Cyber Security - Policy

1.0   Purpose and Scope

Cyber security enables confidentiality, integrity and availability of information by providing protection against malicious and accidental threats. Cyber security threats take advantage of weaknesses in technology, people and processes to harm information. The University of Queensland (UQ or the University) manages cyber security risk to safeguard its mission and protect the interests of the people whose personal information it holds. 

This policy establishes UQ’s cyber security risk management and responsibilities, and is based on the principle that cyber security is everyone’s business. Management of cyber security risk requires a concerted effort across all of UQ and cannot be considered just an aspect of information technology.

UQ’s approach to cyber security is informed by the Queensland Government Information Security Policy (IS18:2018).

1.1   Scope

This policy is broad and applies to parties at UQ that hold or process UQ information, including:

  • Students;
  • Staff;
  • Third parties (e.g. suppliers, contractors, consultants and partners);
  • Visitors.

Consumers (all users of UQ's information and communication technology resources and systems, as defined in the Information and Communication Technology Policy) must comply with this policy when using UQ networks or services, irrespective of location or device ownership (e.g. consumers using personally owned computers). Exceptions to this policy must be approved by the Chief Information Officer.

2.0   Principles and Key Requirements

2.1   Information Security Management Systems (ISMS)

UQ’s ISMS supports the UQ Cyber Security Strategy, which seeks to mitigate risk and protect UQ's critical information against increasingly aggressive and sophisticated cyber threats whilst continually adapting to UQ’s rapidly evolving needs. The key components of the ISMS are:

  • A Cyber Security Framework comprised of policies, procedures, local operating procedures, standards, guidelines and systems governing and facilitating cyber security management at UQ.
  • Technical cyber security controls to protect information systems.
  • A cyber security awareness program to reduce the vulnerability of staff and students to cyber security threats and foster a culture that facilitates cyber security.

2.2   Cyber Security Framework

The key platforms of the framework are information management, cyber security risk management and cyber security incident management, explained in sections 2.3 to 2.5. Cyber security standards form part of the framework:

  • The specification of cyber security controls is incorporated into relevant IT standards or as separate cyber security standards.
  • The University will have sufficient IT and cyber security standards to facilitate the effective implementation of cyber security controls across all IT infrastructure, systems and applications.
  • Standards will be developed in consultation with key stakeholders to support business requirements, provide adequate cyber security risk mitigation, and align with the cyber security strategy. 
  • Where a standard is not suitable for a particular instance, the Cyber Security Standard Exception Procedure applies; otherwise the standard must be followed.
  • Standards will be updated as required to reflect changes in security controls.

2.3   Information Management

Information management is critical to robust cyber security. Underpinning the cyber security framework, UQ’s Information Management Framework facilitates identification, management and governance of information assets. It mandates the security classification of information assets which provides the basis for consistent, risk-based protection.

Systems storing or processing UQ information must meet the minimum technical controls outlined in the Application Security Controls Standard. Where a system is external to UQ (hosted by a third party), it is the responsibility of the Contract Manager to ensure the system meets that standard.

2.4   Cyber Security Risk Management

Cyber security controls reduce cyber security risk by reducing the likelihood of an incident, its impact, or both. UQ will continue to identify and treat cyber security risk via the following measures:

  • Maintaining a register of key information assets.
  • Establishing a framework for performing cyber security risk assessments aligned with UQ’s Enterprise Risk Management Framework.
  • Incorporating cyber security risk identification and assessment into processes impacting the use and processing of UQ information. 
  • Maintaining a register of cyber security risks with related controls.
  • Reviewing risks at regular intervals and as a result of significant security incidents, threats or changes to business requirements.
  • Implementing and strengthening controls to reduce risk.
  • Evaluating the effectiveness of controls.

2.5   Cyber Security Incident Management

A cyber security incident is an actual or potential event that threatens the confidentiality, integrity or availability of UQ information assets (electronic or paper) or otherwise contravenes this policy. An incident may be accidental or malicious in origin, or may arise from significant exposure to a known threat.

The UQ Cyber Security Incident Management Procedure details how incidents are managed and aims to comply with applicable legal requirements, minimise harm to impacted individuals, and minimise damage and risk to UQ.     

Incidents should be reported immediately to IT support.

2.6   Cyber Security Vulnerability Testing

Security testing will be performed against systems, processes and people to determine UQ’s vulnerability to cyber threats. The results of this testing will be used only to measure and improve service quality and UQ’s protection against cyber threats.

3.0   Roles, Responsibilities and Accountabilities

3.1   Consumers

Consumers are responsible for reporting potential cyber security incidents to IT support, including those of an accidental nature such as a lost laptop or device.

UQ staff and contractors are responsible for:

  • Participating in cyber security training where relevant to their work role; and
  • Acting consistently and responsibly to protect the University’s information assets by –
    • Complying with procedures in place to protect information assets;
    • Incorporating safe cyber security practices into their work; and
    • Reporting risks to IT support.

