Manual of Policies and Procedures

F/1.2 Information security

Contact Officer

Manager, Information Security, Information Technology Services / QUT Privacy Officer, Governance and Legal Services

Approval Date

29/10/2015

Approval Authority

Vice-Chancellor

Date of Next Review

31/10/2018

1.2.1 Policy principles
1.2.2 Regulatory obligations
1.2.3 Application
1.2.4 Roles and responsibilities relating to information security
1.2.5 Information security classification
1.2.6 Access
1.2.7 Information security audits and monitoring
1.2.8 Security breaches
Related Documents
Modification History

1.2.1 Policy principles

QUT is committed to protecting its information assets against unauthorised access and use, theft, modification, destruction and unauthorised disclosure. The University's information security policy addresses security issues related to the ownership, confidentiality, integrity and accessibility of information, and in particular, risks associated with the use of computers and networks for storing, transferring and processing information.

Top

1.2.2 Regulatory obligations

This policy is derived from obligations under the Queensland Government's Information Standard 18 - Information Security. This policy also supports QUT's obligations to comply with security requirements for managing information assets (F/1.9), managing records (F/6.1) and for protecting the privacy of personal information (F/6.2). QUT is also committed to complying as far as practicable with other standards designed to enhance protection of information assets, such as Australian and industry standards.

Top

1.2.3 Application

This policy applies to all organisational units of QUT and to all users of QUT's information technology (IT) resources, services and/or facilities, including staff, students, and other individuals associated with the University such as Council members, contractors, consultants or visitors.

This policy applies to all QUT information assets, whether processed by computers or held in physical records sources, regardless of whether the processing or storage is owned by QUT or not. The policy also applies to voice and data communications equipment and software owned by QUT or personal equipment connected to the QUT network and to data in transit in QUT communications media.

As a result of the application of this policy to all of QUT's information assets, physical security measures (to secure buildings, office spaces or other areas) must be taken into account in implementing this policy (H/3.4). Access to systems is addressed in section F/1.2.6 below.

Top

1.2.4 Roles and responsibilities relating to information security

All users of QUT information assets

All users of QUT's information assets must comply with this policy and must be aware of the security requirements for the systems they use and must take reasonable precautions to safeguard their access to these systems against inappropriate or unauthorised access (F/1.11 Acceptable use of information technology resources).

A user must not bypass security mechanisms and virus management systems.

As part of their work responsibilities, many QUT staff have access to valuable or sensitive information. Under this policy, QUT's information privacy policy (F/6.2) and the records management policy (F/6.1), all staff have a responsibility to maintain the security of such information.

Regardless of whether the device is privately owned or a QUT asset, whether it is located on-campus or off-campus, or whether it is a mobile or desktop device, this responsibility necessitates that appropriate care be taken when using or storing QUT information. In using personal devices or any non-QUT device to directly access QUT email or applications such as personal mobile phones synchronised to automatically access QUT email, it is required that the device be secured through the use of protection mechanisms that include physical protection of the device storing the information, activated access controls provided by the device or service (for example passwords or pins) and authenticated usage based on QUT authentication where possible.

Data custodians and system owners

As per the Corporate Information Asset Management policy (F/1.9), data custodians should consider appropriate controls and restrictions for the information in their custody. Information which is classified as protected or highly protected should not be moved out of an environment in which QUT's routine security standards (both physical and technical) apply unless the data custodian has approved the use as part of standard processes.

Unless stated otherwise by separate agreement, ownership of information, data and software within QUT is held solely by QUT and is not assigned or delegated in any way. All major information assets (as defined within the Information Asset Register) must be accounted for and have a nominated information asset owner and a data custodian who is accountable for the implementation and management of this policy in relation to the asset. Information Technology Services (QUT staff access only) maintains a list of accountable officers for the University's major data sets. The nominated owner or custodian will ensure that only authorised software are used in processing or storing information assets. The use of unauthorised software or software that has not been evaluated and approved to process or store information assets is not permitted.

Director, Information Technology Services

The Director, Information Technology Services is responsible for the development and publication of minimum security standards for QUT's business systems and networks, operating procedures, and other security protocols, including incident management and reporting protocols for information security breaches. The Director, Information Technology Services is also responsible for the establishment and promulgation of standards, identification of security threats and vulnerabilities, conduct of training and awareness relating to IT security, and participation in security audits and evaluations, including providing relevant advice to custodians of systems within QUT and the development and maintenance of business continuity plans for critical information systems (Business Continuity Management Framework).

Director, Governance and Legal Services

The Director, Governance and Legal Services is responsible for the implementation of the standards required to maintain privacy and to protect other sensitive QUT records.

Heads of organisational units

All organisational units within QUT will hold some data or information requiring the implementation of security standards. The head of the organisational unit is responsible for undertaking evaluations of risk in regard to information security and for implementing appropriate security measures for local information assets, including physical records, local IT systems and infrastructure.

Systems administrators

IT systems administrators are responsible for the integrity of the information systems in their custody and for implementing at the operational level required security standards. This includes the responsibility for implementing data back-up and recovery/restoration strategies, (including business continuity planning and disaster recovery strategies), and for managing the integrity of such processes.

