ICT Security and Risk Framework

Parent Policy
ICT Security and Risk Policy

Definitions

Scope
All Australian campuses

Version Number
1.0

Effective Date
10/08/2015

Table of Contents

1 Organisation of ICT Security and Risk Management

1.1 Internal Organisation

2 Human Resource Security

2.1 Prior to People Accessing the University’s Electronic Information

2.2 People’s Information Security Responsibilities

2.3 Termination or Change of People’s Responsibilities

3 Asset Management

3.1 Responsibility for The University’s Electronic Information, Information Systems, Information Services, and Information System Facilities

3.2 Information Classification, Management and Handling

4 Access Control

4.1 Access control requirements and management

4.2 People’s responsibilities

4.3 Information System and Information Service Access Control

5 Physical and Environmental Security

5.1 Secure Areas

5.2 Information Systems

6 Operations Security

6.1 Operational Procedures and Responsibilities

6.2 Key Management

6.3 Logging and Monitoring

6.4 Control of Operational Software

6.5 Technical Vulnerability Management

6.6 Mobile Devices and Remote Working

7 Communications Security

7.1 Network and Communications Management

8 Security in Development and Implementation

8.1 Defined Requirements

8.2 Security in the Development and Implementation Lifecycle

9 External Party Relationship Management

9.1 Relationships with External Parties

9.2 External Service Provider Delivery Management

9.3 Information Services Provided to External Parties

9.4 External Information Services Security Management

10 Information Security Incident Management

10.1 Information Security Incident Management

11 Disaster Recovery and Business Continuity Management

11.1 Information Security Continuity

11.2 Disaster Recovery

12 Compliance

12.1 Compliance with External and Contractual Requirements

12.2 Information Systems Audit Considerations

12.3 Compliance with Information Security Policy and Procedures

Information Security Principles

The following Information Security Principles are based on and customised from the international standard for the governance of information security, ISO/IEC 27014:2013.

No. Principle
1 Establish information security and risk management throughout The University.
2 An evolutionary, risk-based approach will be applied to enable The University.
3 Information security will support investment decisions.
4 Ensure compliance with internal and external requirements.
5 Maintain a people-centric security environment.
6 Review performance in relation to business outcomes.


Principle 1: Establish information security and risk management throughout The University

Governance of information security should ensure that information security activities are comprehensive and integrated. Information security should be handled at The University level with decision-making taking into account business, information security, and all other relevant aspects. Activities concerning physical and logical security should be closely coordinated.

To establish University-wide security, responsibility and accountability for information security should be established across the full span of The University’s activities. This regularly extends beyond the generally perceived ‘borders’ of The University e.g. with information being stored or transferred by external parties.

Principle 2: An evolutionary, risk-based approach will be applied to enable The University

Governance of information security should be founded on risk-based decisions where information risk management is consistent and integrated with The University’s overall risk management framework. Acceptable levels of information security should be defined based upon the risk appetite of The University, including the loss of competitive advantage, compliance and liability risks, operational disruptions, reputational harm, and financial losses. Appropriate resources to implement information security and risk management should be allocated by The University’s governing body.

Principle 3: Information security will support investment decisions

Governance of information security should establish an information security investment strategy and/or plan based on achieved business outcomes, resulting in harmonisation between University and information security requirements in both the short and long term, thereby meeting the current and evolving needs of stakeholders.

To optimise information security investments and to support The University’s objectives, The University’s governing body should ensure that information security is integrated with existing University processes for capital and operational expenditure, for legal and regulatory compliance, research ethics and for risk reporting.

Principle 4: Ensure compliance with internal and external requirements

Governance of information security should ensure that information security policies and practices conform to relevant mandatory legislation and regulations, as well as committed contractual requirements and other external or internal requirements.

To address conformance and compliance issues, The University’s governing body should obtain assurance that information security activities are satisfactorily meeting internal and external requirements by commissioning independent audits.

Principle 5: Maintain a people-centric security environment

Governance of information security should be built upon human behaviour, including the evolving needs of all the stakeholders, since human behaviour is one of the fundamental elements to support the appropriate level of information security. If not adequately coordinated, the objectives, roles, responsibilities and resources may conflict with each other, resulting in the failure to meet business objectives. Therefore, harmonisation and concerted orientation between the various stakeholders is very important.

To establish a positive information security culture, The University’s governing body should require, promote and support coordination of stakeholder activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs.

Principle 6: Review performance in relation to business outcomes

The University’s governance of information security should ensure that the approach taken to protect information is fit for purpose in supporting The University, providing agreed levels of information security. Security performance should be maintained at levels required to meet current and future University requirements.

To review the performance of information security from a governance perspective, The University’s governing body should evaluate the performance of information security in relation to its business impact, not just the effectiveness and efficiency of security controls. This can be done by performing mandated reviews of a performance measurement program for monitoring, audit, and improvement, thereby linking information security performance to business performance.

Delegation

Governance: Accountable - Chief Officer/Executive; Responsible - Director

Operational Responsibility*: Accountable - Director; Responsible - Capability Manager

Assurance: Independent assurance (Internal/External)

*The operational responsibilities in the framework have been assigned as appropriate to relevant areas within the University.

Introduction

In alignment with The University’s Enterprise Risk Management Framework and the ICT Security & Risk Policy, the application of this framework (ICT security and risk controls) shall be determined through risk-based decisions. Proportionate and effective management of The University’s ICT risks shall enable the conduct of the University's business and necessary protection of the University's people, information and assets. The Risk Management Manual defines the risk methodology and processes to follow when considering application of this framework.

