Information Strategy and Technology Services

UniSA home

Directory

Staff Email

myUniSA

Library

About UniSA

Study at UniSA

Research

Community

• ISTS
  • AskIT
  • Resources for students
    • Service status
    • Computer barns and pools
    • Getting help
    • Getting started
    • Getting Connected
    • Internet Allowance
    • Printing Allowance
    • Work At Home Software
    • Computer Purchasing Offers - restricted access
    • Feedback Form
  • Resources for staff
    • Service status
    • Getting Connected
    • Usage information
    • Computer Pools
    • Hardware purchasing
    • Software purchasing
    • Governance and Planning
    • Policies and procedures
    • Tenders
    • Telephony System Upgrade Project (TSUP)
    • Using Email
    • Feedback Form
  • For ISTS Staff
  • For IT Support Staff
    • Technical Resources
    • IT Support Staff Workshops-Restricted Access
    • Service Delivery
    • Support Matrix-Restricted Access
    • HP Service Desk - Hints
    • Dipam Distributions

Security and information policy

1 PRINCIPLES

1.1 Purpose
1.2 Scope
1.3 Risk Assessment
1.4 Users
    1.4.1 Rights
    1.4.2 Responsibilities
    1.4.3 Privacy
1.5 Account Management
1.5.1 Responsibilities
1.5.2 Detection and Prevention of Account Misuse
1.6 Password Management
1.7 Security Breaches
    1.7.1 Physical Security
    1.7.2 Security Incident Reviews
1.8 Security Audits
1.9 Review and Amendment of Security Principles, Procedures and Guidelines
1.10 Training
1.11 Security Guidelines for University Workstations
1.12 Legal Responsibilities

 

2 PROCEDURES

2.1 Physical Access
2.2 Hardware
2.3 Software
2.4 Data Security
2.5 Communications
2.6 Internet Security
2.7 Mobile computing devices
2.8Electronic Mail
    2.8.1 Electronic Mail Privacy
    2.8.2 Voluntary Granting of Access to Electronic Mail
2.9 Reporting Alleged MisUse of IT Facilities-Procedures
   2.9.1 Procedures
2.10 Security Breaches-ISTS Staff

 

1     PRINCIPLES

1.1 Purpose

This document states the information technology security principles and procedures of the University. Information technology (IT) facilities as used here includes computer systems, data networks, user workstations, PABX systems and telephones.

The principles and procedures cover the conditions of use of the University’s IT facilities, the rights and responsibilities of users and Administrators and the methods used to implement the principles and procedures.

The aim is to ensure:

• the provision of high quality IT services;
• the integrity and validity of data;
• an ability to recover effectively and efficiently from disruption; and
• the protection of all the University’s IT assets including data, software and hardware.

1.2 Scope

The principle and procedures cover all areas of the University, all Staff, all students and all other users of the University’s IT facilities.

The management of the Division, School or Unit which maintains the facility are responsible for adhering to the principles. The local IT support staff who administer the facility are responsible for following the security procedures for the facility.

The Information Strategy & Technology Services Unit (ISTS) is responsible for those facilities which it manages.

1.3 Risk Assessment

The University will, through the ISTS, carry out regular risk assessments of its IT security environment. The aim of such an assessment is to estimate the University’s potential vulnerability, to ensure that security measures being taken are sufficient to reduce the risk to acceptable levels and to estimate the costs associated with achieving an appropriate level of security.

The potential risks include:

• users with higher than necessary levels of access;
• workstations not logged off correctly;
• shared usernames and Passwords;
• lack of adherence to procedures;
• disaffected employees;
• lack of security awareness;
• unauthorised access;
• viruses;
• dial-in access;
• lack of control over changes made to systems or data;
• legal consequences of Security breaches;
• fire;
• water;
• sabotage;
• risks associated with Internet access;
• public embarrassment;
• dependence on a small number of staff for security management; and
• inability to satisfy contracts with commercial clients.

1.4 Users

1.4.1 Rights

Users have a right to privacy while engaged in legitimate activity on University IT facilities. This right may, on occasion, be superseded as indicated in 2.4.3 Privacy below.