Top

1.2.5 Information security classification

QUT has a two-tier information security classification framework.

Information systems and resources (including physical corporate records resources) are classified according to their degree of criticality to University business operations. Systems and resources vital to maintaining business continuity are given the highest classification within this framework. These classification levels apply to all information systems, services, network segments and physical areas and equipment in which these systems are housed or accessed. Physical and environmental security controls should be in place for areas where security classified information is processed or handled, which may restrict entry to authorised users only. All staff, students or external contractors are allocated a clearance level to determine what information systems they are able to access.

The second element of the security classification framework is based on the nature of the information contained within a given dataset. The University uses the following classification levels for information (from least to most secured information):


Classification

Definition

Examples

Public

Information of a nature which does not warrant any restrictions on access by staff, students or the community; including annual reports and other public reporting mechanisms.

Publicly available material on websites (other than material that is specified as QUT access only).

Private

Information which relates to QUT business and which is of relevance in terms of application to or use by members of the QUT community only; and including information which requires restrictions based on institutional risks (eg. personal privacy, commercial value, etc) but where access is necessary by a range of University officers to carry out business activities. Information classified as private also refers to information classified as restricted and commercially-in-confidence. For unclassified information, the default data classification setting is private

Library databases, HiQ, Corporate systems, certain procedural information, budgets and compliance information, information about students and staff, information on commercial dealings or activities, and audit information.

Protected

Information of a confidential nature generated or utilised to manage QUT functions or business activities where greater restrictions are required to protect QUT rights and interests. Protected confidential information, if compromised, could cause damage to the University (eg. undermine or impede QUT legal or commercial rights or QUT's intellectual property, endanger the rights and interests of individuals, or limit QUT's liabilities). Some confidential information must be treated as highly protected as compromise will cause serious damage to the University where wider dissemination would expose QUT or individuals to significant risks or liabilities (eg. a direct threat to life, substantial damage to financial, legal or commercial rights and interests or intellectual property).

Information such as some research data, tax file numbers, sensitive personal information, public interest disclosures, and confidential out-of-court settlements.

These classifications are applied according to the value, importance, sensitivity and confidentiality of information, taking into account risk assessments, privacy, legal obligations, legislative requirements and commercial value. Where subsets of information within a given dataset are classified at a different or higher level of protection (for example, tax file numbers), appropriate security and access measures must be in place to reflect these varying security requirements. These may entail greater limits on view-only access, restrictions on the capacity to modify data, and similar safeguards.

All information resources, including data received from an external source, must be designated a security classification approved by the relevant data or system custodian. In general this will be the classification of the information system for which it is intended. Any changes to classifications must also be approved by the relevant data or system custodian. Information that is designated a “Protected’ classification must be recorded in the University’s Information Asset Register. The University will only permit use of an alternative information classification scheme derived from an external information source or from collaborative activities where it has been mapped against the classification framework designated within this policy.

Copying, storage and transmission of data should be handled such that clearance levels match the classification of the data. For example, data classified as protected should be stored in an area or on a server classified as protected.

Top

1.2.6 Access

Access to information systems at QUT is provided to users for the purpose of carrying out work, study or other activities as agreed with the University. In general, access to data is regulated by guidelines and procedures defined for each service and is granted on the "least privilege" principle, in which each user is granted the most restricted set of privileges needed for the performance of relevant tasks.

Except for information classified as publicly available (for example, the home page of the University's website) access to information systems at QUT must be controlled through user authentication and authorisation mechanisms. Physical access to protected or highly protected systems or equipment is controlled by designing appropriate isolation for sensitive computer and communications equipment and media. Specifically designated secure areas should be provided.

The general conditions of access are set out in QUT's Acceptable use of information technology resources policy (F/1.11). Access to information assets at QUT is monitored.

Student access

Students are only provided with access to the QUT information systems required to facilitate and progress their studies.

Staff access

Access to add, delete or modify data must be commensurate with job responsibilities and position descriptions should adequately document data responsibilities and roles. Additionally, the "separation of roles" principle should be applied to ensure that duties relating to the management and auditing of IT systems are carried out separately by different staff in accordance with the University's Internal control policy (A/2.6).

Staff with more extensive privileges, whether in relation to information or systems, may be required to sign a confidentiality agreement.

Access to information concerning technical solutions employed in the realisation of systems security controls is only available to specifically authorised staff. Such authorisation is to be granted according to guidelines established by the Deputy Vice-Chancellor (Technology, Information and Library Services) (refer to ITS Rules, Policies and Standards).

Access to individuals associated with the University

Granting access to individuals associated with the University must take full account of security risks involved and ensure that adequate controls to protect QUT's information assets are imposed (adequacy of controls must take into account the "least privilege" and "separation of roles" principles). In relation to external contractors and consultants, the University officer authorised in the Schedule of Authorities and Delegations (Appendix 3) to make the appointment must ensure that provisions in the contract of appointment or other legally binding agreement (for instance, a deed of confidentiality) are in place to mitigate information security and other risks.

