Information Security Policy

decisioncrunch, Networks and Communications, 20 Nov 2013

Division of Information Technology
Policy Document No:
Page 1 of 10

Title: Information Security Policy
Version: Version 6.1
TRIM file number:
Short description: DIT Policy for Information Security
Relevant to:
Approved by: Executive Director, Department of Information Technology
Responsible officer: Executive Officer of Information Technology
Responsible office: Office of Executive Director of Information Technology
Date introduced: 20 February 2002
Date(s) modified: 19 October 2007
Next scheduled review date: 19 October 2010
Related legislation:
Key words:
Policy for Information Security

1. Introduction
2. Scope
3. Objectives
4. Timing
5. References
6. Responsibilities
7. Method
8. Author History

1. Introduction

Charles Sturt University's information technology resources are a valuable asset. Information security is an enabling mechanism that seeks to minimize the risks associated with the sharing of information.

This policy details the intent, principles, goals and responsibilities associated with the security of Charles Sturt University owned and operated computing and communications systems and infrastructure, and of the information stored on or transported over them.


2. Scope

This policy applies to all authorised users of computing and communication systems, services, facilities, physical IT assets and information assets owned or utilized by CSU.

Exemptions from specific provisions of this policy may be granted by the Executive Director, Division of Information Technology, on application from members of the Senior Executive group, Deans, Executive Directors, Directors, Heads of School or Heads of Section.

3. Objectives

This policy is intended to inform the CSU Community of the allocation of responsibilities for the protection of CSU computing and communications facilities.

4. Timing

This policy is effective immediately and is subject to annual review, and to review in response to changing circumstances.


5. References

This policy shall operate in conjunction with:

(a) The Charles Sturt University "Policy for the Use of University Computing Communication Facilities"
(b) The Charles Sturt University "Policy for Approval, Requirements and Responsibilities for Connecting Servers to the CSU Network"
(c) The Charles Sturt University IST Security Matrix
(d) The Charles Sturt University Password Policy
(e) DIT Staff Exit Procedure
(f) DIT Staff Exit Form
(g) Termination process for all users
(h) Incident Report Form
(i) CSU Master Data Security Classification and Governance

6. Responsibilities

Executive Director, Information Technology

The Executive Director, Information Technology is responsible for developing, maintaining, overseeing and interpreting organization-wide information security management policies, standards, guidelines, procedures and practices as they apply to CSU owned or utilized information assets.

CSU Information Security Team (IST)

Day to day management of information security is the responsibility of the Information Security Team (IST).

IST:

a) Reports to the Executive Director, Information Technology.
b) Is convened by the Director, Operations.
c) Has a membership drawn from computing and communications technical specialists across the University.

IST is required to meet regularly to:


a) Develop and maintain a proactive security and risk control program that incorporates governance, processes, architectures and controls with time frames for implementation.
b) Identify metrics and implement monitoring for information security reporting and trend analysis.
c) Respond to information security incidents.
d) Review and report upon security incidents that may arise.
e) Make recommendations in respect of information security policies, standards and guidelines.
f) Monitor the implementation of new information security policies, standards and guidelines.
g) Facilitate information systems risk assessments for client areas.
h) Facilitate the preparation of information security action plans.
i) Evaluate information security products; and
j) Facilitate other activities necessary to ensure a secure information systems environment.

IST is also required to:

a) Keep the CSU Internet Community informed of important issues affecting the safe and secure exchange of information within CSU.
b) Promote the adoption of good information security practices across the CSU Community.

Security Technical Specialist

The Security Technical Specialist will work with the Enterprise Architecture group and the IST to:

a) Provide a leading role in the provision of information security governance.
b) Recommend controls for identified information security risks.
c) Assist with the purchase, configuration and deployment of information security technologies.
d) Provide a contact point for DIT and CSU information security related advice.


Information Architect

The Information Architect is responsible for:

a) Ensuring data classification has been completed by the respective Data Custodian for each entity within the CSU Master Data Model.
b) Management of master data classification documentation, and making this classification information available to the relevant persons for security control implementation purposes.
c) Liaising with the IST to provide input on Data Security Governance.

