
Policy No.
UP16/3
Function
Technology And Telecommunications
Authoring Organisational Unit
Business Information and Technology Services
Date Approved
21/03/2016
Next Review Date
21/03/2018
Approving Body
Vice-Chancellor

The University of Western Australia

University Policy on: IT Security

Purpose of the policy and summary of issues it addresses:

This policy defines the security requirements to ensure the confidentiality, integrity, and availability of the University's IT systems. To enable the University and users to meet the policy objectives a number of policies and associated procedures and standards have been developed to underpin this policy.

Definitions:

University: the University of Western Australia.

Information Security: the preservation of confidentiality, integrity and availability of information.

University IT Systems: any digital system which is operated by, or on behalf of, the University.

Privileged Access: access to University IT systems by an authorised person.

Authorised Person: a person designated with authority in accordance with the Computer and Software Use Regulations.

BITS IT Service Desk: the single point of contact for all IT-related matters for BITS-supported areas.

System Administrator: the person who is responsible for the upkeep, configuration, and reliable operation of computer systems; especially multi-user computers, such as servers.

System Owner: person responsible for an IT system, i.e. that the IT system supports operations in accordance with business requirements, and that the IT system is secure in accordance with availability, integrity, confidentiality and traceability requirements.

User: any person who uploads, downloads, displays, performs, transmits, or otherwise distributes or manipulates data on, or from, a University computer or a mobile device directly or remotely connected to the University network.

Policy statement:

The University is committed to ensuring appropriate security for all its IT systems. Effective IT security is essential to ensure the University meets its obligations for security, privacy and availability of University IT systems and information. The IT Security policy and the supporting IT standards address the security, access and monitoring issues to ensure appropriate measures are in place to protect the University IT systems.

1 Access Management

Access controls will be used to limit who has access to IT systems to ensure the confidentiality, integrity and availability of IT systems is maintained. All access to University IT Systems must incorporate appropriate authentication controls.

1.1 The University provides users access to the IT systems for work and study purposes. Access to IT systems is controlled through user authentication and authorisation mechanisms as detailed in the Computer and Software Use Regulations, University Policy on: Access to University Building and Electronic Systems by Staff and Visitors, University Policy on: Privacy of Electronic Material and the IT Standard on: Authentication and Passwords (Appendix A). Only those users who have valid reasons for accessing the University's IT systems are granted access privileges appropriate to their roles.

1.2 Users can access IT systems from devices not directly connected to the University network using authentication mechanisms as defined in the IT Standard on: Remote Access to Electronic Systems (Appendix B). The University expects its users to take reasonable steps to ensure the integrity and security of the University IT systems and data. Accounts to access University IT systems are for the exclusive use of authorised individuals and must not be used by others. Every reasonable precaution should be taken to ensure that passwords, accounts and information are adequately secured.

1.3 Authorised persons from University departments and units with privileged access have high-level access rights which enable them to perform authorised IT procedures and access any data stored on the University's IT systems.

2 Monitoring

2.1 The University reserves the right to monitor, log, collect and analyse the activities of account holders in their usage of University IT systems and associated infrastructure in line with relevant policies, procedures and IT standards.

3 Security

3.1 The University will take all reasonable steps to protect its IT systems from unauthorised use and from viruses and malware. To minimise these risks, the relevant policies and procedures, as well as the IT Standard: Firewall Rule Sets (Appendix C) and the IT Standard: Malware Protection (Appendix D), apply.

3.2 Users must take all reasonable steps to protect external disk drives and other portable devices containing University information from damage, misuse, loss, theft or disclosure.

3.3 Security breaches and incidents can disrupt the use of the University's IT systems. Any security breaches or incidents must be reported to the Service Desk as soon as possible.

3.4 The University may monitor and investigate usage activity and suspected security incidents, and take reasonable steps to prevent and resolve security incidents.

3.5 The University may take any action it considers necessary to remedy immediate threats to the IT infrastructure or security, including suspending authorised accounts and/or disconnecting or disabling relevant IT facilities or other equipment, with or without prior notice.

4 Risk

The University will undertake regular risk assessments of its IT systems to identify and examine potential vulnerabilities and security measures and develop controls to reduce the identified risk to an acceptable level.

5 Disaster Recovery

The University will have appropriate measures in place to prepare for and cope with disaster, to minimise threats to the University's IT systems, and to facilitate the resumption of IT services in the event of a disruption in the shortest time possible with a minimal amount of data or resource loss.

6 Roles and Responsibilities

6.1 Users

All users will be responsible for:

Ensuring they are aware of, understand and comply with this policy, associated procedures and standards;

Taking reasonable precautions to safeguard their access to IT systems from inappropriate or unauthorised access;

Notifying any security incidents or problems to the Service Desk as soon as possible.

6.2 Privileged Access

Authorised persons from University departments and units whose privileged access to perform authorised IT procedures may expose them to private and/or confidential information must not disclose any details of that information to any other person.

6.3 System administrators/owners

System administrators/owners will be responsible for:

Monitoring and reporting the security of the information systems under their technical control.

Related forms: (Link)

TRIM File No:

F78977

Contact position:

IT Policy Officer

Related Policies or legislation:

Computer and Software Use Regulations

Code of Conduct

UP10/2 University Policy on: Access to University Building and Electronic Systems by Staff and Visitors

UP13/4 University Policy on: Data Backup and Recovery

UP13/5 University Policy on: Institutional Data Centre

UP07/44 University Policy on: Offensive Material on UWA Systems

UP07/58 University Policy on: Wireless Networks

UP13/7 University Policy on: UWA Network

UP07/54 University Policy on: Exercising Take-down Powers

UP07/45 University Policy on: Privacy of Electronic Material