Information Security

SUMMARY

The Information Security Policy establishes the principles that underpin the University’s approach to ensuring that the digital information systems security objectives of Confidentiality, Integrity, Availability, Compliance and Assurance are achieved by Macquarie University.

The Information Security Procedure establishes rules for and explains:

  • Access Control
  • Information Security Incident Management
  • Information Security Requests (‘Code Yellow’)
  • Password Management
  • Information Systems Acquisition, Development and Maintenance

The Data Classification Procedure and Standards outlines the steps required to classify and secure the data within a person's span of control, according to the prescribed minimum standards for data protection.

POLICY

1     PURPOSE

To ensure that the following digital information and digital information systems security objectives are achieved by the University:

  1. Confidentiality – to uphold authorised restrictions on access to and disclosure of information including personal or proprietary information.
  2. Integrity – to protect information against unauthorised alteration or destruction and prevent successful challenges to its authenticity.
  3. Availability – to provide authorised users with timely and reliable access to information and services.
  4. Compliance – to comply with relevant legislation, regulations, contractual obligations requiring information to be available, safeguarded or lawfully used.
  5. Assurance – to provide assurance to the University community that information held by the University is appropriately protected and handled.

2     BACKGROUND

Data, information systems and IT Resources are strategic assets of the University and consequently need to be appropriately secured.

This document states the University’s policy on Information Security and provides requirements to establish accountability and prudent and acceptable practices regarding the use and safeguarding of the university's information resources.

This policy is closely aligned with the 2015 New South Wales Government Digital Information Security Policy, as recommended for universities by the New South Wales Government ICT Strategy, and draws on the following information security industry standards:

  • AS/NZS ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management
  • AS/NZS ISO/IEC 27002:2013(E) Information technology — Security techniques — Code of practice for information security management
  • AS ISO/IEC 27002:2015 Information technology — Security techniques — Code of practice for information security controls.

Relevant sections from these standards are directly referenced in this Policy and accompanying Procedures.

3     SCOPE

This policy applies to:

  1. the management of all matters relating to information security within the University
  2. all University information systems and information assets regardless of the media on which information is stored, the locations where the information is stored, the technology used to process the information, or the people and roles who handle the information
  3. all Information resources owned, leased, operated, or under the custodial care of third parties operated on behalf of the University; and
  4. all individuals accessing, using, holding, or managing University Information resources on behalf of the University.

4     DEFINITIONS

Commonly defined terms are located in the University Glossary. The following definitions apply for the purpose of this Procedure.

In this Procedure unless a contrary intention appears –

‘Authority’ means –

  1. in relation to the IT Resources generally, the Chief Information Officer or the Chief Information Officer’s delegate
  2. in relation to a local facility, the relevant head of department, Executive Dean, or Deputy Vice-Chancellor, or a person nominated by the relevant head of department, Executive Dean, or Deputy Vice-Chancellor;

‘authorised purposes’ means purposes associated with work or study in the University, provision of services to or by the University, which are approved or authorised by the relevant officer or employee of the University in accordance with University policies and procedures or pursuant to applicable contractual obligations, limited personal use, or any other purpose authorised by the relevant Authority;

‘Chief Information Officer’ means the person holding or acting in that position in the University, or any other person nominated by the Vice-Chancellor to exercise that role for the purpose of this Procedure.

‘Confidential Data’ means one of three data classifications defined within the Data Classification Standard and Procedures. Data that is subject to restrictive regulatory obligations in relation to the access, distribution, retention and/or destruction.

‘Controlled Data’ means one of three data classifications defined within the Data Classification Standard and Procedures. Data that is not generally created for or made available for public consumption, but that is subject to release to the public through request via the Freedom of Information Act 1982 or other applicable Commonwealth or State Law.

‘Data’ means elemental units, regardless of form or media, that are combined to create information used to support research, teaching, and other University business processes. Data may include but are not limited to: written, electronic, video, and audio records, photographs etc.

‘Data Center’ means a facility used to house computer systems and associated components, such as telecommunications and storage systems.

‘Digital Data’ means the subset of Data (as defined above) that is transmitted by, maintained, or made available in electronic media.

‘Director of Human Resources’ means the person holding or acting in that position in the University, or any other person nominated by the Vice-Chancellor to exercise that role for the purpose of this Procedure;

‘illegal material’ means material the creation, transmission, storage, downloading or possession of which contravenes or if done in New South Wales would contravene the criminal law as it applies in any jurisdiction in Australia;

‘Information Security’ is the protection of information and supporting systems from a wide range of threats in order to ensure business continuity, minimise operational risk, and maximise return on investments and operational opportunities.

‘Information Security Management System’ means the policies, procedures, standards, plans, metrics, reports, resources, and services adopted for the purpose of systematically securing University Information Resources by applying a risk management process.

‘Macquarie IT’ means the Macquarie University IT Department.

‘intellectual property’ includes the rights relating to –

  1. literary (including computer programs), artistic, musical and scientific works;
  2. multimedia subject matter;
  3. performances of performing artists, phonograms and broadcasts;
  4. inventions in all fields of human endeavour;
  5. scientific discoveries;
  6. industrial designs;
  7. trademarks, service marks and commercial names and designations;
  8. plant varieties;
  9. circuit layouts; and
  10. confidential information;

‘limited personal use’ means use that –

  1. is of a purely personal nature and not for financial gain;
  2. does not directly or indirectly impose an unreasonable burden on any IT Resources;
  3. does not unreasonably deny any other user access to any facilities;
  4. does not contravene any law in any jurisdiction in Australia or any University statute, regulation, policy or procedure; and
  5. in the case of staff, does not interfere with the execution of duties;

‘misuse’ has the meaning set out in the Acceptable Use of IT Resources Policy Schedule 1 – ‘Misuse’;

‘staff’ means staff of the University;

‘student’ includes a person who was a student at the time of any alleged breach of this Procedure, and a person who is a student for the purposes of Student Discipline;

‘University copyright officer’ means the officer designated by the Vice-Chancellor as responsible for overseeing copyright issues within the University;

5     POLICY STATEMENT

The University must have an Information Security Management System (ISMS) based on a comprehensive assessment of the risk to digital information and digital information systems.

In particular, the University will:

  1. manage information security with controls for access, use, storage and transmission of digital information;
  2. allocate responsibility for various aspects of information security to information Owners, Custodians and Users in relation to the access, use, storage and transmission of information as described in the Data Classification Procedure and Standards
  3. classify all information against a defined risk profile and in accordance with the Data Classification Procedure and Standards
  4. carry out information security risk assessments on all information systems on a regular basis in order to identify key risks and determine the controls required to effectively manage those risks.

The Information Security Procedures under this Policy set rules for and explain:

  • Access Control
  • Information Security Incident Management
  • Information Security Requests (‘Code Yellow’)
  • Password Management
  • Information Systems Acquisition, Development and Maintenance

The Data Classification Procedure and Standards under this Policy explains and sets rules, roles and responsibilities for:

  • Data Classification Standards
  • Minimum Security Standards

Exceptions to the implementation of this policy must be approved by the Chief Information Officer in consultation with the relevant University stakeholders.

6     ROLES AND RESPONSIBILITIES FOR INFORMATION SECURITY

  1. All Authorised Users are responsible for information security in accordance with the Acceptable Use of IT Resources and this policy.
  2. Authorised Users must:

    2.1 use the resource only for the purpose specified by the Owner
    2.2 comply with controls established by the Owner, and
    2.3 prevent the unauthorised disclosure of Confidential Data.

  3. The Chief Information Officer is the delegate authorised to take necessary action to assure continuity and security of the digital campus.
  4. Responsibility for IT Security and IT Risk rests with the Chief Information Officer and Macquarie IT Senior Leadership Team.
  5. Heads of budget divisions must:

    5.1 actively support information security through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities
    5.2 ensure that all information security roles and responsibilities are clearly allocated
    5.3 ensure that information security policy and all supporting procedures have been effectively implemented for their areas of responsibility
    5.4 communicate to a staff member on termination their ongoing responsibilities to the University (e.g. ongoing confidentiality requirements in relation to University information assets).

  6. University budget divisions which operate IT facilities will include, amongst the duties of one or more of their staff, the role of overseeing information security and providing expert local advice as required. Specialist Information Security and IT risk management advice is available from Macquarie IT.
  7. The University will provide external providers with access to this policy and related procedures with which they must comply.

7     COMPLIANCE

Macquarie IT will monitor compliance with this policy and related procedures. Users must promptly report breaches of this policy and suspected information security weaknesses to the Chief Information Officer.

Any breach of this policy and related procedures may infringe relevant legislation as listed at the outset of this policy and expose persons to liability under such legislation.

Any breach of this policy or related procedures may result in formal disciplinary action. Formal disciplinary action for students will occur in accordance with the Student Code of Conduct. Formal disciplinary action for staff will occur in accordance with the Misconduct/Serious Misconduct clauses as outlined in the Staff Code of Conduct, the Academic Staff Enterprise Agreement and the Professional Staff Enterprise Agreement.

Macquarie University may refer serious matters or repeated breaches to the Chief Operating Officer, Director of Human Resources, the Head of the relevant Organisational Unit or to the appropriate external authorities which may result in civil or criminal proceedings.

External providers who breach this policy or related procedures will be subject to suspension of access, termination of contract and/or further legal action.

8     RELEVANT LEGISLATION

Copyright Act 1968 (Cwlth)
Crimes Act 1900 (NSW)
Cybercrime Act 2001 (Cwlth)
Defamation Act, 2005 (NSW)
Government Information (Public Access) Act, 2009 (NSW)
Privacy Act, 1998 (Cwlth)
Privacy & Personal Information Protection Act, 1998 (NSW)
Spam Act 2003 (Cwlth)
Workplace Surveillance Act 2005 (NSW)

9     KEY RELATED DOCUMENTS

Supporting Information Security documents:
Information Security Procedure / Data Classification Procedure and Standards

Other related documents:
Acceptable Use of IT Resources Policy / Procedure / Schedule
AS/NZS ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management
AS/NZS ISO/IEC 27002:2013(E) Information technology — Security techniques — Code of practice for information security management
AS ISO/IEC 27002:2015 Information technology — Security techniques — Code of practice for information security controls.
Australian eduroam Policy
Copyright Guidance
Delegations of Authority Register
Discrimination, Bullying and Harassment Prevention Policy 
Electronic Harassment Policy
Intellectual Property Policy

Macquarie University Enterprise Agreement
2015 New South Wales Government Digital Information Security Policy
Policy Framework Policy
Staff Code of Conduct 
Student Code of Conduct
Student Discipline Rules and Procedure
Workplace Surveillance Policy (under development)

10   NOTES

10.1 Contact Officer: Josef Oduwo, Director of Policy, Compliance and PMO – IT Department
10.2 Implementation Officer: Director of Policy, Compliance and PMO – IT Department
10.3 Approval Authority / Authorities: The Deputy Vice-Chancellor and Chief Operating Officer
10.4 Date Approved: 21 June 2016
10.5 Date of Commencement: 21 June 2016
10.6 Date for Review: 30 June 2018
10.7 Documents Superseded by this Policy:
  • Information Security Policy
  • Information Security Incident Response Policy
  • Password Selection and Management Policy
  • Security Control Firewall Policy
10.8 Amendment History: N/A

PROCEDURE

1     PURPOSE

To set rules for and explain:

  • Access Control
  • Information Security Incident Management
  • Information Security Requests (‘Code Yellow’)
  • Password Management
  • Information Systems Acquisition, Development and Maintenance

This Procedure is closely aligned with the 2015 New South Wales Government Digital Information Security Policy (Compliance with Minimum Controls Core Requirement), as recommended for universities by the New South Wales Government ICT Strategy, and draws on the following information security industry standards:

  • AS/NZS ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management
  • AS ISO/IEC 27002:2015 Information technology — Security techniques — Code of practice for information security controls.

2     SCOPE

This Procedure applies to:

  1. the management of all matters relating to information security within the University
  2. all University information systems and information assets regardless of the media on which information is stored, the locations where the information is stored, the technology used to process the information, or the people and roles who handle the information
  3. all Information resources owned, leased, operated, or under the custodial care of third parties operated on behalf of the University; and
  4. all individuals accessing, using, holding, or managing University Information resources on behalf of the University.

Data that is personal to the User of a University IT Resource and is stored, processed, or transmitted on that IT Resource as a result of incidental personal use is not considered university data. However, University data stored on non-university IT facilities must be verifiably protected according to the minimum security standards outlined in the Data Classification Procedure and Standards.

3     DEFINITIONS

Commonly defined terms are located in the University Glossary. The following definitions apply for the purpose of this Procedure.

In this Procedure unless a contrary intention appears –

‘Authority’ means –

  1. in relation to the IT Resources generally, the Chief Information Officer or the Chief Information Officer’s delegate
  2. in relation to a local facility, the relevant head of department, Executive Dean, or Deputy Vice-Chancellor, or a person nominated by the relevant head of department, Executive Dean, or Deputy Vice-Chancellor;

‘authorised purposes’ means purposes associated with work or study in the University, provision of services to or by the University, which are approved or authorised by the relevant officer or employee of the University in accordance with University policies and procedures or pursuant to applicable contractual obligations, limited personal use, or any other purpose authorised by the relevant Authority;

‘Chief Information Officer’ means the person holding or acting in that position in the University, or any other person nominated by the Vice-Chancellor to exercise that role for the purpose of this Procedure.

‘Confidential Data’ means one of three data classifications defined within the Data Classification Standard and Procedures. Data that is subject to restrictive regulatory obligations in relation to the access, distribution, retention and/or destruction.

‘Controlled Data’ means one of three data classifications defined within the Data Classification Standard and Procedures. Data that is not generally created for or made available for public consumption, but that is subject to release to the public through request via the Freedom of Information Act 1982 or other applicable Commonwealth or State Law.

‘Data’ means elemental units, regardless of form or media, that are combined to create information used to support research, teaching, and other University business processes. Data may include but are not limited to: written, electronic, video, and audio records, photographs etc.

‘Data Center’ means a facility used to house computer systems and associated components, such as telecommunications and storage systems.

‘Digital Data’ means the subset of Data (as defined above) that is transmitted by, maintained, or made available in electronic media.

‘Director of Human Resources’ means the person holding or acting in that position in the University, or any other person nominated by the Vice-Chancellor to exercise that role for the purpose of this Procedure;

‘illegal material’ means material the creation, transmission, storage, downloading or possession of which contravenes or if done in New South Wales would contravene the criminal law as it applies in any jurisdiction in Australia;

‘Information Security’ is the protection of information and supporting systems from a wide range of threats in order to ensure business continuity, minimise operational risk, and maximise return on investments and operational opportunities.

‘Information Security Management System (ISMS)’ means the policies, procedures, standards, plans, metrics, reports, resources, and services adopted for the purpose of systematically securing University Information Resources by applying a risk-based management process.

‘Macquarie IT’ means the Macquarie University IT Department.

‘intellectual property’ includes the rights relating to –

  1. literary (including computer programs), artistic, musical and scientific works;
  2. multimedia subject matter;
  3. performances of performing artists, phonograms and broadcasts;
  4. inventions in all fields of human endeavour;
  5. scientific discoveries;
  6. industrial designs;
  7. trademarks, service marks and commercial names and designations;
  8. plant varieties;
  9. circuit layouts; and
  10. confidential information;

‘limited personal use’ means use that –

  1. is of a purely personal nature and not for financial gain;
  2. does not directly or indirectly impose an unreasonable burden on any IT Resources;
  3. does not unreasonably deny any other user access to any facilities;
  4. does not contravene any law in any jurisdiction in Australia or any University statute, regulation, policy or procedure; and
  5. in the case of staff, does not interfere with the execution of duties;

‘misuse’ has the meaning set out in the Acceptable Use of IT Resources Policy Schedule 1 – ‘Misuse’;

‘staff’ means staff of the University;

‘student’ includes a person who was a student at the time of any alleged breach of this Procedure, and a person who is a student for the purposes of Student Discipline;

‘University copyright officer’ means the officer designated by the Vice-Chancellor as responsible for overseeing copyright issues within the University;

4     ACCESS CONTROL

4.1 Operational requirement for access control

Objective: To control access to information.

  • Access to information, information processing facilities, and operational processes must be approved on the basis of operational and security requirements by the nominated owner.
  • Anonymous access is not permitted to assets classified as sensitive.
  • Access control rules and rights for each user or group of users must be clearly stated.

4.2 User Access Management

Objective: To ensure authorised user access and to prevent unauthorised access to information systems.

  • Formal procedures must be in place to control the allocation of access rights to information systems and services.
  • The procedures must cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services.
  • Special attention must be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

4.3 User registration

  • There must be a formal user registration and de-registration procedure (user registration form) in place for granting and revoking access to all information systems and services.
  • The access control procedure for user registration and de-registration must include:
    1. Using unique user IDs to enable users to be linked to and held responsible for their actions; the use of group IDs (role based accounts) must only be permitted where they are necessary for operational reasons, and must be approved and documented;
    2. Ensuring service providers do not provide access until authorization procedures have been completed;
    3. Maintaining a formal record of all persons registered to use the service;
    4. Immediately removing or blocking access rights of users who have changed roles or jobs or left the University;
    5. Periodically checking for, and removing or blocking, redundant user IDs and accounts after 90 days of inactivity, with deletion after 180 days;
    6. Redundant user IDs are not to be issued to other users.

4.4 Privilege Management

  • The allocation and use of privileges must be restricted and controlled.
  • The principle of least privilege must be applied. Approved access by the asset owner must only be granted if it is deemed necessary to support a legitimate operational requirement.
  • Privileges must be assigned to a different user ID from those used for normal operational activity.
  • The University will monitor IT Resources and:
    1. review privileged access quarterly, to ensure continued access is required;
    2. log and audit use of and changes to IT systems and services; and
    3. retain logs for monitoring and investigations.

Staff authorised to undertake routine monitoring of IT Resources and extraordinary monitoring can only do so in accordance with University policies.
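The registration and privilege-management rules in 4.3 and 4.4 can be checked mechanically against an account inventory. The following script is an added example, not part of the University's procedure or of any Macquarie IT tooling: the account records are constructed, and the 92-day quarterly review window and the "privileged ID holder must also hold a separate non-privileged ID" test are assumptions about how the rules would be operationalised.

```python
"""Account hygiene checks modelled on Procedure sections 4.3 and 4.4 (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVE_BLOCK_DAYS = 90     # 4.3(5): block redundant IDs after 90 days of inactivity
INACTIVE_DELETE_DAYS = 180   # 4.3(5): delete after 180 days
PRIV_REVIEW_DAYS = 92        # 4.4(1): quarterly review; 92-day window is an assumption


@dataclass(frozen=True)
class Account:
    user_id: str
    owner: str                         # the person the ID is linked to (4.3(1))
    last_login: date
    privileged: bool = False
    last_priv_review: Optional[date] = None


def inactivity_findings(acct: Account, today: date) -> list[tuple[str, str]]:
    """4.3(5): decide whether an ID is redundant and what to do about it."""
    idle = (today - acct.last_login).days
    if idle >= INACTIVE_DELETE_DAYS:
        return [("delete", f"{acct.user_id}: inactive {idle} days (>= {INACTIVE_DELETE_DAYS})")]
    if idle >= INACTIVE_BLOCK_DAYS:
        return [("block", f"{acct.user_id}: inactive {idle} days (>= {INACTIVE_BLOCK_DAYS})")]
    return []


def privilege_findings(accounts: list[Account], today: date) -> list[tuple[str, str]]:
    """4.4: privileged access reviewed quarterly and held on a separate user ID."""
    findings = []
    by_owner: dict[str, list[Account]] = defaultdict(list)
    for a in accounts:
        by_owner[a.owner].append(a)
    for a in accounts:
        if not a.privileged:
            continue
        # 4.4(1): a privileged ID that was never reviewed counts as overdue.
        if a.last_priv_review is None or (today - a.last_priv_review).days > PRIV_REVIEW_DAYS:
            findings.append(("review_privilege", f"{a.user_id}: privileged access review overdue"))
        # 4.4: privileges go on a different ID from the one used for normal work, so
        # the owner is expected to hold at least one non-privileged ID as well (assumption).
        if not any(not o.privileged for o in by_owner[a.owner]):
            findings.append(("separate_id", f"{a.user_id}: privileged ID is {a.owner}'s only account"))
    return findings


def reissue_findings(accounts: list[Account], retired_ids: set[str]) -> list[tuple[str, str]]:
    """4.3(6): redundant IDs are never issued to other users."""
    return [("reissued_id", f"{a.user_id}: ID was previously retired")
            for a in accounts if a.user_id in retired_ids]


def review_accounts(accounts: list[Account], retired_ids: set[str], today: date) -> list[tuple[str, str]]:
    """Run all checks and return (action, reason) pairs for the reviewer."""
    findings: list[tuple[str, str]] = []
    for a in accounts:
        findings.extend(inactivity_findings(a, today))
    findings.extend(privilege_findings(accounts, today))
    findings.extend(reissue_findings(accounts, retired_ids))
    return findings


# Constructed sample inventory (fictional accounts, not real University data).
TODAY = date(2016, 6, 21)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "J. Smith", date(2016, 6, 1)),
    Account("jsmith-adm", "J. Smith", date(2016, 5, 30), privileged=True,
            last_priv_review=date(2016, 4, 1)),                 # separate privileged ID, reviewed 81 days ago
    Account("alee", "A. Lee", date(2016, 2, 1)),                # 141 days idle -> block
    Account("svc-old", "Service X", date(2015, 10, 1)),         # 264 days idle -> delete
    Account("mchan", "M. Chan", date(2016, 6, 10), privileged=True),  # only ID is privileged, never reviewed
    Account("rgreen", "R. Green", date(2016, 6, 15)),           # ID re-issued from the retired set
]
RETIRED_IDS = {"rgreen"}

if __name__ == "__main__":
    for action, reason in review_accounts(SAMPLE_ACCOUNTS, RETIRED_IDS, TODAY):
        print(f"{action:17} {reason}")
```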

4.5 User Responsibilities

Objective: To prevent unauthorised user access, and compromise or theft of information and information processing facilities.

  • A clear desk and clear screen policy must be implemented to reduce the risk of unauthorised access or damage to papers, media, and information processing facilities for information classified as sensitive.

4.6 Network Access Control

Objective: To prevent unauthorised access to networked services.

  • Access to both internal and external networked services must be controlled.

4.7 Use of network services

  • Users will only be provided with access to the services that they have been specifically authorised to use.

4.8 User authentication for external connections

  • Appropriate authentication methods are required to control access for remote users.

4.9 Equipment identification in networks

  • Automatic equipment identification must be considered as a means to authenticate connections from specific locations and equipment.

4.10 Remote diagnostic and configuration port protection

  • Physical and logical access to diagnostic and configuration ports must be controlled.

4.11 Segregation in networks

  • Groups of information services, users, and information systems must be segregated on networks.

4.12 Network connection control

  • For shared networks, especially those extending across the University’s boundaries, the capability of users to connect to the network must be restricted, in line with the access control policy and requirements of the business applications.

5     INFORMATION SECURITY INCIDENT MANAGEMENT

5.1 Reporting information security events and weaknesses

Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

  • All employees, contractors and third party users must be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of University assets. They must report any information security events and weaknesses as quickly as possible.
  • Users must not publicise security incidents, as publicity increases risks to the University.

5.2 Reporting and management of information security events

  • Any known or suspected information security event or weakness will be reported to the IT Service Desk immediately by calling +61 2 9850 HELP (4357) or by email to onehelp@mq.edu.au.
  • Significant incidents are incidents that have implications on personal security, Occupational Health and Safety, breaches of privacy or incidents that may involve the administrative or academic manager.
  • Significant incidents must be reported to the Chief Information Officer immediately.
  • Faculties or Offices that cannot positively determine that the reported security event or weakness was a false positive will report the suspected information security event or weakness to the Chief Information Officer or the Information Security Manager immediately.
  • The ICT security team will evaluate the information and determine the appropriate course of action.
  • Any investigation outside the approval of the ICT Security team will be managed by disciplinary processes as per the Acceptable Use of IT Resources Policy.
  • A process of continual improvement will be applied to the response to, monitoring, evaluating, and overall management of information security incidents.
  • Where evidence is required, it must be collected to ensure compliance with legal requirements.
  • In accordance with Australian Guidelines for the Management of IT Evidence, HB171-2003, only defined security investigators are to collect security incident evidence. The Information Security Manager will ensure proper chain-of-custody of evidence when it is suspected that the information security event may result in legal action.

6     INFORMATION SECURITY REQUESTS (‘CODE YELLOW’)

CodeYellow is a procedure and mechanism to ensure the best signal-to-noise ratio available when information security action is needed.

CodeYellow is designed to enforce policy, create a viable audit trail, streamline approval and decrease the time taken to take action. It represents a concrete improvement on the previous practice of unaccountable email trails and delays due to the unavailability of decision makers.

CodeYellow is not an emergency hotline suitable for physical or personal danger or safety alarms. CodeYellow depends on an external software service (OneHelp) which does not have uptime, real-time alerting, emergency broadcast or security characteristics suitable for these kinds of situations.

CodeYellow works like this:

  1. An incident occurs and is assessed by a reporting entity.
  2. The reporter raises an incident by one of three methods:
    2.1 Email: codeyellow@mq.edu.au
    2.2 Web link
    2.3 Telephone: +61-2-9850-HELP, otherwise known as x4357
  3. Because different provisions apply, each CodeYellow must be classified as one of:
    3.1 Account access/lockout (where an account holder's access is to be terminated or an alternative account holder is granted proxy access)
    3.2 Account extension (where an account holder is approved by their Dean/Head of Office for access outside normal policy)
    3.3 Digital surveillance (where information gathering is required without the knowledge of an account holder)
    3.4 Privacy breach (where a suspected contravention of privacy policy has occurred and requires investigation)
    3.5 Law enforcement/regulatory (where a court, police or homeland security action has been requested or ordered)
  4. The resulting OneHelp ticket is routed to the Macquarie IT management team to ensure visibility by senior personnel, bypassing the normal level 1, 2 and 3 support teams.
  5. A OneHelp ticket approval process is initiated to key executives designated as having CodeYellow responsibility by reason of policy.
  6. Email notification to this approval group is initiated and can be responded to directly in email by clicking "yes/no", which will update the OneHelp audit trail to record the decision. The ticket cannot be actioned without the correct approval.
  7. Once the requisite combination of approvals is received, any starfleet member assigns the ticket to the correct people to action it.

Approval mechanism
A OneHelp automated approval process is used as a prerequisite to actioning a CodeYellow. The key personnel involved are the current Chief Information Officer (CIO), Director Human Resources (DHR), General Counsel (GC) and Deputy Vice-Chancellor (Students and Registrar). Approval works like this (a composite view across policies):

Issue concerning: Account access/lockout
  Staff: CIO and DHR
  Students: CIO and DVC (S&R)
  Other Party: CIO and DVC (S&R)
  How many to approve: 1
  Associated Policy: Acceptable Use of IT Resources Policy
  Definition: 1) Account Access: Person other than allocated owner needs access to email account after owner has left MQ. Access is only given to the email archive (Postini) and never the account directly. This is to keep the identity of the account owner intact. The System Administrator of Postini can grant access. 2) Lockout: MQ Employee is being locked out of their account for disciplinary reasons or has been dismissed etc. MAY NEED TO ACT IMMEDIATELY. Sys Admins need to lock/block OneID account access.

Issue concerning: Account extension
  Staff: CIO or DHR
  Students: CIO or DVC (S&R)
  Other Party: CIO or DVC (S&R)
  How many to approve: 1
  Associated Policy: Acceptable Use of IT Resources Policy
  Definition: Academic or professional staff member requests access to their email after they leave MQ (for more than what is already allowed). The IT Service Desk can extend the account after access is approved.

Issue concerning: Digital surveillance
  Staff: CIO and DHR
  Students: CIO and DVC (S&R)
  Other Party: CIO and GC
  How many to approve: 1
  Associated Policy: Acceptable Use of IT Resources Policy and Information Security Policy
  Definition: SERIOUS and SENSITIVE. Governed by legislation. Approval will be given to conduct digital surveillance on email or digital records, disk copy of computer etc. CIO will coordinate.

Issue concerning: Privacy breach
  Staff: GC and CIO
  Students: GC and CIO
  Other Party: GC and CIO
  How many to approve: 1
  Associated Policy: Information Security Policy
  Definition: Means that an MQ system has been hacked or breached. Staff need to act extremely quickly to mitigate the breach. Coordination point may come from many places – IT Security to be made aware a.s.a.p.

Issue concerning: Law enforcement/regulatory
  Staff: GC or CIO
  Students: GC or CIO
  Other Party: GC or CIO
  How many to approve: 1
  Associated Policy: Agreement with Legal Counsel
  Definition: Subpoena related searches. A subpoena from state or Federal police will be received by Legal Counsel, who may ask that digital records be provided directly to them. NEVER DEAL WITH POLICE DIRECTLY, ALWAYS REFER THEM TO MQ Security. Nominated people within the IT Service Desk can provide information after approval is given.

Issue concerning: Personal Information Access
  Staff: GC or CIO*
  Students: Pre-approved for Deidre Anderson, Darren Peters, Michael Carley, John Durbridge
  Other Party: GC or CIO
  How many to approve: Pre-approved for student information; 1 for staff information.
  Associated Policy: Privacy Statement and Acceptable Use of IT Resources Policy
  Definition: 1) IT Service Desk can release student information to Deidre Anderson, Darren Peters, Michael Carley or John Durbridge immediately if they ask for it; it is pre-approved. 2) Approval by General Counsel or the CIO is needed to release staff information. Nominated people within Macquarie IT/IT Service Desk can provide information after approval is given.
  • A member of the Senior Leadership Team can act as a proxy for the CIO if the CIO cannot be reached; such members are part of the IT management team that the ticket is routed to.
  • The Deputy Vice Chancellor or Vice Chancellor both have executive approval privilege should the situation warrant it or should one of the required approvers be unavailable - this is the only CodeYellow bypass mechanism. Invocation of this approval is also required to be noted on the ticket.

Limitations

  • All designated people in the tech group receive CodeYellow notifications, regardless of the type of approval.
  • Each type of request strictly requires the approvers nominated unless policy changes.
  • OneHelp itself is not a security mechanism; it is a tasking mechanism that can be seen by technicians. The system is not designed to be the case management mechanism for the issue, just the approval and execution of IT tasks.
  • Although regular support centre processes are short circuited by CodeYellow to limit the number of eyes on the incident and reduce the escalation time, a technician with the URL for a CodeYellow could access the incident. This is, of course, by design and necessary for efficient task flow.

7     PASSWORD SELECTION AND MANAGEMENT

7.1 The following controls must be applied:

  • User-level passwords must be kept confidential. If your password has been compromised, change it immediately.
  • User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a password that is unique from all other accounts held by that user.
  • Passwords must not be inserted into email messages or other forms of electronic communication.
  • Passwords must never be written down or stored online.
  • Passwords must never be included in scripts.
  • Initial passwords must be changed on first use.
  • Procedures to verify the identity of the person requesting a new, replacement or temporary password must be followed by the persons performing the change.
  • Default vendor passwords must be altered following installation of systems or software.
  • Where possible, accounts that access sensitive information must be disabled after 5 unsuccessful login attempts.
  • Where possible, the last 9 passwords must not be re-used.
  • Maintain separate passwords for internal and external system access.
  • A keyed hash must be used where available, e.g. for SNMP.

7.2 All user-level and system-level strong passwords must, where possible, meet at least three of the following criteria:

  • contain both upper and lower case characters (e.g. a-z, A-Z);
  • contain digits and punctuation characters as well as letters (e.g. $%^&);
  • are at least eight characters long;
  • are not a word in any language, slang, dialect, jargon, etc.;
  • are not based on personal information, names of family members, etc.
  • To create a strong password that is easy to remember, think of a phrase that you can easily remember, e.g. "This May Be One Way To Remember"; the password could then be "TmB1w2R!".
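The rules in 7.1 and 7.2 are concrete enough to be enforced in code. The following is an added example, not part of the Procedure or of any University system: it scores a candidate password against the 7.2 criteria (at least three must hold), rejects re-use of the last 9 passwords, forces a change of the initial password, and locks the account after 5 failed attempts. The dictionary and personal-information lists are constructed placeholders, and the hashing parameters are illustrative.

```python
"""Password controls from sections 7.1 and 7.2, as an added illustration.

Constructed example, not University code. The dictionary and personal-information
checks use small placeholder lists so that the example runs offline.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8          # 7.2: at least eight characters
CRITERIA_REQUIRED = 3   # 7.2: a password must meet at least three criteria
HISTORY_DEPTH = 9       # 7.1: the last 9 passwords must not be re-used
LOCKOUT_ATTEMPTS = 5    # 7.1: disable the account after 5 unsuccessful attempts
PBKDF2_ROUNDS = 50_000  # kept modest for the demo; production values are higher

# Constructed placeholder word list standing in for "a word in any language".
SAMPLE_DICTIONARY = {"password", "welcome", "macquarie", "university", "summer"}


def criteria_met(password, personal_info=()):
    """Return the names of the 7.2 criteria that the password satisfies."""
    met = []
    if any(c.islower() for c in password) and any(c.isupper() for c in password):
        met.append("mixed_case")
    if any(c.isdigit() for c in password) and any(c in string.punctuation for c in password):
        met.append("digits_and_punctuation")
    if len(password) >= MIN_LENGTH:
        met.append("min_length")
    if password.lower() not in SAMPLE_DICTIONARY:
        met.append("not_dictionary_word")
    lowered = password.lower()
    if not any(info and info.lower() in lowered for info in personal_info):
        met.append("not_personal_info")
    return met


def is_strong(password, personal_info=()):
    """7.2 rule: strong means at least CRITERIA_REQUIRED of the criteria are met."""
    return len(criteria_met(password, personal_info)) >= CRITERIA_REQUIRED


class Account:
    """Tracks the 7.1 controls: first-use change, password history, lockout."""

    def __init__(self, username, initial_password, personal_info=()):
        self.username = username
        self.personal_info = tuple(personal_info) + (username,)
        self.history = []        # (salt, digest) of recent passwords, newest last
        self.failed_attempts = 0
        self.locked = False
        self.must_change = True  # 7.1: initial password must be changed on first use
        self._store(initial_password)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, self._digest(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last 9

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(self._digest(password, salt), digest)

    def authenticate(self, password):
        """Return 'ok', 'change_required', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        if self._matches(password, self.history[-1]):
            self.failed_attempts = 0
            return "change_required" if self.must_change else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_ATTEMPTS:
            self.locked = True        # 7.1: disable after 5 failures
            return "locked"
        return "denied"

    def change_password(self, current, new):
        """Return 'changed', or the reason the change was refused."""
        if self.locked or not self._matches(current, self.history[-1]):
            return "denied"
        if not is_strong(new, self.personal_info):
            return "weak"
        if any(self._matches(new, entry) for entry in self.history):
            return "reused"           # 7.1: one of the last 9 passwords
        self._store(new)
        self.must_change = False
        return "changed"


if __name__ == "__main__":
    acct = Account("jsmith", "Initial1!", personal_info=("smith",))
    print(acct.authenticate("Initial1!"))                 # change_required
    print(acct.change_password("Initial1!", "TmB1w2R!"))  # changed
```

Note that the page's own example "TmB1w2R!" satisfies all five criteria, while the three-of-five threshold lets a dictionary word through as long as it has mixed case and a digit plus punctuation.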

8     INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

8.1 Correct processing in applications

Objective: To prevent errors, loss, unauthorised modification or misuse of information in applications.

a. Input data validation

  • Data input to applications must be validated to ensure that this data is correct and appropriate.

b. Message integrity

  • Requirements for ensuring authenticity and protecting message integrity in applications must be identified, and, where the information is classified as sensitive, appropriate controls must be identified and implemented.

8.2 Cryptographic controls

Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

a. Key management

  • Key management must be in place to support the University's use of cryptographic techniques.
  • All cryptographic keys must be protected against modification, loss, and destruction. In addition, secret and private keys need protection against unauthorised disclosure. Equipment used to generate, store and archive keys must be physically protected.
  • A key management system must be based on an agreed set of standards, procedures, and secure methods for:
    • generating keys for different cryptographic systems and different applications;
    • generating and obtaining public key certificates, and distributing keys to intended users, including how keys must be activated when received;
    • storing keys, including how authorised users obtain access to keys;
    • changing or updating keys, including rules on when keys must be changed and how this will be done;
    • dealing with compromised keys;
    • revoking keys, including how keys must be withdrawn or deactivated, e.g. when keys have been compromised or when a user leaves the University (in which case keys must also be archived);
    • recovering keys that are lost or corrupted as part of operational continuity management, e.g. for recovery of encrypted information;
    • archiving keys, e.g. for information archived or backed up;
    • destroying keys;
    • logging and auditing of key management related activities;
    • proactive renewal of expiring keys, prior to the expiration date.

8.3 Security of system files

Objective: To ensure the security of system files.

a. Control of operational software

  • There must be procedures in place to control the installation of software on operational systems.

b. Access control to program source code

  • Access to program source code must be restricted.

8.4 Security in development and support processes

Objective: To maintain the security of application system software and information.

a. Change control procedures

  • The implementation of changes must be controlled by the use of ICT change control procedures.

b. Technical review of applications after operating system changes

  • When operating systems are changed, critical applications must be reviewed and tested to ensure there is no adverse impact on University operations or security as part of ICT change control process.

c. Restrictions on changes to software packages

  • Modifications to software packages must be discouraged, limited to necessary changes, and all changes must be strictly controlled as part of the ICT change control process.

d. Outsourced software development

  • Outsourced software development must be supervised and monitored by the University.

8.5 Technical vulnerability management

Objective: To reduce risks resulting from exploitation of published technical vulnerabilities. Technical vulnerability management must be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

a. Control of technical vulnerabilities

  • A centralised vulnerability management process must be established.
  • All information about technical vulnerabilities of the information systems in use must be obtained from external authorities such as AUSCERT and channelled to a central point of control, the Information Security Manager.
  • Vendor severity ratings will be adopted.
  • The University's exposure to such vulnerabilities will be evaluated.
  • An agreed timeline must be defined for reacting to notifications of potentially relevant technical vulnerabilities.
  • The appropriate measures, agreed in conjunction with the asset owner, must be taken to address the associated risk.
  • A patch management process must be established, implemented and monitored for all systems, maintaining a minimum patch level of n-1. This process will be governed by the ICT change management Policy.

9     COMPLIANCE

Macquarie IT will monitor compliance with this policy and related procedures. Users must promptly report breaches of this policy and suspected information security weaknesses to the Chief Information Officer.

Any breach of this policy and related procedures may infringe relevant legislation as listed at the outset of this policy and expose persons to liability under such legislation.

If any of the minimum standards contained within this document cannot be met on systems manipulating Confidential or Controlled data, an Exception Process must be initiated that includes reporting the non-compliance to the Chief Information Officer, along with a proposed risk assessment and management plan. Non-compliance with these standards may result in revocation of system or network access, notification of supervisors and reporting to the Office of Internal Audit.

Any breach of this policy or related procedures may result in formal disciplinary action for students in accordance with the Student Code of Conduct. Formal disciplinary action for staff will occur in accordance with the Misconduct/Serious Misconduct clauses as outlined in the Staff Code of Conduct, the Academic Staff Enterprise Agreement and the Professional Staff Enterprise Agreement.

Macquarie University may refer serious matters or repeated breaches to the Chief Operating Officer, Director of Human Resources, the Head of the relevant Organisational Unit or to the appropriate external authorities which may result in civil or criminal proceedings.

External providers who breach this policy or related procedures will be subject to suspension of access, termination of contract and/or further legal action.

10   RELEVANT LEGISLATION

Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA)

Copyright Act 1968 (Cwlth)
Crimes Act 1900 (NSW)
Cybercrime Act 2001 (Cwlth)
Defamation Act, 2005 (NSW)
Government Information (Public Access) Act, 2009 (NSW)
Privacy Act, 1998 (Cwlth)
Privacy & Personal Information Protection Act, 1998 (NSW)
Spam Act 2003 (Cwlth)
Workplace Surveillance Act 2005 (NSW)

11   KEY RELATED DOCUMENTS

Supporting Information Security documents on this page (see Tabs above):
Information Security Policy / Data Classification Procedure and Standards

Other related documents:
Acceptable Use of IT Resources Policy / Procedure / Schedule
AS/NZS ISO/IEC 27002:2013(E) Information technology - Security techniques — Code of practice for information security management
AS ISO/IEC 27002:2015 Information technology — Security techniques — Code of practice for information security controls
Australian Guidelines for the Management of IT Evidence, HB171-2003
IT Infrastructure and Systems Change Management Policy
Macquarie University Privacy Management Plan
2015 New South Wales Government Digital Information Security Policy

12     NOTES

12.1 Contact Officer: Josef Oduwo, Director of Policy, Compliance and PMO – IT Department
12.2 Implementation Officer: Director of Policy, Compliance and PMO – IT Department
12.3 Approval Authority / Authorities: The Deputy Vice-Chancellor and Chief Operating Officer
12.4 Date Approved: 21 June 2016
12.5 Date of Commencement: 21 June 2016
12.6 Date for Review: 30 June 2018
12.7 Documents Superseded by this Procedure: New Procedure
12.8 Amendment History: N/A

DATA CLASSIFICATION PROCEDURE AND STANDARDS

1     PURPOSE

To facilitate the application of appropriate data security controls to University data and to assist data Owners and Custodians in determining the level of classification required to protect the data for which they are responsible.

This Data Classification Procedure and Standards is referenced from, and should be applied in conjunction with, the Information Security Policy.

This Procedure is closely aligned with the 2015 New South Wales Government Digital Information Security Policy ‘Compliance with Minimum Controls’ Core Requirement, as recommended for universities by the New South Wales Government ICT Strategy, and draws from the following information security industry standards:

  • AS/NZS ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management
  • AS ISO/IEC 27002:2015 Information technology — Security techniques — Code of practice for information security controls.

This Data Classification Procedure outlines the steps Owners and Custodians must take to classify and secure the data within their span of control, according to the prescribed minimum standards for data protection.

2     SCOPE

The scope of this procedure applies to all persons who use University IT facilities and/or have access to University data.

Based on the data classification, the Owner is required to implement appropriate security measures to protect the data consistent with the minimum security standards included in this document. Data that is classified as confidential has more stringent requirements than Controlled and Published classifications.

Data that is personal to the User of a University IT Resource and is stored, processed, or transmitted on that IT Resource as a result of incidental personal use is not considered university data. However, University data stored on non-university IT facilities must be verifiably protected according to the minimum security standards.

3     DEFINITIONS

Commonly defined terms are located in the University Glossary.  The following definitions apply for the purpose of this Procedure.

‘Custodian’ means an authorised person who is responsible for the collection, storage, or transmittal of electronic information.

‘Data Classification Register’ means a table showing the functional areas of the University, the Owner of the data repository within the functional area and the data classification for the data in the data repository.

‘Owner’ means an authorised person with the responsibility for coordinating the implementation of this procedure within their functional area of the University (Education, Research, Administration etc.)

‘User’ means an authorised person who accesses electronic information.

4     RESPONSIBILITIES AND REQUIRED ACTIONS

4.1 Responsibilities of the Chief Information Officer

The Chief Information Officer will consult with Faculties and Offices to jointly agree on who Owners and Custodians of University data shall be.

4.2 Responsibilities of the Owner

The Owner of a data repository is the authoritative head of the respective Faculty, School, or Office within the University. The Owner is the person responsible for the business use of the information in the data repository. Where appropriate, Ownership may be shared by persons of different areas within the University.

The Owner (or delegated representatives) is responsible for and authorised to:

  • approve access to the data repository and formally assign a custodian for it;
  • determine the value of the data;
  • specify and establish data control requirements and communicate these to custodians and users;
  • specify appropriate controls, based on risk assessment, to protect the University's information resources from unauthorised modification, deletion, or disclosure;
  • controls shall extend to information resources outsourced by the university;
  • confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data;
  • confirm compliance with applicable IT security controls;
  • review the access rights of users depending on security risk management decisions;
  • complete an annual return to the Chief Information Officer for consolidation and certifying that their responsibilities under the Information Security Policy have been met;
  • promulgate data classifications, minimum security standards, procedures and business rules for data handling to their functional areas including Custodians and Users of the data;
  • conduct audits to review the classification of data on an annual basis to ensure currency of the data categories and that relevant procedures have been followed; and
  • maintain an up to date Data Classification Register for their functional area.

Any deviation from the Standards for Data Protection will require a waiver in the form of written approval from the Owner.  The waiver will be recorded on the Owner's Data Classification Register.

4.3 Responsibilities of the Custodian

The Custodian is responsible to:

  • carefully consider the information they are working with and discharge their responsibilities in accordance with the Minimum Security Standards (Section 6 of this procedure);
  • implement the controls specified by the Owner(s);
  • provide physical and procedural safeguards for the data;
  • assist Owners in evaluating the cost-effectiveness of controls and monitoring;
  • implement monitoring techniques and procedures for detecting, reporting and investigating incidents; and
  • not transfer or store Critical Information in email, Microsoft Word/Excel etc. unless the manner of doing so meets the storage and transmission requirements stipulated in the Standards for Data Protection.

Advice relating to Custodian responsibilities should be sought from the Chief Information Officer.

4.4 Responsibilities of the User

The User of a data repository can be an individual or an automated application or process that is authorised by the Owner to access the data in accordance with the Owner's procedures and business rules. A User is any person who has been authorised by the Owner of the data repository to read, enter, or update data. The User is the single most effective control for providing adequate data security. Users have the responsibility to:

  • carefully consider the information they are working with and to discharge their responsibilities in accordance with the Minimum Security Standards (Section 4 of this procedure). 
  • use the data repository only for the purpose specified by the Owner;
  • comply with IT security controls established by the Owner;
  • prevent disclosure of confidential or sensitive information; and
  • not transfer or store Critical Information in email, Microsoft Word/Excel etc. unless the manner of doing so meets the storage and transmission requirements stipulated in the Standards for Data Protection.

Advice relating to User Responsibilities should be sought from the Chief Information Officer.

5     DATA CLASSIFICATION CATEGORIES

All university data that is stored, processed, or transmitted on university IT resources (or on other IT resources where university business occurs) must be classified into one of three categories.

  • Confidential
  • Controlled
  • Published

To classify data, Owners must start by understanding the classifications. There are specific laws and regulations that govern some kinds of data. Additionally, there are situations where Owners must consider whether the confidentiality, integrity, or availability of the data is a factor. Finally, consideration must be given to the storage of data on more than one medium, such as moving data between computers by flash drive, for example. If only the primary IT facility is considered to be confidential, but not the secondary computer or the transfer media, the secondary computer could put University data at risk because it would not be adequately protected.

For the intent and purpose of this Procedure, data can be categorised as one of the following three categories:

5.1. Confidential Data

  • is subject to restrictive regulatory obligations in relation to the access, distribution, retention and/or destruction of the data;
  • is data whose unauthorised disclosure would seriously impact the University and/or its partner organisations;
  • is protected specifically by Commonwealth or State law or by University rules and regulations; and
  • is data that is not protected by any known law or regulation but must nevertheless be protected due to contractual agreements or to maintain confidentiality (e.g. Non Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Grants or Funding Agency Agreements etc.).

Examples of confidential data are:

  • Credit card numbers - are often the target of internet theft;
  • Tax file numbers - are required by the Australian Tax Office to be stored and used securely.  Failure to adopt appropriate measures could see the University in breach of its legal obligations.
  • Health Information - is highly sensitive and subject to a number of statutory controls, including, but not limited to the Information Privacy Act and the Health Records Act.  The accidental disclosure of health information could result in significant adverse press for the University and fines for breaches of data confidentiality requirements.
  • Reportable Police Information (incidents and violations).
  • Information classified by Human and Animal Ethics Committees.

Confidential data must be protected by applying the appropriate Minimum Security Standards.

5.2. Controlled Data

  • where unauthorised disclosure may adversely impact the University and/or its partner organisations;
  • where access is limited to a selected group or process; and
  • data not otherwise identified as confidential but which is releasable in accordance with certain legal provisions (e.g. contents of specific e-mail, date of birth, salary, etc.). Such data must, however, be appropriately protected to ensure a controlled and lawful release.

 Examples of controlled data are:

  • financial information that is not subject to regulatory compliance requirements and hence is not classified as confidential;
  • committee meeting minutes;
  • student evaluation of teaching survey results;
  • research datasets; and
  • communications with research partners.

Controlled data must be protected by applying the appropriate Minimum Security Standards.

5.3. Published Data

  • data not otherwise identified as Confidential or Controlled that is made available or released to the general public; and
  • where no adverse effects are expected to result from the wide circulation of this data.

Examples of Published data are:

  • the University home page;
  • faculty course lists and the University Handbook; and
  • research achievements and rankings.

Published data must be protected by applying the appropriate Minimum Security Standards.

6     MINIMUM SECURITY STANDARDS

This section lists the minimum standards that should be applied to Confidential, Controlled and Published data categories.

Notwithstanding these minimum standards, data Owners and Custodians are expected to use their professional judgment in managing risks to the data repositories they own and support. IT security controls should be proportional to the confidentiality, integrity, and availability profiles of the data.

6.1       Data Backup


Ref No | Minimum Requirements | Confidential | Controlled & Published
6.1.1 | System administrators should establish and follow a procedure to carry out regular system backups. | Required | Recommended
6.1.2 | Backups must be verified at least quarterly, either through automated verification, through customer restores, or through trial restores. | Required | Recommended
6.1.3 | Systems administrators must maintain documented restoration procedures for systems and the data on those systems. | Required | Recommended

6.2       Change Control

Ref No | Minimum Requirements | Confidential | Controlled & Published
6.2.1 | There must be a change control process for systems configuration. This process must be documented. | Required | Recommended
6.2.2 | System changes should be evaluated prior to being applied in a production environment. Patches must be tested prior to installation in the production environment if a test environment is available. If a test environment is not available, the lack of patch testing should be communicated to the service subscriber or data customer, along with possible changes in the environment due to the patch. | Required | Recommended

6.3      Computer Virus Protection

Ref No | Minimum Requirements | Confidential | Controlled & Published
6.3.1 | Anti-virus software must be installed and enabled. | Required | Required
6.3.2 | Install and enable anti-spyware software. Installing and enabling anti-spyware software is required if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. | Recommended | Recommended
6.3.3 | Anti-virus and, if applicable, anti-spyware software should be configured to update signatures daily. | Required | Recommended

6.4      Physical Access

Ref No | Minimum Requirements | Confidential | Controlled & Published
6.4.1 | Systems must be physically secured in racks or areas with restricted access. Portable devices shall be physically secured if left unattended. | Required | Recommended
6.4.2 | Backup media must be secured from unauthorised physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorised access. | Required | Recommended
6.4.3 | Repairs to storage devices must be undertaken onsite and under supervision of Information Technology staff. | Required | Recommended

6.5      System Hardening

Ref No | Minimum Requirements | Confidential | Controlled & Published
6.5.1 | Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured. | Required | Recommended
6.5.2 | Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures. Products that no longer receive security updates from the vendor (e.g. unsupported products) are not authorised. | Required | Required
6.5.3 | If automatic notification of new patches is available, that option should be enabled. | Required | Required
6.5.4 | Services, applications, and user accounts that are not being used should be disabled or uninstalled. | Required | Recommended
6.5.5 | Methods should be enabled to limit connections to services running on the host to only the authorised users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed. | Required | Recommended
6.5.6 | Services or applications running on systems manipulating confidential data should implement secure (that is, encrypted) communications as required by confidentiality and integrity needs. | Required | Recommended
6.5.7 | Systems will provide secure storage for Confidential data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate. Contracts with third party providers must include appropriate standards for data protection and comply with privacy clauses in the Macquarie University Privacy Management Plan. | Required | Recommended
6.5.8 | If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. | Required | Recommended
6.5.9 | Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. | Required | Recommended
6.5.10 | Whenever possible, all non-removable or (re-)writable media must be configured with file systems that support access control. | Required | Recommended
6.5.11 | Access to non-public file system areas must require authentication. | Required | Required
6.5.12 | Access to records and files must be restricted to specific job roles, and require authentication and password protection. Strong password requirements will be enabled, as technology permits, based on the category of data the account is allowed to access. | Required | Required
6.5.13 | Apply the principle of least privilege to user, administrator, and system accounts. | Required | Recommended
6.5.14 | Transportable devices should be protected by a passcode and encryption (if available on the device) and stored in a secured (locked) location. | Required | Recommended

6.6 Security Monitoring

Ref No | Minimum Requirements | Confidential | Controlled & Published
6.6.1 | If the operating system comes with a means to log activity, enabling and testing of those controls is required. | Required | Recommended
6.6.2 | Operating system and service log monitoring and analysis should be performed routinely. This process should be documented. | Required | Recommended
6.6.3 | The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered). | Required | Recommended
6.6.4 | All administrator or root access must be logged. | Required | Recommended

6.7      Transmission


Ref No | Minimum Requirements | Confidential | Controlled & Published
6.7.1 | Data must be encrypted using an approved encryption method when transmitted over the Internet or an unsecured communications channel. | Required | Recommended
6.7.2 | Data must not be made available via the public Internet, the wireless network or by facsimile. | Required | Recommended
6.7.3 | Transmission must only be by a dedicated secure link (e.g. credit card gateway) or transported by hand. | Required | Recommended

6.8       Disposal


Ref No | Minimum Requirements | Confidential | Controlled & Published
6.8.1 | Data must be removed before the storage device is retired or reused. If the data cannot be removed, the device must be destroyed. | Required | Recommended

7     COMPLIANCE

If any of the minimum standards contained within this document cannot be met on systems manipulating Confidential or Controlled data, an Exception Process must be initiated that includes reporting the non-compliance to the Chief Information Officer, along with a proposed risk assessment and management plan. Non-compliance with these standards may result in revocation of system or network access, notification to supervisors and reporting to the University Audit and Risk Committee.

8     RELEVANT LEGISLATION

Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA)
Copyright Act 1968 (Cwlth)
Crimes Act 1900 (NSW)
Cybercrime Act 2001 (Cwlth)
Defamation Act, 2005 (NSW)
Government Information (Public Access) Act, 2009 (NSW)
Privacy Act, 1998 (Cwlth)
Privacy & Personal Information Protection Act, 1998 (NSW)
Spam Act 2003 (Cwlth)
Workplace Surveillance Act 2005 (NSW)

9     KEY RELATED DOCUMENTS

Acceptable Use of IT Resources Policy / Procedure
AS/NZS ISO/IEC 27002:2013(E) Information technology - Security techniques - Code of practice for information security management
AS/NZS ISO/IEC 27002:2015 Information technology—Security techniques—Code of practice for information security controls
Information Security Procedure
Macquarie University Privacy Management Plan
2015 New South Wales Government Digital Information Security Policy

10   NOTES

10.1 Contact Officer: Josef Oduwo, Director of Policy, Compliance and PMO – IT Department
10.2 Implementation Officer: Director of Policy, Compliance and PMO – IT Department
10.3 Approval Authority / Authorities: The Deputy Vice-Chancellor and Chief Operating Officer
10.4 Date Approved: 21 June 2016
10.5 Date of Commencement: 21 June 2016
10.6 Date for Review: 30 June 2018
10.7 Documents Superseded by this Procedure: New Procedure
10.8 Amendment History: N/A