IT Security Procedures
- Personal Computer Security
- Reporting IT Security Issues
- University Monitoring and Logging
- Procedure for handling breaches of IT Policy that constitute illegal activity, misconduct or serious misconduct
- Data Security
- Responsibility for Security of IT Facilities
These Procedures are made under the IT Acceptable Use and Security Policy, to support the principles enunciated in that Policy by:
a) Establishing clear mechanisms for rapidly responding to threats to the IT infrastructure (for instance, via hacking or virus threats);
b) Providing processes to appropriately handle other security incidents, from minor breaches of Policy through to serious misconduct; and
c) Clearly delineating the lines of responsibility for handling security incidents within the University.
1. Personal Computer Security
Responsibility: All University IT account holders
a) All IT account holders are expected to familiarise themselves with the Security Best Practice Standards (available on the Information Technology Services (ITS) website) and comply with them.
b) All University owned or leased personal computers, desktops or laptops must be configured to have a password-enabled screensaver that activates after a set period of account holder inactivity.
c) Account holders must either log off or leave screensavers locked when leaving their workstations unattended.
d) Account holders must not allow another person to use their IT account and password. Similarly, an account holder must not attempt to initiate or operate a computer session by using another person's account and password, or by any other means.
2. Reporting IT Security Issues
Responsibility: All University IT account holders
All University IT account holders must:
a) Report any security weakness or threat to University IT facilities that they suspect or observe to the ITS Helpdesk immediately on 8303 3000.
b) Report any known or suspected breaches of the IT Acceptable Use and Security Policy and its associated Procedures to the ITS Helpdesk as soon as possible. If the breach is particularly sensitive or serious, they may choose to report the breach directly to the Network Operations and Information Security Team by emailing email@example.com.
c) Report lost, stolen or damaged computers or other IT equipment to the ITS Helpdesk as soon as possible. The loss or damage should also be reported to Prudential Services on 8303 4539 as an adverse event for insurance purposes.
3. University Monitoring and Logging
Responsibility: ITS, Marketing & Strategic Communications, Heads of School and Branch Heads
a) All use of University IT facilities is logged by the University.
b) The logs are routinely monitored to assist in the detection of breaches of these Procedures and the IT Acceptable Use and Security Policy.
c) In addition to routine monitoring, an individual account holder's use of IT facilities will be examined if:
i. A potential breach of University Policy, or State or Commonwealth Law, is detected or reported, or
ii. The University needs to retrieve or examine the content of electronic documents or messages for purposes such as finding lost files or messages, complying with legal authorities, or recovering from system failure, or
iii. An account holder's supervisor requests in writing that the account holder's use of IT facilities be examined.
d) Monitoring the use of IT facilities may be undertaken with or without prior notice to the account holder or user.
e) The University periodically monitors the content of web pages and may request that nominated material be updated or removed.
4. Procedure for handling breaches of IT Policy that constitute illegal activity, misconduct or serious misconduct
Responsibility: Director, Human Resources and General Manager, Student Services
a) If a breach of IT policy is detected or reported to ITS which potentially constitutes illegal activity, misconduct or serious misconduct, then ITS must refer the breach to the Director, Human Resources (for staff, titleholders or visitors) or the General Manager, Student Services (for students).
b) If the account holder is both a staff member and student, then the breach will be referred to the Director, Human Resources, who will consult with the General Manager, Student Services as required.
c) If there is any uncertainty about whether a breach of IT policy potentially constitutes illegal activity, misconduct or serious misconduct, ITS must consult with Human Resources and/or Student Services to determine whether the matter should be referred under this Procedure.
d) When ITS refers the breach to Human Resources or Student Services, any offending material on the IT facilities will be provided without viewing by ITS.
e) The Director, Human Resources or General Manager, Student Services will:
i. Advise and report on the breach to the relevant Senior Manager;
ii. Assess the material and utilise outside experts or internal expertise as required;
iii. If emergency suspension of any IT account is required, authorise the suspension of the account;
iv. Authorise the impounding of IT facilities if necessary;
v. Consult with the relevant Executive Deans, Heads of School and Branch Heads;
vi. Refer the breach to South Australia Police if required; and
vii. Follow the standard disciplinary or misconduct procedures for any internal treatment of the breach.
f) If a breach of IT policy is detected or reported to ITS which is not potentially illegal, serious misconduct or misconduct:
i. ITS will arrange for an email to be sent to the account holder advising them of the potential breach and asking them to desist from any breaching conduct.
ii. Where the account holder is a staff member, titleholder or visitor, the email will be copied to their supervisor. Where the account holder is a student (unless they are also a staff member or titleholder), the email will be copied to Student Policy and Appeals.
iii. If the breaching conduct continues after the first email is sent, then the matter will be treated as potential misconduct and referred under paragraph 4 (a) above.
5. Data Security
Responsibility: All Staff, Title Holders and Visitors with IT Accounts
a) All electronically held University information should be stored in such a way that it is backed up regularly, usually by saving it on a network drive that is backed up nightly.
b) All electronically held University information should be stored and disposed of in accordance with the University's Records management procedures outlined in Procedure 3 of the IT Acceptable Use and Security Policy and the Records and Archives Management Manual at http://www.adelaide.edu.au/records/manual/.
c) University IT facilities that become obsolete must be disposed of in a manner that renders any information illegible and irretrievable at the time of disposal. ITS provides a safe computer disposal service in conjunction with a third party provider.
d) The University will manage its IT facilities in such a way that its IT facilities and data are protected from:
i. unauthorised and unacceptable use,
ii. wilful, malicious damage or any activity undertaken to purposely bypass security controls on University IT facilities, and
iii. virus infection and malicious software.
e) The University will manage its IT facilities in such a way that its IT facilities and data are:
i. accurate and complete,
ii. available to be accessed by authorised users, and only those users, when required, and
iii. recovered as soon as practicable in the event of serious IT systems failures or disasters.
6. Responsibility for Security of IT Facilities
Responsibility: Heads of School and Branch Heads
a) ITS is responsible for the physical and technological security of all the IT facilities that it owns, leases, or manages on behalf of another area of the University.
b) Heads of School and Branch Heads are responsible for the security of all IT facilities owned or leased by their area. Where these IT facilities are managed by ITS, the responsibility is shared between the area (physical security) and ITS (data and systems security).
c) The security of personally owned computers and IT equipment used in conjunction with the University's IT facilities is the responsibility of the owner. Owners of this equipment must comply with the security guidelines if the equipment is connected to the University's IT infrastructure.
d) Third party providers of IT facilities to the University are responsible for the security of the systems they provide. The security should adhere to the same standards as are required for University owned and managed facilities.
This document is a component of the IT Acceptable Use and Security Policy.
Policy Control Information
| RMO File No. | 2009/6907 |
| Policy custodian | Vice-President (Services & Resources) |
| Responsible policy officer | Director, Infrastructure (Property and Technology) |
| Endorsed by | Vice-Chancellors Committee |
| Approved by | Vice-Chancellor and President |
| Procedures approved by | Vice-Chancellor and President |
| Related Policies | Copyright Policy; Records Management Policy |
| Related legislation | Spam Act 2003 |
| Superseded Policies | All Student Email Policy F. 2003/1976; Guidelines for Posting on MyUni Forums |
| Effective from | 13 February 2012 |
| Review Date | 30 June 2015 |
| Contact for queries about the policy | ITS Helpdesk, telephone 8313 3000 |
Hardcopies of this document are considered uncontrolled. Please refer to the University Policy and Procedures website for the latest version.