Policy No.
UP19/2
Function
Technology And Telecommunications
Authoring Organisational Unit
Policy Team - SPP Central Unit
Date Approved
18/02/2019
Next Review Date
18/02/2022
Approving Body
Executive Group

The University of Western Australia


University Policy on: Cyber Security


1. Purpose

a) The purpose of this policy is to —

i. commit the University to preserving the security of IT Assets;

ii. establish risk based Cyber Security practices and express responsibilities for achieving these;

iii. contribute to a University culture of integrity.

 

b) In this policy —

i. Cyber Security: section 2;

ii. Cyber Security Management Framework: section 4;

iii. Security Culture: section 5.1;

iv. Mobile Devices: section 5.2;

v. IT Asset management and data security: section 5.3;

vi. Cyber Security access control: section 5.4;

vii. IT asset physical and environmental security: section 5.5;

viii. IT operations security: section 5.6;

ix. University Networks security: section 5.7;

x. IT systems acquisition and development: section 5.8;

xi. Web Application security: section 5.9;

xii. Cyber Security in supplier relationships: section 5.10;

xiii. IT Incident management: section 5.11;

xiv. IT Resilience: section 5.12;

xv. IT risk and compliance: section 5.13.

 

c) This policy is to be read in conjunction with the following:

i. Cyber Security Management Framework; and

ii. Acceptable Use of IT Policy.

 

2. Cyber Security

a) Cyber Security means the protection of IT Assets by addressing threats to University Information that is processed, stored and transmitted by interconnected information systems.

b) IT Assets mean any tangible or intangible thing, belonging to, or contracted to the University or members of the University Community, which is worth protecting and used to access, process, store or transmit data.

3. Scope

3.1. Institutional Scope

a) The scope of this policy applies to the entire University.

3.2. Individual Scope

a) The scope of this policy applies to the entire University Community.

 

4. Cyber Security Management Framework

a) The University will develop and manage a Cyber Security Management Framework.  The University will continually improve the Cyber Security Management Framework to provide effective and detailed requirements for Cyber Security practices.

b) Cyber Security Management Framework means a systematic approach to managing sensitive IT Assets so that they remain secure by applying a risk management process. It includes people, processes, IT systems and Cyber Security Controls.

c) Cyber Security Control means safeguards or countermeasures to detect, avoid, mitigate or minimise risks to Cyber Security.

 

5. Cyber Security Practices

5.1. Security Culture

a) The University will foster Cyber Security risk awareness and a security culture through —

i. communicating personal responsibilities of the University Community for Cyber Security; and

ii. communicating Cyber Security risks to relevant stakeholders.

5.2. Mobile Devices

a) The University will deploy Mobile Devices that are configured and managed in accordance with Mobile Device security requirements defined in the Cyber Security Management Framework;

b) The University may not authorise the connection to the University Networks of Mobile Devices that do not comply with Mobile Device security requirements defined in the Cyber Security Management Framework.

c) Mobile Device means a portable computing device including but not limited to smartphones and tablet computers.

5.3. IT Asset Management and Data Security

a) The University will maintain an inventory of its IT Assets and identify asset owners.

b) Asset owners will ensure that security measures for acceptable use, data handling, encryption and disposal, as defined in the Cyber Security Management Framework, are implemented.

5.4. Cyber Security Access Control

a) IT Assets will be configured to uniquely identify users, utilise risk-based authentication mechanisms, and authorise access in accordance with the Information Governance Framework.

5.5. IT Asset Physical and Environmental Security

a) Owners of IT Assets will ensure protections from unauthorised physical access, environmental damage or interference, commensurate to the information classification and criticality of the IT Assets.

5.6. IT Operations Security

a) The University will maintain and operate its IT Assets in line with security measures defined in the Cyber Security Management Framework for —

i. change management;

ii. malware protection;

iii. vulnerability management;

iv. backup and recovery; and

v. logging and monitoring.

5.7. University Network Security

a) The University Networks will be developed, operated and monitored to allow for —

i. securing information in transit;

ii. securing the flow of communications within University Networks; and

iii. securing the flow of communication with external stakeholders of the University Community.

b) University Network means the University’s system of interconnected computers and the communication equipment used to connect them.

5.8. IT Systems Acquisition and Development

a) The University will introduce new technologies, implement new systems and update existing system functionalities according to risk-based security requirements defined in the Cyber Security Management Framework.

5.9. Web Application Security

a) The University will only operate internet facing Web Applications that are designed, built, acquired and tested in line with security measures as defined in the Cyber Security Management Framework so that security is proactively applied at all layers of the solution.

b) Web Applications means client–server computer programs where the client runs in a web browser.

5.10. Cyber Security in Supplier Relationships

a) The University will analyse and control Cyber Security risks arising from IT services provided by third party suppliers, vendors and partners in accordance with requirements defined in the Cyber Security Management Framework.

5.11. IT Incident Management

a) The University will monitor, assess and respond to IT Incidents according to security requirements defined in the Cyber Security Management Framework.

b) IT Incident means any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service.

5.12. IT Resilience

a) The University will implement, maintain and embed risk based IT Resilience capability to enable the recovery of IT Assets within timeframes commensurate to the criticality of the asset.

b) IT Resilience means the ability of IT Assets to resist failure or to recover in a timely manner from any disruption, usually with minimal recognisable effect.

5.13. IT Risk and Compliance

a) The University will proactively identify, document, mitigate and monitor IT risks through a formal risk management process.

 

6. Breach

a) Failure to comply with this policy by a member of the University Community may be considered a breach of the Code of Conduct and may result in disciplinary action.

 

7. Definitions

Cyber Security Controls is defined in section 4.

Cyber Security is defined in section 2.

Cyber Security Management Framework is defined in section 4.

IT Assets is defined in section 2.

IT Incident is defined in section 5.11.

IT Resilience is defined in section 5.12.

Mobile Device is defined in section 5.2.

University is defined in the University of Western Australia Act 1911 (WA).

University Activity means engaging in study, work, recreation, other activities and services, and the performance of official duties for the University regardless of the location.

University Community means all individuals who engage in University Activity and/or use University Property.

University Information means all data and information created by, collected, received and stored, whether by the University Community or on behalf of the University, in any format or medium.

University Network is defined in section 5.7.

University Property means tangible and non-tangible things, belonging to, or contracted to the University or members of the University Community, including campuses, facilities and services.

Web Applications is defined in section 5.9.

 

8. Legislative Controls

Higher Education Support Act 2003 (Cth)

Privacy Act 1998 (Cth)

Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)

State Records Act 2000 (WA)


Policy No

UP19/2


Approving body or position

Executive


Date original policy approved

February 2019


Date this version of policy approved

February 2019


Date policy to be reviewed

February 2022


TRIM

F19/524


Contact position

Associate Director Enterprise Security
