Cyber Security - Policy

1.0   Purpose and Scope

Cyber security enables confidentiality, integrity and availability of information by providing protection against malicious and accidental threats. Cyber security threats take advantage of weaknesses in technology, people and processes to harm information. The University of Queensland (UQ or the University) manages cyber security risk to safeguard its mission and protect the interests of the people whose personal information it holds. 

This policy establishes UQ’s cyber security risk management and responsibilities, and is based on the principle that cyber security is everyone’s business. Management of cyber security risk requires a concerted effort across all of UQ and cannot be considered just an aspect of information technology.

UQ’s approach to cyber security is informed by the Queensland Government Information Security Policy (IS18:2018).

1.1   Scope

This policy is broad and applies to parties at UQ that hold or process UQ information, including:

  • Students;
  • Staff;
  • Third parties (e.g. suppliers, contractors, consultants and partners);
  • Visitors.

Consumers using UQ networks or services must comply with this policy, irrespective of location or device ownership (e.g. consumers with personally owned computers). Exceptions to this policy must be approved by the Chief Information Officer.

2.0   Principles and Key Requirements

2.1   Information Security Management Systems (ISMS)

UQ’s ISMS supports the UQ Cyber Security Strategy, which seeks to mitigate risk and protect UQ's critical information against increasingly aggressive and sophisticated cyber threats whilst continually adapting to UQ’s rapidly evolving needs. The key components of the ISMS are:

  • A Cyber Security Framework comprised of policies, procedures, local operating procedures, standards, guidelines and systems governing and facilitating cyber security management at UQ.
  • Technical cyber security controls to protect information systems.
  • A cyber security awareness program to reduce the vulnerability of staff and students to cyber security threats and foster a culture that facilitates cyber security.

2.2   Cyber Security Framework

The key platforms of the framework are information management, cyber security risk management and cyber security incident management, as explained below.

  • The specification of cyber security controls is incorporated into relevant IT standards or as separate cyber security standards.
  • The University will have sufficient IT and cyber security standards to facilitate the effective implementation of cyber security controls across all IT infrastructure, systems and applications.
  • Standards will be developed in consultation with key stakeholders to support business requirements, provide adequate cyber security risk mitigation, and align with the cyber security strategy. 
  • Where a standard is not suitable, the Cyber Security Standard Exception Procedure applies; otherwise the standard must be followed.
  • Standards will be updated as required to reflect changes in security controls.

2.3   Information Management

Information management is critical to robust cyber security. Underpinning the cyber security framework, UQ’s Information Management Framework facilitates identification, management and governance of information assets. It mandates the security classification of information assets which provides the basis for consistent, risk-based protection.

Systems storing or processing UQ information must meet the minimum technical controls outlined in the Application Security Controls Standard. Where a system is external to UQ (hosted by a third party), it is the responsibility of the Contract Manager to ensure the system meets these standards.

2.4   Cyber Security Risk Management

Cyber security controls seek to reduce cyber security risk by either reducing the likelihood or impact of an incident, or both. UQ will continue to identify and treat cyber security risk via the following measures:

  • Maintaining a register of key information assets.
  • Establishing a framework for performing cyber security risk assessments aligned with UQ’s Enterprise Risk Management Framework.
  • Incorporating cyber security risk identification and assessment into processes impacting the use and processing of UQ information. 
  • Maintaining a register of cyber security risks with related controls.
  • Reviewing risks at regular intervals and as a result of significant security incidents, threats or changes to business requirements.
  • Implementing and strengthening controls to reduce risk.
  • Evaluating the effectiveness of controls.

2.5   Cyber Security Incident Management

A cyber security incident is an event involving an actual or potential malicious actor that threatens the confidentiality, integrity or availability of UQ information assets (electronic or paper), or that otherwise contravenes the University’s Cyber Security Policy. A cyber security incident may arise from accidental or malicious action, or from significant exposure to a known threat.

The UQ Cyber Security Incident Management Procedure details how incidents are managed and aims to comply with applicable legal requirements, minimise harm to impacted individuals, and minimise damage and risk to UQ.     