An overview of the various information security and risk policies, frameworks and supporting procedures is shown below. The Framework resides within the second layer and supports the implementation of the ICT Security & Risk Policy.

1. Organisation of ICT Security and Risk Management

Operational Responsibilities (Responsibility: Scope):

IT Security and Risk Manager: Organisation of ICT security and risk management

Project Management Office / SI Planning and Control Manager: ICT security and risk management in projects

1.1 Internal Organisation

Objective: To establish a framework to initiate and control the implementation and operation of ICT security and risk management within The University. #ISO27002.2013:6.1

1.1.1 Establish, Implement and Maintain an ICT Security and Risk Framework

C1 A framework shall be developed, implemented, published and maintained to support the management of ICT security and risk within The University. #ISO27002.2013:5.1.1, #ISO27002.2013:5.1.2, #ISO27002.2013:6.1, #ISO27002.2013:10.1.1

1.1.2 Information Security and Risk Roles and Responsibilities

C2 All users who have access to, or control of, The University’s electronic information are responsible for information security and risk management. Where relevant, ICT security and risk responsibilities shall be defined and allocated to specific capabilities and/or roles. #ISO27002.2013:6.1.1

C3 Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of The University’s electronic information, information systems, and information services. #ISO27002.2013:6.1.2, #LSA:2.5

1.1.3 ICT Security and Risk in Programs and Projects

C4 ICT security and risk management shall be addressed from the early planning phase of a program and/or project and throughout its entire lifecycle. #ISO27002.2013:6.1.5

1.1.4 Business Change Management

C5 Where relevant, business processes change management procedures will consider ICT security and risk. #ISO27002.2013:12.1.2

1.1.5 Establish and Maintain Relationships with Authorities

C6 The University shall establish and maintain relationships with relevant authorities, such as law enforcement and regulatory bodies, to enable effective partnerships and enhanced information security incident response with the relevant authorities. #ISO27002.2013:6.1.3

1.1.6 Establish and Maintain Relationships with Specialist Partners

C7 The University shall establish and maintain relationships with specialist external partners, such as other universities and specialist organisations and associations, to share information in relation to best practice and threat intelligence. #ISO27002.2013:6.1.4

2. Human Resource Security

Operational Responsibilities (Responsibility: Scope):

**(TBC) Workforce Policy & Performance Manager: Human Resource Security

IT Security and Risk Manager: Information Security Awareness, Education and Training

Supply Chain Management Office Manager: Confidentiality or Non-Disclosure Agreements

2.1 Prior to People Accessing the University’s Electronic Information

Objective: To ensure that people who will have access to, or control of, The University’s electronic information are suitable for the roles for which they are considered and understand their information security responsibilities. #ISO27002.2013:7.1

2.1.1 Screening

C8 People who will have access to, or control of, The University’s electronic information may be subject to background checks. #ISO27002.2013:7.1.1

C9 The rigour and depth of background checks shall be proportional to the information security classification accessed, perceived risks, and/or business requirements. #ISO27002.2013:7.1.1

C10 Background checks shall be performed in accordance with all relevant laws, regulations, and ethics. #ISO27002.2013:7.1.1

2.1.2 Terms and Conditions of Employment

C11 Contracts or agreements made with people who will have access to, or control of, The University’s electronic information shall state their and The University’s responsibilities for the protection of the information. #ISO27002.2013:7.1.2

2.2 People’s Information Security Responsibilities

Objective: To ensure that people who have access to, or control of, The University’s electronic information understand and fulfil their responsibilities to protect the information. #ISO27002.2013:7.2

2.2.1 Information Security Awareness, Education and Training

C12 People who have access to, or control of, electronic information shall receive education, training and awareness regarding but not limited to The University’s policies and procedures for the protection of the information, relevant to their role. #ISO27002.2013:7.2.2

2.2.2 Management Responsibilities

C13 Management shall ensure that people who have access to, or control of, electronic information protect the information in accordance with The University’s policies and procedures. #ISO27002.2013:7.2.1

2.2.3 Acceptable Use of The University’s Electronic Information, Information Systems, and Information Services

C14 Rules for the acceptable use of The University’s electronic information, information systems, and information services shall be identified, documented, implemented and published. #ISO27002.2013:8.1.3

2.2.4 Disciplinary Process

C15 People who have access to, or control of, The University’s electronic information and information services who do not protect or use the information and information services in accordance with The University’s policies and procedures shall be subject to The University’s formally documented disciplinary processes. #ISO27002.2013:7.2.3

C16 The University’s disciplinary processes shall be communicated to all people who have access to, or control of, The University’s electronic information and information services. #ISO27002.2013:7.2.3

2.2.5 Confidentiality or Non-Disclosure Agreements

C17 Requirements for confidentiality or non-disclosure agreements related to The University’s electronic information shall be identified, regularly reviewed and documented. #ISO27002.2013:13.2.4

2.3 Termination or Change of People’s Responsibilities

Objective: To ensure the ongoing protection and appropriate use of The University’s electronic information as part of the process of changing a person’s responsibilities or terminating employment. #ISO27002.2013:7.3

2.3.1 Termination or Change of Responsibilities

C18 Responsibilities and duties that remain valid after termination or change of a person’s access to, or control of, The University’s information and information services shall be defined, communicated to that person and enforced. #ISO27002.2013:7.3.1

2.3.2 Return of The University’s Information and Information Systems

C19 All people who are in possession of The University's information systems or removable media shall return them on conclusion of their employment, contract, agreement, or relationship with The University. #ISO27002.2013:8.1.4

C20 All people who are in possession of The University's electronic information shall return it to The University on conclusion of their employment, contract, agreement, or relationship with The University in accordance with The University's disposal procedures. #ISO27002.2013:8.1.4

