy defines in broad terms the framework within which information security risk is to be managed.

Scope

(5) This Policy applies to all University staff, students and other relevant parties including visitors, contractors and associated bodies who own, manage, access or use the University's ICT services.

(6) This Policy covers all:

  1. ICT systems and data attached to University computer or telephone networks;
  2. University systems;
  3. communications sent to or from the University; and
  4. data owned by the University, either internally or on systems external to the CSU network.

References

(7) This Policy should be read in conjunction with:

  1. NSW Government Digital Information Security Policy;
  2. Code of Conduct;
  3. Compliance Risks Identification Guidelines;
  4. Computing and Communications Facilities Use Policy; and
  5. Risk Management Policy.
Top of Page

Section 2 - Glossary

(8) For the purpose of this Policy:

  1. Information Security - encompasses:
    1. ICT security policies;
    2. organisation of information security;
    3. ICT asset management;
    4. information security compliance obligations;
    5. information security components of human resources management;
    6. ICT communications and operations management;
    7. Information security components of business continuity management;
    8. ICT services access control;
    9. ICT security incident management;
    10. ICT systems acquisition, development and maintenance; and
    11. ICT asset physical and environmental security.
  2. Information and Communications Technology (ICT) - includes:
    1. computers and peripherals (e.g. printers);
    2. communications infrastructure;
    3. computing facilities and utilities;
    4. information storage media; and
    5. systems and software.

(9) Availability - means information assets are accessible to authorised parties at appropriate times.

(10) Confidentiality - means access to information assets is only by authorised parties.

(11) Core strategic systems - means ICT information systems essential to the primary business functions of the University.

(12) Data Governance Committee - means the Committee established under the Initiatives and Strategy Implementation Plan.

(13) ICT security breach - means incident or action that impacts the confidentiality, integrity or availability of the University's information assets.

(14) ICT security risk - means a vulnerability with an associated threat that if exploited could impact the operations of the University.

(15) Information Security Management System (ISMS) - refers to the University's ISMS as per ISO/IES 2700.

(16) Integrity - means the quality and accuracy of information assets.

(17) Security risk assessment - means analysis that occurs to test the effectiveness of current University security controls that protect information and ICT assets of the University. This assessment includes a determination of the probability of losses to those assets.

(18) Significant risk - means a risk determined to be outside the University's Risk Appetite as determined in the Risk Management Policy.

(19) System custodian - means University executive staff with responsibility and ownership of information or ICT assets as identified and listed in the University’s Applications Portfolio, or the Primary Budget Centre Manager responsible for non-listed systems.

Top of Page

Section 3 - Policy

(20) The University will maintain compliance with the core requirements of the NSW Government Digital Information Security Policy including the operation of an Information Security Management System (ISMS) as per the guidelines defined in ISO/IEC 2700.

(21) In order to achieve compliance with this Policy, information security risk management will be undertaken as per the University's Risk Management Policy.

(22) The University will implement risk mitigation strategies to ensure appropriate legal, regulatory and contractual compliance to protect information assets against breaches of:

  1. confidentiality;
  2. failures of integrity; or
  3. information interruptions.

(23) The University will provide education, training and awareness for information security as appropriate to individual's roles and responsibilities.

(24) All University staff, students and other relevant parties as identified under clause 5, must report ICT security incidents, breaches or significant risks to the IT Service Desk.

(25) The University will report information security breaches or incidents that may involve criminal activity to relevant law enforcement agencies.

(26) Failure to comply with this Policy may result in disciplinary action as per the University's misconduct process, referred to in the Code of Conduct.

Responsibilities

(27) The Division of Information Technology is responsible for:

  1. risk management and security of ICT assets managed by the Division of Information Technology;
  2. provision of guidance and advice for risk management and security of all University ICT assets;
  3. ensuring appropriate risk assessments are undertaken and mitigation strategies implemented;
  4. providing information security awareness, promotion, education, training and support (including management of information security processes);
  5. implementing and operating an Information Security Management System (ISMS);
  6. initiating a formal security incident management process;
  7. reporting significant information breaches that compromise personal data to the University Ombudsman as the University's Privacy Officer;
  8. reporting significant security incidents and suspected breaches of this Policy to the Office of the Chief Financial Officer;
  9. reviewing this policy on an annual basis; and
  10. providing clear direction, visible support and promote Information Security through appropriate commitment and adequate resourcing.

(28) The Data Governance Committee is responsible for reviewing and prioritising:

  1. data security risks; and
  2. risk mitigation strategies.

(29) System custodians are responsible for:

  1. working with Division of Information Technology and providing relevant adequate resources to undertake risk assessments and develop and implement risk mitigation strategies and controls;
  2. ensuring an information security risk assessment is undertaken for core strategic systems on acquisition or when significant usage or data structure changes occur; and
  3. ensuring significant security breaches or incidents are reported to Division of Information Technology.

(30) All University staff, students and other relevant parties as listed under clause 5 are responsible for ensuring:

  1. the University's personal computing systems including desktop, mobile and personal devices are used in accordance with the Computing and Communications Facilities Use Policy;
  2. security incidents, breaches or significant risks are reported to the IT Service Desk; and
  3. identification and management of risk concerning usage of personal data and reporting of these risks to the IT Service Desk.
Top of Page

Section 4 - Procedures

(31) Nil.

Top of Page

Section 5 - Guidelines

(32) Nil.