Purpose
To ensure that Information Security measures are in place, commensurate with their Information Asset classification, to protect Information Assets, Information and Communication Technology (ICT) Assets and Information Systems within the Company ICT environment against unauthorised use or accidental modification, loss or release; and assist our company to mitigate any damage or liability arising from the use of these Information Assets and Information Systems for purposes contrary to our company’s policies and relevant Regulatory Compliance Instrument.
Scope
This policy applies to all Employees and Research Workers (hereafter referred to as ‘users’) who have access to our company’s Information Assets and related Information Systems, and should be read together with the ICT Management Principles.
Policy Statement
Our company is committed to the management of risks associated with ICT Assets and Information Systems and the reduction of ICT security incidents. This policy provides the governance framework for Information management and security within our company and defines the company policy in all aspects of Information Security as stipulated under the relevant Information standards.
Principles
A. Internal governance
Information Security governance arrangements are established and endorsed by the company ICT Strategy Board and assisted by other relevant committees. The implementation, maintenance and control of operational Information Security is the responsibility of ICT Services. The ICT Security Committee is responsible for monitoring and recommending Information Security strategy, controls and associated operational security matters. All Information System users are responsible for familiarising themselves with this policy and related policies and procedures, as appropriate to their role within the company. Effective communication of this ICT Information Management and Security Policy, and all associated policies and procedures, form part of this ongoing commitment to Information Security governance and is critical to ensuring that ICT Assets and Information Assets are protected from unauthorised use, accidental modification, loss or release.
In the event of a cyber breach such as, but not limited to, malware, computer hacking, ransomware, or denial of service attack, the Executive Director (ICT Services) is authorised to implement a range of measures, including removal of individual access to the network and removal of ICT Assets and ICT Systems from the network to minimise the risk of loss or misuse of Information Assets.
B. External party governance
The Executive Director (ICT Services) is delegated with ensuring that appropriate arrangements are established and documented so that third party ICT service level agreements, operational level agreements, hosting agreements or similar contracts clearly articulate the level of security required and are regularly monitored.
C. Information Security and Cyber Security
Information Security activities, including Cyber Security awareness, are concerned with the protection of Information from unauthorised use or accidental modification, loss or release. Information Security is based on the following five elements:
- Confidentiality – ensuring that Information is only accessible to those with authorised access
- Integrity – safeguarding the accuracy and completeness of Information and processing methods
- Availability – ensuring that authorised users have access to Information when required
- Compliant Use – ensuring that the company meets all Regulatory Compliance Instruments and contractual obligations
- Responsible Use – ensuring that appropriate controls are in place so that users have access to accurate, relevant and timely Information but that users of the company’s ICT resources do not adversely affect other users or other Information Systems.
D. Policy, planning and governance
Our company recognises the importance of, and demonstrates a commitment to, maintaining a robust company Information Security environment. The company at a minimum will reasonably:
- develop and implement an Information Security policy (this policy)
- develop and implement an Information Security Plan, ensuring alignment with the company business planning, general security plan and risk assessment findings
- establish and document Information Security internal governance arrangements (including roles and responsibilities) to implement, maintain and control operational Information Security within the company. Relevant information shall be provided as needed including provision of timely and relevant information to the Company’s senior executive and Council regarding Information Security matters.
- establish, document and regularly monitor Information Security external governance arrangements to ensure that third party service level agreements and operational level agreements clearly articulate the level of security required.
E. Recordkeeping and Information Privacy
For the purposes of the Company’s records management System and Information management, the Company is required to comply with multiple Regulatory Compliance Instruments, including but not limited to:
- Information Privacy Act 2009
- Public Records Act 2002
- Records Governance Policy
- Queensland Information Standard 18: Security.
The University will meet its data retention obligations under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (section 187) recognising that the Company will rely on the ‘immediate circle’ exclusion for any relevant services provided only to persons who are ‘inherently connected to the functions of our company’.
F. Information Asset management
The Company has developed the Information Asset and Security Classification Procedure, which establishes the process for classifying and handling Company Information Assets based on their level of sensitivity, value and criticality to our company.