3. Asset Management

Operational Responsibilities (Responsibility: Scope):

Head of Information Management: Electronic information asset - governance

Information Owners: Electronic information - identification and handling

Information System, Information Service, and Information System Facility Owners: Information systems, services and system facilities - identification, inventory maintenance and handling

Service Management Office Manager: Information systems and services - service asset and configuration management

Supply Chain Management Office Manager: Information systems and services - identification, inventory maintenance and handling

3.1 Responsibility for The University’s Electronic Information, Information Systems, Information Services, and Information System Facilities

Objective: To ensure responsibilities for the protection of The University’s electronic information, information systems, information services, and information system facilities, are developed and implemented. #ISO27002.2013:8.1

3.1.1 Inventory of The University’s Electronic Information, Information Systems, Information Services, and Information System Facilities

C21 Subject to risk-based decisions, The University's electronic information, information systems, information services, and information system facilities shall be identified. #ISO27002.2013:8.1.1

Subject to risk-based decisions, an inventory of The University’s electronic information, information systems, information services and information system facilities shall be drawn up and maintained. #ISO27002.2013:8.1.1

3.1.2 Ownership of The University’s Electronic Information, Information Systems, Information Services, and Information System Facilities

C22 Owners shall be appointed for each of The University’s electronic information, information systems, information services, and information system facilities where those assets are maintained in the inventory. #ISO27002.2013:8.1.2

3.2 Information Classification, Management and Handling

Objective: To ensure that The University’s electronic information, information systems, information services, and information system facilities, are appropriately classified and managed in accordance with their risk to The University. #ISO27002.2013:8.2, #ISO27002.2013:8.3

3.2.1 Classification of The University’s Electronic Information, Information Systems, Information Services, and Information System Facilities

C23 An information security classification schema shall be established, documented, and maintained. #ISO27002.2013:8.2.1

C24 The information security classification of The University’s electronic information, information systems, information services, and information system facilities shall take account of any statutory, legal and contractual requirements placed upon it in terms of its value, criticality and sensitivity to unauthorised disclosure or modification. #ISO27002.2013:8.2.1

C25 Each of The University’s electronic information, information systems, information services, and information system facilities maintained in the inventory shall be classified in accordance with The University's information security classification schema. #ISO27002.2013:8.2.1

3.2.2 Information Security Classification Labelling of The University’s Electronic Information, Information Systems, Information Services, and Information System Facilities

C26 Procedures for information labelling should be developed, maintained and implemented in accordance with The University’s information security classification schema. #ISO27002.2013:8.2.2.

3.2.3 Management and Handling of The University’s Electronic Information

C27 Procedures for the management and handling of The University’s electronic information, associated information systems and information services, and removable media, shall be developed, maintained and implemented, and will consider the University's retention and disposal obligations. #ISO27002.2013:8.2.3, #ISO27002.2013:8.3, #ISO27002.2013:8.3.1.

C28 The University’s electronic information, associated information systems and information services, and removable media, shall be handled in accordance with its information security classification. #ISO27002.2013:8.2.3, #ISO27002.2013:8.3, #ISO27002.2013:14.3, #ISO27002.2013:14.3.1

3.2.4 Disposal of The University’s Electronic Information and Information Systems

C29 Procedures and decision criteria for the secure disposal of The University’s electronic information, associated information systems and information services, and removable media, shall be developed, maintained and implemented. #ISO27002.2013:8.3.2, #ISO27002.2013:11.2.7

C30 The secure disposal of The University’s electronic information, information systems, information services, and removable media shall be in accordance with its information security classification, the perceived risks, or business requirements. #ISO27002.2013:8.3.2, #ISO27002.2013:11.2.7

3.2.5 Protection of The University’s Electronic Information during Transportation

C31 Physical media containing The University’s electronic information shall be protected in accordance with its information security classification during transportation. #ISO27002.2013:8.3, #ISO27002.2013:8.3.3

4. Access Control

Operational Responsibilities (Responsibility: Scope):

Identity & Desktop Solutions Manager: User access control

Service Desk Manager: User access control

Information Owner: Authorisation controls

Information System, Information Service, and Information System Facility Owners: User access control

4.1 Access control requirements and management

Objective: To appropriately control access to The University’s electronic information, information systems, information services, and information system facilities. #ISO27002.2013:9.1, #ISO27002.2013:9.2

4.1.1 Access Control Procedures

C32 Access control procedures defining rules, rights, and restrictions to The University’s information, information systems, information services, and information system facilities shall be developed, maintained and implemented. #ISO27002.2013:9.1.1, #ISO27002.2013:9.1.2, #LSA:2.5

4.1.2 Access Control Registration, Provisioning, and Removal

C33 A formal process shall be developed, maintained and implemented to register users, provision access, and to de-register users and de-provision access, for all user types. #ISO27002.2013:9.2.1, #ISO27002.2013:9.2.2, #ISO27002.2013:9.2.3, #LSA:2.5

4.1.3 Review of Access Rights

C34 Information, information system, and information service owners shall conduct reviews, and amend access rights to electronic information under their responsibility. The frequency of reviews shall be based on risk. #ISO27002.2013:9.2.5

4.1.4 Adjustment of Access Rights

C35 Access rights shall be appropriately adjusted on change or termination of employment, contract or agreement. #ISO27002.2013:9.2.6

4.2 People’s responsibilities

Objective: To ensure that people with access to The University’s electronic information, information systems, information services, and information system facilities are accountable for safeguarding their authentication information. #ISO27002.2013:9.3

