
Computer and Network Security Policy

Section 1 - Purpose

(1) This Policy outlines how IT Resources and User accounts are to be secured, in support of the Cyber Security Policy.

Scope

(2) This Policy applies to University Staff and Third-Parties who:

  1. have access to IT Resources; and
  2. are responsible for implementing and managing IT Resources.

Background

(3) Macquarie University (the University) is committed to maintaining a secure technology environment and as such, has established requirements to secure the University’s IT Resources. Establishing these requirements aims to decrease the likelihood of negative consequences impacting the confidentiality, integrity and availability of IT Resources.


Section 2 - Policy

General Access Management

(4) User access provisioning, account management, and password allocation should only be performed by the Central IT team, in accordance with approved operational procedures.

(5) Access to IT Resources should be controlled through a central identity management platform (e.g., Active Directory (AD) group membership).

(6) Access to applications should be facilitated via Single Sign-On (SSO), where possible.

(7) User accounts must be configured with Multi-Factor Authentication (MFA), and User accounts should be unique to an individual.

(8) A User access provisioning process should be implemented to assign or revoke access to IT Resources. User access should be:

  1. assigned in accordance with the principle of least privilege and segregation of duties;
  2. assigned after formal approval from the User’s Manager or relevant Business Owner (or authorised delegate). Additionally, Privileged User access must also be reviewed by the Business Owner (or authorised delegate) and Cyber Security team before being provided;
  3. uniquely identifiable and accountable to a single individual;
  4. removed on the same day when no longer required (e.g., upon termination, role change, or responsibility change); and
  5. configured with an expiry date for Third-Party accounts that aligns with the User’s contract end date.

(9) User access permissions should be reviewed for suitability by the Business Owner (or authorised delegate) or Cyber Security team, at the following cadences:

  1. Standard User accounts: at least annually; and
  2. Privileged User accounts: at least every six months.

(10) User access permissions should also be reviewed in response to one of the following:

  1. a User’s role or position changes;
  2. an incident (e.g., account compromise or data breach); and
  3. disciplinary breaches (e.g., breaches of Policy).

Account Management

(11) User accounts should be locked for 30 minutes after 15 consecutive failed access attempts.

(12) Access management systems must be configured to ‘deny by default’ unless explicit access is granted.

(13) Both privileged and unprivileged access to IT Resources should be automatically disabled after 90 days of inactivity.

(14) Privileged Users should maintain a Standard User account for their day-to-day non-privileged work and use a specific Privileged User account for any tasks that require elevated privileges.

(15) Elevated/higher privileges should not be granted to a Standard User account.

(16) The owner of a User Account will be held responsible for all actions undertaken by the account.

(17) The use of shared User Accounts must be documented and an owner must be assigned to each shared User Account.

Password Management

(18) Where available, University approved password managers should be used.

(19) IT Resources that manage/enforce passwords should be configured to enforce the following requirements:

Requirement: Settings

Minimum Password Length: Standard User accounts, 8 characters; Privileged User accounts, 16 characters.

Password Expiry: Standard and Privileged User accounts, 1 year.

Password History: 5 previous passwords.

Password Complexity:
  1. Passwords must contain:
    1. at least one uppercase or lowercase character (A – Z or a – z);
    2. at least one number/digit (0 – 9); and
    3. at least one special character (e.g., #, %, $).
  2. Passwords must not contain:
    1. commonly used words or commonly used passphrases; or
    2. part of the user's username, first name, or last name.
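The following Python checker is added here as an illustration of how the clause 19 settings and the clause 21 temporary-password expiry would be enforced; it is not part of the Policy or of any University system. The short denylist of common words, the rule that any three-character token of a name counts as "part of" that name, and the use of SHA-256 to represent stored password history are the example's own assumptions; a production identity platform would compare against its stored (slow, salted) verifiers and a breached-password list. Note that the complexity clause, as written, only requires a letter of either case; the code follows the text and marks where a one-of-each check would go.

```python
"""Password requirement checker for clause 19 and the clause 21 temporary-password
lifetime. Added example, not Macquarie University code; see assumptions in comments."""
import hashlib
import re
from datetime import datetime, timedelta

# Clause 19 settings, keyed by the account types used throughout the Policy.
MIN_LENGTH = {"standard": 8, "privileged": 16}
PASSWORD_HISTORY = 5                           # previous passwords that may not be reused
TEMP_PASSWORD_LIFETIME = timedelta(hours=24)   # clause 21

# Constructed stand-in for the "commonly used words or passphrases" denylist.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "macquarie")


def _name_tokens(*fields, min_len=3):
    """Assumption: any token of min_len+ characters from a name field is 'part of' it."""
    tokens = set()
    for field in fields:
        for tok in re.split(r"[^A-Za-z0-9]+", field or ""):
            if len(tok) >= min_len:
                tokens.add(tok.lower())
    return tokens


def _verifier(password):
    """Illustration only: real systems keep a slow, salted hash, never bare SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password, account_type, username, first_name="", last_name="",
                   previous_verifiers=()):
    """Return the list of clause 19 requirements the password fails (empty = accepted)."""
    problems = []
    min_len = MIN_LENGTH[account_type]
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Complexity as written: a letter of either case. If the intent is one of each,
    # replace this with separate [A-Z] and [a-z] checks.
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for tok in sorted(_name_tokens(username, first_name, last_name)):
        if tok in lowered:
            problems.append(f"contains part of the user's name or username '{tok}'")
    # Password history: the last PASSWORD_HISTORY verifiers may not be reused.
    if _verifier(password) in list(previous_verifiers)[-PASSWORD_HISTORY:]:
        problems.append(f"matches one of the last {PASSWORD_HISTORY} passwords")
    return problems


def temporary_password_expired(issued_at, now):
    """Clause 21: a temporary password expires 24 hours after issue.
    Accepts datetime objects or ISO-8601 strings."""
    if isinstance(issued_at, str):
        issued_at = datetime.fromisoformat(issued_at)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return now - issued_at > TEMP_PASSWORD_LIFETIME


if __name__ == "__main__":
    print(check_password("Password1!", "standard", "jsmith", "John", "Smith"))
    print(check_password("Smith2024!", "privileged", "jsmith", "John", "Smith"))
    print(check_password("Summ3r!Day-Walk9", "privileged", "jsmith", "John", "Smith"))
```

The checker returns every failed requirement rather than stopping at the first, which is what a self-service reset page needs in order to tell the user what to fix; the history check is deliberately done on verifiers so the previous plaintext passwords are never held.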

(20) Privileged account passwords must be randomly generated at build time and at any time the password is communicated.

(21) Temporary passwords should adhere to the same requirements detailed in clause 19 and be set to expire after 24 hours.

(22) Passwords must be changed in response to one of the following:

  1. a user logs on for the first time; or
  2. if it has been or is suspected of being compromised.

(23) Password resets should be logged to provide an audit trail for any future investigation in accordance with the Logging, Monitoring and Alerting Policy.

(24) Passwords should be securely stored within a University approved password manager.

(25) Passwords generated by applications/systems should be shared via a secure and approved distribution method.

(26) Passwords must not be shared with another individual.

(27) Scripts, code, or macros should not contain passwords.

(28) Passwords used for encryption keys should comply with the same minimum requirements as required by the Privileged User Accounts.

(29) Passwords used to decrypt keys should only be verbally shared with authorised users.

Network Security

(30) IT Resources should be documented within an asset register, inclusive of the following information:

  1. System Owner’s name;
  2. Business Owner’s name;
  3. asset name/identifier;
  4. Internet Protocol (IP) address;
  5. criticality rating;
  6. confidentiality rating; and
  7. business purpose.

(31) IT Resources not approved by the University should not be connected to the University’s corporate network.

(32) IT Resources should be onboarded, maintained and offboarded in accordance with a defined asset management process.

(33) Networks should be segmented into zones, and internal network zones should be classified separately from public zones.

(34) Network zones should be protected from the internet and Third-Party environments by perimeter controls including but not limited to a firewall and Access Control Lists (ACLs).

Malware

(35) IT Resources attached to the University’s network must have anti-malware software installed. The software must:

  1. be active;
  2. be scheduled to perform checks at regular intervals;
  3. have its definition files kept up to date; and
  4. initiate an anti-malware signature update at least every four hours.

(36) Malware-infected IT Resources must be removed from the network until they are verified as malware-free.

(37) All encrypted artefacts must be scanned for malware after decryption and before execution.

(38) All artefacts obtained or downloaded must be scanned for malware before executing.

(39) Locally mounted disks should be scanned by anti-malware software on a weekly basis.

Encryption

(40) University information should be encrypted in-transit and at-rest, in accordance with the Australian Signals Directorate (ASD) Approved Cryptographic Algorithms.

(41) Internet-facing website certificates should adhere to the criteria below:

  1. certificates should be signed by a well-established commercial certificate authority; and
  2. certificates should have at most, a three-year validity period.

(42) System-to-system interfaces should adhere to the criteria below:

  1. certificates may be self-signed; and
  2. certificates may be valid for up to six-years.

(43) Encryption keys must adhere to the criteria below:

  1. keys must only be provided to those who have a business need to handle the keys;
  2. keys must be protected by strong encryption in-transit;
  3. application keys or private keys for scripts that are needed at system startup must be stored in a location readable only by the application or script user, with all other permissions removed;
  4. Key Encrypting Keys (KEKs) should be stored separately to Data Encrypting Keys (DEKs);
  5. keys should be stored in a single encrypted location and regularly backed up to an encrypted repository; and
  6. keys must be replaced if they are no longer considered strong by industry standards or if they are suspected of being compromised.

IT Resource Decommissioning

(44) University records must be retained in accordance with the Records and Information Management Policy.

(45) Information that is not required to be retained for regulatory or University purposes on printed material or in a digital format should be securely destroyed so that the information is not able to be recovered by unauthorised parties.

(46) Destruction of University records should be approved by authorised Staff and documented.

(47) Printed documents should be destroyed by using secure facilities provided by the University by:

  1. depositing printed documents in a locked secure destruction bin supplied by an AAA-certified National Association for Information Destruction organisation; or
  2. use of a DIN 66399 security level P-4 to DIN 66399 security level P-7 document shredder.

(48) Optical media and hard disks that contain University information should be securely deleted/wiped before being repurposed.

(49) Optical media and hard disks should be physically destroyed before being disposed of, by disintegration, incineration, pulverising, shredding or melting, or through an AAA-certified National Association for Information Destruction organisation, with a certificate of destruction.

(50) Decommissioned, disposed and repurposed IT Resources should have:

  1. their storage devices/media securely deleted/wiped, by either:
    1. the University; or
    2. an AAA-certified National Association for Information Destruction organisation, with a certificate of destruction;
  2. their serial numbers recorded within a register;
  3. their settings/configurations reset to factory default;
  4. associated firewall rules and IP access control lists removed;
  5. Virtual Private Networks (VPN) profile associations removed;
  6. forward and reverse Domain Name Service (DNS) entries removed;
  7. entries in support databases removed (e.g., Configuration Management Database);
  8. system specific domain-level service accounts removed; and
  9. virtual machines and associated virtual disks deleted.

Compliance and Exceptions

(51) Exemption from this Policy must be sought from the Chief Information Security Officer (CISO).

(52) Breaches of this Policy will be managed in accordance with the applicable provisions of the Staff Code of Conduct and other relevant policy instruments.


Section 3 - Procedures

(53) IT Resources must be built/configured in accordance with, but not limited to, the following requirements:

  1. be synchronised with a common trusted time source;
  2. have unneeded services and software packages disabled or removed;
  3. have unneeded accounts removed, default credentials changed, and anonymous access disabled;
  4. be configured to deny network, shell, console and file system access unless specifically permitted;
  5. have the latest security patches applied, in accordance with the Vulnerability Management Policy;
  6. have media and network drive auto-play functions disabled;
  7. restrict privileged actions to Privileged User accounts only;
  8. forward security event logs to a central Security Information and Event Management (SIEM) solution, in accordance with the Logging, Monitoring and Alerting Procedure;
  9. be configured with a personal firewall if operating on premises that are not owned or operated by the University;
  10. be located in an appropriate network zone;
  11. be located in a Demilitarised Zone (DMZ) if they require direct connection to external locations (inbound and outbound);
  12. prohibit access to malicious or potentially dangerous websites;
  13. enforce user access in accordance with the access control sections of this Policy;
  14. be monitored by intrusion detection and/or prevention solutions that notify the IT Cyber Security team; and
  15. have centrally managed real-time anti-malware software installed, in accordance with the Malware section in this Policy.

(54) IT Resources that handle Highly Sensitive information (refer Information Classification and Handling Procedure) must be built/configured in accordance with, but not limited to, the following requirements:

  1. application whitelisting to restrict application and script execution to only those folders or directories required to perform the business function;
  2. have USB ports, floppy disk drives and optical drives disabled;
  3. be monitored by change detection software that monitors critical system files; and
  4. log all data-level access to Highly Sensitive information to a central log server.

(55) Firewalls must be built/configured in accordance with, but not limited to, the following requirements:

  1. firewalls must only allow the ports required for the business function and deny all other traffic;
  2. firewalls protecting an IT Resource in a DMZ should not be configurable from the IT Resource they are protecting;
  3. non-production environments must be separated from production environments by a firewall solution.

(56) Firewall rule changes that meet one or more of the following conditions must be reviewed and approved by the Cyber Security team:

  1. permits traffic to or from external (internet or Third-Party) locations;
  2. permits traffic between production and non-production environments;
  3. permits a large number of source or destination addresses (greater than 10);
  4. permits all source or destination protocols (an “ANY” rule);
  5. permits a broad range of source or destination ports (greater than a range of 20 ports);
  6. establishes a new network path to an external party;
  7. uses protocols that pass credentials or data in clear text (SNMP, POP3, IMAP, LDAP, FTP, TFTP, Telnet, rexec, rlogin, rsh);
  8. uses protocols that are known as an avenue for computer worms (SMB/CIFS TCP445 & TCP139, MS-RPC TCP135, RDP TCP3389); and
  9. facilitates remote control of computers (RDP TCP3389, VNC TCP5500 TCP5800 TCP5900, pcANYWHERE TCP5631 UDP5632).
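The Python below is an added illustration, not University tooling, of how a change-request pipeline could test a proposed firewall rule against the nine clause 56 conditions and return the ones it meets. The zone labels, the standard IANA port numbers attached to the protocols the Policy names in conditions 7 to 9, and the reading of condition 6 as "no existing rule already reaches an overlapping external address range" are assumptions of the example.

```python
"""Clause 56 review-trigger check for a proposed firewall rule change.
Added example; not University tooling. Zone names and port mappings are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed zone labels carried on the change request (conditions 1 and 2).
EXTERNAL_ZONES = {"internet", "third-party"}
PRODUCTION_ZONES = {"prod"}
NON_PRODUCTION_ZONES = {"dev", "test", "uat"}
MAX_ADDRESSES = 10   # condition 3: more than 10 source or destination addresses
MAX_PORTS = 20       # condition 5: wider than a 20-port range
ALL_PORTS = 65536

# Standard IANA ports for the protocols the Policy names in conditions 7 to 9.
# The Policy lists protocol names; the port numbers are this example's mapping.
CLEAR_TEXT = {("udp", 161): "SNMP", ("tcp", 110): "POP3", ("tcp", 143): "IMAP",
              ("tcp", 389): "LDAP", ("tcp", 21): "FTP", ("udp", 69): "TFTP",
              ("tcp", 23): "Telnet", ("tcp", 512): "rexec", ("tcp", 513): "rlogin",
              ("tcp", 514): "rsh"}
WORM_PRONE = {("tcp", 445): "SMB/CIFS", ("tcp", 139): "SMB/CIFS",
              ("tcp", 135): "MS-RPC", ("tcp", 3389): "RDP"}
REMOTE_CONTROL = {("tcp", 3389): "RDP", ("tcp", 5500): "VNC", ("tcp", 5800): "VNC",
                  ("tcp", 5900): "VNC", ("tcp", 5631): "pcANYWHERE",
                  ("udp", 5632): "pcANYWHERE"}


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src: list                      # CIDR strings
    dst: list                      # CIDR strings
    protocol: str = "tcp"          # "tcp", "udp" or "any"
    ports: Optional[list] = None   # [(low, high), ...]; None means every port

    def networks(self, side):
        return [ipaddress.ip_network(c, strict=False) for c in getattr(self, side)]


def _address_count(nets):
    return sum(n.num_addresses for n in nets)


def _port_count(rule):
    if rule.ports is None:
        return ALL_PORTS
    return len({p for lo, hi in rule.ports for p in range(lo, hi + 1)})


def _permits(rule, proto, port):
    """Does the rule allow traffic on this protocol/port pair?"""
    if rule.protocol not in ("any", proto):
        return False
    return rule.ports is None or any(lo <= port <= hi for lo, hi in rule.ports)


def _external_side(rule):
    if rule.dst_zone in EXTERNAL_ZONES:
        return "dst"
    if rule.src_zone in EXTERNAL_ZONES:
        return "src"
    return None


def review_conditions(rule, existing_rules=()):
    """Return the sorted clause 56 condition numbers (1-9) the rule meets.
    A non-empty result means the change needs Cyber Security team approval."""
    hits = set()
    ext = _external_side(rule)
    if ext:                                                          # condition 1
        hits.add(1)
    zones = {rule.src_zone, rule.dst_zone}
    if zones & PRODUCTION_ZONES and zones & NON_PRODUCTION_ZONES:    # condition 2
        hits.add(2)
    if max(_address_count(rule.networks("src")),
           _address_count(rule.networks("dst"))) > MAX_ADDRESSES:     # condition 3
        hits.add(3)
    if rule.protocol == "any" or rule.ports is None:                 # condition 4
        hits.add(4)
    if _port_count(rule) > MAX_PORTS:                                # condition 5
        hits.add(5)
    if ext:                                                          # condition 6
        # Assumption: the path is new when no existing rule already reaches
        # an overlapping external address range.
        new_nets = rule.networks(ext)
        reached = any(
            _external_side(r) is not None
            and any(a.overlaps(b) for a in r.networks(_external_side(r)) for b in new_nets)
            for r in existing_rules)
        if not reached:
            hits.add(6)
    for table, number in ((CLEAR_TEXT, 7), (WORM_PRONE, 8), (REMOTE_CONTROL, 9)):
        if any(_permits(rule, proto, port) for proto, port in table):
            hits.add(number)
    return sorted(hits)


if __name__ == "__main__":
    inbound_https = Rule("internet", "dmz", ["0.0.0.0/0"], ["203.0.113.10/32"], "tcp", [(443, 443)])
    print(review_conditions(inbound_https))   # [1, 3, 6]
    admin_rdp = Rule("corp", "servers", ["10.0.0.0/29"], ["10.5.0.1/32"], "tcp", [(3389, 3389)])
    print(review_conditions(admin_rdp))       # [8, 9]
```

Conditions 7 to 9 are tested by asking whether the rule would permit each listed protocol/port pair, so an ANY-port rule is correctly flagged for RDP and SMB even though it names no port at all; a check that only inspected the ports written on the rule would miss that case.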

(57) Web application environments should adhere to the following requirements:

  1. reside in at least a two-tier network architecture (application and database);
  2. servers in the database zone should not be permitted to initiate connections directly with the application zone; and
  3. servers directly involved in hosting internet-facing web applications should be blocked from initiating outbound connections.

(58) Access to specific IT Resources should adhere to the requirements outlined below:

Database Access:
  1. non-production applications and databases must not contain production data;
  2. the System Administrator (SA) account must only be used in the case of an emergency;
  3. all direct access to databases must be conducted with the user's unique ID;
  4. applications that integrate with a database must be assigned a unique application account, used exclusively for the interactions with the database; and
  5. applications that allow users to access data directly from a database must log the identity of the user within user activity logs for data create, read, update or delete activities.

Root Access:
  1. root accounts should only be used in the case of an emergency;
  2. root account passwords should be stored in a secure digital format protected by strong encryption;
  3. root accounts should only be accessible by the minimum number of support staff required; and
  4. root account passwords should not be sent by email or instant messaging. Sharing verbally over the phone is only permitted after the recipient's identity has been verified and in an area where the conversation cannot be overheard.

Console Access should:
  1. require re-authentication after 20 minutes of inactivity if facilitating access to Highly Sensitive information; and
  2. not be directly accessible from the internet with a single factor of authentication.

System-to-System Access credentials should:
  1. not be used by individuals for day-to-day operations;
  2. be either certificate based or consist of a password of at least 16 characters;
  3. may be set to never expire; and
  4. be protected by strong encryption or restrictive file system permissions when stored (only permit access to the required application accounts).

Remote Access should:
  1. only be permitted via an approved Virtual Private Network (VPN) solution;
  2. be protected by strong encryption; and
  3. be removed immediately when no longer required.

(59) A message that discourages unauthorised access and notifies the User of activity monitoring should be displayed before a User attempts to log on to an IT Resource, as outlined below:

Computers and Network Devices:
WARNING! This system belongs to Macquarie University. AUTHORISED ACCESS ONLY.

Access to this system is restricted to authorised users only. Actions performed by users on this system are logged and monitored. Activities conducted on this system that contravene the University’s policies and procedures will be reported to the relevant authorities.

Application:
This application is operated by Macquarie University. Access to this application is restricted to authorised users only. Actions performed by users within this application are logged and monitored. Misuse of this application and its facilities will be reported to the relevant authorities.

Section 4 - Guidelines 

(60) Nil.


Section 5 - Definitions

(61) The following definitions apply for the purpose of this Policy:

  1. Information means any information in either physical or electronic format that is generated, created, stored, purchased or received during the conduct of University operations.
  2. IT Resource means any device or software that has value to the University and consequently needs to be suitably protected, including hardware (e.g., laptops, desktops, servers, network equipment, phones, printers, storage devices), and applications (e.g., cloud/desktop/server based).
  3. Privileged User Account means an account with elevated permissions to manage and make system-wide changes (e.g., configure systems, install software, access sensitive data).
  4. Staff means an individual directly employed by the University.
  5. Standard User Account means an account used for day-to-day tasks with a restricted set of permissions.
  6. Third-Party means an individual or organisation working under contract with the University.