Incidents should be reported immediately to IT support.

2.6   Cyber Security Vulnerability Testing

Security testing will be performed against systems, processes and people to determine UQ’s vulnerability to cyber threats. The results of these test processes will only be used to measure and improve service quality and UQ’s protection against cyber threats.

3.0   Roles, Responsibilities and Accountabilities

3.1   Consumers

Consumers are responsible for reporting potential cyber security incidents to IT support, including those of an accidental nature such as a lost laptop or device.

UQ staff and contractors are responsible for:

  • Participating in cyber security training where relevant to their work role; and
  • Acting consistently and responsibly to protect the University’s information assets by –
    • Complying with procedures in place to protect information assets;
    • Incorporating safe cyber security practices into their work; and
    • Reporting risks to IT support.

3.2   IT Management and Staff

IT managers manage relevant cyber security risks and are accountable for compliance with relevant cyber security standards.

IT staff are responsible for:

  • Complying with relevant IT and cyber security standards and local operating procedures.
  • Assisting the Chief Information Officer to identify and develop suitable cyber security frameworks, standards and local operating procedures.
  • Monitoring IT systems and services for potential cyber security risks and threats.

3.3   Security Architect

The Security Architect is responsible for:

  • Facilitating, monitoring and supporting cyber security risk management and compliance practices.
  • Developing and maintaining cyber security strategy, policy, procedures, frameworks, local operating procedures and standards.
  • Incorporating cyber security into IT frameworks, local operating procedures and standards.
  • Overseeing the implementation and operation of UQ’s cyber security controls with broad impact.
  • Providing cyber security risk management information, resources and training to consumers.

3.4   Chief Information Officer

The Chief Information Officer is responsible for:

  • Promoting the importance of cyber security risk management to UQ leadership and staff delivering IT services.
  • Providing adequate resourcing for the management of cyber security risk.
  • Reporting on cyber security risk to the University Senior Management Group and Senate.

3.5   Information Technology Governance Committee (ITGC)

The ITGC will approve cyber security procedures, local operating procedures, and standards.

3.6   Strategic Information Technology Council (SITC)

The SITC provides guidance and governance of the provision and direction of University-wide information technology and cyber security strategy, reporting to the University Senior Management Group on these areas.

3.7   Enterprise Risk

Enterprise Risk, within the Governance and Risk Division, facilitates the effective management of risk at UQ. It is responsible for providing the Enterprise Risk Management Framework and risk appetite statements for cyber security.

3.8   Contract Managers

Unless otherwise stated in a contract or agreement with UQ, Contract Managers are responsible for ensuring suppliers or partners processing UQ information are:

  • Managing cyber security risk to protect UQ information.
  • Providing assurance to UQ about cyber security risk management activities.
  • Reporting to UQ any breaches impacting or potentially impacting UQ information as soon as practical after detection of the breach.

4.0   Monitoring, Review and Assurance

4.1   Ongoing Review

The Chief Information Officer will review this policy at least every three years to ensure it aligns with UQ’s cyber security strategy and industry best practice.

Information Technology Services will assess the ongoing maturity of UQ’s cyber security practices and review this policy in response to significant cyber security incidents and changes in UQ’s cyber security strategy and applicable legislation.

Information Technology Services will drive compliance with the policy through:

  • ongoing cyber security awareness activities;
  • checks in key IT processes to ensure cyber security risk management activities are performed;
  • technical enforcement;
  • regular reporting of self-assessments by Organisational Units on required cyber security controls implemented to protect information assets; and
  • audits to assess compliance and effectiveness of technical controls.

4.2   Internal Audit

Internal Audit will provide independent oversight, review and assurance on the effectiveness of cyber security controls to manage risk and meet compliance requirements.

5.0   Recording and Reporting

The IT Security Architect is accountable for the maintenance of cyber security metrics for periodic reporting to stakeholders. The metrics will cover the following aspects of UQ’s cyber security management:

  • Current risk level;
  • Control effectiveness;
  • Maturity of the University’s approach to cyber security against best practice frameworks;
  • Financial status.