The University policies on confidentiality will be observed. These are documented at:

• Policy A-46. CONFIDENTIALITY OF STUDENTS' PERSONAL INFORMATION at http://www.unisa.edu.au/policies/policies/academic/a46.asp
• Policy C-20.2 UNIVERSITY ACTIVITIES POLICY at  https://www-p.unisa.edu.au/policies/policies/corporate/C20.asp 
• CODE OF ETHICAL CONDUCT at http://www.unisa.edu.au/policies/codes/ethics/ethics.asp

1.4.2 Responsibilities

Users’ responsibilities include:

• ensuring that confidentiality and privacy of data is maintained;
• the safekeeping of their username and password;
• ensuring the security of their workstation by logging off or locking it when it is left unattended;
• ensuring the security and privacy of print-outs produced from University computer systems;
• compliance with all relevant State, Federal and International law;
• compliance with University policy, procedures and guidelines;
• avoiding excessive use of IT resources, which may conflict with the rights of others;
• compliance with any quotas or limits imposed by the University;
• adherence to accepted community standards of expression when communicating with other people using any computer system; (see http://www.unisa.edu.au/ists/GovernanceInIT/Policies/others/netiqtte.asp for more information)
• not harassing or causing annoyance to other users by direct or indirect communication;
• not forging electronic mail messages, news articles, or any other type of electronic correspondence; and
• not using the username or password of other users.

1.4.3 Privacy

Users have a legitimate expectation to privacy in the carrying out of approved activity on University IT facilities. However, the University also has a legitimate right to inspect any data on a computer system (regardless of data ownership), to prevent, detect or minimise unacceptable behaviour on that computer system. Where such action is taken, users who have data inspected, and are found to be conforming to this policy, have a legitimate expectation that confidentiality will be preserved. This section formalises this agreement.

The University may monitor or use any Account, device, or workstation without notice.

The University may inspect, without notice, any data on any resource owned by the University (regardless of data ownership), including electronic mail and other forms of communication. In this situation, the approval of the Vice Chancellor must be obtained before a staff member's electronic mail box is accessed.

In the course of carrying out computer system auditing operations, the University may access and copy any file on any computer system owned by the University. Subject to all other conditions of this Statement, the University is obliged to maintain confidentiality as a result of such access.

The University reserves the right to capture and inspect any data on any networking infrastructure owned by the University.

The University has the right to give to any appropriate member of the University community, or law enforcement bodies, any information it possesses regarding the use of the University's IT resources.

These conditions apply to:

• data which is limited by contractual obligation including copyrighted software and software that is patented or which contains trade secrets;
• financial data relating to the operation of the University which, if subject to manipulation or errors, may adversely affect the University; and
• personal data - both Staff and student - which is held by the University.

1.5 Account Management

1.5.1 Responsibilities

The overall responsibility for the management of the security of data rests with the Director: Information Strategy & Technology Services.

The responsibility for the administration of information security procedures must be assigned to specific personnel in such a way that the procedures can be implemented and monitored while still guaranteeing that the overall security of the University’s computing facilities is not compromised.

As part of the security procedures, it is desirable that access to critical systems is monitored on a continuing basis and audit trails or access logs maintained.

1.5.2 Detection and Prevention of Account Misuse

It is in the interests of all account holders that the University negates or minimises any potential or actual Security breach. The University may disable accounts without notice, regardless of whether the Account itself is suspected of having been misused.

All other accounts owned by the account holder may also be disabled without notice. The University decides the nature and period of account suspension. IT Services may choose to notify local IT support staff or cost centre managers of accounts disabled on a case by case basis.

All unsuccessful attempts to logon to University computer systems must be logged. In some cases for some systems, the account will be disabled after three unsuccessful attempts.

Workstations which are logged in and inactive for an extended period of time, and which are not being used to process or monitor foreground or background tasks, must be automatically logged off and the details logged for later review.

1.6 Password Management

Passwords are a primary defence mechanism on many computer systems. Careful selection of passwords improves security. Individual users are responsible for the robustness and maintenance of their own passwords. Individual users are responsible for the defence of any accounts held by them. The following guidelines for use of passwords shall apply.

• Passwords must be used where possible.
• Passwords must be at least eight characters in length.
• A newly-issued password must be changed as soon as possible after issue.
• Passwords must be changed regularly, within a period determined by the ISTS.
• Passwords must not be displayed in a manner where they are easily seen by others.
• Users, when logging on, must not permit anyone to see their password being entered.
• Passwords must not be disclosed to others.
• Passwords should not be easily associated with a particular user.
• Users must not save passwords electronically within Applications.
• Guest logons will be used only in special circumstances and only with the specific approval of the Director: Information Strategy & Technology Services, or nominee.
• A user who realises that a password has been compromised shall change the password, if possible. The user is required to report all details of the breach to the IT Help Desk.

