Manual of Policies and Procedures

F/1.2 Information security

Contact Officer

Associate Director, Information Security, Digital Business Solutions

Approval Date

25/03/2020

Approval Authority

Vice-Chancellor and President

Date of Next Review

31/03/2023

1.2.1 Purpose
1.2.2 Application
1.2.3 Roles and responsibilities
1.2.4 Information Security Management System
1.2.5 Information security principles
1.2.6 Information security classification approach
1.2.7 Information security audits and monitoring
1.2.8 Security breaches
1.2.9 Reporting
1.2.10 Definitions
1.2.11 List of information security standards
Related Documents
Modification History

1.2.1 Purpose

QUT is committed to protecting its information assets and the information it holds about its students, partners and employees. The information security policy outlines how QUT protects its information assets against unauthorised access and use, theft, modification, destruction and unauthorised disclosure.

1.2.2 Application

This policy applies to all of QUT’s organisational units (faculties, institutes, divisions), and individuals with access to QUT information assets and resources, including staff, researchers, students and any person to whom the policy on Acceptable use of information and communications technology resources (F/1.11) applies.

This policy applies to all QUT information assets, whether processed by information technology systems or services, or held in physical records sources, regardless of whether or not the processing or storage is undertaken by QUT. The policy also applies to cloud-based services used by QUT; voice and data communications equipment and software owned by QUT; research data; personal equipment connected to the QUT network; and QUT data in transit.

1.2.3 Roles and responsibilities

Position | Responsibility

All users of QUT information assets

  • ensure compliance with all information security requirements in this policy and standards including reporting breaches of information security
  • maintain awareness of the information security risks and controls appropriate to the information accessed and used at QUT, including completion of any training required by the University

Vice-Chancellor and President

  • is accountable for information security practices at QUT
  • approves the Information security annual return for submission to Queensland Government Customer and Digital Group (QGCDG)
  • attests to QUT’s information security posture and the compliance of its Information Security Management System (ISMS) as required for the submission to Queensland Government Customer and Digital Group (QGCDG)

Risk and Audit Committee (A/3.3)

  • endorses the Information security annual return for submission to Queensland Government Customer and Digital Group (QGCDG)
  • monitors cyber risk on a regular basis and recommends risk management actions where appropriate

Chief Information Officer (CIO)

  • is responsible for implementation of the Information Security Management System (ISMS) and compliance with Queensland Government Customer and Digital Group’s (QGCDG’s) information security policy requirements
  • promotes awareness of information security and implements systems, practices and processes to enhance information security at QUT
  • approves the University’s information security strategy and information security standards made under this policy

Information Security Steering Committee (ISSC)

  • provides advice to ensure that there is a co-ordinated, consistent, and managed approach to information security management across QUT
  • provides advice on information security risk and recommends risk management actions where appropriate
  • reviews and endorses the following:
    • Information security strategy
    • Information security policy
    • Information security standards for approval by Chief Information Officer (CIO)
    • Information security annual return to Queensland Government Customer and Digital Group (QGCDG)
    • attestation letter to Queensland Government Customer and Digital Group (QGCDG) on QUT’s information security posture and the compliance of its Information Security Management System (ISMS)

Associate Director, Information Security

  • manages information security incidents
  • provides reporting on the state of information security at QUT
  • ensures compliance with regulatory requirements related to information security
  • maintains the information security policy and standards
  • maintains relationships with external security groups (including regulatory authorities, specialist forums and professional and special interest groups) to ensure that QUT responds to the emerging threat landscape and has access to external resources

Heads of organisational units

  • foster a positive culture towards information security within the organisational area
  • ensure compliance with the information security policy and supporting standards as applicable to the organisational area

Project managers

  • ensure compliance with information security policy and standards in the design and implementation of IT projects
  • engage with the Information Security Team (IST) at QUT for information security advice as required

Data custodians

  • identify and implement the requirements related to data security, data accessibility and privacy, for the datasets for which they are responsible
  • classify information and data for the Information Asset Register (IAR)

Information asset owner

  • provides the system owner with guidance and specific information security requirements that need to be applied to the information systems and information assets

System owners

  • are accountable for protecting QUT’s IT assets
  • are responsible for applying the information security policy and standards to the information systems and information assets they own
  • develop the relevant documentation (process, procedures, or guidelines), where applicable, to capture the specific requirements relevant to the information systems and information assets they own
  • consult and inform the information asset owner on the requirements to apply the information security policy and standards

1.2.4 Information Security Management System

QUT implements an Information Security Management System (ISMS) based on the current version of the ISO27001 standard, as per Queensland Government Customer and Digital Group’s (QGCDG’s) requirements. The scope of the ISMS includes the protection of all information, application and technology assets (F/1.2.2).