Quarterly cyber security reports will be provided to the Senate Risk and Audit Committee.

5.1   Mandatory Reporting of Private Data Breaches

Under the Privacy Act 1988 (Cth), UQ must report to the Australian Information Commissioner breaches of certain private data likely to cause serious harm, unless remediation occurs before any serious harm results from the breach. In UQ’s case, this is limited to breaches involving tax file numbers and metadata collected under the Telecommunications (Interception and Access) Act 1979 (Cth). Additional notification obligations may be imposed under contracts entered into by the University.

6.0   Appendix 

6.1   Related Policies and Procedures

Information Management - Policy

Cyber Security Incident Management Procedure (UQ login required)

Cyber Security Framework (UQ login required)

Cyber Security Risk Management Procedure (UQ login required)

Cyber Security Exceptions Procedure

Custodians
Chief Information Officer Mr Rowan Salt

Procedures

Cyber Security Incident Response - Procedure


1.0    Purpose and Scope

This procedure sets requirements for responding to cyber security incidents and aligns with the preparedness, response and recovery phases described in the UQ Incident Management Procedure.

This procedure aims to:

  • minimise the impact of cyber security incidents that occur, and

  • ensure continuous improvement of cyber security incident response and related security controls.

The Cyber Security Incident Response Procedure applies to UQ staff, contractors, title holders and third parties. It applies in a limited capacity to students (see section 2.1).

Cyber security incident response at UQ is primarily managed and coordinated by teams within the Information Technology Services (ITS) division but relies on collaboration with multiple other organisational units and functions across UQ. Sections 3.3.2 and 4.0 of this procedure outline the various units and functions involved in UQ’s cyber security incident response, and their responsibilities.

Cyber security at UQ is everyone’s responsibility. All staff and students are responsible for reporting potential cyber security concerns or incidents, including accidental incidents such as a lost device, to IT Support. UQ staff are further responsible for supporting incident response activities as requested.

2.0    Process and Key Controls

2.1    Incident Reporting

Staff and students must report, via the cyber security website, any suspicious activity they observe and any cyber security events impacting them.

If IT staff receive reports of activity that could be related to a cyber security incident, they must escalate these to the Cyber Security Operations Centre (CSOC).

External parties should report security incidents impacting UQ data using the cyber security incident reporting form.

2.2    Incident Handling

Cyber security incident response and recovery consists of five phases occurring in the following sequence.

  1. Identification determines key facts about the incident such as timing, source, exploits, and vulnerabilities, the actual and potential impact level of the incident, correlation with existing or previous events or incidents, and notification requirements. 

  2. Containment aims to minimise the actual and potential impacts of the incident as quickly as possible to avoid overwhelming resources for handling the incident, while avoiding actions that could compromise later phases. 

  3. Eradication eliminates all possible components of the incident.

  4. Recovery restores normal operations and mitigates the risk of a similar incident re-occurring.  

  5. Lessons learned improves security controls and future responses to similar incidents.

Some phases may need to be revisited as new information and impacts are discovered or occur. Appendix 7.1 lists activities that typically occur during each phase of incident handling.

Figure 1 Cyber Security Incident Handling

2.3    Incident Notification 

Incident notification is performed to minimise harm and satisfy regulatory and legal requirements. This includes (but is not limited to):

  • Obligations arising from data sharing agreements (i.e. where third party data has been provided to UQ): notifications are performed by the University owner of the data sharing agreement.

  • Obligations arising from the Privacy Act 1988 and Information Privacy Act 2009 (Qld): UQ may need to notify impacted persons and authorities in the event of a personal information breach. View the Personal Information Breach Response Plan for more detail.

  • Obligations arising from the Security of Critical Infrastructure Act 2018: UQ must notify the Australian Cyber Security Centre (ACSC) about significant incidents. Notifications are performed by the CSOC – see the Appendix Section 7.1 for more detail.

  • Obligation to notify the Queensland government: UQ must report all cyber security incidents with an impact rating of Minor and above to the Queensland Government Cyber Security Unit.

Notification requirements must be identified as early as possible. Notifications must be prioritised to meet obligations and allow third parties to respond quickly to minimise potential impacts.