Data Custodians

The data custodians are responsible for:

a) Determining the classification level of the master data in their custody using the Risk Assessment process.
b) Recommending which users or systems can access master data, in alignment with the assigned security classification level.

System Administrators

System Administrators within the Division of Information Technology

System administrators within the Division of Information Technology are responsible for acting as information systems security coordinators. These individuals are responsible for establishing appropriate user privileges, monitoring access control logs, and performing similar security actions for the systems they administer. For example, they are responsible for ensuring that users are assisted in avoiding easily guessed passwords. They are also responsible for reporting any suspicious information security related activities to the IST, via the Information Technology Service Desk.

All System Administrators

For the purposes of this policy, a System Administrator is any person who holds the "super-user" password to any computer system.

System Administrators will serve as local information security liaison officers and are responsible for implementing the requirements of this, and other, information security policies, standards, guidelines and procedures on the systems they administer.

They are responsible for ensuring that:

a) Every multi-user system includes sufficient automated tools to assist the system administrator in verifying the system's security status. These tools must include mechanisms for the recording, detection and correction of commonly encountered security issues.
b) All privileged system account (root, administrator, etc.) passwords are made available to the Chair of the IST, Division of Information Technology, each time the password is altered. If this information is unavailable, DIT reserves the right to remove the device from the network.
c) All systems reside in the correct network segment appropriate to the system's application and security requirements.
d) The storage, transfer or copying of CSU Master Data is in accordance with the CSU Master Data Security Classification and Governance procedures.
e) If so requested by the IST, they use the change management process to:
   o promptly load the most recent version of the operating system; and
   o promptly apply all relevant security patches to the operating system that have been released by either:
     (a) Knowledgeable and trusted support groups, such as the Australian Computer Emergency Response Team (AusCERT), the CSU Information Security Team (IST), the international Computer Emergency Response Team (CERT), the System Administration, Networking, and Security Institute (SANS), etc.
     (b) The operating system vendor.

Further information is available on the IST Web Site, including links to various Operating System vendors.

Database Administrators and Application Developers/Administrators

Database Administrators and Application Developers will serve as local security liaison officers and are responsible for implementing the requirements of this, and other, information security policies, standards, guidelines and procedures on the database or application they administer.

They are responsible for ensuring that:

a) All relevant security patches for the database or application are promptly applied using the change management process.
b) CSU Master Data is copied, transferred or stored in accordance with the CSU Master Data Security Classification and Governance procedures.

Responsibilities of Supervisors

All senior staff of the University, including Deans, Heads of School, Executive Directors and Directors, are responsible for ensuring that appropriate information security measures are observed in their area, and that all users are aware of Charles Sturt University policies related to information security management. Users are responsible for complying with this, and all other, Charles Sturt University policies defining information security measures.

Responsibilities of all Staff

All staff of the University are required to make themselves aware of the general security required when dealing with confidential, private and personal information, including:

a) Ensuring laptop devices are not left unattended in vulnerable or public areas.
b) Ensuring unattended workstations and laptops have screen saver security employed after a period of inactivity of no longer than 30 minutes.
c) Ensuring the use of passwords that are not easily guessable.
d) Not disclosing passwords to any other person.
e) Active compliance with the University's Policy on the Use of Computing Facilities (see references section).
f) Actively reporting any security incidents that may warrant further investigation.
7. Method

All Information Security matters are to be conducted in accordance with the IST security and risk control program.

1. Incident Reporting

The IST is responsible for conducting investigations into any alleged information security compromise, incident or problem. All security compromises, or potential security compromises, must be reported to the Information Technology Service Desk, and then passed on to the IST for attention. Where possible the Incident Reporting Form should be used.


2. Access to CSU IT Facilities

CSU IT facilities are only available to authorised users. Limited access is available to students who have graduated, or who are on Approved Leave of Absence. Access will be granted in accordance with the specific policies referred to in the reference section of this policy. In most cases, access will only be granted to users with a valid username and password.