Passwords shall be checked to ensure that they comply with guidelines and are non-trivial.

Information on correct selection of passwords shall be readily available and widely distributed.

The use of automatic logons for workstations is not permitted.

1.7 Security Breaches

The University will refer incidents involving a breach of State, Federal or International law to the appropriate authority for investigation. The University will give that authority all reasonable assistance requested.

If a security breach occurs in which a person or organisation external to the University is involved as a potential victim of the breach, the University will provide to the external party the details specific to that party.

If a security breach involves facilities strictly internal to the University, the ISTS will be responsible for coordinating any investigations that may follow. These investigations may lead to disciplinary procedures in accordance with the Acceptable Use of University Information Technology Facilities policy.

1.7.1 Physical Security

The ISTS and the Security team in Services are jointly responsible for physical security of publically accessible IT facilities. Alarm systems may be used and alarm incidents will be attended by security officers.

Breaches of physical security or of physical abuse of IT facilities should be reported directly to Security on the relevant campus if the incident is happening, or to the IT Help Desk (internal telephone 25000, external 8302 5000) if the effects of an incident are discovered after the event.

1.7.2 Security Incident Reviews

The person who carries out the technical investigation of a security breach shall submit a report to the Director: Information Strategy & Technology Services, or nominee, outlining the following details (where possible):

• the general nature of the security breach;
• the general classification of people involved in the security breach, (such as external client, privileged staff member);
• the computer systems involved in the security breach;
• the details of the security breach;
• the impact of the security breach;
• unrealised, potential consequences of the security breach;
• possible courses of action to prevent a repetition of the security breach;
• side-effects of those courses of action.

Where appropriate, remedial action should be taken on the basis of this report.

1.8 Security Audits

Regular auditing procedures shall be carried out on all computer systems to check for conformance to policy, and to satisfy the requirements of the University's internal and external auditors. The depth and regularity of each level of audit should be part of the University’s planning process.

The ISTS is responsible for auditing the computer systems which it manages. Systems managed by local IT support staff should be audited by those staff in accordance with these procedures.

Audit procedures, of any level, may be carried out on any IT facilities at the discretion of the University.

In particular all Administrator groups and Accounts will be audited regularly and a list of requirements to meet for granting of Administrator privileges will be used to decide which staff have Administrator rights on which systems. The group identified as managing the system will be made aware of any changes to the Administrators of that system.

All unauthorised access attempts must be noted and logged. The Audit Trail/System Access Log must be reviewed daily, exception reports generated and inspected by the appropriate ISTS staff member and appropriate action taken.

Copies of all access logs should be securely archived for at least one year and an off –site copy should also be retained.

1.9 Review and Amendment of Security Principles, Procedures and Guidelines

Security Principles, Procedures and Guidelines shall be reviewed on a regular basis and may be amended as required.

1.10 Training

The level of security that can be implemented within the University depends to a large extent on the understanding and co-operation of all staff. The key to good security is based on staff awareness and training.

Personnel who have been granted access to computer systems have a responsibility for the safe keeping of data within their own area of work. Users must be aware of the ways in which the security of data can be enhanced.

To assist staff to gain an understanding of how system security can be enhanced it is necessary to:

• define staff responsibilities and related procedures;
• provide education and appropriate supervision; and
• ensure an understanding of confidentiality requirements.

It is essential that all aspects of IT security, including confidentiality, privacy and procedures relating to system access, should be incorporated into formal staff induction procedures for all new Staff` and be conveyed to existing staff on a regular basis.

All staff, on commencement of employment, should be made aware that they must not divulge any information that they may have access to in the normal course of their employment. Staff must also be made aware that they should not seek access to data that is not required as part of their normal duties. 

1.11 Security Guidelines for University Workstations

ISTS will be responsible for creating, maintaining and publicising guidelines for configuration settings that will improve the security of all operating systems approved by the Information Technology Advisory Committee.

ISTS will also make these settings available to approved suppliers where appropriate and request that these settings are loaded on all machines delivered to the University.