4.2.1 Use of Authentication Information

C36 People with access to The University’s electronic information, information systems, information services and information system facilities shall be required to follow The University’s policies, procedures and practices regarding the use of authentication information. #ISO27002.2013:9.3.1

4.3 Information System and Information Service Access Control

Objective: To prevent unauthorised access to information systems and information services. #ISO27002.2013:9.4

4.3.1 Restriction of Access to Functions

C37 Access shall be restricted to information system and information service functions in accordance with the access control procedures. #ISO27002.2013:9.4.1, #LSA:2.4, #LSA:2.5

4.3.2 Secure Log-On Procedures

C38 Where required by the access control procedures, access to information systems and information services shall be controlled by a secure log-on procedure. #ISO27002.2013:9.4.2, #LSA:2.4

4.3.3 Access Control System

C39 Access control systems shall be interactive and enforce access control procedure requirements. #ISO27002.2013:9.4.3, #LSA:2.5

4.3.4 Use of Privileged Tools

C40 The use of privileged tools that are capable of overriding information system and information service controls shall be restricted and tightly controlled. #ISO27002.2013:9.4.4, #LSA:2.5

4.3.5 Access Control to Source Code

C41 Access to source code shall be restricted. #ISO27002.2013:9.4.5, #LSA:9.10, #LSA:2.5

5. Physical and Environmental Security

Operational Responsibilities (Responsibility: Scope):

Access Control Coordinator: Building access controls

Information System, Information Service, and Information System Facility Owners: Physical access controls

**(TBC) Facilities and Services Manager: Physical and environmental controls

5.1 Secure Areas

Objective: To prevent unauthorised physical access, damage and interference to The University’s electronic information, information systems, information services, and information system facilities. #ISO27002.2013:11.1

5.1.1 Physical Security Perimeter

C42 Physical security perimeters shall be defined and used to protect areas that contain information systems and information system facilities. #ISO27002.2013:11.1.1

5.1.2 Physical Entry Controls

C43 Secure areas shall be protected by appropriate entry controls to restrict access to authorised persons. #ISO27002.2013:11.1.2

5.1.3 Securing Buildings

C44 Physical security requirements for buildings, including offices, rooms and facilities that contain information systems and information system facilities shall be developed, maintained and implemented. #ISO27002.2013:11.1.3

5.1.4 Protecting Against External and Environmental Threats

C45 Physical protection requirements against natural disasters, malicious attack or accidents, for buildings that contain information systems and information system facilities, shall be developed, maintained and implemented. #ISO27002.2013:11.1.4

5.1.5 Working in Secure Areas

C46 Procedures for working in secure areas shall be developed, maintained and implemented. #ISO27002.2013:11.1.5

5.1.6 Delivery and Loading Areas

C47 Access points such as delivery and loading areas and other points where unauthorised persons could enter the premises shall be controlled and, if possible, isolated from secure areas. #ISO27002.2013:11.1.6

5.2 Information Systems

Objective: To prevent loss, damage, theft or compromise of The University’s electronic information and information systems. #ISO27002.2013:11.2

Objective: To prevent interruption to The University’s operations. #ISO27002.2013:11.2

5.2.1 Equipment Siting and Protection

C48 The University's information systems, information services, and information system facilities shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access. #ISO27002.2013:11.2.1, #LSA:2.4, #LSA:2.5, #LSA:6.11, #LSA:6.12

5.2.2 Supporting Utilities

C49 Subject to risk-based decisions, The University's information systems, information services, and information system facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities. #ISO27002.2013:11.2.2

5.2.3 Cabling Security

C50 Telecommunications cabling carrying The University’s electronic information or supporting information services shall be protected from interception, interference or damage. #ISO27002.2013:11.2.3, #LSA:2.7

C51 Power cabling supporting The University’s information systems, information services, and information system facilities shall be protected from interference or damage. #ISO27002.2013:11.2.3

5.2.4 Equipment Maintenance

C52 The University's information systems, information services, and information system facilities shall be correctly maintained to ensure their continued availability and integrity. #ISO27002.2013:11.2.4

5.2.5 Removal of Information Systems

C53 The University’s information systems shall not be relocated or taken off-site without prior authorisation. #ISO27002.2013:11.2.5

5.2.6 Security of Information Systems Off-Premises

C54 Physical security controls shall be applied to off-site information systems and information services storing, processing, transmitting, or accessing The University’s electronic information to take account of the different risks of working outside the University premises. #ISO27002.2013:11.2.6

5.2.7 Unattended Information Systems

C55 Information systems, information services, and information system facilities that are used to store, process, transmit, or access The University’s electronic information shall be appropriately secured while unattended. #ISO27002.2013:11.2.8, #ISO27002.2013:11.2.9

6. Operations Security

Operational Responsibilities (Responsibility: Scope):

Information System, Information Service, and Information System Facility Owners: Operations Security

Service Management Office Manager: Change management

IT Security & Risk Manager: Security related assurance

6.1 Operational Procedures and Responsibilities

Objective: To ensure correct and secure operations of The University’s information systems, information services, and information system facilities. #ISO27002.2013:12.1, #ISO27002.2013:12.2

6.1.1 Documented Operating Procedures

C55 Formal operating procedures required to manage and maintain the security of The University’s information systems, information services, and information system facilities shall be developed, maintained, implemented and made available to all users who need them. #ISO27002.2013:12.1.1

6.1.2 Change Management

C56 Change management procedures will consider security and technology risk, and shall be developed, maintained and implemented for changes to The University’s information systems, information services and information system facilities. #ISO27002.2013:14.2.2, #ISO27002.2013:14.2.3

