Information Security Policy

Section 1 - Background Information

(1) Information security is the protection of information and supporting systems from a wide range of threats in order to ensure business continuity, minimise operational risk, and maximise return on investments and operational opportunities. This document sets out the Australian Catholic University (ACU) Information Security Policy for use by all members of the ACU community.

(2) The Policy is directly aligned with the information security industry standard AS/NZS ISO/IEC 27002:2013(E) Information technology - Security techniques - Code of practice for information security management. Relevant sections from this standard are directly referenced in this document.

(3) Data, information and the underlying technology systems are essential assets to ACU and provide vital resources to staff and students, and consequently need to be suitably protected.

(4) Information security is achieved by implementing a suitable set of controls (based on risk profile), including policies, processes, procedures, organisational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that specific security and University objectives are met.

(5) The University is committed to providing a secure, yet open, information environment that protects the integrity and confidentiality of information without compromising access and availability.

Section 2 - Policy Purpose

(6) The purpose of this Policy is to:

Section 3 - Policy Documentation

(7) This Policy is expressed by documents that are split into two sections: this Policy, and the accompanying Information Security Procedure for compliance with the Policy. Each section is subject to review and change as needed. Additional sections may be added.

Section 4 - Application of Policy

(8) This Policy applies to all information that is electronically generated, received, stored, printed, filmed, or keyed, and to the IT applications and systems that create, use, manage and store information and data. The Policy covers the following areas:

Formal processes and procedures covering these key areas are set out in the Information Security Procedure.

(9) The provisions of this Policy apply to all ACU students and staff (including temporary agents and staff engaged under contract). This Policy includes, but is not limited to:

Section 5 - Policy Principles

(10) This Policy defines the principles for establishing effective security measures to ensure the Confidentiality, Integrity, Availability and Privacy of University information. The Policy also covers the continued availability of information and the Information Environment to support University business activities, including the implementation of appropriate controls to protect information from intentional or accidental disclosure, manipulation, modification, removal or copying.

(11) The following principles outline the minimum standards that guide the University's Information Security processes and procedures and must be adhered to by all members of the ACU community.

University Responsibilities

(12) The University is responsible for safeguarding the ACU Information Environment and Information Resources against security threats. The University discharges its responsibilities through the following and the set of measures outlined in the Information Security Procedure:

User Responsibilities

(13) Users must abide by all relevant laws and all University policies.

(14) Users are expected to take responsibility for developing an adequate level of information security awareness, education, and training to ensure appropriate use of the information environment.

(15) Users may only access information needed to perform their authorised duties.

(16) Users are expected to determine and understand the classification of the information to which access has been granted, through training, other resources, or consultation with the relevant supervisor or the Data Steward.

(17) Users must protect the confidentiality, integrity and availability of the University's information as appropriate for the information classification level.

(18) Users may not in any way divulge, copy, release, sell, loan, alter or destroy any information, except as authorised by the relevant University delegate.

(19) Users must safeguard any physical key, ID card or computer or network account that enables access to University information. This includes maintaining appropriate password creation and protection measures as set out in the password composition guidelines.

(20) Any activities considered likely to compromise sensitive information must be reported to the relevant supervisor or to the IT Security Officer.

(21) Users are obliged to protect sensitive information even after separation from the University.

Managers and Supervisors

(22) In addition to complying with the requirements listed above for all staff and contractors, managers and supervisors must:

System and Technology Managers

(23) In addition to complying with the stated Policy requirements defined for all staff, contractors, managers and supervisors, system and information environment managers are responsible for:

Section 6 - Risk Assessment and Treatment

(24) Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the operational damage likely to result from security failures.

(25) The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls to protect against these risks.

(26) Responsibilities for Risk Assessment and Treatment are clearly defined in the Risk Management Policy and Risk Management Procedure.

Section 7 - Information Classification

(27) ACU information is classified under four broad classification headings:

(28) The ICT Governance Policy sets out the access rights, roles and responsibilities of ACU staff in relation to the management and protection of information. Further detail about the classification of information is listed in Section 10.

Section 8 - Roles and Responsibilities (associated with this Policy)

Approval Authority

(29) The Vice-Chancellor and President is the Approval Authority for this Policy.