3.2   IT Management and Staff

IT managers manage relevant cyber security risks and are accountable for compliance with relevant cyber security standards.

IT staff are responsible for:

  • Complying with relevant IT and cyber security standards and local operating procedures.
  • Assisting the Chief Information Officer to identify and develop suitable cyber security frameworks, standards and local operating procedures.
  • Monitoring IT systems and services for potential cyber security risks and threats.

3.3   Security Architect

The Security Architect is responsible for:

  • Facilitating, monitoring and supporting cyber security risk management and compliance practices.
  • Developing and maintaining cyber security strategy, policy, procedures, frameworks, local operating procedures and standards.
  • Incorporating cyber security into IT frameworks, local operating procedures and standards.
  • Overseeing the implementation and operation of UQ’s cyber security controls with broad impact.
  • Providing cyber security risk management information, resources and training to consumers.

3.4   Chief Information Officer

The Chief Information Officer is responsible for:

  • Promoting the importance of cyber security risk management to UQ leadership and staff delivering IT services.
  • Providing adequate resourcing for the management of cyber security risk.
  • Reporting on cyber security risk to the University Senior Management Group and Senate.

3.5   Information Technology Governance Committee (ITGC)

The ITGC will approve cyber security procedures, local operating procedures, and standards.

3.6   Strategic Information Technology Council (SITC)

The SITC provides guidance and governance on the provision and direction of University-wide information technology and cyber security strategy, and reports to the University Senior Management Group on these areas.

3.7   Enterprise Risk

Enterprise Risk, within the Governance and Risk Division, facilitates the effective management of risk at UQ. It is responsible for providing the Enterprise Risk Management Framework and risk appetite statements for cyber security.

3.8   Contract Managers

Unless otherwise stated in a contract or agreement with UQ, Contract Managers are responsible for ensuring suppliers or partners processing UQ information are:

  • Managing cyber security risk to protect UQ information.
  • Providing assurance to UQ about cyber security risk management activities.
  • Reporting to UQ any breaches impacting or potentially impacting UQ information as soon as practical after detection of the breach.

4.0   Monitoring, Review and Assurance

4.1   Ongoing Review

The Chief Information Officer will review this policy at least every three years to ensure it aligns with UQ’s cyber security strategy and industry best practice.

Information Technology Services will assess the ongoing maturity of UQ’s cyber security practices and review this policy in response to significant cyber security incidents and changes in UQ’s cyber security strategy and applicable legislation.

Information Technology Services will drive compliance with the policy through:

  • ongoing cyber security awareness activities;
  • checks in key IT processes to ensure cyber security risk management activities are performed;
  • technical enforcement;
  • regular reporting of self-assessments by Organisational Units on required cyber security controls implemented to protect information assets; and
  • audits to assess compliance and effectiveness of technical controls.

4.2   Internal Audit

Internal Audit will provide independent oversight, review and assurance on the effectiveness of cyber security controls to manage risk and meet compliance requirements.

5.0   Recording and Reporting

The Security Architect is accountable for the maintenance of cyber security metrics for periodic reporting to stakeholders. The metrics will cover the following aspects of UQ’s cyber security management:

  • Current risk level;
  • Control effectiveness;
  • Maturity of the University’s approach to cyber security against best practice frameworks;
  • Financial status.

Quarterly cyber security reports will be provided to the Senate Risk and Audit Committee.

5.1   Mandatory Reporting of Private Data Breaches

Under the Privacy Act 1988 (Cth), UQ must notify the Australian Information Commissioner of breaches of certain personal information that are likely to result in serious harm to affected individuals, unless remedial action is taken before the breach results in serious harm. In UQ’s case, this obligation is limited to breaches involving tax file numbers and metadata collected under the Telecommunications (Interception and Access) Act 1979 (Cth). Additional notification obligations may be imposed under contracts entered into by the University.

6.0   Appendix 

6.1   Related Policies and Procedures

Information Management Policy

Cyber Security Incident Management Procedure

Cyber Security Framework

Cyber Security Risk Management Framework

Cyber Security Standard Exception Procedure

Custodians
Chief Information Officer Mr Rob Moffatt

Cyber Security Exceptions - Procedure

1.0   Purpose and Scope

The University of Queensland (UQ or the University) establishes cyber security standards to ensure that cyber security controls are implemented consistently and comprehensively and to provide a basis for continual improvement. UQ’s cyber security standards are subject to rigorous review and approval processes to ensure they meet the business and technical requirements of the University, and are updated as UQ’s requirements change.

This procedure supports UQ’s Cyber Security Policy by providing the required process for effective management of exceptions to UQ’s cyber security standards to mitigate risk and satisfy business requirements at UQ. The procedure applies to all consumers of UQ’s information and communication technology (ICT) resources and systems (UQ consumers) as defined in the Information and Communication Technology Policy.