6.1.3 Capacity Management

C57 The use of The University’s information systems, information services, and information system facility resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance. #ISO27002.2013:12.1.3, #LSA:2.8

6.1.4 Separation of Environments

C58 Development, testing, and production environments of The University's information systems and information services shall be appropriately separated and protected. #ISO27002.2013:12.1.4, #ISO27002.2013:14.2.6, #LSA:6.5.1

6.1.5 Malware Controls

C59 Detection, prevention, and recovery controls shall be developed, maintained and implemented, including appropriate user awareness, to protect against malware being stored, processed or transmitted by The University’s information systems and information services. #ISO27002.2013:12.2.1, #LSA:2.6, #LSA:11.9.5

6.2 Key Management

Objective: To ensure effective procedures for the management of cryptographic keys. #ISO27002.2013:10.1

6.2.1 Key Management

C60 Procedures for the use, protection, and management of cryptographic keys throughout their whole lifecycle shall be developed, maintained and implemented. #ISO27002.2013:10.1.2, #LSA:7.11.14

6.3 Logging and Monitoring

Objective: To record events and generate evidence. #ISO27002.2013:12.4

6.3.1 Event Logging and Review

C61 Logging facilities and log information requirements shall be defined and applied. #ISO27002.2013:12.4.1, #LSA:2.8

C62 Event logs recording informational, warning and exception events of The University's information systems and information services shall be produced, kept and regularly reviewed. #ISO27002.2013:12.4.1, #LSA:2.8

6.3.2 Protection of Log Information

C63 Log information shall be protected against tampering and unauthorised access. #ISO27002.2013:12.4.2, #ISO27002.2013:12.4.3, #LSA:2.4, #LSA:2.7

6.3.3 Clock Synchronisation

C64 Logs shall be timestamped from a synchronised, single, constant reference time source. #ISO27002.2013:12.4.4

6.4 Control of Operational Software

Objective: To ensure a standard and secure operating environment for The University’s information systems and information services. #ISO27002.2013:12.5

6.4.1 Software Execution

C65 Where deemed appropriate, procedures and controls shall be established, implemented, and maintained to control the execution of software on The University’s information systems and information services. #ISO27002.2013:12.5.1

6.4.2 Restrictions on Software Execution by Users

C64 Subject to risk-based decisions, controls shall be established, implemented, and maintained to manage the installation and execution of software on The University's information systems by users. #ISO27002.2013:12.6.2

6.5 Technical Vulnerability Management

Objective: To identify, manage and prevent exploitation of technical vulnerabilities. #ISO27002.2013:12.6

6.5.1 Management of Technical Vulnerabilities

C66 Information about technical vulnerabilities of The University’s information systems and information services shall be obtained, and exposure to such vulnerabilities shall be evaluated and appropriate measures taken to address the risks. #ISO27002.2013:12.6.1, #LSA:14

6.6 Mobile Devices and Remote Working

Objective: To ensure the security of remote capability and use of mobile devices that access The University's electronic information and information services. #ISO27002.2013:6.2

6.6.1 Mobile Device Security

C67 Mobile devices that are deployed by The University shall be managed with appropriate security and rules of use in order to protect and manage risks to The University’s electronic information, and information services. #ISO27002.2013:6.2.1, #LSA:2.5.1

6.6.2 Remote Working Security

C68 Remote working environments shall be securely deployed and managed to ensure the protection of The University’s electronic information and information services. #ISO27002.2013:6.2.2, #LSA:7, #LSA:8.

7. Communications Security

Operational Responsibilities (Responsibility: Scope):

Networks Operations Manager: Information systems and information services
Network Installations Manager: Information systems and information services
Audiovisual Design and Installation Manager: Information systems and information services
Production Facilities - Data Centre Operations Manager: Information system facilities
Supply Chain Management Office Manager: Security elements of agreements regarding transfer of electronic information

7.1 Network and Communications Management

Objective: To ensure the protection of The University’s electronic information within The University’s internal and extended networks and network services, including the use of cryptography. #ISO27002.2013:13.1, #ISO27002.2013:10.1

Objective: To ensure the protection of The University’s electronic information transferred within The University and with any external party. #ISO27002.2013:13.2

7.1.1 Network Security

C69 Networks shall be securely designed, implemented and managed with the appropriate controls to protect The University’s electronic information. #ISO27002.2013:13.1.1, #LSA:3

7.1.2 Security of Network Services

C70 Where deemed important, security mechanisms, service levels and management requirements of network services shall be identified and included in associated procedures and agreements. #ISO27002.2013:13.1.2, #LSA:2, #LSA:13

7.1.3 Segregation in Networks

C71 Appropriate segregation controls shall be designed and applied for information systems, information services, and people. #ISO27002.2013:13.1.3, #LSA:13

7.1.4 Securing Network Communications and Information Transfers

C72 Network communications passing over internal and external networks shall be appropriately protected. #ISO27002.2013:14.1.2, #ISO27002.2013:14.1.3, #LSA:13

C73 Formal transfer procedures and controls shall be developed, maintained and implemented to protect the transfer of The University’s electronic information through communication services. #ISO27002.2013:13.2.1, #LSA:3, #LSA:13

C74 Agreements shall address the secure transfer requirements of The University’s electronic information between The University and external parties. #ISO27002.2013:13.2.2

C75 Information involved in electronic messaging and communication tools shall be appropriately protected. #ISO27002.2013:13.2.3, #LSA:3

C76 The use of cryptographic controls for the protection of The University’s information shall be developed, maintained and implemented. #ISO27002.2013:10.1.1

