Queensland University of Technology - Manual of Policies and Procedures

F/1.2 Information security


Contact Officer: Manager, IT Security, Information Technology Services / QUT Privacy Officer, Governance and Legal Services

Approval Date: 09/08/2011

Approval Authority: Vice-Chancellor

Date of Next Review: 01/09/2014

1.2.1 Policy principles
1.2.2 Application
1.2.3 Roles and responsibilities relating to information security
1.2.4 Information security classification
1.2.5 Access
1.2.6 Information security audits and monitoring
1.2.7 Consequences of non-compliance
Related Documents
Modification History

1.2.1 Policy principles

QUT is committed to protecting its information assets against unauthorised access and use, theft, modification, destruction and unauthorised disclosure. The University’s information security policy addresses security issues related to the ownership, confidentiality, integrity and accessibility of information, and in particular, risks associated with the use of computers and networks for storing, transferring and processing information.

This policy is derived from obligations under the Queensland Government's Information Standard No 18 - Information Security. This policy also supports QUT's obligations to comply with security requirements for managing records (F/6.1) and for protecting the privacy of personal information (F/6.2). QUT is also committed to complying as far as practicable with other standards designed to enhance protection of information assets, such as Australian and industry standards.


1.2.2 Application

This policy applies to all organisational units of QUT and to all users of QUT’s information technology (IT) resources, services and/or facilities, including staff, students, and other individuals associated with the University such as Council members, contractors, consultants or visitors.

This policy applies to all information assets of QUT including information related to QUT’s functions and activities, whether processed by computers owned by or located on the University's premises, or held in physical records sources. The policy also applies to voice and data communications equipment and software owned by QUT or personal equipment connected to the QUT network and to data in transit in QUT communications media.

As a result of the application of this policy to all of QUT's information assets, physical security measures (to secure buildings, office spaces, etc) must be taken into account in implementing this policy (see H/3.4). Logical access to systems is dealt with in section F/1.2.6 below.


1.2.3 Roles and responsibilities relating to information security

All users of QUT information assets

All users of QUT’s information assets must comply with this policy, must be aware of the security requirements for the systems they use, and must take reasonable precautions to safeguard their access to these systems against inappropriate or unauthorised access.

A user must not bypass security mechanisms and virus management systems.

QUT staff may be granted access to valuable or sensitive information. Staff have a responsibility, both under this policy and other policies such as QUT's information privacy policy (F/6.2) and the records management policy (F/6.1), to maintain the security of such information. Regardless of whether the device is privately owned or a QUT asset, or whether it is located on-campus or off-campus, this responsibility requires that appropriate care be taken when using or storing QUT information on a mobile storage device or in a non-QUT owned or operated storage service. Protection mechanisms to consider include physical protection of the device storing the information, access controls provided by the device or service (for example, passwords or PINs) and authenticated usage based on QUT authentication where possible. Data custodians should consider appropriate controls and restrictions for the information in their custody. Information which is classified as protected or highly protected should not be moved out of an environment in which QUT's routine security standards (both physical and technical) apply unless the data custodian has approved the use as part of standard processes.

Data or system custodians

Unless stated otherwise by separate agreement, ownership of information, data and software within QUT is held solely by QUT and is not assigned or delegated in any way. All major information assets must be accounted for and have a nominated owner or custodian who is accountable for the implementation and management of this policy in relation to the asset. For further information on the role of data custodians, refer to F/1.1. The Information Technology Services Department maintains a list of accountable officers for the University’s major data sets (see http://www.its.qut.edu.au/governance/policies/QUTITpolicy.jsp).

Director, Information Technology Services

The Director, Information Technology Services is responsible for the development and publication of minimum security standards for QUT's business systems and networks, operating procedures, and other security protocols, including incident management and reporting protocols for information security breaches. The Director, Information Technology Services is also responsible for the establishment and promulgation of standards, identification of security threats and vulnerabilities, training and awareness relating to IT security, and participation in security audits and evaluations, including relevant advice to custodians of systems within QUT.

Director, Governance and Legal Services

The Director, Governance and Legal Services is responsible for the implementation of the standards required to maintain privacy and to protect other sensitive QUT records.

