The University has a responsibility to protect the information that it creates. Any information created becomes a “record” and must be managed according to its sensitivity and value to the University. See the Records Management Policy.

The concept of “information classification” provides an easy way to assign sensitivity or value to a record (whether document, IT system, book, photograph, etc.). The University’s Information Security Policy requires all information assets to be assigned a Confidentiality Rating.

Each information classification category carries specific obligations for how the record will be labelled, stored, accessed and disposed of. See the Document Handling Quick Reference Guide (PDF 387KB) and the Information Classification Framework (PDF 239KB).

 

What are your information classification responsibilities?

If you are the creator of a record, you must ensure an appropriate classification category is assigned that reflects the record’s value to the University. See the decision tree below to determine whether you are required to classify your record.

Decision tree for information classification

If you are the user of an existing document or system, you must comply with all information handling obligations for the assigned classification. See Information Classification and Handling (PDF 239KB).

 

What storage options does the University provide?

 University Research Storage Protection (R Drive)

This information is subject to change as the University continues to develop its security processes.

The University central file server enables researchers to securely store, protect and manage unstructured sensitive data of varying sizes. This service is underpinned by fault-resilient infrastructure and a number of security processes that ensure the confidentiality, integrity and availability of the information stored on the service. These controls include:

  • Location – All information is stored within Australia, including at the University’s on-premise secure data centre facility and an offsite third-party data centre site within Australia;
  • Backup & Replication – All information stored on R Drive is replicated across the two data centres with monthly offline backups being taken to tape and stored offsite by a third party local provider;
  • Access Control – All R Drives are protected by Windows file server protections that restrict access to a list of specific users (chosen by the user). Users are added and removed at the request of the owner of each R Drive;
  • Monitoring – The file servers are monitored at multiple levels including the operating system. Individual file changes, including modifications, additions and deletions, are not audited;
  • User Protection – The University utilises the Flinders Authentication Name (FAN) to allow staff and students to access digital information services including file services. These accounts are centrally monitored and any unusual behaviour is flagged and acted upon by the security operations team. All users are required to set a nine-character password following good security guidelines;
  • Administrative Access – Access to file services by technology specialists is limited to a small number of users, with separate accounts being used for access to the service;
  • Maintenance – File services are vulnerability scanned monthly utilising security scanning tools, and operating system patches are applied automatically on a monthly basis to ensure ongoing protection of the service;
  • Change Management – The University operates a change management process that ensures changes to the services are logged, reviewed and approved to ensure any changes adhere to existing policies, and manage risks to service interruption and security.

In addition, the University maintains an Information Security Management Framework that is based on elements of the global security management standard ISO/IEC 27001:2013. The operation and implementation of the framework is overseen by the Security & Risk Steering Committee who represent the interests of risk and user stakeholders. This group meets quarterly to review reports and maintains a risk register.

 

University OneDrive for Business

This information is subject to change without notice as Microsoft update and provide additional information to the University.

Microsoft OneDrive for Business is an enterprise cloud-based document storage platform available to all staff and students. It is provided to the University as part of its arrangements with Microsoft that include email services under the Office 365 set of services.

OneDrive for Business has been certified by the University’s Information Security & Governance team to store any University documents classified as public, internal only and restricted. OneDrive for Business enables researchers to securely store, protect and manage unstructured sensitive data of varying sizes.

This service is hosted by Microsoft in its own dedicated data centres that are designed to withstand cyber security and disaster events. To achieve this Microsoft implements a number of strong controls to protect University information including:

  • Location – All information is stored within Australia on Microsoft’s hosted systems, supported by a second Microsoft data centre site within Australia;
  • Backup & Replication – All information stored on OneDrive is replicated across the two data centres;
  • Encryption – All information saved to OneDrive is encrypted with the University’s individual encryption key. This means that our information cannot be accessed or viewed by Microsoft other customers or administrators;
  • Access Control – OneDrive access is governed by the owner of files and access can be revoked via self-service. Staff have the choice to require that an external collaborator is protected by a FAN login, or to just provide a link to OneDrive files;
  • Monitoring – OneDrive services are monitored by Microsoft at the platform level, with the University’s internal Information Security & Governance team monitoring specific user actions. All file changes, additions and deletions are logged against user information across the service;
  • User Protection – The University utilizes the Flinders Authentication Name (FAN) to allow staff and students to access digital information services including OneDrive. These accounts are centrally monitored and any unusual behaviour is flagged and acted upon by the security operations team. All users are required to set a nine-character password following good security guidelines;
  • Administrative Access – The number of University staff who administer the OneDrive services is limited. They are required to utilise a second level of authentication and are closely monitored to ensure the utmost protection of the University’s data stored within OneDrive;
  • Change Management – The University operates a change management process that ensures changes to the services are logged, reviewed and approved to ensure any changes adhere to existing policies, and manage risks to service interruption and security.

Microsoft maintain a number of globally recognised security certifications. Most importantly the vendor has been certified by the Australian Department of Defence ASD, which has certified the service to an ‘Unclassified’ government level. This means that the service can be used by Government agencies and other organisations. The certification is very rigorous and includes the assessment of over 800 individual protective controls. More information about this important certification can be found here:

 

Guidance Regarding Type of Files on OneDrive

Any highly confidential documents containing the following should not be stored on OneDrive for Business:

  • Documents containing identifiable detailed medical information;
  • Documents containing sensitive human resources, legal or highly confidential matters;
  • Documents that if released, would have a significant impact on the University’s reputation, leading to significant distress to the community and/or leading to legislative breaches as defined by the Information Classification Framework;
  • Documents containing research data classified as 'highly confidential'.

Refer to the University’s website for more information on using OneDrive for Business: https://www.flinders.edu.au/its/essentials/onedrive-for-business/