Cyber Security Policy

Section 1 - Purpose

(1) This Policy outlines how IT Resources are to be secured at the University and the responsibilities of Staff and Third-Parties with access to the University’s IT Resources.

Scope

(2) This Policy applies to University Staff and Third-Parties with access to the University’s IT Resources.

Background

(3) Macquarie University (the University) is committed to maintaining a secure technology environment and as such, has established requirements to secure the University’s IT Resources. Establishing these requirements aims to decrease the likelihood of negative consequences impacting the Confidentiality, Integrity and Availability of IT Resources.

Section 2 - Policy

Roles and Responsibilities

Chief Information and Digital Officer (CIDO):

  1. Ensuring this Policy and related artefacts align with the University’s goals and applicable government regulations;
  2. Ensuring this Policy and related artefacts are reviewed and updated in accordance with operational needs;
  3. Sponsoring the implementation of cyber security controls to address identified risks;
  4. Approving (where warranted) exemptions to this Policy and related artefacts; and
  5. Overseeing cyber security incident response activities, as required.

Chief Information Security Officer (CISO):

  1. Managing the day-to-day operations of the Cyber Security team;
  2. Reviewing and updating this Policy and related artefacts in accordance with operational needs;
  3. Ensuring the implementation of cyber security controls to address identified risks;
  4. Managing cyber security incident response activities, as required; and
  5. Reporting information to the CIDO, as required.

Cyber Security team:

  1. Implementing cyber security controls to address identified risks;
  2. Providing cyber security guidance based on best practice, as required;
  3. Ensuring Third-Parties are aware of their cyber security responsibilities when receiving University information or accessing University information systems;
  4. Assisting in cyber security incident response activities, as required; and
  5. Reporting information to the CISO, as required.

Service Desk:

  1. Acting as a first point of contact for IT support requests;
  2. Providing basic troubleshooting and technical assistance for hardware and software issues; and
  3. Reporting cyber security events to the IT Cyber Security team.

Central IT:

  1. Implementing and maintaining IT Resources to ensure reliability and availability of the University’s services;
  2. Supporting the implementation of security controls to address identified risks, as required; and
  3. Assisting in cyber security incident response activities, as required.

Managers and Supervisors:

  1. Ensuring Staff under their supervision undertake cyber security awareness training;
  2. Ensuring Staff under their supervision conform to this Policy and related artefacts; and
  3. Requesting the removal of access to University IT Resources and information for Staff/Academics when no longer required.

University Staff who deploy or manage applications, computer or networking systems:

  1. Implementing IT Resources with security controls that align with the Computer and Network Security Policy;
  2. Maintaining the reliability and security of computer and networking systems;
  3. Decommissioning IT Resources and securely deleting information; and
  4. Ensuring Third-Parties are aware of their cyber security responsibilities when receiving University information or accessing University information systems.

Third-Parties:

  1. Meeting the requirements defined in contracts and Service Level Agreements (SLAs).

Vice-Chancellors:

  1. Ensuring Staff and IT Resources comply with this Policy and supporting artefacts.

Audit and Risk Committee (ARC):

  1. Overseeing and auditing the Information Technology programs, to ensure they are operating appropriately.

Information Technology Management Committee (ITMC):

  1. Overseeing and auditing the Information Technology programs, to ensure they are operating appropriately.

All Individuals/Groups:

  1. Complying with this Policy and related artefacts; and
  2. Reporting cyber security events to the IT Service Desk team or the IT Cyber Security team (cyber@mq.edu.au).

Acceptable Use of IT Resources

(4) IT Resources should be handled in accordance with the Acceptable Use of IT Resources Policy.

Information Handling

(5) Information should be generated, stored, processed and transmitted in accordance with the:

  1. Information Classification and Handling Procedure;
  2. Records and Information Management Policy; and
  3. Privacy Policy

Access Management

(6) Logical access to IT Resources should be managed in accordance with the Computer and Network Security Policy.

Logging, Monitoring & Alerting

(7) Logging, monitoring and alerting activities should be conducted in accordance with the Logging, Monitoring and Alerting Procedure.

Vulnerability & Patch Management

(8) Vulnerability and patch management activities should be conducted in accordance with the Vulnerability Management Policy. 

Network Security

(9) Network security controls should be implemented in accordance with the Computer and Network Security Policy.

Encryption

(10) The use of encryption should be conducted in accordance with the Computer and Network Security Policy.

Decommissioning & Destruction

(11) IT Resources should be decommissioned and destroyed in accordance with the Computer and Network Security Policy.

Software Development

(12) Software development activities will be conducted in accordance with the Secure Software Development Policy. 

Risk Management

(13) The University will assess, evaluate and manage cyber security risks in accordance with Confidentiality, Integrity and Availability requirements of IT Resources and information:

  1. this must be performed in accordance with the Risk Management Policy and Enterprise Risk Management Framework (ERMF); and
  2. risks should be reviewed annually at minimum.

(14) A register documenting the University’s cyber risks will be established. The register should include, at a minimum:

  1. risk statement;
  2. inherent risk rating;
  3. current mitigating controls;
  4. residual risk rating;
  5. risk owner;
  6. risk action; and
  7. reference to a recommendations plan (if required).

(15) Third-Party risks should be managed in accordance with the Third-Party Cyber Risk Management Policy.

Human Resources

(16) All Staff and Third-Parties with access to IT Resources should be screened in accordance with the Pre-Employment Checks Document.

(17) Contractual agreements between the University, Staff and Third-Parties (in accordance with the Third-Party Cyber Risk Management Policy), should outline their respective cyber security obligations and responsibilities:

  1. additionally, where appropriate, obligations and responsibilities contained within contractual agreements should continue for a defined period after termination (e.g., confidentiality requirements).

(18) Modifications and updates to this and all related policies must be communicated to all University Staff/Academics and Third-Parties in a timely manner, using the University’s official communication channels.

Incident Response

(19) An Incident Response Plan (IRP) should be defined and should document the relevant roles and responsibilities. The IRP should be reviewed and tested annually.

(20) University related cyber security events should be reported immediately to the IT Service Desk team or Cyber Security team (cyber@mq.edu.au), in accordance with the Acceptable Use of IT Resources Policy.

(21) University related cyber security incidents should be responded to in accordance with the IRP:

  1. the University is not responsible for managing cyber security breaches to Academic or Student personal emails, accounts or devices.

Compliance and Exemptions

(22) Exemption from this Policy should be sought from the Chief Information Security Officer (CISO).

(23) Breaches of this Policy by Staff and Students will be managed in accordance with the applicable provisions of the Student Code of Conduct, Student Conduct Rules, Student Conduct Procedure, Staff Code of Conduct and other relevant policy instruments.

Section 3 - Procedures

Software Acquisition

(24) The Cyber Security team should be involved in the process of acquiring Commercial Off-the-Shelf (COTS) software (e.g., Software as a Service).

(25) A risk assessment should be conducted prior to acquiring software solutions in accordance with the approved Cyber Data Protection Impact Assessment (DPIA) Checks Procedure.

(26) Software should be patched prior to deployment, in accordance with the Vulnerability Management Policy.

(27) Controls should be implemented commensurate with the application rating, in accordance with the Cyber DPIA Checks Procedure.

(28) Software nearing end-of-life should not be acquired unless there is a documented plan for mitigating risks associated with the lack of future updates and vendor support.

Backups

(29) Backups should be:

  1. retained in accordance with the requirements specific to the IT Resource and its classification;
  2. managed and maintained by the Operations Services team and Infrastructure and Cloud Operations team;
  3. tested monthly; and
  4. reviewed quarterly by the Operations Services team and Infrastructure and Cloud Operations team.

(30) Accurate and complete records of all backups should be kept.

(31) Backups should be retained for a period based on business importance as well as legislative and compliance requirements.

(32) Backup and recovery procedures should be documented and reviewed regularly.

(33) Backup strategies (e.g. full, differential and incremental) along with frequency, should comply with the security and recovery needs of the University.

(34) Backup media should receive adequate physical and environmental protection.

(35) All backup information should be afforded the same level of protection as the original information based on its classification in accordance with the Information Classification and Handling Procedure.

Business Continuity and Disaster Recovery

(36) Resources involved in critical business processes should be identified and the timelines for restoration and recovery should be defined.

(37) Cyber security risks that could cause interruptions to business processes should be identified, along with the probability and impact of such interruptions and their consequences.

(38) A Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) should be defined and should document the relevant roles and responsibilities. The BCP and DRP should be reviewed and tested annually.

(39) Business continuity and disaster recovery activities should be conducted in accordance with the:

  1. Business Continuity Management Policy; and
  2. Information Technology Disaster Recovery Policy.

Section 4 - Guidelines

(40) Nil.

Section 5 - Definitions

(41) The following definitions apply for the purpose of this Policy:  

  1. Information means any information in either physical or electronic format that is generated, created, stored, purchased or received during the conduct of University operations.
  2. IT Resource means any device or software that has value to the University and consequently needs to be suitably protected, including hardware (e.g., laptops, desktops, servers, network equipment, phones, printers, storage devices), and applications (e.g., cloud/desktop/server based).
  3. Staff means an individual directly employed by the University.
  4. Third-Party means an individual or organisation working under contract with the University.