Heads of organisational units

All organisational units within QUT will hold some data or information requiring the implementation of security standards. The head of the organisational unit is responsible for undertaking evaluations of risk in regard to information security and for implementing appropriate security measures for local information assets, including physical records, local IT systems and infrastructure.

Systems administrators

IT systems administrators are responsible for the integrity of the information systems in their custody and for implementing the required security standards at the operational level. This includes responsibility for implementing data back-up and recovery/restoration strategies (including business continuity planning and disaster recovery strategies) and for managing the integrity of such processes.


1.2.4 Information security classification

QUT has a two-tier information security classification framework.

Information systems and resources (including physical corporate records resources) are classified according to their degree of criticality to University business operations. Systems and resources vital to maintaining business continuity are given the highest classification within this framework. These classification levels apply to all information systems, services, network segments and physical areas and equipment in which these systems are housed or accessed. Physical and environmental security controls should be in place for areas where security classified information is processed or handled, which may restrict entry to authorised users only. All staff, students or external contractors are allocated a clearance level to determine what information systems they are able to access.

The second element of the security classification framework is based on the nature of the information contained within a given dataset. The University uses the following classification levels for information (from least to most secured information):

Classification: Public
Definition: Information of a nature which does not warrant any restrictions on access by staff, students or the community.
Examples: Commonly material on websites (other than material that is specified as QUT access only), or other public access resources, such as annual reports or other public reporting mechanisms.

Classification: QUT only
Definition: Information which relates to QUT business and which is of relevance in terms of application to or use by members of the QUT community only.
Examples: Library databases, QUT Virtual.

Classification: QUT staff only
Definition: Information generated or utilised to manage QUT functions or business activities.
Examples: Corporate systems, certain procedural information, information relating to budgets and compliance.

Classification: Limited access
Definition: Information generated or utilised to manage QUT functions or business activities which requires restrictions based on institutional risks (eg personal privacy, commercial value, etc) but where access is necessary by a range of University officers to carry out business activities.
Examples: Information about students, staff, information on commercial dealings or activities, and audit information.

Classification: Protected
Definition: Information generated or utilised to manage QUT functions or business activities where greater restrictions are required to protect QUT rights and interests including legal or commercial rights or QUT's intellectual property, the rights and interests of individuals, or to limit QUT's liabilities. A useful definition of sensitive personal information is contained in section 6 of the Commonwealth Privacy Act 1988.
Examples: Information such as research data, tax file numbers, sensitive personal information.

Classification: Highly protected
Definition: Information generated or utilised to manage QUT functions or business activities where wider dissemination would expose QUT or individuals to significant risks or liabilities. Very little information belongs in the highly protected category and it should be used sparingly.
Examples: Public interest disclosures, confidential out-of-court settlements.

These classifications are applied according to the value, importance and sensitivity of information, taking into account risk assessments, privacy, legal obligations, legislative requirements and commercial value. Where subsets of information within a given dataset are classified at a different or higher level of protection (for example, tax file numbers), appropriate security and access measures must be in place to reflect these varying security requirements. These may entail greater limits on view-only access, restrictions on the capacity to modify data, and similar safeguards.

All information resources must have a security classification approved by the relevant data or system custodian. Any changes to classifications must also be approved by that officer. Any data received from an external source must also be classified. In general it will inherit the classification of the information system for which it is intended. Use of alternative information classification schemes is permitted only where mapping to this classification framework is undertaken.

Copying, storage and transmission of data should be handled such that clearance levels match the classification of the data. For example, data classified as protected should be stored in an area or on a server classified as protected.


1.2.5 Access

Access to information systems at QUT is provided to users for the purpose of carrying out work, study or other activities as agreed with the University. In general, access to data is regulated by guidelines and procedures defined for each service and is granted on the "least privilege" principle, in which each user is granted the most restricted set of privileges needed for the performance of relevant tasks.

Except for information classified as publicly available (for example, the home page of the University's website), access to information systems at QUT must be controlled through user authentication and authorisation mechanisms. Physical access to protected or highly protected systems or equipment is controlled by designing appropriate isolation for sensitive computer and communications equipment and media. Specifically designated secure areas should be provided.

The general conditions of access are set out in QUT's Acceptable use of information technology resources policy (F/1.11). Access to information assets at QUT is monitored.

Student access

Students are only provided with access to the QUT information systems required to facilitate and progress their studies.