3.0    Key Requirements

3.1    Preparedness

3.1.1    Incident Response Capability

The Chief Information Officer (CIO) and Director, Cyber Security must ensure that: 

  • the CSOC and relevant IT support teams are sufficiently staffed and resourced for effective incident response, and 

  • suitable arrangements are in place with external organisations to provide additional expertise and resources when required.

The CSOC and IT managers must ensure staff involved in cyber security incident response receive sufficient training to enable them to follow this procedure.

The CSOC Manager is responsible for establishing and maintaining relationships with government agencies, industry peers and security service providers to improve cyber security incident response. 

3.1.2    Incident Communication Mechanisms

The CSOC Manager must ensure that suitable mechanisms are in place for reporting cyber security incidents or suspicious activity.

The Chief Information Officer (CIO) must ensure that resilient mechanisms are in place to enable communications during an incident that disrupts normal IT services.  

3.1.3    Cyber Security Incident Plans and Procedures

The Security Architect is responsible for developing and maintaining cyber security incident response plans for significant types of incidents, in consultation with key stakeholders. These plans are approved by the Cyber Security Risk and Compliance Committee (CSRCC), are stored in the IT Governance Document Library, and must include:

  • description of the applicable incident/s,

  • key roles and responsibilities,

  • key actions and resources required as part of preparedness, identification, containment, eradication, and recovery,

  • key positions regarding incident response and relevant considerations,

  • relevant legislative requirements, and

  • communications plan and associated templates.

Technical procedures for handling specific aspects of an incident are maintained by the Cyber Security Operations Centre (CSOC) and IT teams. 

3.1.4    Cyber Security Tabletop Exercises

Cyber security tabletop exercises simulate cyber security incidents to train participants, validate response plans and investigate dilemmas arising from particular scenarios. Members of the University Incident Management Team (UIMT) and Crisis Management Team (CMT) must participate in annual cyber security tabletop exercises coordinated by the Cyber Security Improvements Manager. Actions resulting from tabletop exercises are added to the IT Outstanding Actions Register for tracking. 

3.2    Identification

3.2.1    Incident Assessment

Once an incident is identified, the CSOC (with support from relevant staff) will assess the potential impact of the incident based on what has already occurred and what could reasonably be expected to occur. A consequence rating is assigned based on UQ’s risk matrix.

Incidents with a large or complex scope may be difficult to assess accurately, and other phases such as containment may need to proceed first. Throughout the incident response process, the Cyber Security Incident Manager must revise incident assessments as new information is received and escalate (or de-escalate) accordingly.

3.3    Response

3.3.1    Response Priorities

Response activities must be prioritised to minimise the following impacts (listed in order of importance):

  1. harm to people,

  2. damage to information and operations,

  3. harm to the broader community,

  4. compliance with contractual agreements and government regulations, and

  5. harm to UQ’s reputation.

3.3.2    Incident Response Team

Table 1 indicates the makeup of the incident response team, based on the potential impact rating (response tier). For each tier the roles listed are: key decisions; Cyber Security Incident Manager; technical response; general response; Internal Communications Lead; External Communications Lead.

  • Insignificant (Tier 1)
    • Key decisions: CSOC Manager
    • Cyber Security Incident Manager: CSOC staff / IT Manager
    • Technical response: CSOC / IT teams
    • General response: As required
    • Internal Communications Lead: Cyber Security Incident Manager
    • External Communications Lead: N/A

  • Minor (Tier 1)
    • Key decisions: CSOC Manager
    • Cyber Security Incident Manager: CSOC Manager
    • Technical response: CSOC, IT teams
    • General response: As required
    • Internal Communications Lead: Cyber Security Change and Communications
    • External Communications Lead: N/A

  • Moderate (Tier 1)
    • Key decisions: Director, Cyber Security
    • Cyber Security Incident Manager: CSOC Manager / Director, Cyber Security
    • Technical response: CSOC, IT teams, external services as required
    • General response: As required
    • Internal Communications Lead: Cyber Security Change and Communications; Senior Manager, Internal Communication (informed)
    • External Communications Lead: Senior Manager, Corporate Communication