1.1   Context

A cyber security standard is a document setting out a specification, procedure or guideline. The standard should clearly model the outcome it is designed to produce, so that it is relatively easy to determine compliance. The standard may include permissible variations to a general scheme to provide flexibility and accommodate a broad range of situations.

2.0   Process and Key Controls

  1. Requests for cyber security exceptions must be made in writing to UQ’s Security Architect in accordance with the requirements of this procedure.
  2. UQ’s Security Architect will review all requests for exceptions in consultation with the requester and other key stakeholders and subject matter experts.
  3. Cyber security exceptions must be approved by the Chief Information Officer after considering advice and recommendations from UQ’s Security Architect.

An overview of UQ’s cyber security exception process is set out in section 7.1.

3.0   Key Requirements

3.1   Requesting an Exception

Requests for exceptions to cyber security standards must be submitted to UQ’s Security Architect (governance@its.uq.edu.au) and contain the following information: 

  • A description of the instance (the system, process or activity) to which the exception would apply.
  • A description of the required exception.
  • The reason the exception is required.
  • How long the exception is needed and a list of actions with time frames to implement compliance before the exception expires.
  • A completed risk assessment, including a description of an alternative cyber security control (if one is proposed).

3.1.1   Risk Assessment

In accordance with UQ’s Enterprise Risk Management Framework, a request for an exception must include a risk assessment to determine the level of risk that the University is exposed to if the exception is granted. The risk assessment will take into account any alternative cyber security controls that may be applicable to ensure the managed risk level remains within the University's risk appetite.

3.2   Criteria for Granting an Exception

Requests for cyber security exceptions will be assessed by UQ’s Security Architect against the following criteria:

  • Any adverse impact of applying the standard and the frequency of similar instances requiring an exception.
  • The length of time the exception is required for.
  • The proposed alternative control to provide acceptable risk mitigation.
  • The net benefit of granting an exception to the standard.

Cyber security exceptions will be granted on a time limited basis only and in alignment with UQ's Enterprise Risk Management Framework and risk appetite statement. Upon expiry of an exception, compliance with the cyber security standard is required or a new exception request must be submitted.

3.3   Review and Assessment of Exception Request

UQ’s Security Architect will review the request and assess whether:

  1. the request satisfies the criteria for granting an exception;
  2. the risk assessment identifies the relevant risks and controls to ensure the managed risk level is within UQ’s risk appetite; and
  3. the exception demonstrates a clear benefit to the University.

UQ’s Security Architect will make a recommendation to the Chief Information Officer based on the above assessment.

3.4   Approval

The Chief Information Officer will review the recommendation from UQ’s Security Architect and will decide whether to grant or refuse the request for a cyber security exception.

The Information Technology Services Division will advise the requester of the Chief Information Officer’s decision.

3.5   Cyber Security Exceptions Register

All cyber security exceptions that have been approved by the Chief Information Officer will be recorded in the University’s Cyber Security Exceptions Register, which will be reviewed annually by the UQ Security Architect and the Information Security Group.

4.0   Roles, Responsibilities and Accountabilities

4.1   UQ consumers

UQ consumers are responsible for submitting requests for exceptions to UQ’s Security Architect in accordance with the process outlined in this procedure.

4.2   UQ Security Architect

The UQ Security Architect is responsible for:

  • Reviewing requests for exceptions in consultation with the requester, relevant stakeholders and subject matter experts.
  • Managing cyber security exceptions including processing requests for exceptions in accordance with this procedure.
  • Maintaining the Cyber Security Exceptions Register.
  • Ensuring the University’s cyber security standards are well maintained.

4.3   Chief Information Officer

The Chief Information Officer is responsible for approving exceptions to cyber security standards after considering advice from UQ’s Security Architect.

5.0   Monitoring, Review and Assurance

The Chief Information Officer will review this procedure as required to ensure it aligns with UQ’s Cyber Security Strategy and industry best practice.

6.0   Recording and Reporting

The UQ Security Architect is responsible for reporting annually to the Chief Information Officer on information collected and held in the Cyber Security Exceptions Register.

7.0   Appendix

7.1   Cyber Security Exception Procedure

The diagram giving an overview of UQ’s cyber security exception process is not reproduced here. In summary, the process is: the requester submits a written request to UQ’s Security Architect (section 3.1); the Security Architect reviews it in consultation with the requester, stakeholders and subject matter experts and makes a recommendation (section 3.3); the Chief Information Officer decides whether to grant or refuse the exception and the Information Technology Services Division advises the requester (section 3.4); approved exceptions are recorded in the Cyber Security Exceptions Register (section 3.5).

7.2   Related Policies

Cyber Security Policy

Information and Communication Technology Policy

Custodians
Chief Information Officer Mr Rob Moffatt