8. Security in Development and Implementation

Operational Responsibilities (Responsibility: Scope):

Business Performance Improvement Manager: Requirements analysis and specification
Application Solutions Manager: Information services
Application Management Manager: Information services
Testing Manager: Information services
Project Management Office / SI Planning and Control Manager: ICT security and risk management in projects
Information System, Information Service, and Information System Facility Owners: Information systems and information services

8.1 Defined Requirements

Objective: To ensure that ICT security and risk management is an integral part of the entire development and implementation lifecycle. #ISO27002.2013:14.1

8.1.1 Requirements Analysis and Specification

C77 Information security related requirements and controls shall be designed and applied in the development of new, or enhancements to existing, information systems and information services. #ISO27002.2013:14.1.1, #LSA:9.7

8.2 Security in the Development and Implementation Lifecycle

Objective: To ensure that information security is designed and implemented within the development and implementation lifecycle of The University’s information systems and information services. #ISO27002.2013:14.2

8.2.1 Development and Implementation Procedures

C78 Development and implementation procedures which include requirements for information security shall be developed, maintained and implemented. #ISO27002.2013:14.2, #ISO27002.2013:14.2.5, #LSA:9.7

8.2.2 Security in System Acceptance Testing

C79 Acceptance testing processes and related criteria, for information systems and information services, including upgrades and new versions, shall include information security testing requirements. #ISO27002.2013:14.2.9, #LSA:9.7

9. External Party Relationship Management

Operational Responsibilities (Responsibility: Scope):

Supply Chain Management Office Manager: Security elements of external party management
Information System, Information Service, and Information System Facility Owners: Security elements of external party management
Portfolio Managers & Service Delivery Managers: External service provider delivery management
(TBC) University Finance and Strategic Procurement: Security elements of external party management

9.1 Relationships with External Parties

Objective: To ensure protection of The University’s electronic information, where information systems, information services, and information system facilities are accessed or controlled by external parties. #ISO27002.2013:15.1

9.1.1 Information Security Requirements for External Party Relationships

C80 Information security requirements shall be developed, maintained and implemented to mitigate the security and technology risks associated with new, potential, or existing external parties accessing The University’s electronic information. This shall include The University’s legal, statutory, regulatory or contractual obligations related to the physical location of The University’s electronic information. #ISO27002.2013:15.1.1

9.1.2 Addressing Security Within External Party Agreements

C81 All relevant information security requirements shall be established, agreed and documented with each external party. #ISO27002.2013:15.1.2

9.1.3 Information and Communication Technology Supply Chain

C82 Agreements with external parties shall include requirements to address the information security risks associated with ICT services and product supply chain. #ISO27002.2013:15.1.3

9.2 External Service Provider Delivery Management

Objective: To maintain an agreed level of information security and service delivery where there are external service provider agreements. #ISO27002.2013:15.2

9.2.1 Monitoring and Review of External Party Services

C83 Subject to risk-based decisions, The University shall regularly monitor, review and audit external party service delivery. #ISO27002.2013:15.2.1, #ISO27002.2013:14.2.7

9.2.2 Managing Changes to External Party Services

C84 Changes to the provision of services by external parties shall be managed, taking into account The University’s electronic information, information systems, information services, information system facilities involved and re-assessment of risks. #ISO27002.2013:15.2.2

9.3 Information Services Provided to External Parties

Objective: To maintain an agreed level of information security and service delivery in line with agreements where The University is the provider of services to external parties.

9.3.1 Information Security Requirements for Services provided to External Party Relationships

C85 Where The University provides services to external parties, information security requirements shall be developed, maintained and implemented to mitigate the security and technology risks. This shall be in accordance with the external parties’ information security classification and include legal, statutory, regulatory or contractual obligations related to the physical location of information.

9.4 External Information Services Security Management

Objective: To ensure protection of The University’s electronic information, where information systems and information services are hosted by external parties. #ISO27002.2013:15.1

9.4.1 Obligation to Co-operate Regarding The University's Compliance Requirements

C86 The external information service provider shall enable The University to fulfil external or internal compliance obligations, including its obligation to facilitate the exercise of a person’s right to access, correct and/or erase PII pertaining to them. #ISO27018:2014:A.1.1, #LSA:7.14

9.4.2 The External Information Service Provider’s Purpose

C87 The University's electronic information shall not be used by the external information service provider for any purpose other than that defined by The University without the express consent of an authorised delegate. #ISO27018:2014:A.2.1, #ISO27018:2014:A.2.2

9.4.3 Secure Disposal

C88 Electronic information created by the external information service provider, which originates from The University’s electronic information, shall be appropriately erased or destroyed in accordance with any procedure and time periods agreed in the contract. #ISO27018:2014:A.4.1

9.4.4 The University's Electronic Information Disclosure Notification

C89 The external information service provider shall notify The University of any request for disclosure by law enforcement authorities in accordance with any procedure and time periods agreed in the contract, unless the notification of the request for disclosure is legally prohibited. #ISO27018:2014:A.5.1

9.4.5 Recording of The University's Electronic Information Disclosures

C90 Disclosures of The University’s electronic information, based on its information security classification, to other parties shall be recorded by the external information service provider, including what information has been disclosed, to whom and at what time in accordance with any procedure and time periods agreed in the contract. #ISO27018:2014:A.5.2

9.4.6 Disclosure of Third Parties Processing

C91 The use of third parties by the external information service provider to access or handle The University’s electronic information based on its information security classification, shall be disclosed to The University prior to any third parties being granted access. #ISO27018:2014:A.7.1