1.2.5 Information security principles

The Information Security Management System (ISMS) is based on the following information security principles which are designed to support and defend QUT from a variety of information security risks.

  • Logical access and physical access security
    Logical access and physical access to QUT information assets is granted on the "least privilege" principle, whereby each user is granted the most restricted set of privileges needed for the performance of relevant tasks.
  • Information security risk management
    Information security related risks must be identified and reported to the concerned stakeholders, and adequate controls recommended to manage the risk.
  • Operational security
    Operational security practices must be in place to manage information security related risks.
  • Information security incident management
    Information security incidents must be actively managed in a defined manner in line with QUT’s incident management process.
  • Information classification
    Information maintained in QUT’s information systems and in printed format is protected based on the assigned information classification level (F/1.2.5).
  • Audit and Compliance
    The established information security management processes must be conducted in line with regulatory requirements and be regularly audited to promote improvements in practices.
  • Human resource security
    QUT must have processes in place to screen candidates, on-board and off-board employees, and educate employees on security awareness.

These principles assist in governing behaviour, objectives, approach and activities, in order to promote good practice in information security. The Chief Information Officer approves information security standards which further explain the implementation of the information security principles and define the information security controls.

1.2.6 Information security classification approach

QUT’s information security classification approach is based on the Queensland Government Information Security Classification Framework (QGISCF). This approach uses three categories, Confidentiality, Availability and Integrity, to classify QUT’s information and data. A risk rating is assigned to each of the classification categories.

  • Confidentiality measures the risk of information being made available or disclosed to unauthorised individuals, entities or processes, rated as High (Protected), Medium (Sensitive), Low (Official), or Public information or data.
  • Integrity measures the risk to the accuracy and completeness of information or data, rated as High, Medium or Low.
  • Availability measures the risk to the accessibility of data on demand by an authorised entity, rated as High, Medium or Low.

The assessment of security categories for relevant classes of information assets is used by the Chief Information Officer and the data custodian to determine appropriate security measures and controls to be adopted for the information asset class.

1.2.7 Information security audits and monitoring

The University maintains logs and audit trails of network and system activities which may include personal information about users.

The Information Security Team at QUT performs information security audits and monitoring activities, which include the following:

  • monitoring the University’s network, information systems and services for malicious activities and threats
  • logging and investigating network, application and user activities for the purpose of investigating faults, security breaches and unlawful activity
  • regularly auditing the security of information systems and reporting to the appropriate University committees, including the Risk and Audit Committee.

Where diagnosis of problems, investigations or security audits are required, the University reserves the right to access logs, audit trails and individual files. In carrying out these tasks, cooperation with the Information Security Team may be required. Cooperation and collaboration with law enforcement authorities may also be required from time to time.

1.2.8 Security breaches

A breach of information security, reported as an information security incident, is an identified occurrence or activity that has succeeded in adversely affecting the integrity of data, the confidentiality of protected information and the availability of information and major IT systems of QUT.

QUT has an incident management process for managing IT incidents irrespective of their origin. Information security incidents are reported through this process.

Security breaches relating to personal information should be reported in accordance with QUT’s Information privacy policy (F/6.2.11) and associated protocols.

Serious breaches of information security by an individual user may result in disciplinary action (for staff and students) or the suspension or termination of access rights and computer accounts in accordance with the Acceptable use of information and communications technology resources policy (F/1.11). This policy supports and complements State and Commonwealth laws. Illegal access to and use of computer systems at QUT may constitute a criminal offence under the relevant legislation. Breaches of information security which are also suspected of breaching State or Commonwealth laws will be reported to law enforcement authorities for appropriate action.

1.2.9 Reporting

Regular reporting on information security activities and risks is provided to the Information Security Steering Committee and Risk and Audit Committee (A/3.3).

QUT is required to submit an information security annual return to Queensland Government Customer and Digital Group (QGCDG). The submission is made annually to QGCDG following endorsement and approval of the Vice-Chancellor and President and the Risk and Audit Committee.

1.2.10 Definitions

Logical access
The ability to access QUT’s information systems using a username and a password, either directly or through remote access.

Information security annual return
The Information security annual return is a self-assessment of the information security controls mandated by the Queensland Government Customer and Digital Group (QGCDG) and submitted to it.