Staff members terminating their employment with the University undergo a staff exit interview with Human Resources. Additionally, IT staff members terminating employment are interviewed by their manager/supervisor to ensure security measures are maintained (see references for documentation).

3. Firewalling / Network Restriction

In the interest of system security, various parts of the CSU network may be segregated and access to certain facilities may be controlled. Examples of segregated network segments which are subject to certain firewalling restrictions include the campus residential network segments and the administrative server network segments.

Access to certain areas of the network may require authentication and may require data transfers to be conducted via secure means.

Devices connecting to the CSU network may be inspected for compliance with CSU security policies. Non-compliance may result in restricted network access.

4. Devices Connected to the CSU Computing and Communications Network

In the interests of protecting the University network:

a) Only IST approved network attachable devices can be attached to the CSU network without the specific approval of the Executive Director, Information Technology. Non-approved devices may be isolated and have limited network access until approval is granted.
b) No PC or server connected to the CSU network will have direct access to the Internet without the specific approval of the Executive Director, Information Technology.
c) Only IST approved methods of remotely accessing the CSU network may be used. Devices may be checked for compliance with policies before access is granted.


5. Backups / Disaster Recovery / Business Continuity

To protect CSU IT facilities from loss or damage, workstation users are responsible for backing up the information stored on their own workstations to their P: or S: drive (quota limits apply) or to local removable media. For multi-user information facilities, the Division of Information Technology is responsible for making regular, periodic backups and archives, as per approved policies and procedures.

The Division of Information Technology has an Information Technology Business Continuity Management Plan (ITBCMP) (see references section), which is regularly updated. The process includes:

(a) Partial business continuity testing and auditing
(b) Complete business continuity testing and auditing
(c) Individual plans for key areas
(d) Appropriate reporting mechanisms

6. Security Audits

IST is responsible for facilitating the conduct of regular IT audits.

The CSU infrastructure is regularly checked for current security weaknesses. Weaknesses are dealt with as soon as they arise, on the advice and recommendations of the IST. Further information is linked from the IST web site.

7. Computer Virus Protection

To assure continued service uninterrupted by virus activity, CSU provides anti-virus software to all authorized users. All users must use approved virus screening software and may be checked for compliance.

CSU has a virus control and response group to monitor and advise on requirements. Further information is linked from the IST web site.

8. Access to Installer/Administrator Rights

All CSU workstations are subject to policy restricting modifications to the University standard Operating System image. To facilitate authorized installation of required specialized software, users may apply for temporary installer rights. Users should be aware that the installation of specialized software may result in non-compliance with CSU IT security policies and result in restricted network access.

Further information is linked from the IST web site.


9. Physical Access to CSU IT Facility Server Rooms

Access to locations housing CSU IT Facility servers and/or CSU IT network equipment is restricted to approved persons. These locations will be kept physically secure at all times by a method deemed appropriate by the Executive Director, Information Technology, on the advice of the IST.

All persons entering these locations will be under video surveillance, and the images will be stored in a remote location.

Access to areas housing CSU IT equipment such as System Administrators' workstations will generally be restricted to approved personnel, unless in the direct company of an approved person.

10. Emergency Planning

All matters deemed an emergency by the Executive Director, DIT (or a nominee) will be handled in accordance with standards and guidance provided by the CSU Emergency Planning Committee (EPC) and the CSU Emergency & Critical Incident Management Committee (ECIMC). These committees are a source of information when dealing with a variety of emergency and critical incident situations within the University.

8. Author History

Date      Author      Version  No. Pages  Description
20/02/02  G Fieldus   1.1                 Draft Document
28/03/03  G.Taylor    2.0                 Revision
14/08/03  G.Taylor    2.01                Minor changes and typo fixes
10/12/03  M.Rebbechi  3.0                 Formatting for SEG
19/10/07  L.Weston    4.0                 Update including new positions