G. Human resources management
Our company will implement measures to minimise the risk of loss or misuse of Information Assets by ensuring that Security Safeguards are incorporated into our company human resource management, including the development of supporting policies and processes. Our company at a minimum will reasonably:
- implement induction and ongoing training and security awareness programs to ensure that all Employees are aware of and acknowledge this policy and related policies and procedures on Information Security and security responsibilities
- document and assign security roles and responsibilities where Employees have access to security classified Information or perform specific security related roles, and ensure that security requirements are addressed in recruitment and selection and in job descriptions
- develop and implement procedures for the separation of Employees from, or relocation within our company.
G. Physical and environmental management
Our company will apply measures to ensure that the level of physical controls implemented will minimise or remove the risk of equipment or Information being rendered inoperable or inaccessible, or being accessed, used or removed without authorisation. Our company at a minimum will reasonably ensure that:
- building and entry controls for areas used in the processing and storage of security classified ICT Information are established and maintained, consistent with the Information Asset and Security Classification Procedure
- all ICT Assets that store or process Information are located in Secure Areas with control mechanisms in place to restrict access to authorised personnel only
- policies, procedures and processes are implemented to monitor and protect the use and/or maintenance of Information Assets and mobile ICT Assets away from company premises
- policies, procedures and processes are implemented for the secure disposal or reuse of ICT Assets, commensurate with the Information Asset’s security classification level.
H. Communications and operations management
Our company will ensure that operational procedures and controls are documented and implemented to ensure that all Information Assets and ICT Assets are managed securely and consistently, in accordance with the level of required security. The Company at a minimum will reasonably ensure that:
- operational change control procedures and release management control procedures are implemented to ensure that changes to Information processing facilities or Systems are appropriately approved and managed.
- System capacity is regularly monitored to ensure risks of System overload or failure, which could lead to a security breach, are avoided.
- adequate controls are defined and implemented to mitigate the impact of threats and vulnerabilities to the network, including the prevention, detection, removal and reporting of attacks of malicious code on all ICT Assets.
- Systems maintenance processes and procedures, including operator and audit/fault logs, media handling procedures, Information backup procedures and archiving, will be implemented
- methods for exchanging Information within the company, outside the company, through online services, and/or with third parties, will be consistent with the Queensland Government Information Security Classification Framework (QGISCF) and the Network Transmission Security Assurance Framework (NTSAF) and Company policies and procedures
- confidentiality requirements or non-disclosure agreements reflecting the need for protecting Information are to be undertaken in accordance with the Company’s Intellectual Property Policy and related procedures and identified and reviewed regularly
- each Employee must use the company authorised and supplied communications methods, including electronic mail, when transacting official company business.
- the Student Communication Policy and its related policies and procedures (Handling Personal Student Information Policy and Procedure, Student Communication Procedure, Use of Electronic Mail Procedure) establish the framework for all electronic communications with Students.
I. Access management and passwords
Our company will put in place control mechanisms based on business requirements, assessed/accepted risks, Information classification and Regulatory Compliance Obligations for controlling access to all Information Assets and ICT Assets. The Company at a minimum will reasonably ensure that:
- access will be provided to users for the purpose of carrying out work, study or other activities as agreed with the company
- access will be granted on the ‘least privilege’ principle in which each user is granted the most restricted set of privileges needed for the performance of the relevant tasks
- authentication requirements, including on-line transactions and services, must be appropriate for the security classification of the Information
- access to the company network and Information Systems requires specific authorisation and each user must be assigned an individually unique personal identification code and secure means of authentication
- access to shared ICT Assets in teaching and research laboratories may be subject to shared access management rules as agreed by our company
- policies and/or procedures for user registration, authentication management, access rights and privileges are defined, documented and implemented for all ICT Assets
- ‘restricted access’ and ‘authorised use only’ warnings must be displayed upon access to all Systems which have this capability.
