
Third-Party Cyber Risk Management Policy

Section 1 - Purpose

(1) This Policy outlines the requirements to maintain the security of Macquarie University IT Resources which are operated and/or maintained by Third-Parties.

Scope

(2) This Policy applies to all Macquarie University (University) Staff who engage with Third-Parties and Third-Parties with access to the University’s IT Resources.

Background

(3) The University is committed to maintaining a secure technology environment and as such has established requirements to manage Third-Party risks. By establishing these requirements, the University aims to reduce the risk attached to the use of Third-Parties.


Section 2 - Policy

(4) All Third-Parties engaging with the University are expected to protect the confidentiality, integrity, availability, non-repudiation and authentication of the University’s Information and IT Resources, commensurate with the risks posed to them.

(5) Third-Parties with access to IT Resources should complete University cyber security awareness and training upon induction.

(6) An Information Sharing Agreement should be established prior to any engagement/disclosure of Information between the University and Third-Parties.

(7) All sharing of Information between the University and Third-Parties should be performed using an approved secure file transfer method.

(8) Third-Parties should only be engaged to provide products or services to the University under an appropriate contract or agreement.

(9) A risk assessment must be carried out for each Third-Party requiring access to IT Resources and Information, prior to entering into a contract or agreement, as per the ‘Third-Party Risk Assessment’ section of this Policy.

(10) Third-Parties must inform the University’s IT Cyber Security team (cyber@mq.edu.au) of Relevant Cyber Security Incidents within 72 hours of detection.

(11) Third-Parties should agree to abide by the University’s cyber security Policies.

Third-Party Acquisition

(12) Prior to entering into a contract or agreement, Third-Parties should be evaluated per the Procurement Policy and the selection criteria outlined in the ‘Third-Party Acquisition Criteria’ Section of this Policy.

(13) Selection criteria of Third-Parties must be re-evaluated when expanding an existing relationship to include different products or services.

(14) Cyber security clauses within contracts with Third-Parties providing services or technology related products to the University should be reviewed by the IT Cyber Security team, the Procurement team and the Office of General Counsel before execution.

(15) Decisions regarding the engagement of a Third-Party should be made in conjunction with the relevant business unit, the Cyber Security team, the Procurement team and the Office of General Counsel, once the risks of engaging the Third-Party have been determined and the contract has been reviewed.

Third-Party Risk Management

(16) A register of the University’s Third-Parties should be established, maintained and regularly reviewed.

(17) The Cyber Security Team should develop, maintain and regularly review a Third-Party cyber security questionnaire.

Third-Party Risk Assessment

(18) Prior to entering into a contract or agreement, the Area that is engaging a supplier should assess, evaluate, and manage risks associated with Third-Parties in accordance with the Risk Management Policy and Enterprise Risk Management Framework (ERMF).

(19) Risk assessments should consider the information outlined in the ‘Third-Party Risk Assessment Considerations’ Section of this Policy.

(20) Third-Parties should be re-assessed periodically, or when an existing agreement/contract expands to include additional/different products or services.

Monitoring Third-Parties

(21) Third-Parties should be monitored for non-conformance against the agreed security requirements by the Area responsible for their engagement.

(22) If a Third-Party has been identified as non-conforming, the engaging Area should mitigate the risks associated with the identified non-conformance. The IT Cyber Security team will:

  1. perform a risk assessment on the instance of non-conformance, as per the ERMF;
  2. determine appropriate mitigation strategies to reduce the risk to the University; and
  3. implement appropriate mitigation strategies in conjunction with the Third-Party.

Contract termination

(23) When a Third-Party relationship is terminated, the relevant Information Technology team will action the following to maintain the security of the University’s IT Resources:

  1. De-provision access rights for relevant Third-Party personnel, in accordance with the Computer and Network Security Procedure.
  2. Require that any University Information classified as Confidential or above be returned and Securely Deleted from Third-Party infrastructure.
  3. Require that data deletion be accompanied by an attestation of deletion from the Third-Party.
  4. Reassert information confidentiality requirements and intellectual property ownership determinations; and
  5. Ensure that all IT Resources provided to Third-Party personnel are returned.

(24) Third-Parties must provide the University with timely access to any data held on the University’s behalf:

  1. Data must be delivered in a complete, accurate, and usable format, (e.g., CSV, JSON, XML) unless otherwise agreed; and
  2. Third-Parties must not delay, withhold, or condition access to data and must ensure that retrieval is performed in a manner that supports the University’s operational, legal, and regulatory obligations.

Compliance and Exemptions

(25) Any exemption to this Policy must be sought from the Chief Information Security Officer (CISO).

(26) Breaches of this Policy will be managed in accordance with the applicable provisions of the Staff Code of Conduct and other relevant policy instruments.


Section 3 - Procedures

Third-Party Acquisition Criteria

(27) The following selection criteria should be considered when evaluating a prospective Third-Party:

  1. the Third-Party’s reputation and history;
  2. the University’s prior history with the Third-Party;
  3. the Third-Party’s country of origin; and
  4. the Third-Party’s ability to deliver the required products or services.

