View Document

Information Security Policy

This is the current version of this document. You can provide feedback on this document to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose

(1) QUT is committed to protecting its information assets and the information it holds about its students, partners and employees. The information security policy outlines how QUT protects its information assets against unauthorised access and use, theft, modification, destruction and unauthorised disclosure.

Top of Page

Section 2 - Application

(2) This Policy applies to:

  1. all of QUT’s organisational units (faculties and divisions);
  2. individuals with access to QUT information assets and resources, including staff, researchers, students and any person to whom the policy on Acceptable Use of Information and Communications Technology Resources Policy applies;
  3. all QUT information assets, whether processed by information technology systems or services, or held in physical records sources, regardless of whether or not the processing or storage is undertaken by QUT;
  4. cloud-based services used by QUT;
  5. voice and data communications equipment and software owned by QUT;
  6. research data;
  7. personal equipment connected to the QUT network; and
  8. QUT data in transit.
Top of Page

Section 3 - Roles and Responsibilities

Position
Responsibility
All users of QUT information assets
Ensure compliance with all information security requirements in this Policy and standards including reporting breaches of information security.
Maintain awareness of the information security risks and controls appropriate to the information accessed and used at QUT, including completion of required training as required by the University.
Vice-Chancellor and President
Is accountable for information security practices at QUT.
Risk and Audit Committee
Monitors cyber risk on a regular basis and recommends risk management actions where appropriate.
Vice-President (Digital) and Chief Digital Officer
Is responsible for implementation of the Information Security Management System (ISMS).
Promotes awareness of information security and implements systems, practices and processes to enhance information security at QUT.F
Approves the University’s information security strategy and information security standards made under this Policy.
Information Security Steering Group (ISSG)
Provides advice to ensure that there is a co-ordinated, consistent, and managed approach to information security management across QUT.
Provides advice on information security risk and recommends risk management actions where appropriate.
Reviews and endorses the following:
  1. Information Security Strategy;
  2. Information Security Policy;
  3. Information Security Standards for approval by Vice-President (Digital) and Chief Digital Officer.
Associate Director, Information Security
Manages information security incidents.
Provides reporting on the state of information security at QUT.
Ensures compliance with regulatory requirements related to information security.
Maintains the Information Security Policy and standards.
Maintains relationship with external security groups (including regulatory authorities, specialist forums and professional and special interest groups) to ensure that QUT responds to the emerging threat landscape and has access to external resources.
Heads of Organisational Units
Foster a positive culture towards information security within the organisational area.
Ensure compliance with the Information Security Policy and supporting standards as applicable to the organisational area.
Project Managers
Ensure compliance with Information Security Policy and standards in the design and implementation of IT projects.
Engage with the Information Security Team (IST) at QUT for information security advice as required.
Data custodians
Identify and implement the requirements related to data security, data accessibility and privacy, for the datasets for which they are responsible.
Classify information and data for the Information Asset Register (IAR).
Information asset owner
Provides the system owner with guidance and specific information security requirements that need to be applied to the information systems and information assets.
System owners
Are accountable to protect QUT’s IT assets.
Are responsible for applying the Information Security Policy and standards to the information systems and information assets they own.
Develop the relevant documentation (process, procedures, or guidelines), where applicable, to capture the specific requirements relevant to the information systems and information assets they own.
Consult and inform the information asset owner on the requirements to apply the information security policy and standards.
Top of Page

Section 4 - Information Security Management System

(3) QUT implements an Information Security Management System (ISMS) which supports the Information Security Strategy (QUT staff access only) and is based on the current version of the ISO/IEC27001 information security management standard, informed by Queensland Government Information Security Policy (IS18:2018). The scope of the ISMS includes the protection of all information, application and technology assets.

Top of Page

Section 5 - Information Security Principles

(4) The Information Security Management System (ISMS) is based on the following information security principles which are designed to support and defend QUT from a variety of information security risks.

Logical Access and Physical Access Security

(5) Logical access and physical access to QUT information assets is granted on the "least privilege" principle, whereby each user is granted the most restricted set of privileges needed for the performance of relevant tasks.

Information Security Risk Management

(6) Information security related risks must be identified, reported to concerned stakeholders and adequate controls are recommended to manage the risk.

Operational Security

(7) Operational security practices must be in place to manage information security related risks.

Information Security Incident Management

(8) Information security incidents must be actively managed in a defined manner in line with QUT’s incident management process.

Information Classification

(9) Information maintained in QUT’s information systems and in printed format is protected based on the assigned information classification level (F/1.2.5).

Audit and Compliance

(10) The established information security management processes must be conducted in line with regulatory requirements and be regularly audited to promote improvements in practices.

Human Resource Security

(11) QUT must have processes in place to screen candidates, on-board and off-board employees, and educate employees on security awareness.

(12) These principles assist in governing behaviour, objectives, approach and activities, in order to promote good practice in information security. The Vice-President (Digital) and Chief Digital Officer approves information security standards which further explain the implementation of the information security principles and define the information security controls.

Top of Page

Section 6 - Information Security Classification Approach

(13) QUT’s Information security classification approach is based on the Information security classification framework (QGISCF). This approach uses three categories Confidentiality, Availability and Integrity to classify QUT’s information and data. A risk rating will be assigned to each of the classification categories.