Security risks must also be taken into account in provisioning guidelines, for routine use of QUT systems and resources by individuals associated with the University.

Responsibility for granting access rights

In general, the data custodian has responsibility for determining data security requirements and user access levels for the dataset or system (F/1.1), though responsibility for determining user access levels may be delegated (Appendix 3). The decision on the granting of access for individual users is made according to the normal delegated authority processes of the University. Decisions by a delegate authorised to grant access must be made in accordance with the considerations set out in this section, in particular, the "least privilege" principle and the "separation of roles" principle.

Review of access rights

Whether undertaken through system design, automated processes or manually, it is a responsibility of all data custodians to implement a system whereby access rights are reviewed regularly (at least annually).

Revocation of access rights

The data custodian or system owner should ensure that appropriate mechanisms are in place for revocation or downgrading of access rights due to termination of employment, change of position (where reasonably possible) or due to security breaches or other misconduct. Exit procedures for both staff and students should include revocation of access to physical resources and buildings by cancellation of building access and/or return of keys (B/7.2 General Employment; H/3.4.2 Physical security and traffic).

Top

1.2.7 Information security audits and monitoring

The University monitors its information systems and services and carries out detailed security audits of systems, data and access as required. As a result, QUT logs network activity and may use it to investigate faults, security breaches and unlawful activity. Where diagnosis of problems, investigations or security audits are required, the University reserves the right to access individual files.

In carrying out these tasks, cooperation with security response teams established for the purpose of protecting information security within regional and/or national and/or international information networks which QUT uses will be required. Cooperation and collaboration with law enforcement authorities may also be required from time to time.

The security of information systems and resources at the University is audited regularly and reported to appropriate University committees, including Audit and Risk Management Committee. The most important systems will be audited most frequently. System owners are responsible for developing and monitoring an audit schedule for their systems.

Top

1.2.8 Security breaches

A breach of information security, reported as an information security incident, is an identified occurrence or activity that has been successful in adversely affecting the integrity of the data, confidentiality of protected information and availability of information and major IT systems of the University.

The process for managing a security breach will depend on the type and severity of the incident. Information security incidents are to be reported to the Information Security Team. The Information Security Team will manage and/or escalate security incidents, and must report serious breaches to the Deputy Vice-Chancellor (Technology, Information and Library Services). If an individual believes that the security breach relates to personal information, they may make a complaint in accordance with the University’s Information privacy policy (F/6.2.11).

Serious breaches of information security by an individual user may result in disciplinary action (for staff and students) or the suspension or termination of access rights and computer accounts in accordance with the Acceptable use of information technology resources policy (F/1.11).

This policy supports and complements State and Commonwealth law. It should be emphasised that illegal access to and use of computer systems at QUT constitutes a crime under the relevant legislation. Such breaches may also be reported to law enforcement authorities for appropriate action.

Top

Related Documents

MOPP Appendix 3 Schedule of Authorities and Delegations

MOPP A/2.6 Internal control

MOPP B/7.2 General employment conditions

MOPP F/1.11 Acceptable use of information technology resources

MOPP F/6.1 Records management policy

MOPP F/6.2 Information privacy

MOPP H/3.4 Physical security and traffic

Information Standard 18 - Information Security

Information Technology Services

Top

Modification History

Date Sections Source Details
09.12.16 F/1.2.6, F/1.2.8 Enhancing the Student Experience REAL Difference Change Manager Revised policy to include REAL Difference initiative, approved name change for position title, Deputy Vice-Chancellor (Technology, Information and Learning Support) to Deputy Vice-Chancellor (Technology, Information and Library Services) - effective 03.01.17
29.10.15 All Vice-Chancellor Revised policy
23.08.13 F/1.2.4, F/1.2.6 Deputy Vice-Chancellor (Technology, Information and Learning Support) Periodic review - editorial amendments to reflect current practice
14.12.12 All Vice-Chancellor Policy and classification scheme revised to reflect increasing cloud IT service provision

09.08.11

All

Vice-Chancellor

Periodic review - policy revised

15.09.10

All

Governance Services

Policy revised to reflect repeal of Information Facilities Rules

14.12.06 All Vice-Chancellor Revised policy (incorporates former Appendix 53 Management of QUT information systems) (endorsed by Information Technology Advisory Committee 25.10.06)
07.10.04 F/1.2.6 Secretariat Editorial (revised committee name - Information Technology Advisory Committee, approved by Vice-Chancellor 07.10.04)
08.07.04 F/1.2.6 Secretariat Editorial (deleted reference to Information Technology Strategic Governance Committee, disbanded June 2004, and replaced with reference to new Information Technology and Library Resources Committee)
06.06.03 F/1.2.1, F/1.2.7 Pro-Vice-Chancellor (Information and Academic Services) Revised to ensure compliance to Queensland Government Information Standard 18 - Information Security
09.11.01 F/1.2.5 Pro-Vice-Chancellor (Information and Academic Services) Revised Policy
22.06.01 F/1.2.6 MOPP Officer Editorial changes
11.01.00 All Vice-Chancellor New policy (endorsed by Vice-Chancellor's Advisory Committee 22.09.98)

Top