  • Major (Tier 2)
    • Key decisions: Chief Operating Officer (COO)
    • Cyber Security Incident Manager: Director, Cyber Security
    • Technical response: CSOC, IT teams, external services as required
    • General response: University Incident Management Team (UIMT)
    • Internal Communications Lead: Senior Manager, Internal Communication
    • External Communications Lead: Senior Manager, Corporate Communication

  • Critical (Tier 3)
    • Key decisions: Vice-Chancellor (VC)
    • Cyber Security Incident Manager: Director, Cyber Security
    • Technical response: CSOC, IT teams, external services as required
    • General response: UIMT, Crisis Management Team (CMT)
    • Internal Communications Lead: CMCO (CMT); Senior Manager, Internal Communication
    • External Communications Lead: Senior Manager, Corporate Communication

Table 1 Incident Response Team Makeup

3.3.2.1    Cyber Security Incident Manager

The Cyber Security Incident Manager is responsible for coordinating incident response activities according to this procedure, directing teams and staff members as required, and for effective coordination between the technical and general response teams. The Cyber Security Incident Manager will activate support arrangements with external security service providers when needed and ensure that the required incident notifications occur. 

Incidents of a particular type may be handled by an IT support team by prior agreement with the CSOC. In these instances, the team manager acts as the Cyber Security Incident Manager, who must inform the CSOC about the incident.

The Cyber Security Incident Manager has the CIO’s authority to direct actions to remedy impacted IT services.

3.3.2.2    Incident Escalation

Incidents are escalated to UQ’s incident response teams when the potential impact of the incident is Major or Critical.

Escalation is initiated by the CSOC Manager. They escalate to the Chief Information Officer (CIO) or Director, Cyber Security who escalates to the Chief Operating Officer (COO) and the Crisis and Resilience Manager. 

The Crisis and Resilience Manager activates the University Incident Management Team (UIMT) and Crisis Management Team (CMT).

The CSOC Manager will alert the Crisis and Resilience Manager if a Minor or Moderate (Tier 1) incident occurs in case further escalation is required.  

3.3.2.3    Additional support

Cyber security incident response may require a broad cross-section of skills and knowledge beyond cyber security and IT. Additional teams may support the general response depending on the scope of the incident, including (but not limited to):

  • Governance & Risk (RTI & Privacy) regarding personal information.

  • Legal Services regarding government regulations, contracts, and significant legal risks.

  • Integrity Unit regarding staff policy breaches or criminal activities.

  • Student Complaints and Grievance Resolution regarding student policy breaches or criminal activities.

  • Health, Safety and Wellness and Student Services for staff and student victim support.

  • Property and Facilities Security regarding physical security.

  • Information Domain Custodians regarding SENSITIVE or PROTECTED information.

3.3.3    Threat Intelligence Sharing

If feasible, the CSOC should generate and distribute timely threat intelligence during or after an incident to help prevent similar attacks on other organisations. Threat intelligence must be sanitised to de-identify any third party as the victim of the attack, and the University itself when appropriate. Threat intelligence must only be provided to the approved threat intelligence sharing networks listed in Appendix section 7.3.

3.3.4    Documentation

Members of the incident response team must document events, actions and key discoveries as they occur, both to improve decision-making during the response process and to support post-incident analysis. Records should be kept in a single location where they are visible to all incident responders. The Cyber Security Incident Manager must ensure that minutes, including a record of decisions, are taken for meetings held to facilitate incident handling. In cases that may involve legal proceedings, responders must consult the UQ Integrity Unit for advice regarding note taking, evidence collection and safe storage.

3.3.5    Communications

The timing and quality of communications is critical to minimising harm to individuals and reducing the reputational impact of significant incidents. Communication must be timely and accurate and should convey empathy with impacted persons and demonstrate action.

All communications to parties outside the incident response team must be strictly controlled by the internal and external communications leads (see Table 1), with the exception of incident notification requirements defined in section 2.3 and in specific incident response plans. 