Third-Party Risk Register

(28) The Third-Party Risk Register should include, at a minimum, the following:

  1. the name of the Third-Party;
  2. the services/products they offer;
  3. key contacts;
  4. the University Business Owner;
  5. whether the Third-Party has access to the University’s IT Resources (and if they are critical);
  6. whether the Third-Party has access to the University’s Information (and the classification);
  7. whether a cyber security questionnaire has been completed by the Third-Party; and
  8. the risk level presented by engaging the Third-Party for products and/or services.

Third-Party Risks

(29) To effectively manage risks posed by Third-Parties, the following should occur:

  1. Third-Parties should be required to complete the cyber security questionnaire and provide the responses along with required supporting artefacts (e.g., evidence);
  2. the IT Cyber Security team should review the responses to the cyber security questionnaire to determine the level of risk the Third-Party will pose to the business; and
  3. Third-Parties should be required to complete the cyber security questionnaire as part of their review cycle, for the University to determine if the level of risk posed by the Third-Party has changed.

Third-Party Risk Assessment Considerations

(30) Third-Party Risk Assessment considerations include:

  1. recent assurance activities/independent audits conducted against the Third-Party (e.g., System and Organization Controls 2 - Type 2, Information Security Registered Assessors Program) and existing certifications (e.g., ISO 27001) maintained by the Third-Party;
  2. the classification of the Information and/or IT Resources involved in the service;
  3. the type, level and duration of access to be granted to the Third-Party (logical and/or physical);
  4. the controls implemented and managed by the University to manage the Third-Party’s access to the Information and/or IT Resources;
  5. the controls required to be implemented or managed by the Third-Party;
  6. if the controls of the service or product align with:
    1. authorisation and authentication requirements defined within the Computer and Network Security Procedure;
    2. logging and monitoring capabilities (e.g., application logs);
    3. data security capabilities (e.g., encryption);
    4. continuity capabilities (e.g., backup services, disaster recovery services);
    5. incident management capabilities; and
    6. physical security expectations; and
  7. if the Third-Party uses its own suppliers (i.e., a Third-Party's Third-Party) to provide products or services to the University.

Third-Party Contract Requirements

(31) Third-Party contracts and service level agreements should clearly specify cyber security requirements that pertain to the product/service. Where applicable, contracts or agreements should specify, at a minimum:

  1. Information handling requirements (e.g., confidentiality, non-disclosure, data sovereignty);
    1. the University is to retain ownership of all University Information stored or processed by the Third-Parties; and
    2. upon request by the University, Third-Parties should securely delete any Information they hold and provide proof of secure deletion;
  2. the duration of the contract or agreement;
  3. the level, purpose and duration of access to IT Resources and Information;
  4. the requirement to adhere to the University’s cyber security Policies;
  5. any/all expectations regarding the Third-Party’s security controls to ensure that they are aligned with the requirements of the University’s cyber security Policies;
  6. that the University reserves the right to conduct security audits of the Third-Party’s conformance to the University’s cyber security Policies, as deemed necessary;
  7. any security requirements as mandated by the governing law and/or other legal or contractual obligations;
  8. that individuals who have access to IT Resources or Information are bound by the contract with the Third-Party;
  9. that a background verification is required for the Third-Party’s personnel prior to them being provisioned access to the University’s IT Resources and Information;
  10. obligations to report and assist with the resolution of any security weaknesses and/or incidents or suspected incidents that may impact the products or services provided by the Third-Party;
  11. the requirement to notify the University within 72 hours of detecting a Relevant Cyber Security Incident that occurs within the Third-Party’s environment and has/may have an impact on the University;
  12. a notice that the University reserves the right to engage an independent auditor to review or observe any Third-Party incident response activities undertaken in the Third-Party’s environment;
  13. resilience and recovery requirements based on the criticality of the products or services provisioned by the Third-Party;
  14. requirements for the return or disposal of IT Resources upon termination of the contract or agreement;
  15. break clauses associated with failure to meet security requirements;
  16. access to all logs generated by the Third-Party relating to the University’s data and services;
  17. use of any additional suppliers (i.e., fourth parties to the University) relied on by the Third-Party to deliver their products and/or services as part of the contract, and the obligations of the Third-Party to ensure their suppliers also meet the requirements of the contract; and
  18. definition of key terms (e.g., incident, vulnerability, information) to avoid any misunderstanding.

Section 4 - Guidelines

(32) Nil.


Section 5 - Definitions

(33) The following definitions apply for the purpose of this Policy:

  1. Information means any information in either physical or electronic format that is generated, created, stored, purchased or received during the conduct of University operations.
  2. Intellectual Property means all forms of intellectual property rights throughout the world including copyright, patent, design, trademark, trade name, and all confidential Information including know-how and trade secrets.
  3. IT Resource means any device or software that has value to the University and consequently needs to be suitably protected, including hardware (e.g., laptops, desktops, servers, network equipment, phones, printers, storage devices), and applications (e.g., cloud/desktop/server based).
  4. Relevant Cyber Security Incident means an actual event that originates from a cyber based threat, which impacts the confidentiality, integrity or availability of a product or service provided by a Third-Party.
  5. Securely Deleted means the deletion of Information in such a way that it is unrecoverable (e.g., shredding, degaussing, cryptographic erasure).
  6. Staff means an individual directly employed by the University.
  7. Third-Party means an individual or organisation working under contract with the University.