1.12 Legal Responsibilities

All users of the University IT facilities and services are subject to relevant State, Federal and International laws. Examples of these laws include the South Australian Summary Offences Act and the Commonwealth Crimes Act 1914. Persons committing breaches of these laws may be charged under the act relevant to the state or territory in which the offence was committed.

 

2     PROCEDURES

2.1 Physical Access

Critical IT facilities managed by ISTS shall be restricted to authorised staff through the use of Passwords, locks or access-control devices. These facilities include, but may not be limited to, ISTS computer rooms, ISTS rooms containing key servers, network & communication rooms and wiring closets.

Visitors to such areas shall be permitted only under the supervision of authorised ISTS staff. Details of visitors including name, time in, time out, and reason for entry shall be recorded in a log. Visitors include all non ISTS staff.

During non-working hours, secure areas shall be protected against intrusion by appropriate surveillance systems or by security staff.

2.2 Hardware

The effect of electrical power outages and fluctuations are protected against by the uninterrupted power supplies (UPS) and surge protection devices.

Critical IT facilities are adequately protected against fire and water damage and the effect of electrical power outages and fluctuations.

2.3 Software

All material associated with any computer system, including software and printed materials, which is not in the public domain must be treated in accordance with any applicable copyright agreements, restrictions and usage agreements. Such material must be licensed (if required) in an appropriate manner and may be obtained only in a legal manner from a legal source.

Users will not use the facilities of any computer system for storing, accessing or otherwise using any material which in any way infringes a copyright or usage agreement.

2.4 Data Security

An appropriate regular back-up schedule shall be implemented to protect all server-based data and software deemed critical. A sufficient number of backups of all data and software is stored off-site to protect against major damage at one location.

The backup procedures are clearly defined, tested and documented.

The use of a computer system supplies the user with information about the computer system, as well as information about the University. This information is essentially private to the University and, in some cases, essential for the user to know in order to carry out useful work. Therefore, a trust relationship exists between the user and the University.

A user will not use a computer system or any Account, or otherwise attempt to access any file or device, to access, modify or disclose information that he or she is not authorised to use or possess.

Highly sensitive data should be Password protected and encrypted.

2.5 Communications

The University grants the user an account or accounts to permit users to either access IT services within the University or to access IT facilities from a source external to the University.

The user will access (or attempt to access) remote accounts in a manner that abides by the conditions of use of the remote computer system.

The University may impose restrictions on an outgoing connection from any system under the University’s control.

2.6 Internet Security

The Internet will be treated as a potentially hostile environment.

No University IT systems will have access to the Internet without approval of the Director: Information Strategy & Technology Services or nominated delegate.

Security on systems which do have access to the Internet will be subject to ISTS guidelines.

For many systems, access to the Internet will be via a Firewall. Only explicitly permitted traffic is allowed through the firewall. All other traffic is rejected. Management of a firewall for Internet access is the responsibility of the ISTS.

All traffic passing through the account may be logged and may be audited.

Packet filtering will be used with rules which keep the risk to the University community to a minimum.

Where possible, access by outside users will be restricted.

2.7 Mobile Computing devices

Mobile computing devices and portable electronic storage media that contain confidential, personal, or sensitive University of South Australia information should use encryption or equally strong measures to protect the data while it is being stored. Mobile computing devices must be configured to require a password or PIN to be entered in order to gain access to the device.

2.8 Electronic Mail

The University provides electronic mail facilities to support its academic and administrative functions. Any use of the facilities which interferes with these activities is forbidden.

The following are also forbidden in the use of electronic mail:

• use for any purpose which is illegal under State, Federal or International law;
• use of another’s identity;
• concealment or misrepresentation of name or affiliations;
• alteration of source or destination Address;
• use for commercial or private business purposes; and
• sending material which harasses, intimidates, abuses or offends others.

All users of the University electronic mail system are subject to the Acceptable Use of University Information Technology Facilities policy. There are penalties for breaches of this policy.

2.8.1 Electronic Mail Privacy

Users of electronic mail are advised that the privacy and confidentiality of electronic mail cannot be guaranteed. Staff supporting electronic mail systems will not monitor the contents of electronic mail messages in normal circumstances, but the University reserves the right to inspect, copy, store and disclose the contents of electronic mail messages at any time. However, it will only do so when appropriate to prevent or correct improper use, satisfy a legal obligation, assist in internal investigations related to University policy or ensure proper operation of the electronic mail facilities. A system administrator who believes such action is necessary must first obtain the approval of the Director: Information Strategy & Technology Services, or nominee. If the mailbox involved belongs to a Staff member, approval must be granted by the Vice Chancellor.