Governing Authority

(30) The Information Communication and Technology Advisory Committee (ICTAC) is the Governing Authority for this Policy, and the Chief Operating Officer is the Chair of the Committee.

Responsible Officer

(31) The Chief Information and Digital Officer is the Responsible Officer for this Policy.

(32) Specific responsibilities associated with this Policy include monitoring compliance with this Policy.

Section 9 - Policy Review

(33) Unless otherwise indicated, this Policy will still apply beyond the review date.

Section 10 - Definitions

(34) To establish operational definitions and facilitate ease of reference, the following terms are defined as they relate specifically to this Policy.

Access Control is the selective restriction of access to the ACU information environment and/or ACU information resources.

Authorisation is the function of specifying access rights to information resources.

Availability refers to ensuring that information assets are available for their intended use.

Confidentiality of information assets refers to limiting information access and disclosure to authorised users, and preventing access by or disclosure to unauthorised ones.

Data or Institutional Data is a general term used to refer to the University's information resources and administrative records, which can generally be assigned to one of four categories:

Data Steward is a Member of the Executive who oversees the capture, maintenance and dissemination of data for a particular Organisational Unit. Data Stewards are responsible for ensuring that the requirements of the Data and Information Governance Policy and the Data and Information Governance Procedure are followed within their Organisational Unit. Data Stewards also have delegated responsibility for information assets, including defined responsibilities for determining appropriate classifications of information, defining access rights and ensuring that information asset risks are identified and managed.

One or more Data Managers may be defined for an information asset, with some responsibility for operation of the asset delegated by the Data Steward.

Information Asset is any set of information, or part of the Information Infrastructure, critical to the functioning of the University. Every information asset has a delegated system owner.

Information Environment includes the buildings, permanent installations, information services, fixtures, cabling, and capital equipment that comprise the underlying system within or by which the University:

Information Resources is a general term used to refer to the University's information resources and administrative records; the term is intended to include information and data (structured or unstructured) stored in print, digitally, or in any other format.

Information Security is the set of measures by which the University seeks to treat risks to the confidentiality, integrity and availability of its information assets.

Information Security Risk measures the potential loss of an asset's confidentiality, integrity, or availability. Risks are defined by a combination of threats, vulnerabilities and impacts: a threat exploiting a vulnerability results in an impact. Risks can be accepted (if the cost of treating the risk outweighs the cost of the impact), mitigated (through applying appropriate controls) or transferred (through insurance).

Integrity or Data Integrity refers to the accuracy and consistency of data over its entire life cycle.

Member of the Executive is defined as the positions which normally report to either the Vice-Chancellor and President or a Member of the Senior Executive, and which have an area of responsibility published on the University's Organisational chart.

Password is a word or string of characters used for user authentication, to prove identity in order to gain access to a resource.

Passphrase is a sequence of words or other text used to control access to a computer system, program or data where this functionality is available. A passphrase is similar to a password in usage, but is generally longer for added security.

Privacy: The University will comply with all current privacy-related legislation, in particular the Privacy Amendment (Private Sector) Act 2000 (Cth) (the Privacy Act).

Quality or Data Quality refers to the validity, relevancy and currency of data.

Security refers to the safety of University data in relation to the following criteria:

Standards (mandatory) and guidelines (recommended practices) will be published as attachments to this Policy to assist users, system owners and Data Stewards to meet their IT security responsibilities. These standards and guidelines, though presented as attachments, are an integral part of the University's Information Security Policy.

Threat is any technological, natural, or man-made cause of harm to an information asset.

Vice-Chancellor's Advisory Committee (VCAC) (also Member of the Senior Executive) is the peak senior strategic forum of ACU. The Vice-Chancellor and President chairs VCAC; membership of the group includes the Provost and Deputy Vice-Chancellor (Academic); Chief Operating Officer; Deputy Vice-Chancellor (Research and Enterprise); and Deputy Vice-Chancellor (Education).

Vulnerability is a weakness in the security of an information asset that might be exploited by a threat, such as a software bug, an unlocked room, or a well-known or readily identifiable password.