Where possible, a thorough understanding of the incident's possible impacts should be determined before communications are released. However, communications should consider the impact on individuals and potential reputation damage caused by delays while waiting for more accurate information.

The ITS Cyber Security Team is responsible for ensuring communication plans and templates are produced and approved in advance to facilitate a more rapid response. Plans should take into account that some channels may not be available during a severe incident.

All communications must comply with the Communications and Public Comment using The University of Queensland’s Name Policy and the IT Communications Framework. Legal Services must review communications to third parties and the general public. 

3.4    Containment

3.4.1    Authority to Disable and Modify IT Services

During incident containment it may be necessary to fully or partially disable IT services at short notice to avoid significantly increased impacts. It may not be feasible to consult the key stakeholders generally required to approve such changes. Instead, incident responders may obtain timely approval from anyone listed below (in preferential order). Incident responders should seek approval from the person with the highest preference that is available within the required timeframe, while also ensuring to follow the IT Change Management Procedure:

  • Registered business or service owner

  • Director, Cyber Security

  • CIO

  • CSOC Manager

  • After-hours senior CSOC staff

3.5    Eradication

The Cyber Security Incident Manager is responsible for deciding when eradication activities can be terminated, and recovery activities can commence.

3.6    Recovery

Activity to restore damaged services must align with the IT Incident Management Procedure. The Cyber Security Incident Manager directs IT staff and IT Major Incident Managers to ensure restoration activities do not conflict with cyber security incident handling. When applicable, IT service disaster recovery procedures should be enacted during this phase to facilitate rapid restoration and return to business-as-usual operations.      

3.7    Lessons Learned

For complex incidents, the CSOC will perform a root cause analysis during the lessons learned phase to identify vulnerabilities and control weaknesses that contributed to the incident. 

For incidents that caused a Moderate or higher impact, the Cyber Security Incident Manager must organise a post-incident review meeting within 10 business days of incident closure. After the review they must distribute an incident report within 20 business days. The incident report must include key events and timings, decisions, root-cause analysis, and improvement actions.

The post-incident review meeting should include members of the incident response team and the ITS Security Architect. The objectives of the review meeting are to:

  • acknowledge contributions to the incident response,

  • discuss any issues that may have arisen as a result of the incident, including residual impacts on staff,

  • validate the findings of the root cause analysis,

  • evaluate the impacts of the incident and validate the final impact rating, and

  • identify and validate key lessons and improvement actions.

Proposed improvement actions must be approved by relevant managers, assigned to responsible staff, and added to the IT Outstanding Actions Register for tracking.

4.0    Roles, Responsibilities and Accountabilities

4.1    Cyber Security Incident Manager

The Cyber Security Incident Manager is responsible for:

  • coordinating cyber security incident response activities according to this procedure,

  • directing teams and staff members as required,

  • coordinating technical and general response teams,

  • activating external incident response support as needed,

  • deciding when eradication activities can be terminated, and recovery activities can commence,

  • ensuring incident notifications occurs when required, 

  • ensuring adequate records are kept during the incident handling process, and

  • ensuring minutes are taken for meetings held to facilitate incident handling including a record of decisions.

4.2    Vice-Chancellor

The Vice-Chancellor is responsible for chairing the Crisis Management Team (CMT) and making key decisions regarding Critical (Tier 3) cyber security incidents.

4.3    Chief Operating Officer (COO)

The COO is responsible for chairing the University Incident Management Team (UIMT) and key decisions regarding Major (Tier 2) cyber security incidents.

4.4    Chief Information Officer (CIO)

The CIO is responsible for resourcing the technical cyber security incident response capability and associated IT functions. The CIO is also part of the UIMT and CMT when required.

4.5    Director, Cyber Security, ITS

The Director, Cyber Security is accountable for cyber security incident management. They are responsible for:

  • the technical management of Major and higher (Tier 2 and Tier 3) cyber security incidents, and

  • approving cyber security incident response plans.

The Director, Cyber Security is also part of the UIMT and CMT when required.

4.6    University Crisis Management Team (CMT)          

The CMT provides executive leadership for critical cyber security incidents.