9.4.7 Notification of a Breach Involving The University's Electronic Information

C92 The external information service provider shall notify The University, in accordance with agreed service level agreements, in the event of any unauthorised access resulting in loss, disclosure or alteration of The University’s electronic information based on its information security classification. #ISO27018:2014:A.9.1

9.4.8 Administrative Security Policies and Procedures

C93 Security policies and operating procedures shall be developed, implemented, maintained, and retained by the external information service provider and be made available to The University upon request. #ISO27018:2014:A.9.2

9.4.9 The University's Electronic Information Return, Transfer and Disposal

C94 The external information service provider shall have a formally documented capability in respect of the return, transfer and/or disposal of The University’s electronic information based on its information security classification, and shall make this available to The University. #ISO27018:2014:A.9.3, #LSA:7.11

9.4.10 Confidentiality or Non-disclosure Agreements

C95 Individuals under the external information service provider’s control with access to The University’s electronic information shall be subject to appropriate and formally documented confidentiality obligations. #ISO27018:2014:A.10.1

9.4.11 Restriction of the Creation of Hardcopy Material

C96 The creation of hardcopy material containing The University’s information by an external information service provider shall be restricted based on its information security classification. #ISO27018:2014:A.10.2

9.4.12 Secure Disposal of Hardcopy Materials

C97 Where hardcopy materials are destroyed by the external information service provider, they shall be securely disposed in accordance with any procedure and time periods agreed in the contract. #ISO27018:2014:A.10.7

9.4.13 Control and Logging of Data Restoration

C98 There shall be an established, documented, and maintained procedure for, and a log of, data restoration. #ISO27018:2014:A.10.3

9.4.14 Protecting Data on Storage Media Leaving the Premises

C99 The University’s electronic information stored on media leaving the external information service provider’s premises shall be subject to an established, documented, and maintained authorisation procedure based on its information security classification, and shall not be accessible to anyone other than authorised personnel. #ISO27018:2014:A.10.4

9.4.15 Use of Unencrypted Portable Storage Media and Devices

C100 Portable physical media and portable devices that do not permit encryption shall not be used by the external information service provider except where it is unavoidable, and any use of such portable media and devices shall be risk managed based on The University’s electronic information security classification. #ISO27018:2014:A.10.5

9.4.16 Protection of The University’s Electronic Information Transmitted Over Public Data-transmission Networks

C101 The University’s electronic information that is transmitted by the external information service provider over public data-transmission networks shall be appropriately protected based on its information security classification. #ISO27018:2014:A.10.6, #LSA:7.11, #LSA:7.12

9.4.17 Unique Use of User IDs

C102 Each external information service provider individual with access to The University’s stored electronic information shall have a distinct user ID for identification, authentication and authorisation purposes. #ISO27018:2014:A.10.8, #LSA:7.9, #LSA:7.10

9.4.18 Records of Authorised Users

C103 The external information service provider shall maintain an up-to-date record of the users and profiles of users who have authorised access to their information systems. #ISO27018:2014:A.10.9

9.4.19 User ID Management

C104 The external information service provider shall not grant de-activated or expired user IDs to other individuals. #ISO27018:2014:A.10.10, #LSA:7.10

9.4.20 Contract Measures

C105 Agreements and contracts between The University and external information service providers shall specify minimum technical and organisational measures to ensure that the contracted security arrangements are in place and that information is not processed for any purpose independent of the instructions of The University. Such measures shall not be subject to unilateral reduction by the external information service provider. #ISO27018:2014:A.10.11

9.4.21 Sub-contracted Information Processing

C106 Agreements and contracts between external information service providers and any sub-contractors that process The University's electronic information shall specify minimum technical and organisational measures that meet the information security and information protection obligations of the external information service provider. Such measures shall not be subject to unilateral reduction by the sub-contractor. #ISO27018:2014:A.10.12

9.4.22 Pre-used Storage Space

C107 The external information service provider shall ensure that whenever data storage space is assigned to any other information service customer, any University electronic information previously residing on that storage space is not visible to the service customer. #ISO27018:2014:A.10.13

9.4.23 Geographical Location of The University’s Electronic Information

C108 The external information service provider shall specify and document the countries in which The University’s electronic information might possibly be stored. #ISO27018:2014:A.11.1

9.4.24 Intended Destination of The University’s Electronic Information

C109 The University’s electronic information transmitted using a data-transmission network shall be subject to appropriate controls designed to ensure that data reaches its intended destination. #ISO27018:2014:A.11.2, #LSA:7.11

10. Information Security Incident Management

Operational Responsibilities (Responsibility: Scope):

IT Security and Risk Manager: Security related aspects of incident management
Service Management Office Manager: IT incident management

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events, threats and vulnerabilities, as part of an overall incident management process. #ISO27002.2013:16.1

10.1 Information Security Incident Management

10.1.1 Responsibilities and Procedures

C110 Incident management responsibilities and procedures shall be developed, maintained and implemented, and include effective, risk-based response to information security incidents, in consideration of the University’s electronic information security classification. #ISO27002.2013:16.1.1, #LSA:14.6

10.1.2 Reporting Events and Weaknesses

C111 Any suspected or actual information security event, weakness, and technology risk related event shall be reported through approved procedures as quickly as possible. #ISO27002.2013:16.1.2, #ISO27002.2013:16.1.3, #LSA:3.7, #LSA:14.6

10.1.3 Assessment and Response

C112 Information security events, weaknesses, and ICT risk related events shall be risk assessed. Information security incidents shall be classified based on approved, risk-based criteria and the incident management priority matrix. #ISO27002.2013:16.1.4, #LSA:14.6

