'Cyber Security Working Group' - Membership and Terms of Reference

This is not a current document. It has been repealed and is no longer in force.

This is not a current document. It is no longer in force and the committee has been subsumed by the Technology Committee.

Section 1 - Establishment

Background

(1) The Cyber Security Working Group (CSWG) is a sub-committee of the Technology Governance Committee (TGC).

(2) The CSWG is responsible for the governance of the cyber security activities of the University to provide assurance on the identification and management of the University's cyber risks and vulnerabilities.

(3) The duties of the CSWG shall apply to all matters associated with cyber and information security governance pertaining to the quality of technology, processes and training provided to, and on behalf of, the University.

Purpose

(4) The CSWG shall undertake the duties listed under Section 4, to allow it to ensure quality and governance oversight of the University’s cyber security and risk management activities.

(5) Plan and oversee the implementation of a robust set of business processes and controls to assure the cyber security of the University.

Section 2 - Glossary

(6) For the purpose of this document:

  1. CSWG or working group - means Cyber Security Working Group.
  2. TGC – means the Technology Governance Committee.

Section 3 - Membership

(7) The membership of the working group is set out below:

  1. Director, IT Infrastructure and Security - Division of Information Technology (Presiding officer)
  2. Manager, ICT Security - Division of Information Technology
  3. Chief Security Officer – Executive Director, Safety, Security and Wellbeing
  4. Director, Business Services - Division of Finance
  5. Director, Workplace Relations and Partnerships - Division of People and Culture
  6. Director, Risk and Compliance, Office of Governance and Corporate Affairs
  7. University Ombudsman - Office of Governance and Corporate Affairs
  8. Faculty Administration Manager nominated by the Deputy Vice-Chancellor (Academic)
  9. A member of the academic body with cyber security expertise.

(8) Right of attendance:

  1. Head Enterprise Architect, Enterprise Architecture – Division of Information Technology

Section 4 - Functions and responsibilities

(9) The objective of the CSWG is to oversee the confidentiality, integrity and availability of the University’s technology and information assets through the application and governance of appropriate cyber security controls.

(10) The CSWG has the responsibility for making decisions and providing multi-disciplinary input to manage the institutional effort required to robustly deliver cyber security controls aligned with the ASD Essential 8.

(11) The CSWG will fulfil responsibilities as outlined in the ICT Security Policy and is responsible for reviewing and ratifying:

  1. organisational information security risks
  2. information and communications technology (ICT) security strategy
  3. annual ICT security reports
  4. operation of the Information Security Management System (ISMS)
  5. ICT security program, and
  6. other ICT security risk mitigation strategies.

Working group responsibilities

(12) The working group shall:

  1. adopt a risk-based approach to the assessment of University risk and strategic/tactical priorities
  2. provide assurance on the identification and management of the University’s risks and vulnerabilities
  3. provide assurance on the identification and management of the University’s compliance obligations, including legislative obligations
  4. provide overarching governance of the University’s cyber program and IT security, including reviewing, ratifying and proposing inclusions and direction
  5. oversee the development of critical incident response plans
  6. provide governance of the implementation and operation of the University’s ISMS, and
  7. guide the development and implementation of information management and ICT security policy, and associated procedures, systems and processes in alignment with the Essential 8 and ISO standards.

(13) Membership across university portfolio areas is required to inform the CSWG of good governance, security, ethics and risk awareness in decisions and advice. Members will be required to provide understanding and insight of University obligations that inform and influence information utilisation and security, for example, legislation, privacy, copyright, state records, research, etc.

Member responsibilities

(14) Members shall:

  1. maintain a good understanding of the concepts and purpose of the University’s Information Technology Policy, ASD Essential 8 and associated Information Security Guidelines
  2. review and approve the ICT security strategy and program
  3. promote the adoption of ICT security controls to ensure integrity, availability and confidentiality
  4. promote the adoption and upholding of practices within the organisation that enhance best practice and quality through the design, implementation and monitoring of solutions and business processes, and
  5. be available between regular meetings, as required, to assist with emerging University risk assessments and treatment recommendations within the scope of this working group.

Advisory role and referral of matters

(15) The working group shall:

  1. provide strategic advice to the TGC on proposals for improvement in the University’s information systems and cyber security controls
  2. report to the TGC at least annually on reviewed and prioritised cyber security risks and mitigation strategies, and
  3. report the operations of the working group and ICT security to the TGC and University executive, including Chief Operating Officer, as required.

Section 5 - Meetings

Quorum

(16) A quorum shall be a majority of the regular members of the working group or their delegates.

(17) A regular member may appoint another person to attend a meeting or meetings on their behalf, or to act on their behalf for a specified timeframe. A person so appointed will be deemed to be a regular member of the working group for the specified time and may vote as a regular member.

(18) The working group will be appropriately represented across the University to enable members to play a key role in educating, communicating and promoting the importance of good ICT security and data asset management. The CSWG will be supported by the Enterprise Architect, Information and Manager, ICT Security from within the Division of Information Technology.

Meetings

(19) At least four meetings will be planned annually. These will normally be one hour in duration.

Agendas and minutes

(20) Agendas and minutes of the previous meeting will be distributed within one week prior to a scheduled CSWG meeting.

Conflicts of interest

(21) Where a member has a perceived or material conflict of interest, they must declare this to the presiding officer and at the working group meeting prior to discussion of the item of business.

Variations

(22) Variations to the terms of reference and/or membership of the working group must be approved in accordance with Delegation Schedule A - Governance and Legal.