4.7    University Incident Management Team (UIMT) 

The UIMT provides control and coordination of incident resolution actions across multiple UQ functions for Major (Tier 2) cyber security incidents and support to the CMT for Critical (Tier 3). It reports to the CMT as required.  

4.8    Cyber Security Operations Centre Manager, ITS

The Manager, CSOC is responsible for:

  • acting as the Cyber Security Incident Manager and making key decisions for Insignificant and Minor (Tier 1) cyber security incidents,

  • maintaining cyber security incident statistics, and

  • maintaining the register of cyber security incident reports.

4.8.1    Cyber Security Operation Centre 

The CSOC is responsible for technical cyber security incident response processes including the initial assessment of incidents.

4.9    Cyber Security Change and Communications Officer, ITS

The Cyber Security Change and Communications Officer is responsible for:

  • acting as the internal communications lead for Minor and Moderate (Tier 1) incidents, and

  • drafting communication templates and plans for cyber security incidents. 

4.10    IT Managers

IT Managers are responsible for:

  • creating and maintaining local cyber security incident response procedures related to security controls or IT systems they are responsible for, and 

  • incident response activities performed by their team. 

4.11    Business Resilience Manager, Governance and Risk

The Business Resilience Manager is responsible for:

  • facilitating incident escalation from Tier 1 to Tier 2 and Tier 3 levels, 

  • coordinating the standing up of the UIMT and CMT as required,

  • assisting with the coordination of the UIMT and CMT, and 

  • facilitating incident de-escalation for critical and crisis incidents.

The Business Resilience Manager is also a single point of contact for mobilising incident response resources in the Enterprise Governance and Risk Team.

4.12    Security Architect, ITS

The Security Architect is responsible for: 

  • Maintaining this procedure (including implementation and compliance monitoring) as part of the Information Security Management System (ISMS).

  • Maintaining and developing cyber security incident response plans and the overall cyber security framework.

  • Overseeing the high-level deployment of technical security controls.

4.13    Cyber Security Improvements Manager, ITS

The Cyber Security Improvements Manager is responsible for: 

  • organising and recording cyber security incident tabletop exercises,

  • distributing summary reports of exercises, and

  • ensuring tabletop exercises are recorded in the cyber security training register.

4.14    Senior Manager, Internal Communication, Marketing and Communication

The Senior Manager, Internal Communication is responsible for communications to the UQ community that occur during Major (Tier 2) and Critical (Tier 3) incidents.

4.15    Senior Manager, Corporate Communication, Marketing and Communication

The Senior Manager, Corporate Communication is responsible for communications to parties outside UQ during incidents.

4.16    IT support teams

IT support teams are responsible for triaging reports of potential cyber security incidents and escalating to the CSOC as required.

4.17    Right to Information and Privacy

Right to Information and Privacy is responsible for notifying external regulators of privacy breaches.

4.18    Integrity Unit 

The Integrity Unit is responsible for providing advice and assistance with incidents involving internal staff actors and liaising with law enforcement agencies if required.

4.19    Student Complaints and Grievance Resolution 

The Student Complaints and Grievance Resolution division is responsible for providing advice and assistance with incidents involving internal student actors.

4.20    Information Domain Custodians

Information Domain Custodians are responsible for key decisions impacting their information domains.

4.21    External service providers

Service providers engaged by UQ are responsible for: 

  • reporting potential and actual cyber security incidents that may impact UQ data or services using the cyber security incident reporting form, and

  • providing regular incident status updates and information as part of UQ’s cyber security incident response.

5.0    Monitoring, Review and Assurance

The Security Architect will: 

  • Review and update this procedure as required to ensure its accuracy and efficacy. 

  • Report on the maturity of cyber security incident response in the cyber security dashboard to UQ and IT risk committees. 

  • Provide updates and monitoring regarding development of cyber security incident plans and execution of tabletop exercises to the Cyber Security Risk and Compliance Committee (CSRCC). 

Cyber Security Incident Managers will report any significant deficiencies or deviations from this procedure (identified as part of the lessons learned phase) to the CSRCC. 