  1. Confidentiality measures the risk of information made available or disclosed to unauthorised individuals, entities, or processes, as either High (Protected), Medium (Sensitive), Low (Official), or Public information or data.
  2. Integrity measures the risk to the accuracy and completeness of information or data, as either High, Medium, or Low.
  3. Availability measures the risk of data accessibility on demand by an authorised entity, as either High, Medium, or Low.

(14) The assessment of security categories for relevant classes of information assets is used by the Vice-President (Digital) and Chief Digital Officer and the data custodian to determine appropriate security measures and controls to be adopted for the information asset class.

(15) QUT staff and students engaged under a contract requiring Defence Industry Security Program (DISP) membership must assess and protect information in accordance with the Protective Security Policy Framework, as specified in the Information Security Standard – Defence Industry Security Program.

Top of Page

Section 7 - Information Security Audits and Monitoring

(16) The University maintains logs and audit trails of network and system activities which may include personal information about users.

(17) Information Security Team at QUT performs information security audits and monitoring activities which include the following:

  1. monitoring its network, information systems, and services against malicious activities, and threats;
  2. logging and investigating its network, applications, and user activities for the purpose of investigating faults, security breaches, and unlawful activity; and
  3. regularly auditing the security of information systems and reporting to appropriate University committees, including the Risk and Audit Committee.

(18) Where diagnosis of problems, investigations or security audits are required, the University reserves the right to access logs, audit trails and individual files. In carrying out these tasks, cooperation with the Information Security team may be required. Cooperation and collaboration with law enforcement authorities may also be required from time to time.

Top of Page

Section 8 - Security Breaches

(19) A breach of information security, reported as an information security incident, is an identified occurrence or activity that has been successful in adversely affecting the integrity of the data, confidentiality of protected information and availability of information and major IT systems of QUT.

(20) QUT has an incident management process for managing IT incidents irrespective of their origin. Information security incidents are reported through this practice.

(21) Security breaches relating to personal information should be reported in accordance with QUT’s Information Privacy Policy and associated protocols.

(22) Serious breaches of information security by an individual user may result in disciplinary action (for staff and students) or the suspension or termination of access rights and computer accounts in accordance with the Acceptable Use of Information and Communications Technology Resources Policy. This Policy supports and complements State and Commonwealth laws. Illegal access to and use of computer systems at QUT may constitute a criminal offence under the relevant legislation. Breaches of information security which are also suspected of breaching State or Commonwealth laws will be reported to law enforcement authorities for appropriate action.

Top of Page

Section 9 - Defence Industry Security Program

(23) QUT staff and students engaged under a contract requiring Defence Industry Security Program (DISP) membership must comply with the Information Security Standard - Defence Industry Security Program and associated procedures.

Top of Page

Section 10 - Reporting

(24) Regular reporting on information security activities and risks is provided to the Information Security Steering Group and Risk and Audit Committee.

Top of Page

Section 11 - Definitions

Term Definition
Logical Access The ability to access the QUT’s information systems using a username and a password either directly or through remote access.
Information Security Annual Return The Information security annual return is a self-assessment of the information security controls mandated by and to the Queensland Government Customer and Digital Group (QGCDG).
Data Accessibility Sharing of the information asset to the maximum extent possible in accordance with data standards and data security and defining the conditions of use of the data.
Information Information is any collection of data that is processed, analysed, interpreted, classified or communicated in order to serve a useful purpose, present fact or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form. Information may also be a public record or an information asset if it meets certain criteria.
Data The representation of facts, concepts or instructions in a formalised (consistent and agreed) manner suitable for communication, interpretation or processing by human or automatic means. Typically comprised of numbers, words or images. The format and presentation of data may vary with the context in which it is used. Data is not information until it is utilised in a particular context for a particular purpose. Examples include; Coordinates of a particular survey point; Driver licence number; Population of Queensland; Official picture of a minister in jpeg format.
Information Security Management System (ISMS) An ISMS is a systematic approach to managing sensitive information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
ISO 27001 ISO 27001 is an internationally recognized Information Security Management System (ISMS) standard. It is a framework for the requirements to manage an organisation's information security risks.
ISO (International Organization for Standardization) ISO is an independent, non-governmental international organisation with a membership of 164 national standards bodies including Australia.
Top of Page

Section 12 - List of Information Security Standards

(25) The information security principles are further explained in the Information Security Strategy (QUT staff access only) which cover the required information security controls.

  1. Information security risk management;
  2. Access Management;
  3. Cryptography;
  4. Supplier Risk Management;
  5. Malware protection;
  6. Logging and Monitoring;
  7. Information classification;
  8. Audit and Compliance;
  9. Capacity Management;
  10. Data Backup;
  11. Human Resource security;
  12. Mobile device security;
  13. Documenting Operating Procedures;
  14. Physical environmental security;
  15. Vulnerability and Patch Management;
  16. Working off-site;
  17. Business continuity;
  18. Change Management;
  19. Information security incident management;
  20. IT Asset management;
  21. Network Security; and
  22. System acquisition, development and maintenance.

(26) QUT staff and students engaged under a contract requiring Defence Industry Security Program (DISP) membership must also comply with the following information security standard; and associated procedures:

  1. Defence Industry Security Program.