Policy Redesign Project

All policies and procedures are being reviewed as part of this project. This document is pending review, but remains in effect until the review is carried out.

Information Security Policy

Establishment: Resources Committee, 22 July 2010
Last Amended: Vice-Chancellor, 5 December 2014
Nature of Amendment: Name change from ICT Security Policy and complete rewrite of content.
Date Last Reviewed: December 2014
Responsible Officer: Director, Information Technology Services

1.  Objective

The University recognises that information is a valuable strategic asset that supports the achievement of the University’s mission. The value derived from information assets is dependent upon the achievement of three objectives:

  1. Observing the appropriate confidentiality obligations associated with each kind of information asset;
  2. Maintaining the integrity of the information assets used by the University; and
  3. Enabling the availability of information assets in the formats required and at the times needed.

Information Technology (IT) is a critical component in achieving the above objectives for all information assets stored in digital form.

The purpose of this policy is to describe the University’s approach to protecting its digital information assets and to inform staff, students, contractors and associated third parties of their respective obligations and responsibilities.

This policy is written to be consistent with the Information Security Standards AS/NZS ISO/IEC 27001:2006 and AS/NZS ISO/IEC 27002:2006 and also the Commonwealth Privacy Act (1988) requirements relating to the protection and secure disposal of personal information (Australian Privacy Principle 11).

2.  Scope

This policy applies to all staff, students, contractors, controlled entities and associated third parties who have reason to access any digital information asset owned or controlled by the University.

This policy’s coverage includes all IT hardware and software used in the provision of access to the University’s digital information assets.

3.  Definitions

  • FAN is the Flinders Authentication Name, the unique value assigned to each user that identifies and authenticates users to University IT systems;
  • Information Assets comprise all forms of data or knowledge that are processed, stored and transferred and that have value to Flinders University, in electronic or hardcopy form;
  • Information Classification is a systematic method for assessing and documenting the protection requirements of information to ensure the University can meet defined confidentiality, integrity, availability and retention requirements;
  • Information Owner is a person (typically a Responsible Officer) who is responsible for the appropriate protection of an information asset (or a group of assets);
  • IT Resource means any form of technology used to collect, process, store and disseminate information and includes computer hardware and software, business applications software, communications systems and networks;
  • IT System Assets includes information, the computer systems that support business and control functions, networks and communication links, business applications and programs, and all forms of electronic storage media;
  • University Information comprises electronic or hardcopy information that is created by Flinders staff, students, contractors, researchers, or other third parties that may have some value to the University;
  • User means any person accessing any of the University's IT resources and/or facilities, including, but not limited to, staff, students, alumni, consultants, contractors, third parties, other users who are authorised by the University to access systems and/or the campus network, and anyone connecting non-Flinders University equipment (e.g. laptop computers) to the University network.

4.  Information Security Management Framework

The University will maintain a formal Information Security Management Framework (ISMF) that includes, but is not limited to, the following requirements:

  • A formal information security governance committee;
  • A risk-based approach to digital Information Asset protection;
  • Documentation and ongoing maintenance of Information Assets and IT System Assets, owners, risks and controls;
  • Identification and compliance with applicable legislation; and
  • Establishing metrics to formally measure policy compliance and ISMF effectiveness.

Manager, ITS Security Services is responsible for:

  • Day-to-day management of the University’s information security management program, including all information security audits and reviews;
  • Forming necessary working groups and/or reference groups that are representative of the University to review and approve policies, procedures and standards;
  • Communicating policy responsibilities to all University stakeholders and advising on compliance;
  • Authoring and maintaining the additional information security policies and procedures that support the achievement of the University’s information security objectives.

Director, Information Technology Services is responsible for:

  • Reporting on the effectiveness of the University’s information security management to the Pro Vice-Chancellor (Information Services); and
  • Assessing the effectiveness of the University’s information security management program.

Pro Vice-Chancellor (Information Services) is responsible for reporting on the effectiveness of the University’s information security management to the Senior Executive and Council.

5.  Information Asset Classification

The University will maintain a formal Information Classification Framework (PDF 326KB) that includes, but is not limited to, the following requirements:

  • A series of classification categories that reflect the sensitivity and criticality of the information or IT System Asset in question;
  • Guidelines for the effective selection and usage of classification categories; and
  • All digital Information Assets (as categories) and IT System Assets must have nominated owners (Responsible Officers).

Information Owners are responsible for:

  • Assigning a security classification to their respective assets, to reflect the sensitivity and criticality of the information or IT System Asset in question; and
  • Ensuring asset descriptions and classifications are formally documented and maintained.

6.  Access to Information Assets

Access to digital Information Assets must be restricted to authorised users and mechanisms must be in place to prevent unauthorised access as per requirements of the Identity and Access Management Policy.

7.  Network and Communications

The University’s IT network infrastructure must be configured to protect information assets according to the following requirements:

  • Incoming Internet traffic must access only approved IT resources and services;
  • IT System Assets classified at different Information Classification categories must be isolated from lower classification IT System Assets using network segmentation;
  • Access to network services must be limited to that required to meet user access needs;
  • Network traffic should be monitored for signs of malicious activity;
  • Secure deployment, use and maintenance of Flinders University owned mobile computing devices will be in accordance with the Secure Mobile Computing Policy;
  • All IT System Assets connected to the Flinders University network must maintain a basic level of security where recommended by Information Technology Services; at a minimum this must include:
    • Anti-virus software that is up to date and actively running;
    • All available operating system security updates are installed.

8.  Physical and Environmental

Physical security and environmental controls protecting University IT System Assets must meet the following requirements:

  • Physical IT System Assets deemed critical to the University must be housed in an approved location with sufficient access controls, barriers, and perimeter defences;
  • All users with physical access to locations housing critical IT System Assets must be documented, monitored and recorded; and
  • Sufficient environmental controls must be implemented including power backup and air-conditioning to protect critical IT System Assets from damage to ensure reliable operation.

9.  IT Disaster Recovery

The University aims to ensure critical IT systems are recoverable in the event of a disaster (Refer to IT Disaster Recovery Policy).

10.  Policy Review

The Information Security Policy together with all supporting policies and procedures will be reviewed annually or as the result of significant changes. Reviews will:

  • Assess opportunities for improvement;
  • Consider new risks, threats and vulnerabilities to Information Assets and supporting IT Resources;
  • Consider changes to the organisational environment, business circumstances, legal conditions, and the technical environment.

11.  Compliance and Enforcement

  • Manager, ITS Security Services is responsible for monitoring user compliance with this policy and investigating and reporting breaches of this policy.
  • Supervisors/Managers are responsible for reporting any security incidents or breaches of this policy by staff under their supervision to the ITS Service Desk.
  • Users are responsible for reporting any security incidents and breaches of this policy to the ITS Service Desk.
  • Failure by Users to comply with any element of this policy may result in disciplinary action in accordance with the relevant disciplinary procedures. These are:

12.  Related Documents

This policy should be read in conjunction with other relevant University policies, procedures and standards, including:

  • IT Acceptable Use Policy
  • IT Asset Management Policy
  • IT Disaster Recovery Policy
  • Secure Mobile Computing Policy
  • IT Application Acquisition and Development Policy
  • Identity and Access Management Policy
  • Risk Management Policy
  • Information Classification Framework (PDF 326KB)
  • Records Management Policy