6.0    Recording and Reporting

For the purposes of reporting, the scope of an incident will include all the events within a single campaign. A campaign is a series of actions taken by the same threat actor within a specific time period. The CSOC will record the following information for each incident:

  • final impact (refer to the Consequence Rating Table),

  • number of people impacted (0, 1-100, 101-1000, 1001-10K, >10K),

  • incident category for insignificant incidents,

  • degree of effort spent on the incident resolution (see Table 4),

  • incident response time, and

  • incident resolution time.

Incident statistics and summaries of significant incidents are included in quarterly cyber security reports to the IT Policy, Risk and Assurance Committee (IT PRAC), the Vice-Chancellor's Risk and Compliance Committee (VCRCC), and the Senate Risk and Audit Committee (SRAC).

Cyber security incident reports are stored in the cyber security incident report register. All incident reports must be distributed to the CSRCC, VCRCC and SRAC. Incident reports are distributed to USET as required.

Tabletop exercises are recorded in the cyber security training register. Summary reports of tabletop exercises must be distributed to attendees and the VCRCC and USET if required.   

Actions from tabletop exercises and improvement actions from post-incident reviews are recorded in the IT Outstanding Actions Register for tracking. 

7.0    Appendix

7.1    Incident Notification – Security of Critical Infrastructure Act 2018

Under the Security of Critical Infrastructure Act 2018, UQ has a responsibility to report cyber security incidents that impact its critical infrastructure assets.

The CSOC will report all cyber security incidents with an impact rating (see risk matrix) of Minor and above to the Australian Cyber Security Centre (ACSC). The following specifications apply:

  • Incidents that significantly impact the availability of an asset: UQ must notify the ACSC within 12 hours after becoming aware of the incident. If the initial report is made verbally, UQ must submit the written report within 84 hours of the verbal notification.

  • Incidents that have a relevant impact on an asset: UQ must notify the ACSC within 72 hours after becoming aware of the incident. If the initial report is made verbally, UQ must submit the written report within 48 hours of the verbal notification.

7.2    Incident Handling Activities

The following table lists activities that typically occur during incident handling processes.

Phase / Activities

Identification

  • Monitoring threat intelligence for active threats.

  • Reviewing reports from UQ consumers, IT staff, external service providers and security researchers.

  • Collecting specific data related to the incident.

  • Correlating separate data sources.

  • Performing research into similar incidents.

  • Establishing additional monitoring specific to the incident.

  • Tuning or developing scripts to process the available data to see high-level patterns. 

Containment

  • Disconnecting systems from the network.

  • Disabling or resetting system components.

  • Blocking network traffic.

  • Backing up threatened data.

  • Removing malicious email messages from inboxes.

  • Disabling user accounts. 

Eradication

  • Deleting malicious code or software.

  • Resetting passwords on compromised accounts.

  • Mitigating vulnerabilities exploited in the incident.

  • Identifying and removing persistent access. 

Recovery

  • System restoration. 

  • System testing. 

  • Remediation of vulnerabilities exploited in the incident. 

  • Adjusting relevant controls. 

  • Adjusting logging and monitoring systems. 

Lessons learned

  • Post-incident review meeting. 

  • Determining the root cause of the incident. 

  • Producing an incident report. 

  • Estimating financial impact for medium and high-impact incidents. 

  • Identifying required updates to response plans and procedures, the cyber security risk register and cyber security standards. 

  • Identifying control improvements. 

  • Debriefing staff involved in the incident response, ensuring personal impacts are addressed.

Table 2 Incident Handling Activities

7.3    Approved Threat Intelligence Networks

The following table lists approved threat intelligence networks:

Organisation

  • AusCERT

  • AARNet

  • ACSC

Table 3 Threat Intelligence Networks

7.4    Key Contacts

7.5    Degree of Effort

The following table defines ratings for the degree of effort required to resolve an incident.

Effort rating    Total time expended

Low              Up to 1 FTE day

Medium           Between 1 FTE day and 1 FTE week

High             More than 1 FTE week

Table 4 Degree of effort

Custodians
Chief Information Officer Mr Rowan Salt