
Information Technology Services The Australian National University


 Office of the Director

2194/1999 (replaces 1601/1995)

 

Statement on University Information Technology Security

INTRODUCTION

1. This Statement sets out University policy on Information Technology (IT) Security and procedures for implementation of that policy including monitoring and reporting of security incidents. IT Security is the process that ensures the availability, integrity and confidentiality of IT systems. [See Appendix for definitions.]

2. University IT systems and the services they support are provided to further the objectives of the University and are integral to the ability of the University to effectively carry out its operations.

3. IT security is essential to ensuring that IT services are delivered to all users in an environment in which the University's obligations for security, privacy and intellectual property rights are met.

4. The University's policy on IT security applies to all members of the University community in their interactions with any IT system, operated either by the University or any other agency, while acting in their capacity as a member of the University community or while using University IT services. Members of the University community who use Public Access IT services are also obliged to respect University IT security policy.

5. The University recognises that successful implementation of IT security measures relies on having a well-informed user [see Appendix] community combined with effective management procedures.

POLICY

6. The University's Policy on IT Security is as follows:

6.1 Management

University IT systems, and the services they deliver, will be protected by effective management of IT security risks at all levels of the University.

University IT systems will be provided, managed and operated in such a way that:

a) specific objectives and security requirements regarding availability, confidentiality and integrity of each IT system are met;

b) the legal obligations of the University are met;

c) every effort is made to protect copyright, licensing conditions and intellectual property rights of the University and third parties.

6.2 Access

In accordance with the University's policy on access to University-provided IT systems, users may access and use only those University IT systems:

a) for which they have been individually authorised by the manager of that system;

b) for which they have been granted access by virtue of their affiliation with the University; or

c) that operate as a Public Access IT service.

6.3 User Responsibilities

Users of IT systems are accountable for their own behaviour and are personally responsible for:

a) understanding and adhering to University IT security policy;

b) complying with all official notices regarding the terms and conditions applying to use of IT services provided by the University;

c) complying with relevant University policies, Statutes, Rules and Orders;

d) notifying any breach of local or University IT security to the manager of the IT system or the Director, IT Services.

6.4 Information and Training

Information about the existence and general extent of policies, requirements, measures and procedures for the security of University IT systems will be readily available to all users. The University will provide IT security awareness, training and support services to allow users to acquire the information and develop the skills needed to carry out their obligations under paragraph 6.3.

6.5 Breaches

Breaches of this Policy may be dealt with under the relevant Statutes, Rules and Orders of the University. In addition, the University may advise law enforcement agencies when it considers that a criminal offence may have been committed. The Australian National University Information Technology Services Rules, Discipline Rules and relevant industrial awards contain provisions which will be used to deal with users in breach of this policy.

Deans, directors and other heads of areas, through their nominated IT system managers, are responsible for addressing breaches of IT security. Failure to address security breaches may result in disconnection of relevant IT systems from the Campus Network [see Appendix].

6.6 Monitoring

Where monitoring of IT security involves the activities of an individual user or access to information stored on IT systems by users, it will be carried out in accordance with the University's Privacy Policy and in a manner which respects the rights and legitimate interests of those concerned, including the University.

IMPLEMENTATION OF UNIVERSITY IT SECURITY POLICY

7. Responsibility for Implementation of IT Security

The Director, IT Services is responsible for:

a) carriage of University IT security policy;

b) providing campus-wide support services;

c) assisting managers of IT systems in the development and provision of IT security awareness and training programs;

d) issuing guidelines, with the approval of the IT Strategy Committee, for the secure operation of specific aspects of University IT systems;

e) authorising the disconnection from or restricted access to the Campus Network of any IT system or area in which it operates that fails to comply with IT security policy or relevant guidelines;

f) determining the effectiveness of IT security measures through regular monitoring programs;

g) reporting annually to the IT Strategy Committee on security incidents and implementation of University IT Security Policy.

Deans of Faculties, Heads of Research Schools, the University Librarian, Heads of Centres, Divisions and Units and Heads of IT Services Agencies.

Each of the above officers is responsible for:

a) appointing a manager for each IT system connected to the Campus Network and for advising the Director, IT Services of the name of this officer. Areas which wish to appoint a systems administrator or manager who is not a member of the University staff must seek the approval of the Director, IT Services;

b) developing an IT security program for each Faculty, School, Centre, Division or Unit and providing the Director, IT Services with a copy of the program;

c) ensuring security incidents and breaches of security are dealt with in a co-ordinated and timely manner and reported to the Director, IT Services.

Managers of University IT Systems are responsible for:

a) developing, operating and managing those IT systems in accordance with University IT security policy and relevant guidelines, and the requirements of deans, directors and heads of other areas;

b) maintaining and operating IT systems in a manner which effectively balances IT security with users' need to use them free from undue intervention;

c) maintaining IT security awareness by provision of information and training on IT security to users of those IT systems which they manage;

d) periodically monitoring and reassessing their IT security measures to ensure their effectiveness and to respond to changes in requirements;

e) reporting all security incidents to the Director, IT Services, immediately it is known that a breach has occurred.

The Audit Coordinator, in consultation with the Director, IT Services, will undertake audits to gauge the effectiveness of IT security measures.

Appendix: DEFINITIONS

Campus Network
The Campus Network comprises:

IT system
An IT system is:

User
means a person who accesses University IT services and systems whether that access is from within the University or from outside of the University.


The information on this page was updated on Tue, 16 Nov 1999. The page has been authorised by the Director, Information Infrastructure Services as relevant officer.
© 2000 The Australian National University