
Cyber Security Policy


Section 1 - Purpose of Policy

(1) This document sets out the University’s policy on cyber security.

(2) Cyber security is about defending IT facilities and services and stored data from unauthorised access, use, disclosure, disruption, modification, and destruction. It seeks to ensure the integrity, availability, confidentiality and safety of data and services, and ensures that controls are proportionate to risk.

(3) This Policy is supported by a cyber security framework which includes supplementary policies; guidelines on specific topics; operational practices; action plans; technology controls; education programs and monitoring and assurance activities.


Section 2 - Application and Scope

(4) This Policy applies to all users and devices of IT facilities and services at the University.

(5) All users should be aware of this Policy, their responsibilities, and legal obligations.

(6) All users and devices are required to comply with this Policy and are bound by law to observe applicable statutory legislation.


Section 3 - Policy Principles

(7) All University IT facilities and services will be protected by effective management of cyber security risks.

(8) Use of IT facilities and services must comply with University policies and relevant legislation. Examples of legal regulation include privacy, copyright, government information (public access), equal employment opportunity, intellectual property and workplace health and safety.

(9) IT facilities and services will be provided, managed, and operated such that:

  1. the ‘critical security controls’ maintained by the Centre for Internet Security are adopted to establish a broad and effective defensive base. This is an evidence based, pragmatic and practical approach that recognises an expert consensus agreement on priority controls. The critical security controls have been matured by an international community of institutions and individuals that:
    1. share insight into attacks and attackers, identify root causes, and translate these into classes of defensive action;
    2. document stories of adoption and share tools to solve problems;
    3. track the evolution of threats, the capabilities of adversaries, and current vectors of intrusions;
    4. map the controls to regulatory and compliance frameworks and bring collective priority and focus to them;
    5. share tools, working aids, and translations; and
    6. identify common problems (such as initial assessment and implementation roadmaps) and solve them as a community instead of alone.
  2. These activities ensure that the controls are a prioritised, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and compliant with all industry or government security requirements.
  3. Security critical infrastructure, application services and data are individually identified and are subject to risk-based management and additional controls as appropriate.
  4. A monitoring program is approved annually by the Chief Information Digital Officer, to ensure ongoing effectiveness of cyber security that includes activities such as auditing, log and event analysis, vulnerability scanning and penetration testing.
  5. Disaster recovery plans for security critical applications and foundational IT infrastructure are developed and maintained and an associated testing program is approved annually by the Chief Information Digital Officer.

Section 4 - Roles and Responsibilities

Chief Information Digital Officer

(10) The Chief Information Digital Officer has the following responsibilities:

  1. taking carriage of this Policy and supporting framework;
  2. ensuring effectiveness of cyber security measures through monitoring programs;
  3. ensuring effectiveness of disaster recovery plans through a program of testing;
  4. appointing a cyber security team;
  5. approving supporting operational procedures to support this Policy;
  6. approving the isolation or disconnection of any equipment or IT Facility from the University network which poses a severe and unacceptable risk; and
  7. reporting to appropriate governance bodies including but not limited to the Risk, Audit and Compliance Committee on matters pertaining to cyber security.

Cyber Security Team

(11) The cyber security team has the following responsibilities:

  1. owning and operating processes required by the cyber security policies and framework;
  2. undertaking continuous development and improvement of cyber defences;
  3. undertaking continuous monitoring and review of practices and defences;
  4. conducting educational activities to ensure awareness of cyber security threats and defences; and
  5. reporting all relevant security incidents and breaches in line with the UOW Data Breach Response Plan.

Risk, Audit and Compliance Committee

(12) The Risk, Audit and Compliance Committee has the following responsibilities:

  1. monitoring cyber security risks and controls by reviewing the outcomes of cyber risk management processes and monitoring emerging risks; and
  2. overseeing the adequacy of cyber security capability and controls.

Staff with responsibility for managing any IT Facility or Service

(13) Staff who manage any IT Facility have the following responsibilities:

  1. developing, operating and managing the IT Facilities and Services according to University cyber security policy documents;
  2. regularly monitoring and assessing the related cyber security controls to ensure ongoing effectiveness; and
  3. immediately reporting all security incidents and breaches to the cyber security team.

Users of IT Facilities and Services

(14) Individual users have the following responsibilities for themselves and their devices:

  1. using IT facilities and services according to IT policies at all times;
  2. being aware of the security requirements of the IT facilities and services they use, and taking every precaution to safeguard their access to these systems against unauthorised use; and
  3. immediately reporting any known or suspected security incidents and breaches to IMTS.

Section 5 - Definitions

Word/Term: Definition (with examples if required)

Cyber security: The practice of defending computing devices, networks and stored data from unauthorised access, use, disclosure, disruption, modification, or destruction.

IMTS: Information Management & Technology Services at the University of Wollongong.

IT Facilities and Services: Information Technology facilities operated by or on behalf of the University. This includes services and systems and associated computing hardware and software used for the communication, processing, and storage of information.

University: University of Wollongong and controlled entities.

University network: The network infrastructure used by the University, including all network services on the main campus and satellite campuses with trusted access to UOW services.

User: A person assigned a User Account by the University, or a person who is otherwise authorised to use University IT Facilities and Services.