Responsible Officer: Chief Digital Officer, eSolutions
Implementation Officer: Director, eArchitecture

First approved by:
Vice-Chancellor on 17 October 2008

Amendments approved by:
Vice-Chancellor on 30 September 2010
(revision of procedure);

Vice-Chancellor on 15 November 2010
(amendments to Chief Operating Officer
responsibilities)

Policy Manager on 14 March 2014
(admin. changes only
- Deakin eSolutions
- Executive Director, Information Technology
- Chief Digital Officer
- IT Security Manager);

CDO on 9 April 2015
(amendments - IO: ED, IT to Director, eArchitecture & position
titles in paras 2, 5, 15, 25, 26, & 27, in accordance with ICT suite review);

CDO on 14 May 2015
(amendment - new clause 12 + add a) & b))
(amend clause 12 - not new but addition to current
clause 12)
Information and Communications Technology Security Procedure
This procedure was approved by the Vice-Chancellor on 17 October 2008 and incorporates all amendments to 14 May 2015.
This document is pursuant to the Information and Communications Technology Security Policy.
DEFINITIONS

Data: as defined in the Information and Communications Technology Security Policy.

Deakin Directory Service: as defined in the Information and Communications Technology Security Policy.

Information: as defined in the Information and Communications Technology Security Policy.

Information and Communications Technology (ICT) Facilities: as defined in the Information and Communications Technology Security Policy.

Information and Communications Technology (ICT) Services and Materials: as defined in the Information and Communications Technology Security Policy.

Information and Communications Technology (ICT) User: as defined in the Information and Communications Technology Security Policy.

Information Owner: the person who is responsible and accountable for information and records management for an organisational area of Deakin University, and who will ensure appropriate storage, access, use, distribution and disposal of information and records.

PROCEDURE
Security Standards
1. The IT Security Manager will develop information and communications technology (ICT) security standards and maintain them according to industry-wide standards.
2. The IT Security Manager will undertake an ICT security risk assessment annually, and report to the Chief Digital Officer, Director, eArchitecture or Head of Information Security Risk, eSolutions on ICT security incidents, current security concerns and service improvement needs for the coming year.
3. Staff members with responsibilities for managing or supporting ICT facilities, services and materials will ensure that:
   a) each device or application is configured and managed according to the ICT security standards developed by Deakin eSolutions
   b) where confidential information from production systems is used in development or testing environments, the ICT security requirements for the production system will apply to the development or testing systems.
4. Staff members with responsibilities for managing ICT facilities, services and materials used for financial transactions will ensure that digital certificates and encryption are used for the transfer and storage of payment information, such as account numbers and credit card information.
Connecting to University Facilities
5. The Chief Digital Officer, Director, eArchitecture or Head of Information Security Risk, eSolutions will determine which staff members can authorise access to the operating systems or security systems of any ICT facility, service or material connected to the Deakin University network.
6. Staff members will ensure that new connections of, or changes to, any ICT facility, service or material connected to the Deakin University network are managed and approved according to the Deakin University ICT change management process, facilitated by Deakin eSolutions.
7. Staff members will ensure that any ICT facilities, services or materials installed or configured to protect Deakin University information are of a type and standard approved by the IT Security Manager prior to being implemented on any Deakin University-owned or managed ICT facility or service.
8. Staff members will ensure that non-Deakin University owned ICT devices, excluding personal computing devices such as laptops or personal digital assistants (PDAs), connected to the Deakin University network abide by the same ICT security standards and requirements as those applied to Deakin University-owned assets.
Usernames
9. Deakin University usernames in the Deakin University directory service will not be reused within 12 months, unless for use by the same staff member as was previously assigned that Deakin University username.
Passwords
10. The following minimum requirements apply to all user passwords:
    a) be at least 8 characters long
    b) contain a combination of at least 3 of the following four character types:
       i) lowercase letters
       ii) uppercase letters
       iii) numbers
       iv) other symbols
    c) be changed at least every 180 days; accounts with passwords older than this will be locked
    d) password history: new passwords must be different from the previous 5 passwords.
11. Vendor-supplied default passwords must be changed before or immediately after any ICT facility, service or material is connected to the Deakin University network.
12. Where access is granted to vendors, partners, consultants and other users who are not staff or students of Deakin University, this access will be reviewed at least annually to ensure that the access and the privileges granted are still applicable.
    Where available, mechanisms to detect and prevent multiple failed login attempts to a user account must be enabled and configured in one of two ways. After 5 failed login attempts, an account:
    a) is automatically locked; or
    b) has delays between attempts of at least 30 minutes imposed.
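The password rules in clause 10 and the failed-login controls in clause 12 can be enforced mechanically. The following Python is an added example written for this page, not code from Deakin eSolutions; it assumes previous passwords are kept as salted PBKDF2 hashes for the history check, and the salts and dates below are constructed.

```python
import hashlib
import hmac
from datetime import timedelta

# Thresholds taken from clauses 10 and 12 of the procedure.
MIN_LENGTH, MIN_CLASSES, MAX_AGE_DAYS, HISTORY_DEPTH = 8, 3, 180, 5
MAX_FAILED, DELAY_MINUTES = 5, 30


def char_classes(pw: str) -> int:
    """Count how many of the four character types (10b) the password uses."""
    return sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))


def hash_pw(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest; an assumed storage format, not the University's."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def check_new_password(pw: str, history: list) -> list:
    """history: (salt, digest) pairs, newest first. Returns violated clauses."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("10a: shorter than 8 characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append("10b: fewer than 3 character types")
    for salt, digest in history[:HISTORY_DEPTH]:      # only the previous 5 (10d)
        if hmac.compare_digest(hash_pw(pw, salt), digest):
            problems.append("10d: matches one of the previous 5 passwords")
            break
    return problems


def password_expired(last_changed, now) -> bool:
    """10c: a password older than 180 days means the account is locked."""
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


class LoginGuard:
    """Clause 12: after 5 failures either lock the account or delay 30 minutes."""
    def __init__(self, mode: str = "lock"):
        self.mode, self.failed, self.locked, self.next_allowed = mode, 0, False, 0.0

    def attempt(self, credentials_ok: bool, now: float) -> str:
        if self.locked or now < self.next_allowed:
            return "denied"                           # locked or inside delay window
        if credentials_ok:
            self.failed = 0
            return "granted"
        self.failed += 1
        if self.failed >= MAX_FAILED:
            if self.mode == "lock":
                self.locked = True                    # option a)
            else:
                self.next_allowed = now + DELAY_MINUTES * 60   # option b)
        return "failed"
```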
13. Timeframes for regular password changes for all ICT facilities, services or materials will be set by the IT Security Manager, and implemented by staff members with responsibility for managing or supporting the ICT facilities, services or materials.
14. ICT users may only be provided with ICT passwords on provision of appropriate identification. Identification requirements will be prescribed by the IT Security Manager.
Monitoring and Auditing
15. The Director, eArchitecture or Head of Information Security Risk, eSolutions may monitor for security breaches as specified in the Information and Communications Technology Use Procedure.
16. Excluding personal computing devices, logs of system, application and ICT user activity that are generated automatically must be kept for a minimum of 2 years. Such logs will contain both non-identifying and identifying data, which may include Deakin University username, computer name and location, time of activity and screens accessed.
17. All changes to production data must be made via an application or system interface that automatically logs activity, or via standard batch jobs. Where this is not possible, changes must be made and tracked via the ICT change management process, with the details of the change record kept for a minimum of 2 years.
18. All changes to logging mechanisms that affect the ability to monitor or audit system, application and ICT user activity must be authorised through the Deakin University ICT change management process and must be auditable.
Awareness and Education
19. The IT Security Manager will provide an ICT security awareness program for ICT users, including information about their obligations in relation to:
    • access to and use of ICT facilities, services and materials
    • reporting of ICT security incidents, breaches or concerns
20. Managers will ensure that their staff members, including consultants and contractors, are aware of and educated about ICT security, including the ICT security requirements appropriate to their role.
21. Staff will comply with the ICT security requirements of their role, including but not limited to:
    • compliance with ICT security policy, procedure and standards
    • ensuring that their computers are not left unattended while logged into the Deakin University network without first activating a password-protected screen saver.
External Parties
22. The IT Security Manager will ensure that all external parties with connectivity to the Deakin University ICT network have a formal agreement in place defining access provisions, commensurate with Deakin University measures, to protect against unauthorised or improper use of Deakin University ICT facilities, services or materials.
23. Staff will obtain approval in writing from the IT Security Manager before disclosing outside the University any specific matter regarding the security controls in use or the way in which these controls are implemented.
Exemptions
24. Where an exemption from the ICT security policy, procedure or standards is required, approval in writing must be obtained from the IT Security Manager and, where applicable, the information owner.
Breaches
25. ICT Users must immediately report any suspected or perceived breach of the Information and Communications Technology Security Policy, procedure or standards to the Director, eArchitecture or Head of Information Security Risk, eSolutions or nominee via the IT Service Desk.
26. The Director, eArchitecture or Head of Information Security Risk, eSolutions may deny or restrict an ICT User's access to the University's ICT facilities, services and materials, and/or remove or disable any data, service or device from the ICT facilities, as a result of violations of the Information and Communications Technology Security Policy, procedure or standards, pending further investigation, disciplinary and/or judicial action.
27. If the Chief Digital Officer, Director, eArchitecture or Head of Information Security Risk, eSolutions is satisfied, based on investigations, that a violation of policy and/or law has occurred, he or she will undertake disciplinary action in accordance with that outlined in the Information and Communications Technology Use Procedure.
ASSOCIATED INFORMATION

Information and Records Management Policy
Information and Communications Technology Use Policy
Information and Communications Technology Use Procedure

RESPONSIBLE OFFICER

The Chief Digital Officer is responsible for the development, compliance monitoring and review of this procedure.

IMPLEMENTATION OFFICER

The Director, eArchitecture is responsible for the promulgation and implementation of this procedure throughout Deakin University.
Printed copies of this document may not be current. Please refer to The Guide for the most recent version.
Deakin University 2015