Data accessibility
Sharing of the information asset to the maximum extent possible in accordance with data standards and data security requirements, and defining the conditions of use of the data.

Information
Information is any collection of data that is processed, analysed, interpreted, classified or communicated in order to serve a useful purpose, present fact or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form. Information may also be a public record or an information asset if it meets certain criteria.

Data
The representation of facts, concepts or instructions in a formalised (consistent and agreed) manner suitable for communication, interpretation or processing by human or automatic means. Typically comprised of numbers, words or images. The format and presentation of data may vary with the context in which it is used. Data is not information until it is utilised in a particular context for a particular purpose. Examples include: coordinates of a particular survey point; a driver licence number; the population of Queensland; the official picture of a minister in JPEG format.

Information Security Management System (ISMS)
An ISMS is a systematic approach to managing sensitive information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

ISO 27001
ISO 27001 is an internationally recognised Information Security Management System (ISMS) standard. It is a framework of requirements for managing an organisation’s information security risks.

ISO (International Organization for Standardization)
ISO is an independent, non-governmental international organisation with a membership of 164 national standards bodies including Australia.

1.2.11 List of information security standards

The information security principles are further explained in the information security standards (QUT staff access only) which cover the required information security controls.

  • Information security risk management
  • Access Management
  • Cryptography
  • Supplier Risk Management
  • Malware protection
  • Logging and Monitoring
  • Information classification
  • Audit and Compliance
  • Capacity Management
  • Data Backup
  • Human resource security
  • Mobile device security
  • Documenting Operating Procedures
  • Physical environmental security
  • Vulnerability and Patch Management
  • Working off-site
  • Business continuity
  • Change Management
  • Information security incident management
  • IT Asset management
  • Network Security
  • System acquisition, development and maintenance

Related Documents

MOPP A/2.6 Internal control

MOPP F/1.11 Acceptable use of information technology resources

MOPP F/6.2 Information privacy

Australian Signals Directorate (ASD) “Essential Eight”

Financial Accountability Handbook (Queensland Treasury)

Information security annual return

Queensland Government Customer and Digital Group (QGCDG) Information security policy (IS18:2018)

Queensland Government Information Security Classification Framework (QGISCF)

Financial Accountability Act 2009 (Qld)

Financial and Performance Management Standard 2019

Information Privacy Act 2009 (Qld)

Modification History

Date | Sections | Source | Details
25.03.20 | All | Vice-Chancellor and President | Revised policy
09.12.16 | F/1.2.6, F/1.2.8 | Enhancing the Student Experience REAL Difference Change Manager | Revised policy to include REAL Difference initiative, approved name change for position title, Deputy Vice-Chancellor (Technology, Information and Learning Support) to Deputy Vice-Chancellor (Technology, Information and Library Services) - effective 03.01.17
29.10.15 | All | Vice-Chancellor | Revised policy
23.08.13 | F/1.2.4, F/1.2.6 | Deputy Vice-Chancellor (Technology, Information and Learning Support) | Periodic review - editorial amendments to reflect current practice
14.12.12 | All | Vice-Chancellor | Policy and classification scheme revised to reflect increasing cloud IT service provision
09.08.11 | All | Vice-Chancellor | Periodic review - policy revised
15.09.10 | All | Governance Services | Policy revised to reflect repeal of Information Facilities Rules
14.12.06 | All | Vice-Chancellor | Revised policy (incorporates former Appendix 53 Management of QUT information systems) (endorsed by Information Technology Advisory Committee 25.10.06)
07.10.04 | F/1.2.6 | Secretariat | Editorial (revised committee name - Information Technology Advisory Committee, approved by Vice-Chancellor 07.10.04)
08.07.04 | F/1.2.6 | Secretariat | Editorial (deleted reference to Information Technology Strategic Governance Committee, disbanded June 2004, and replaced with reference to new Information Technology and Library Resources Committee)
06.06.03 | F/1.2.1, F/1.2.7 | Pro-Vice-Chancellor (Information and Academic Services) | Revised to ensure compliance with Queensland Government Information Standard 18 - Information Security
09.11.01 | F/1.2.5 | Pro-Vice-Chancellor (Information and Academic Services) | Revised policy
22.06.01 | F/1.2.6 | MOPP Officer | Editorial changes
11.01.00 | All | Vice-Chancellor | New policy (endorsed by Vice-Chancellor's Advisory Committee 22.09.98)