2.8.2 Voluntary Granting of Access to Electronic Mail

Users of electronic mail systems at the University may grant Permissions to a system administrator to examine their electronic mail messages under circumstances where such access would permit the resolution of a problem relating to the use of, or an incident relating to, the electronic mail environment. Users may grant permission for a specific system administrator to access their electronic mail provided that;

• the access is subject to University confidentiality provisions,
• the access is by a specific person and
• the access is not open ended but limited to a specific time frame which achieves the desired outcome of solving the user’s problem.

 

2.9 Reporting Alleged Misuse of IT Facilities-Procedures

"Misuse" is defined as any use outside that permitted under University Council Corporate Policy C-22.0 Acceptable Use of University Information Technology Facilities. This policy may be read on the University Web site at

http://www.unisa.edu.au/policies/policies/corporate/C22.asp

Information Strategy & Technology Services Unit (ISTS), in dealing with misuse, is concerned principally with managing the information technology resource of the University for its most effective use for authorised work, and in being good "network citizens" by following up complaints about University of South Australia users from outside organisations.

If you receive an abusive or inappropriate email:

• do not delete the message.  Important information can be gleaned from email messages that can help positively identify the real offender or their location.
• if you have reason to believe that someone other than yourself is using the account, record your recent logins (date, time and location)

2.9.1 Procedures

In general, reports from staff or students of the University should be directed to the IT Help Desk (Internal telephone 2 5000, external 8302 5000). Staff members receiving complaints from outside the University should pass them on to the Help Desk and inform the complainant that the report has been passed on.

Occasionally, where issues of possible serious misconduct arise, a senior staff member (Senior Management Group, Divisional, School or Unit Head) may prefer to report directly to the Director: Information Strategy & Technology Services.

ISTS receives frequent complaints about students misusing IT facilities in general purpose computing pools.

• If misuse is observed, immediately telephone Security and ask for urgent attendance of a Security Officer. Dealing with an offender "caught in the act" is preferable to lengthy investigations "after the event". The IT Help Desk needs to be notified as soon as possible.

• In reporting to the IT Help Desk, if possible provide;
• offender’s identity (or description),
• number of the PC used and where it is located, and
• exact time an offence was observed. (To permit tracing the activity in computer logs).

Unless the activity can be traced back to a particular user, little remedial action is possible.

• IT Help Desk will notify the Coordinator, IT Accounts and Security of the Security breach

Policy C-22.0 details procedures for handling reports of misuse. The ISTS maintains a record of reports, with particular note of those traced back to particular user Accounts.

Action following identification of a user may vary from a formal warning to a disciplinary hearing which may lead to closure of a computer Account or other disciplinary action. The University may also refer a complaint to an external authority such as the police, where this is considered appropriate.

Return to PPPG Index

 

2.10 Security Breaches-ISTS Staff

Once a breach of security is confirmed, the following steps should be taken as urgently as possible. These steps are listed in the order that they should be taken by ISTS staff. If a particular step is not appropriate to the breach, then the reader should ignore it and move to the next step.

• The Director: Information Strategy & Technology Services, or nominee, should be notified as soon as practicable.
• If continuation of the breach will cause serious damage to property or persons, action should be taken as soon as possible to halt or minimize this effect.
• If the Security breach involves a breach of State, Federal or International law, the appropriate authorities should be notified as soon as possible.
• If another academic or administrative unit is involved, that unit should be notified as soon as possible, preferably via the cost centre manager or an approved representative.
• If an organisation or person external to the University is involved in any capacity, then the Australian Computer Emergency Response Team (AUSCERT) should be contacted.

If an organisation or person external to the University is involved as a potential victim, then that organisation or person should be advised as soon as possible.

top^

Footer Navigation

• Disclaimer |
• Copyright |
• Privacy |
• Web accessibility |
• CRICOS Provider no 00121B |
• Contact UniSA

• Site help |
• Midyear entry |
• Open Day |
• UniSA Events |
• Read this page

Latest content revision:Wednesday, 8 December 2010

This site will work and look better in a browser that supports web standards, but it is accessible to any browser or Internet device.