2194/1999 (replaces 1601/1995)
2. University IT systems and the services they support are provided to further the objectives of the University and are integral to the ability of the University to effectively carry out its operations.
3. IT security is essential to ensuring that IT services are delivered to all users in an environment in which the University's obligations for security, privacy and intellectual property rights are met.
4. The University's policy on IT security applies to all members of the University community in their interactions with any IT system, operated either by the University or any other agency, while acting in their capacity as a member of the University community or while using University IT services. Members of the University community who use Public Access IT services are also obliged to respect University IT security policy.
5. The University recognises that successful implementation of IT security measures relies on having a well-informed user [see Appendix] community combined with effective management procedures.
University IT systems, and the services they deliver, will be protected by effective management of IT security risks at all levels of the University.
University IT systems will be provided, managed and operated in such a way that:
a) specific objectives and security requirements regarding availability, confidentiality and integrity of each IT system are met;
b) the legal obligations of the University are met;
c) every effort is made to protect copyright, licensing conditions and intellectual property rights of the University and third parties.
In accordance with the University's policy on access to University-provided IT systems, users may access and use only those University IT systems:
a) for which they have been individually authorised by the manager of that system;
b) for which they have been granted access by virtue of their affiliation with the University; or
c) that operate as a Public Access IT service.
Users of IT systems are accountable for their own behaviour and are personally responsible for:
a) understanding and adhering to University IT security policy;
b) complying with all official notices regarding the terms and conditions applying to use of IT services provided by the University;
c) complying with relevant University policies, Statutes, Rules and Orders;
d) notifying any breach of local or University IT security to the manager of the IT system or the Director IT Services..
Information about the existence and general extent of policies, requirements, measures and procedures for the security of University IT systems will be readily available to all users. The University will provide IT security awareness, training and support services to allow users to acquire the information and develop the skills needed to carry out their obligations under paragraph 6.3.
Breaches of this Policy may be dealt with under the relevant Statutes, Rules and Orders of the University. In addition, the University may advise law enforcement agencies when it considers that a criminal offence may have been committed. The Australian National University Information Technology Services Rules, Discipline Rules and relevant industrial awards contain provisions which will be used to deal with users in breach of this policy.
Deans, directors and other heads of areas, through their nominated IT system managers, are responsible for addressing breaches of IT security. Failure to address security breaches may result in disconnection of relevant IT systems from the Campus Network [see Appendix]
7. Responsibity for Implementation of IT Security
The Director, IT Services is responsible for:
Deans of Faculties, Heads of Research Schools, the University Librarian, Heads of Centres, Divisions and Units and Heads of IT Services Agencies.
Each of the above officers is responsible for:
Managers of University IT Systems are responsible for:
The Audit Coordinator, in consultation with the Director, IT Services, will undertake audits to gauge the effectiveness of IT security measures.