Information Security Policy

Section 1 - Purpose of Policy

(1) This Policy defines the principles to ensure that the University of Wollongong’s (the University) Information Technology (IT) Resources are appropriately secured. 

(2) The University has established an Information Security Management System (ISMS) aligned to the ISO/IEC 27001:2022 Information Security Standard, and a set of Security Objectives, to implement these principles.

Section 2 - Application and Scope

(3) This Policy applies to:

  1. all users, including students, staff, suppliers and affiliates of the University;
  2. all University IT Resources and all IT Resources owned, leased or operated by third parties on behalf of the University;
  3. all individuals who access, use or manage University IT Resources on behalf of the University; and
  4. all University campuses and offices, including controlled entities and subsidiaries, in Australia and overseas.

Section 3 - Policy / Procedure / Guideline

(4) The University’s IT Resources must be securely managed, maintained and protected. This is achieved through the University’s Policy Framework and the ISMS Local Protocols, including, but not limited to:

  1. Acceptable Use Policy;
  2. Asset Management Policy;
  3. Asset Disposal Policy;
  4. Business Continuity Management Policy;
  5. Controlled Entity Policy;
  6. Copyright Policy;
  7. Data Breach Policy;
  8. Data Governance and Management Policy;
  9. Enterprise Risk Management Policy;
  10. Managing and Investigating Potential Breaches of the Research Code Policy;
  11. Privacy Policy;
  12. Purchasing and Procurement Policy;
  13. Records Management Policy;
  14. Research Data Management Policy;
  15. Telephone and Mobile Use Policy;
  16. Workplace Health and Safety Policy;
  17. Backup and Archiving Local Protocol;
  18. Encryption and Key Management Local Protocol;
  19. Identity and Access Management Local Protocol;
  20. Information Asset Management Local Protocol;
  21. Information Asset Security Classification Local Protocol;
  22. Log Management and Monitoring Local Protocol;
  23. Malicious Code Local Protocol;
  24. Mobile Devices and Teleworking Local Protocol;
  25. Network Infrastructure and Configuration Local Protocol;
  26. Patch and Vulnerability Management Local Protocol;
  27. Physical Security Local Protocol;
  28. Secure Deletion and Disposal Local Protocol;
  29. Secure Development Local Protocol;
  30. Security Assurance Local Protocol; and
  31. Supplier Security Local Protocol.

Section 4 - Principles

(5) The University is committed to the following Information Security Objectives: 

  1. maintaining a high level of security awareness among all staff, students and affiliates by emphasising that everyone is responsible and accountable for protecting information; 
  2. implementing effective security controls in collaboration with stakeholders to maintain the University’s reputation and ensure robust information protection; 
  3. operating an ISMS in accordance with the University’s Enterprise Risk Management Policy and adhering to the best practices of ISO/IEC 27001:2022 Standard; 
  4. providing staff, students and affiliates with assurance of robust security practices and supporting their continual improvement;
  5. providing a structured and comprehensive approach to information security risk management, ensuring consistent and comparable results; 
  6. monitoring the University’s IT resources and investigating all detected security breaches and weaknesses; 
  7. providing timely reporting of information security events and making decisions based on the best available information, including historical data, current insights, and future expectations; and 
  8. supporting compliance with all legal, regulatory and contractual requirements.

Section 5 - Roles and Responsibilities

Chief Information Digital Officer

(6) The Chief Information Digital Officer has the following responsibilities:

  1. enacting this Policy and the supporting ISMS policies and procedures; 
  2. approving local protocols and supporting operational procedures to support this Policy; 
  3. ensuring effectiveness of cyber security measures through monitoring programs; 
  4. approving the isolation or disconnection of any equipment or IT facility from the University Network which poses a severe and unacceptable risk; 
  5. approving exemptions where it is impractical to satisfactorily comply with this Policy in whole or part and it is demonstrated that the risk is acceptable; 
  6. approving access to the University’s Information Assets; and 
  7. reporting to appropriate governance bodies including but not limited to the Risk, Audit and Compliance Committee on matters pertaining to cyber security.

