This procedure was approved by the Vice-Chancellor on 17 October 2008 and incorporates all amendments to 14 May 2015.
This document is pursuant to the Information and Communications Technology Security Policy.
Data: as defined in the Information and Communications Technology Security Policy.
Deakin Directory Service: as defined in the Information and Communications Technology Security Policy.
Information: as defined in the Information and Communications Technology Security Policy.
Information and Communications Technology (ICT) Facilities: as defined in the Information and Communications Technology Security Policy.
Information and Communications Technology (ICT) Services and Materials: as defined in the Information and Communications Technology Security Policy.
Information and Communications Technology (ICT) User: as defined in the Information and Communications Technology Security Policy.
Information Owner: the person who is responsible and accountable for information and records management for an organisational area of Deakin University, and who will ensure appropriate storage, access, use, distribution and disposal of information and records.
1. The IT Security Manager will develop information and communications technology (ICT) security standards and maintain them according to industry-wide standards.
2. The IT Security Manager will undertake an ICT security risk assessment annually, and report to the Chief Digital Officer, Director, eArchitecture or Head of Information Security Risk, eSolutions on ICT security incidents, current security concerns and service improvement needs for the coming year.
3. Staff members with responsibilities for managing or supporting ICT facilities, services and materials will ensure that:
   a) each device or application is configured and managed according to the ICT security standards developed by Deakin eSolutions
   b) where confidential information from production systems is used in development or testing environments, the ICT security requirements for the production system will apply to the development or testing systems.
4. Staff members with responsibilities for managing ICT facilities, services and materials used for financial transactions will ensure that digital certificates and encryption are used for the transfer and storage of payment information, such as account numbers and credit card information.
Connecting to University Facilities
5. The Chief Digital Officer, Director, eArchitecture or Head of Information Security Risk, eSolutions will determine which staff members can authorise access to the operating systems or security systems of any ICT facility, service or material connected to the Deakin University network.
6. Staff members will ensure that new connections of, or changes to, any ICT facility, service or material connected to the Deakin University network are managed and approved according to the Deakin University ICT change management process, facilitated by Deakin eSolutions.
7. Staff members will ensure that any ICT facilities, services or materials installed or configured to protect Deakin University information are of a type and standard approved by the IT Security Manager prior to being implemented on any Deakin University-owned or managed ICT facility or service.
8. Staff members will ensure that non-Deakin University owned ICT devices, excluding personal computing devices such as laptops or personal digital assistants (PDAs), connected to the Deakin University network abide by the same ICT security standards and requirements as those applied to the Deakin University-owned assets.
9. Deakin University usernames in the Deakin University directory service will not be reused within 12 months, unless for use by the same staff member as previously assigned that Deakin University username.
10. The following minimum requirements apply to all user passwords:
   a) be at least 8 characters long
   b) contain a combination of at least 3 of the following four character types:
      i) lowercase letters
      ii) uppercase letters
      iv) other symbols
   c) be changed at least every 180 days. Accounts with passwords older than this will be locked
   d) password history: new passwords must be different from the previous 5 passwords
11. Vendor-supplied default passwords must be changed before or immediately after any ICT facility, service or material is connected to the Deakin University network.
12. Where access is granted to vendors, partners, consultants and other users who are not staff or students of Deakin University, this access will be reviewed at least annually to ensure that the access and the privileges granted are still applicable.
Where available, mechanisms to detect and prevent multiple failed login attempts to a user account must be enabled and configured in one of two ways. After 5 failed login attempts, an account:
   a) is automatically locked; or
   b) has delays between attempts of at least 30 minutes imposed.
13. Timeframes for regular password changes for all ICT facilities, services or materials will be set by the IT Security Manager, and implemented by staff members with responsibility for managing or supporting the ICT facilities, services or materials.
14. ICT users may only be provided with ICT passwords on provision of appropriate identification. Identification requirements will be prescribed by the IT Security Manager.
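The password rules in item 10 and the failed-login rule above are concrete enough to be checked mechanically. The following is an added example, not part of the Deakin procedure, of a validator for those requirements; it assumes the character type omitted from the list (iii) is digits, and uses plain SHA-256 for the history comparison only to keep the sample short.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Thresholds taken from item 10 and the failed-login paragraph of the procedure.
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_AGE_DAYS = 180
HISTORY_DEPTH = 5
LOCKOUT_THRESHOLD = 5
LOCKOUT_DELAY = timedelta(minutes=30)

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),  # assumed: the type iii) omitted from the page
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def password_digest(password: str) -> str:
    """Digest for history checks; real storage needs a salted, slow KDF instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def password_violations(candidate: str, history_digests: list[str]) -> list[str]:
    """Return the item-10 rules the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(candidate))
    if classes < MIN_CLASSES:
        problems.append(f"only {classes} of 4 character types")
    digest = password_digest(candidate)
    # Only the most recent 5 entries count (item 10 d).
    if any(hmac.compare_digest(digest, old) for old in history_digests[-HISTORY_DEPTH:]):
        problems.append("matches one of the previous 5 passwords")
    return problems

def password_expired(last_changed_iso: str, now_iso: str) -> bool:
    """Item 10 c): a password older than 180 days means the account is locked."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_changed_iso)
    return age > timedelta(days=MAX_AGE_DAYS)

def lockout_decision(failed_attempts: int, last_failure_iso: str, now_iso: str, lock_mode: bool) -> str:
    """After 5 failures: lock the account (option a) or impose a 30-minute delay (option b)."""
    if failed_attempts < LOCKOUT_THRESHOLD:
        return "allow"
    if lock_mode:
        return "locked"
    since = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_failure_iso)
    return "allow" if since >= LOCKOUT_DELAY else "delayed"
```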
Monitoring and Auditing
15. The Director, eArchitecture or Head of Information Security Risk, eSolutions may monitor for security breaches as specified in the Information and Communications Technology Use Procedure.
16. Excluding personal computing devices, logs of system, application and ICT user activity that are generated automatically must be kept for a minimum of 2 years. Such logs will contain both non-identifying and identifying data, which may include Deakin University username, computer name and location, time of activity and screens accessed.
17. All changes to production data must be made via an application or system interface that automatically logs activity or via standard batch jobs. Where this is not possible, changes must be made and tracked via the ICT change management process, with the details of the change record kept for a minimum of 2 years.
18. All changes to logging mechanisms that affect the ability to monitor or audit system, application and ICT user activity must be authorised through the Deakin University ICT change management process and must be able to be audited.
Awareness and Education
19. The IT Security Manager will provide an ICT security awareness program for ICT users, including information about their obligations in relation to:
- access to and use of ICT facilities, services and materials
- reporting of ICT security incidents, breaches or concerns
20. Managers will ensure that their staff members, including consultants and contractors, are aware of and educated about ICT security, including the ICT security requirements appropriate to their role.
21. Staff will comply with the ICT security requirements required by their role, including but not limited to:
- compliance with ICT security policy, procedure and standards
- ensuring that their computers are not left unattended and logged into the Deakin University network, without first activating a screen saver with password protection.
22. The IT Security Manager will ensure that all external parties with connectivity to the Deakin University ICT network have a formal agreement in place defining access provisions, which will be commensurate with Deakin University measures, to protect against unauthorised or improper use of the Deakin University ICT facilities, services or materials.
23. Staff will obtain approval in writing from the IT Security Manager before disclosing outside of the University any specific matter regarding security controls that are in use or the way in which these controls are implemented.
24. Where an exemption from the ICT security policy, procedure or standards is required, approval in writing must be obtained from the IT Security Manager and the information owner where applicable.
25. ICT Users must immediately report any suspected or perceived breach of the Information and Communications Technology Security Policy, procedure or standards to the Director, eArchitecture or Head of Information Security Risk, eSolutions or nominee via the IT Service Desk.
26. The Director, eArchitecture or Head of Information Security Risk, eSolutions may deny or restrict an ICT User's access to the University's ICT facilities, services and materials, and/or remove or disable any data, service or device from the ICT facilities, as a result of violations of the Information and Communications Technology Security Policy, procedure or standards, pending further investigation, disciplinary and/or judicial action.
27. If the Chief Digital Officer, Director, eArchitecture or Head of Information Security Risk, eSolutions is satisfied, based on investigations, that a violation of policy and/or law has occurred, he or she will undertake disciplinary action as outlined in the Information and Communications Technology Use Procedure.
Information and Records Management Policy
Information and Communications Technology Use Policy
Information and Communications Technology Use Procedure
The Chief Digital Officer is responsible for the development, compliance monitoring and review of this procedure.
The Director, eArchitecture is responsible for the promulgation and implementation of this procedure throughout Deakin University.