Information Technology Policy

Section 1 - Purpose

(1) This policy sets out the requirements for users and the administration of Charles Sturt University's (the University) information and communication technology (ICT) resources.

(2) It is intended to achieve the following objectives:

Scope

(3) This policy applies to all authorised users and all University managed ICT resources, as defined in the glossary.

Section 2 - Policy

Part A - Access and use of University ICT resources

Authorities and responsibilities

(4) Delegation Schedule D - Facilities and Information Technology states delegated authorities for approving access to University ICT resources, including:

(5) In addition to the delegated authorities, the following authorities and responsibilities for access to ICT systems and resources are given through this policy or as otherwise noted:

Officer or body: Chief Information and Digital Officer
Authorities and responsibilities:
  - Authorise access to CSUNet.
  - Maintain the University's register of non-members provided with CSUNet access.
  - Authorise staff to access personal and/or confidential information when required for the purpose of addressing technical faults.
  - Authorise investigations into breaches of acceptable use of ICT resources.

Application of this part

(6) Access to computing and communications facilities is provided to authorised users for carrying out University work, study and other University-related purposes.

(7) Access to and use of the University's computing and communication facilities is subject to compliance with the Information Technology Procedure - Acceptable Use and Access.

(8) Access to and use of the University's network, CSUNet, will be in accordance with the Information Technology Procedure - CSUNet Access.

Part B - Information security

Authorities and responsibilities

(9) Delegation Schedule D - Facilities and Information Technology states delegated authorities for the security of information systems, including:

(10) In addition to the delegated authorities, the following authorities and responsibilities for information security are given through this policy or as otherwise noted:

Officer or body: Division of Information Technology
Authorities and responsibilities:
  - Risk management and security of ICT assets managed by the Division of Information Technology.
  - Provision of guidance and advice for risk management and security of all University ICT assets.
  - Ensure appropriate risk assessments are undertaken and mitigation strategies implemented.
  - Provide information security awareness, promotion, education, training and support (including management of information security processes).
  - Implement and operate an Information Security Management System (ISMS).
  - Initiate the formal security incident management process.

Officer or body: Chief Information and Digital Officer
Authorities and responsibilities:
  - Provide clear direction and visible support, and promote information security through appropriate commitment and adequate resourcing.
  - Approve exceptions to the requirements of the Information Technology Procedure - Passwords.
  - Approve alternate authentication mechanisms (other than passwords or personal identification numbers) for applications and systems.

Officer or body: Privacy officer (see the Privacy Management Plan)
Authorities and responsibilities:
  - Compliance with the Notifiable Data Breaches scheme.
  - Lodge the Notifiable Data Breach Statement form with the Office of the Australian Information Commissioner.
  - Approve information about a University data breach that is to be provided to impacted individuals or other third parties.

Officer or body: Director, Security and Resilience (CSO) and/or Chief Information and Digital Officer (or delegate)
Authorities and responsibilities:
  - Lodge cyber security incident reports for critical infrastructure assets, in accordance with the Security of Critical Infrastructure Act 2018.

Officer or body: System custodians
Authorities and responsibilities:
  - Work with the Division of Information Technology and provide adequate resources to undertake risk assessments and to develop and implement risk mitigation strategies and controls.
  - Ensure an information security risk assessment is undertaken for core strategic systems on acquisition, or when significant usage or data structure changes occur.
  - Ensure significant security breaches or incidents are reported to the IT Service Desk.

Application of this part

(11) The University is a critical education asset under the Security of Critical Infrastructure Act 2018 and is subject to mandatory reporting under that Act.

(12) The security of information and digital infrastructure is critical to the University. Information security protects and preserves the confidentiality, integrity and availability of information. It also protects and preserves the authenticity and reliability of information, ensuring accountability. This policy and its supporting procedures ensure information systems are maintained securely and confidentially as necessary to:

(13) The University acknowledges the requirement to manage cyber risk arising from criminal activities, internal threats, and local and foreign interference.

(14) The University will maintain compliance with the core requirements of the NSW Cyber Security Policy, including the operation of an information security management system (ISMS) in accordance with ISO/IEC 27001 (Information security management systems).

(15) To achieve this:

(16) The University will provide education, training and awareness for information security as appropriate to individuals' roles and responsibilities.

(17) The University will report information security breaches or incidents that may involve criminal activity to relevant law enforcement agencies, in line with relevant state and Commonwealth reporting requirements.

(18) The University will implement an ISMS and a supporting program of investment to ensure appropriate security standards and measures are established, implemented, monitored, reviewed and improved as required, so that business and compliance objectives are met.

(19) Detailed information security requirements and processes are set out in the:

Part C - New technologies, purchases and disposals

Authorities and responsibilities

(20) Delegation Schedule D - Facilities and Information Technology states the delegated authorities for:

(21) Delegation Schedule C - Finance sets out the expenditure delegations relevant to the procurement of ICT.

(22) In addition to the delegations, the following authorities and responsibilities for the introduction of new technologies and the purchase or disposal of ICT resources are given through this policy or as otherwise noted:

Officer or body: Chief Information and Digital Officer (or delegate)
Authorities and responsibilities:
  - All information technology, software and hardware procurement approvals.

Application of this part

(23) All University ICT equipment must be purchased through the Computer Shop, unless an exemption applies, in accordance with the Information Technology Procedure - Purchasing and Disposals.

(24) Information technology procurement, initiatives or projects may require review and assessment by the Project Review Board and/or the Technology Governance Committee, in accordance with their terms of reference or as otherwise determined by the Chief Information and Digital Officer.

Section 3 - Procedure

(25) The following procedures support this policy:

Section 4 - Guidelines

(26) Information Security Guidelines

Section 5 - Glossary

(27) For the purpose of this policy, the following terms are defined: