Cyber Travel Policy

Section 1 - Purpose

(1) This Policy outlines the requirements when travelling to High-Risk Countries with the University’s IT Resources and Information, in physical or digital form.

Scope

(2) This Policy applies to University Staff travelling to High-Risk Countries with IT Resources and Information, for personal and work-related purposes.

(3) This Policy is not applicable to the Defence Industry Security Program (DISP).

Background

(4) Macquarie University (the University) is committed to maintaining a secure technology environment and, as such, has established requirements that apply when travelling to High-Risk Countries for personal or work-related purposes. Establishing these requirements aims to decrease the likelihood of compromise to the University’s IT Resources and Information.

Section 2 - Policy

(5) Prior to travelling to High-Risk Countries with IT Resources or University Information, Staff should notify the IT Cyber Security team (cyber@mq.edu.au).

(6) The IT Cyber Security Team should undertake a cyber risk assessment of the travel request to determine whether it is within the University’s risk appetite, per Section 3 of this Policy.

(7) Staff should seek a brief from the IT Cyber Security Team for travel guidance in accordance with the:

  1. Australian government Smartraveller website; and
  2. topic specific threat intelligence received by the University.

(8) Additional cyber security measures should be implemented on IT Resources taken overseas, including but not limited to:

  1. requiring a cyber security team approved Virtual Private Network (VPN) connection to access IT Resources;
  2. geo-restricting a user’s access to Information classified as Confidential or above; and
  3. restricting a user’s access to resources that are not specifically necessary during the trip (e.g., SharePoint sites, applications/software, Information).

(9) When accessing University IT Resources and Information, whether in physical or digital form, in locations not controlled by the University, Staff should take all reasonable steps to ensure compliance with the Acceptable Use of IT Resources Policy and this Policy.

Protection of Physical IT Resources

(10) IT Resources should not be taken when travelling unless required for fulfilment of work duties.

(11) IT Resources storing, or resources classified as Confidential or above (refer Information Classification and Handling Procedure) may be permitted to be taken overseas if a cyber risk assessment is undertaken to determine whether it is within the University’s risk appetite (per Section 3 of this Policy).

(12) Unique IT Resources (i.e., burner devices) should be issued to Staff with only the required Information stored on them. Upon return, these devices should be re-flashed prior to re-issue to other travellers.

(13) Unauthorised persons must not be provided with access to IT Resources.

(14) IT Resources should:

  1. not be left unlocked;
  2. not be connected to public or hotel Wi-Fi;
  3. not be left unattended in public areas or in motor vehicles;
  4. be turned off when going through airport security;
  5. be up to date with the latest software patches installed (e.g., software browsers and operating systems);
  6. have Wi-Fi and Bluetooth auto-connecting capabilities disabled; and
  7. have wireless file sharing capabilities disabled when not in use (e.g. ‘AirDrop’ on iOS or ‘Nearby Share’ on Android).

(15) Untrusted removable storage media (e.g., USB drives and external hard drives) should not be connected to IT Resources.

(16) IT Resources should be stored in hand luggage when travelling.

(17) IT Resources should only be charged using trusted charging devices (e.g., charger, cables, power adapters), and public charging stations or USB ports (e.g. airports, restaurants, conference rooms) should not be used.

Confidentiality of Information

(18) Information should be handled in accordance with the Information Classification and Handling Procedure and the Privacy Policy.

(19) Physical documents that are not required should not be taken when travelling.

(20) Physical documents should be stored in hand luggage when travelling.

(21) Screens and documents displaying Information classified as Confidential or above should not be shared with, or seen by, unauthorised persons (e.g., shoulder surfing).

(22) Work-related conversations should remain confidential and not be discussed where other persons may hear (e.g., elevators, lobbies, cafes, public transport).

(23) Confidential Information or above:

  1. should be securely stored when not in use; and
  2. that is no longer necessary should be securely disposed of (e.g., shredding).

Personal Devices

(24) If travelling with personal electronic devices with access to University Information classified as Confidential or above, the following applications should be removed:

  1. identity authentication solution; and
  2. any applications with access to University data.

Incident Notification

(25) Any Cyber Security incident should be reported to the IT Service Desk team or IT Cyber Security Team (cyber@mq.edu.au), in accordance with the Acceptable Use of IT Resources Policy.

Compliance and Exemptions

(26) Any exemption to this Policy must be sought from the Chief Information Security Officer (CISO).

(27) Breaches of this Policy by Staff will be managed in accordance with the applicable provisions of the Staff Code of Conduct and other relevant policy instruments.

Section 3 - Procedures

(28) A summary of the process to review travel requests is provided below:

Initiation: Travel request is submitted to the IT Cyber Security Team (cyber@mq.edu.au).

Step 1 (Individual: CISO)
Review the request details:
• Destination: Confirm the country of destination and country(s) of transit (e.g., countries the traveller will transit en route to the destination):
  - Identify any security concerns (e.g., High-Risk Countries or regions); and
• Purpose of Travel: Understand the purpose/objectives of the trip.

Step 2 (Individual: CISO)
Review the Staff member’s details:
• Clearance Level: Ensure the Staff member has the appropriate security clearance for any Information or activities involved in the travel; and
• Training: Confirm the Staff member has completed any relevant cyber security awareness training.

Step 3 (Individual: CISO)
Undertake a cyber risk assessment and consider the following:
• Threat Landscape: Assess cyber security risks of the destination and transit country(s) (e.g., high levels of cybercrime or political instability);
• Data Sensitivity: Determine the classification of Information that the Staff member has/may have access to. Some destinations may be a higher data security risk (e.g., countries with restrictive data laws or heightened surveillance); and
• Security Controls: Confirm what safeguards will be in place (e.g., secure travel devices, VPN access, geo-restrictions):
  - Identify if additional security controls are required.

Step 4 (Individual: CISO)
Engage with the Staff member to:
• Provide a travel guidance brief;
• Ensure the Staff member has read this Policy and understood its requirements;
• Travel Conditions: Set any specific conditions (e.g., mandatory daily check-ins, providing itinerary details, or restrictions on accessing IT Resources) for during travel;
• Capture the Staff member’s details (e.g., phone number and email); and
• Advise the Staff member to debrief on return if there was suspicious activity or a lost or stolen device.

Section 4 - Guidelines

(29) Nil.

Section 5 - Definitions

(30) The following definitions apply for the purpose of this Policy:

  1. High-Risk Countries means countries with a Level 2 or above rating, as per the Smartraveller website.
  2. Information means any information in either physical or electronic format that is generated, created, stored, purchased or received during the conduct of University operations.
  3. IT Resource means any device or software that has value to the University and consequently needs to be suitably protected, including hardware (e.g., laptops, desktops, servers, network equipment, phones, printers, storage devices), and applications (e.g., cloud/desktop/server based).
  4. Staff means an individual directly employed by the University.
  5. Third-Party means an individual or organisation working under contract with the University.