Cyber Security Policy

Section 1 - Purpose

(1) This Policy specifies the cyber security responsibilities of Macquarie University staff, students, and other authorised users in order to protect the University’s people, information, and technology assets.

Background

(2) Information and information systems are vital for delivering the University’s broad range of functions and services. The University is committed to maintaining a respectful, safe, reliable, and secure technology environment that allows it to meet organisational objectives, contractual obligations, regulatory requirements, and ethical responsibilities.

Scope

(3) This Policy applies to:

  1. all technology resources used by, operated by, or provided on behalf of the University (including its controlled entities);
  2. all information collected, created, stored, or processed by, or for, the University on computer and network resources; and
  3. all individuals who utilise, or are involved in deploying and supporting, computer and network resources provided by the University.

Section 2 - Policy

(4) It is the responsibility of all individuals who are provided access to information or information systems operated by, or on behalf of, the University to:

  1. only access information, applications, and systems where access is authorised by the University;
  2. access and make use of the University’s computer and network resources in a secure and respectful manner;
  3. maintain the security and confidentiality of information generated or collected by the University in accordance with the Information Classification and Handling Procedure;
  4. handle information generated or collected by the University in accordance with the University’s Privacy Policy and Records and Information Management Policy;
  5. follow the cyber security guidance of the University delivered through training and awareness activities or communicated through official University channels;
  6. refrain from deliberately damaging or reducing the security of University systems;
  7. seek guidance from Macquarie Information Technology (IT) Cyber Security if unsure of secure practices; and
  8. promptly report Suspicious Events, Data Breaches, or policy violations to their manager or supervisor and the IT Service Desk.

POSITION AND ROLE-SPECIFIC CYBER SECURITY RESPONSIBILITIES

(5) The Chief Information Officer (CIO) is responsible for:

  1. ensuring that this Policy and related procedures align with the University’s goals and applicable government regulations, and are reviewed and updated in accordance with operational needs;
  2. overseeing the treatment of critical security incidents that impact the University in accordance with the Vulnerability Management provisions in the Computer and Network Security Procedure;
  3. sponsoring the implementation of agreed security controls to address identified risks; and
  4. approving exemptions to this Policy or the Acceptable Use of IT Resources Policy and supporting procedures.

(6) The members of the University Executive Group are responsible for ensuring that within their portfolios:

  1. all information collected, created, stored, or processed using the University’s computer and network resources is handled and protected in accordance with this Policy and related procedures.

(7) Macquarie IT Cyber Security is responsible for:

  1. authoring and requesting appropriate updates to this Policy and related procedures;
  2. aligning this Policy and related procedures to comply with applicable government regulations; and
  3. providing guidance to authorised users on best practice for cyber security.

(8) Managers and supervisors are responsible for:

  1. ensuring individuals under their supervision undergo the cyber security training provided by the University, and are aware of this Policy, the Privacy Policy and related procedures, before access to University systems or information is granted;
  2. promptly requesting the removal of access to University systems and information for individuals when no longer required; and
  3. promptly reporting Suspicious Events, Data Breaches, or policy violations identified by or reported to them, to the IT Service Desk.

(9) University staff, students, and other authorised users who handle highly sensitive information, per the Information Classification and Handling Procedure, are responsible for:

  1. only collecting or creating the information required for the designated purpose in accordance with the University’s Privacy Policy;
  2. only retaining the required information for the length of time necessary;
  3. employing the additional security measures specified in the Information Classification and Handling Procedure for the computers and mobile devices used for handling highly sensitive information;
  4. restricting access to information to only those who require access; and
  5. promptly notifying the IT Service Desk in the case of a suspected Data Breach.

(10) University staff who deploy or manage applications, computer, or networking systems are responsible for:

  1. implementing systems with security controls that align with the Computer and Network Security Procedure;
  2. maintaining the reliability and security of computer and networking systems;
  3. decommissioning systems and removing unneeded information in a secure manner;
  4. ensuring third parties are aware of their cyber security responsibilities when receiving University information or accessing University information systems; and
  5. promptly reporting Suspicious Events, Data Breaches, or policy violations to their manager/supervisor and the IT Service Desk.

Section 3 - Procedures

(11) Refer to the Computer and Network Security Procedure and Information Classification and Handling Procedure.

Section 4 - Guidelines

(12) Nil.

Section 5 - Definitions

(13) Commonly defined terms are located in the University Glossary. The following definitions apply for the purpose of this Policy:

  1. Authorised means given explicit permission by the University to access University systems with the username provided;
  2. Chief Information Officer means the person holding or acting in that position in the University, or any other person nominated by the Vice-Chancellor to exercise that role for the purpose of this Policy;
  3. Data Breach means the accidental or deliberate access to, or exposure of, University information by or to unauthorised parties;
  4. Exemptions are defined as any deviation from the requirements of this Policy or the Acceptable Use of IT Resources Policy and related procedures;
  5. IT Service Desk means the Macquarie IT function that provides direct IT support for staff, students, and other authorised users;
  6. Macquarie IT means the Macquarie University Information Technology office;
  7. Macquarie IT Cyber Security means the staff within Macquarie IT who are responsible for cyber security functions;
  8. Suspicious Event refers to an unusual event or incident that raises concerns of fraud or system attack by malicious individuals; and
  9. Technology assets means University computer and network systems that facilitate data access, processing, storage, or transfer.