Employees who are also studying at our company and who hold a level of administration access to related Company Systems are obliged to contact the Course Examiner for the Course/s the Employee is studying to alert them to this fact. This also applies to Employees with relationships to Students studying Courses that result in a perceived, potential or actual conflict of interest, as identified in the Employee Conflict of Interest Procedure. During the course of their study, the Employee is not permitted to access the relevant Course environments, or applicable Systems, using their administrator access.
Our company requires users to keep user-level passwords confidential and to change them immediately if they suspect that their password has been compromised.
Clear Desk and Clear Screen practices are required to reduce the risk of unauthorised access to, or damage to, Information Assets and ICT Assets.
J. System acquisition, development and maintenance
The Company will apply measures to ensure that during System acquisition, development and maintenance, Security Safeguards will be established and will be commensurate with the security classifications of the Information contained within, or passing across, Information Systems, network infrastructure and applications. The Company at a minimum will reasonably ensure that:
- security requirements are addressed in the specifications, analysis and/or design phases and internal and/or external audit are consulted when implementing new or significant changes to financial or critical business Information Systems.
- Security Safeguards are established during all stages of System development, as well as when new Systems are implemented and maintained in the operational environment
- appropriate change control, acceptance and System testing, planning and migration control measures are carried out when upgrading or installing software in the operational environment
- a patch management program for operating Systems, firmware and applications of all ICT Assets is implemented to maintain vendor support, increase stability and reduce the likelihood of threats being exploited.
K. Incident management
Our company will ensure the effective management of and response to Information Security incidents to maintain secure operations within the company. The company at a minimum will reasonably:
- establish and maintain an Information Security incident and response register and record all incidents
- ensure all Information Security incidents are reported and escalated (where applicable) through appropriate management channels and/or authorities
- ensure that incidents are investigated and apply formal disciplinary processes
- ensure responsibilities and procedures for the timely reporting of security events and incidents, including breaches, threats and security weaknesses, are communicated to all Members.
L. Business continuity management
Our company will ensure that a managed process, including documented plans, is in place to enable Information and ICT Assets to be restored or recovered in the event of a disaster or major security failure. The company at a minimum will reasonably:
- establish plans and processes to assess the risk and impact of the loss of Information and ICT Assets on company business in the event of a disaster or security failure and develop methods for reducing known risks to Company Information and ICT Assets
- ensure business continuity Information and ICT Asset disaster recovery plans are maintained and tested to ensure Systems and Information are available and consistent with agency business and service level requirements.
Members should also refer to the Business Continuity Policy and Crisis Management Policy (under development).
M. Compliance management
Our company will implement practices to ensure compliance with, and appropriate management of, all Regulatory Compliance Instruments relating to Information Security. The Company at a minimum will reasonably ensure that:
- all Information Security policies, procedures and processes, including contracts with ICT third parties, are reviewed for compliance on a regular basis
- all reporting obligations relating to ICT Security are complied with and managed appropriately
- all reasonable steps are taken to monitor, review and audit Company Information Security compliance, including the engagement of internal and/or external auditors and specialist organisations where required.
Members should also refer to the Policy and Procedure Framework.
N. Penalties and discipline
Conduct in contravention of this policy may constitute a criminal offence under relevant State and Commonwealth legislation, resulting in legal prosecution. Where the violation is considered a criminal offence, the police (Federal and State) will be informed. Where applicable, the Director (Integrity and Professional Conduct) will also be advised.
This applies irrespective of whether the violation is internal (e.g. unauthorised access to Information), external (e.g. unauthorised remote access to our company network by a non-Employee), or where an Employee assists in providing unauthorised access to the Company network.
O. Other considerations
Our company will make no warranty, explicit or implied, regarding the ICT services offered, nor their fitness for any particular purpose. Similarly, no responsibility can be accepted by the company or its Employees, for any damage arising directly or indirectly from the use of these services.
The responsibility for protecting ICT resources and services is shared by all users of these services. The Company will make all reasonable efforts to protect Members from possible ICT and computer-related dangers but cannot always protect Members from all potential threats. The Company cannot guarantee to protect an individual against exposure to material that may be offensive to them. Members are warned that they may traverse or receive material that they find offensive.