Associate Director Cyber Security

(7) The Associate Director Cyber Security has the following responsibilities:

  1. owning and operating processes required by the ISMS policies, procedures and local protocols;
  2. undertaking continuous development, monitoring and improvement of cyber defences;
  3. conducting educational activities to ensure awareness of cyber security threats and defences; and
  4. reporting all relevant security incidents and breaches in line with the University’s Data Breach Response Plan.

Risk, Audit and Compliance Committee

(8) The Risk, Audit and Compliance Committee has the following responsibilities:

  1. monitoring cyber security risks and controls by reviewing the outcomes of cyber risk management processes and monitoring emerging risks; and
  2. overseeing the adequacy of cyber security capability and controls. 

Staff with Responsibility for Managing any IT Resource

(9) Staff who manage any IT resource have the following responsibilities:

  1. developing, operating and managing the IT Resources according to the ISMS;
  2. regularly monitoring and assessing the related cyber security controls to ensure ongoing effectiveness; and
  3. immediately reporting all security incidents and breaches to the Cyber Security Team via the Service Desk.

Section 6 - Definitions

Word/Term: Definition (with examples if required)

Affiliate
Affiliate means any individual who is not an employee of the University but is formally appointed or engaged to perform duties or functions on behalf of the University, or who has a recognised association with the University. This includes, but is not limited to:
• holders of University Honorary Awards (e.g., Emeritus Professors, Honorary Doctors, University Fellows);
• individuals appointed under the University’s Appointment of Visiting and Honorary Academics Policy;
• consultants, contractors, and agency staff;
• volunteers and work experience students;
• office holders in University entities, boards, committees, or foundations; and
• individuals affiliated through formal education or research partnerships.

Business Continuity
The processes and information assets required to maintain the University’s core services to its stakeholders.

Contract/Agreement
A legally binding document establishing the minimum requirements to which both parties to the contract must adhere.

Cyber security
The practice of defending computing devices, networks and stored data from unauthorised access, use, disclosure, disruption, modification, or destruction.

Governance
For the purposes of this Policy, governance means the rules outlining which individual, role or group can approve what actions or documents throughout the University.

Incident
An information security event which may impact the confidentiality, integrity or availability of an information asset.

Information
Any digital or physical raw, processed, organised, presented or structured data created, stored or used by the University.

Information Asset
Any process or technology used to deliver business objectives or services. An information asset includes, but is not limited to:
 i. a physical device such as a laptop;
 ii. a physical server;
 iii. a virtual server;
 iv. a cloud system;
 v. a database;
 vi. an application; or
 vii. a file.
For the purposes of this policy, information assets are the University’s:
 a. Computing facilities;
 b. Collaboration hardware and software;
 c. Artificial intelligence capabilities; and
 d. Communications facilities. (Examples include, but are not limited to, telephones, facsimiles, mobile telephones, computers, tablets, printers, photocopiers, other devices, email, internet access, network infrastructure, web services and cloud services.)

Information Technology (IT) Resources
IT Resources are also known as the University’s information and information assets.

Monitoring
An information asset (IT system or person) watching an information asset (IT system) for anomalous activity.

Remote/Teleworking
Accessing the University’s information assets or performing work on behalf of the University while not physically present on the University’s controlled sites or campuses.

Staff
All people employed by the University, including conjoint appointments, whether on a continuing, permanent, fixed term, casual, cadet or traineeship basis.

Supplier/Third Party/Vendor
Any legal entity, contractor or provider, legally distinct from the University, which provides services to the University.

University Network
The network infrastructure used by the University, including all network services on the main campus and satellite campuses with trusted access to the University’s services. The connections can be physical (e.g. cables) or remote/wireless.

User
A person assigned a user account by the University, or a person who is otherwise authorised to use the University’s IT Resources.

User Account
An identity assigned to a user, with an associated username, for the purpose of accessing IT Resources that require authentication by the user. Also referred to as an account throughout this document.