Staff access

Access to add, delete or modify data must be commensurate with job responsibilities, and position descriptions should adequately document data responsibilities and roles. Additionally, the "separation of roles" principle should be applied to ensure that duties relating to the management and auditing of IT systems are carried out separately by different staff in accordance with the University’s Internal control policy (A/2.6).

Staff with more extensive privileges, whether in relation to information or systems, may be required to sign a confidentiality agreement either at the time of appointment or when the privileges are granted.

Access to information concerning technical solutions employed in the realisation of systems security controls is only available to specifically authorised staff. Such authorisation is to be granted according to guidelines established by the Deputy Vice-Chancellor (Technology, Information and Learning Support) (refer to http://www.its.qut.edu.au/governance/policies/ for further details).

Access to individuals associated with the University

Granting access to individuals associated with the University must take full account of security risks involved and ensure that adequate controls to protect QUT's information assets are imposed (adequacy of controls must take into account the "least privilege" and "separation of roles" principles). In relation to external contractors and consultants, the University officer authorised in the Schedule of Authorities and Delegations (MOPP Appendix 3) to make the appointment must ensure that provisions in the contract of appointment or other legally binding agreement (for instance, a deed of confidentiality) are in place to mitigate information security and other risks.

Security risks must also be taken into account in provisioning guidelines, for routine use of QUT systems and resources by individuals associated with the University.

Responsibility for granting access rights

In general, the data custodian has responsibility for determining data security requirements and user access levels for the dataset or system (see F/1.1), though responsibility for determining user access levels may be delegated (see Appendix 3). The decision on the granting of access for individual users is made according to the normal delegated authority processes of the University. Decisions by a delegate authorised to grant access must be made in accordance with the considerations set out in this section, in particular, the "least privilege" principle and the "separation of roles" principle.

Review of access rights

Whether undertaken through system design, automated processes or manually, it is a responsibility of all data custodians to implement a system whereby access rights are reviewed regularly (at least annually).

Revocation of access rights

The data or system custodian should ensure that appropriate mechanisms are in place for revocation or downgrading of access rights due to termination of employment, change of position or due to security breaches or other misconduct. Exit procedures for both staff and students should revoke access to physical resources and buildings by cancellation of building access and/or return of keys (refer to B/7.2 and H/3.4.2 for further information about these requirements).


1.2.6 Information security audits and monitoring

Any breaches of security requirements by an individual user may result in disciplinary action (for staff and students) or the suspension or termination of access rights and computer accounts in accordance with the Acceptable use of information technology resources policy (F/1.11).

This policy supports and complements State and Commonwealth law. It should be emphasised that illegal access to and use of computer systems at QUT constitutes a crime under the relevant legislation. Such breaches may also be reported to law enforcement authorities for appropriate action.


Related Documents

Information Standard No 18 - Information Security

http://www.its.qut.edu.au/governance/policies/

F/1.11 Acceptable use of information technology resources

F/6.1 Records policy

F/6.2 Information privacy

Appendix 3 Schedule of Authorities and Delegations


Modification History

Date Sections Source Details
09.08.11 All Vice-Chancellor Periodic review - policy revised
15.09.10 All Governance Services Policy revised to reflect repeal of Information Facilities Rules
14.12.06 All Vice-Chancellor Revised policy (incorporates former Appendix 53 Management of QUT information systems) (endorsed by Information Technology Advisory Committee 25.10.06)
07.10.04 F/1.2.6 Secretariat Editorial (revised committee name - Information Technology Advisory Committee, approved by Vice-Chancellor 07.10.04)
08.07.04 F/1.2.6 Secretariat Editorial (deleted reference to Information Technology Strategic Governance Committee, disbanded June 2004, and replaced with reference to new Information Technology and Library Resources Committee)
06.06.03 F/1.2.1, F/1.2.7 Pro-Vice-Chancellor (Information and Academic Services) Revised to ensure compliance with Queensland Government Information Standard 18 - Information Security
09.11.01 F/1.2.5 Pro-Vice-Chancellor (Information and Academic Services) Revised policy
22.06.01 F/1.2.6 MOPP Officer Editorial changes
11.01.00 All Vice-Chancellor New policy (endorsed by Vice-Chancellor's Advisory Committee 22.09.98)