C113 Information security incidents shall be responded to in accordance with the approved incident response procedures. #ISO27002.2013:16.1.5, #LSA:14.6

10.1.4 Learning From Incidents

C114 Incident management procedures shall include the use of a post-incident review process, and the knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. #ISO27002.2013:16.1.6

10.1.5 Collection of Evidence

C115 Evidence shall be identified, collected, acquired, and preserved according to established, documented, and maintained procedures, in consideration of The University’s electronic information security classification. #ISO27002.2013:16.1.7

11. Disaster Recovery and Business Continuity Management

Operational Responsibilities (Responsibility: Scope):

Service Delivery Managers: Disaster recovery management
Servers and Storage Operations Manager: Information systems and information services
Application Management Manager: Information services
Production Facilities - Data Centre Operations Manager: Information system facility
(TBD) BCP Manager: Information security within business continuity

11.1 Information Security Continuity

Objective: To ensure information security continuity is embedded in The University’s business continuity management. #ISO27002.2013:17.1

11.1.1 Information Security Continuity

C116 The University shall plan, implement, and review its requirements for information security and the continuity of information security management in The University’s business continuity management policies, procedures, and systems. #ISO27002.2013:17.1.1, #ISO27002.2013:17.1.2, #ISO27002.2013:17.1.3

11.2 Disaster Recovery

Objective: To ensure The University’s electronic information is securely recovered after significant incidents whilst meeting its integrity and availability requirements. #ISO27002.2013:17.2

11.2.1 Availability of Information Systems, Information Services and Information System Facilities

C117 Information systems, information services and information system facilities shall be implemented with sufficient redundancy and tested, to meet business availability requirements. #ISO27002.2013:17.2.1

11.2.2 Information Backup

C118 Backup procedures for The University's electronic information based on its information security classification, and software and system images shall be developed, maintained and implemented. #ISO27002.2013:12.3.1

11.2.3 Developing and Implementing Disaster Recovery

C119 A Disaster Recovery Strategy shall be developed and implemented in consideration of business requirements and The University’s electronic information security classification, to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, information systems, information services, and information system facilities. #ISO27002.2006:14.1.3

11.2.4 Testing, Maintaining and Reassessing Disaster Recovery

C120 Disaster Recovery shall be tested and updated in accordance with the Disaster Recovery Strategy to ensure that it is up to date and effective. #ISO27002.2006:14.1.5

12. Compliance

Operational Responsibilities (Responsibility: Scope):

Chief Officer/Executive: Compliance governance
IT Security and Risk Manager: Assurance for information security and technical compliance
Supply Chain Management Office Manager: External party compliance
(TBC) University Risk and Compliance Unit Director: University's risk and compliance
University Internal and External Audit: Measurement of the adequacy and effectiveness of controls

12.1 Compliance with External and Contractual Requirements

Objective: To understand and comply with The University’s legal, statutory, regulatory or contractual obligations related to information security. #ISO27002.2013:18.1

12.1.1 Identification of Applicable Legislation and Contractual Requirements

C121 All relevant legislative, statutory, regulatory and contractual requirements for The University's information, and The University’s compliance approach, shall be explicitly identified, documented and maintained. #ISO27002.2013:18.1.1

12.1.2 Intellectual Property Rights

C122 Procedures shall be developed, maintained and implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of intellectual property. #ISO27002.2013:18.1.2

12.1.3 Protection of Records

C123 Records subject to legislative, regulatory, contractual, and business requirements shall be protected from loss, unauthorised destruction, falsification, unauthorised access and unauthorised release. #ISO27002.2013:18.1.3

12.1.4 Privacy and Protection of Personally Identifiable Information

C124 Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation. #ISO27002.2013:18.1.4

12.1.5 Regulation of Cryptographic Controls

C125 Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. #ISO27002.2013:18.1.5

12.2 Information Systems Audit Considerations

Objective: To ensure the impact of audit activities on operational systems is considered during planning. #ISO27002.2013:12.7

12.2.1 Information Systems and Information Services Audit Controls

C126 Audit requirements and activities involving verification of The University’s operational information systems, and information services shall be carefully planned and agreed with all relevant parties to minimise disruptions to business processes. #ISO27002.2013:12.7.1

12.3 Compliance with Information Security Policy and Procedures

Objective: To validate the security of The University’s operational information systems and information services. #ISO27002.2013:18.2

12.3.1 Independent Review of Information Security

C127 The University’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. #ISO27002.2013:18.2.1

12.3.2 Compliance with Security Policies and Standards

C128 Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. #ISO27002.2013:18.2.2

12.3.3 Technical Compliance and Testing

C129 The University will establish and execute a program of technical compliance reviews to ensure risks are being appropriately managed. #ISO27002.2013:18.2.3, #LSA:11, #LSA:14.13

C130 Testing and assurance of information security functionality and requirements shall be conducted. #ISO27002.2013:14.2.8, #LSA:9.5

Framework Owner
Chief Information Owner

Content Enquiries
eSolutions Service Desk

Related Policies

ICT Security and Risk Policy

Electronic Information Security Policy

Recordkeeping Policy

Information Technology Use Policy - Staff & Other Authorised Users

Acceptable Use of Information Technology Facilities by Students Policy

Research Data Management Policy

Related Documents

ICT Security Procedures
Electronic Information Security: Callista Access Procedures
Electronic Information Security: Responsibilities, Classifications and Standards Procedures
Electronic Information Security: Payment Card Industry Data Security Standard (PCI DSS) Procedures (Australia Only)
Recordkeeping: Retention and Disposal of University Records Procedures (Australia only)
Acceptable Use of Information Technology Facilities by Students Procedures