IT Security Procedures
- Personal Computer Security
- Reporting IT Security Issues
- University Monitoring and Logging
- Procedure for handling breaches of IT Policy that constitute illegal activity, misconduct or serious misconduct
- Data Security
- Responsibility for Security of IT Facilities
These Procedures are made under the IT Acceptable Use and Security Policy, to support the principles enunciated in that Policy by:
a) Establishing clear mechanisms for rapidly responding to threats to the IT infrastructure (for instance, via hacking or virus threats);
b) Providing processes to appropriately handle other security incidents, from minor breaches of Policy through to serious misconduct; and
c) Clearly delineating the lines of responsibility for handling security incidents within the University.
1. Personal Computer Security
Responsibility: All University IT account holders
a) All IT account holders are expected to familiarise themselves with the Security Best Practice Standards (available on the Technology Services (TS) website) and comply with them.
b) All University owned or leased personal computers, desktops or laptops must be configured to have a password enabled screensaver that activates after a set period of account holder inactivity.
c) Account holders must either log off or leave screensavers locked when leaving their workstations unattended.
d) Account holders must not allow another person to use their IT account and password. Similarly, an account holder must not attempt to initiate or operate a computer session by using another person's account and password, or by any other means.
e) Any person connecting a personally owned computing or communications device to the University network must take reasonable steps to ensure it does not provide a threat to University IT facilities and services.
2. Reporting IT Security Issues
Responsibility: All University IT account holders
All University IT account holders must:
a) Report any security weakness or threat to University IT facilities that they suspect or observe to the Technology Service Desk immediately on 8303 3000.
b) Report any known or suspected breaches of the IT Acceptable Use and Security Policy and its associated Procedures to the Technology Service Desk as soon as possible. If the breach is particularly sensitive or serious, they may choose to report the breach directly to the IT Risk Management Team by emailing email@example.com.
c) Report lost, stolen or damaged computers or other IT equipment to the Technology Service Desk as soon as possible. The loss or damage should also be reported to Legal and Risk on 8303 4539 as an adverse event for insurance purposes.
3. University Monitoring and Logging
Responsibility: TS, Marketing & Strategic Communications, Executive Managers, Heads of School and Branch Heads
a) The University reserves the right to log all use of University IT facilities and services.
b) The logs are routinely monitored to assist in the detection of breaches of these Procedures and the IT Acceptable Use and Security Policy.
c) In addition to routine monitoring, an individual account holder's use of IT facilities will be examined if:
i. A potential breach of University Policy, or State or Commonwealth Law, is detected or reported, or
ii. The University needs to retrieve or examine the content of electronic documents or messages for purposes such as finding lost files or messages, complying with legal authorities, or recovering from system failure, or
iii. An account holder's Head of School/Branch Head requests that the account holder's use of IT facilities be examined, and that request is deemed reasonable by the Team Leader, IT Risk Management. All information requested will be provided to the requesting Head of School/Branch Head.
d) Monitoring the use of IT facilities may be undertaken with or without prior notice to the account holder or user.
e) The University periodically monitors the content of web pages and may request that nominated material be updated or removed.
4. Procedure for handling breaches of IT Policy that constitute illegal activity, misconduct or serious misconduct
Responsibility: Director, Human Resources and General Manager, Student Services
a) If an alleged breach of IT policy is detected or reported to TS which potentially constitutes illegal activity, misconduct or serious misconduct, then TS must refer the breach to the Director, Human Resources (for staff, titleholders or visitors) and the General Manager, Student Services (for students).
b) If the account holder is both a staff member and student, then the alleged breach will be referred to the Director, Human Resources, who will consult with the General Manager, Student Services as required.
c) Alleged breaches by staff will be dealt with under clause 8.2 of the Enterprise Agreement 2010-2013.
d) When TS refers the breach to Human Resources or Student Services, any offending material on the IT facilities will be provided without viewing by TS.
e) The Director, Human Resources or General Manager, Student Services will:
i. Advise and report on the breach to the relevant Senior Manager;
ii. Assess the material and utilise outside experts or internal expertise as required;
iii. If emergency suspension of any IT account is required, authorise the suspension of the account;
iv. Authorise the impounding of IT facilities if necessary;
v. Consult with the relevant Executive Deans, Heads of School and Branch Heads;
vi. Refer the breach to South Australia Police if required; and
vii. Follow the standard disciplinary or misconduct procedures for any internal treatment of the breach.
f) If an alleged breach of IT policy is detected or reported to TS which is not potentially illegal, serious misconduct or misconduct:
i. TS will arrange for an email to be sent to the account holder advising them of the alleged breach and asking them to desist from any breaching conduct.
ii. Where the account holder is a staff member, titleholder or University visitor, the email will be blind copied to their supervisor and the Director, Human Resources. Where the account holder is a student (unless they are also a staff member or titleholder), the email will be blind copied to Student Policy and Appeals. Where the account holder is an External visitor, a record will be kept of the email by the Infrastructure Branch.
iii. If the breaching conduct continues after the first email is sent, then the matter will be treated as potential misconduct and referred under paragraph 4 (a) above.
5. Data Security
Responsibility: All Staff, Title Holders and Visitors with IT Accounts
a) All electronically held University information should be stored in such a way that it is backed up regularly; usually by saving it on a network drive that is backed up nightly.
b) All electronically held University information should be stored and disposed of in accordance with the University's Records management procedures outlined in Procedure 3 of the IT Acceptable Use and Security Policy and the Records and Archives Management Manual at http://www.adelaide.edu.au/records/manual/
c) University IT hardware that becomes obsolete must be disposed of in a manner that renders any information illegible and irretrievable at the time of disposal. TS provides a safe computer disposal service in conjunction with a third party provider.
d) The University will manage its IT facilities in such a way that its IT facilities and data are protected from:
i. unauthorised and unacceptable use,
ii. wilful, malicious damage or any activity undertaken to purposely bypass security controls on University IT facilities, and
iii. virus infection and malicious software.
e) The University will manage its IT facilities in such a way that its IT facilities and data are:
i. accurate and complete,
ii. available to be accessed by authorised users, and only those users, when required, and
iii. recovered as soon as practicable in the event of serious IT systems failures or disasters.
6. Responsibility for Security of IT Facilities
Responsibility: Executive Managers, Heads of School and Branch Heads
a) TS is responsible for the physical and technological security of all the IT facilities that it owns, leases, or manages on behalf of another area of the University.
b) Heads of School and Branch Heads are responsible for the security of all IT facilities owned or leased by their area. Where these IT facilities are managed by TS, the responsibility is shared between the area (physical security) and TS (data and systems security).
c) The security of personally owned computers and IT equipment used in conjunction with the University's IT facilities is the responsibility of the owner. Owners of this equipment must comply with the security guidelines if the equipment is connected to the University's IT infrastructure.
d) Third party providers of IT facilities to the University are responsible for the security of the systems they provide. The University expects third party providers to apply reasonable security controls to ensure that they do not provide a threat to University IT facilities and services. The University reserves the right to review such security controls.
This document is a component of IT Acceptable Use and Security Policy
Policy Control Information
|RMO File No.||2009/6907|
|Policy custodian||Vice-President (Services & Resources)|
|Responsible policy officer||Director, Infrastructure (Property and Technology)|
|Endorsed by||Vice-Chancellors Committee|
|Approved by||Vice-Chancellor and President|
|Procedures approved by||Vice-Chancellor and President|
|Related Policies||Copyright Policy; Records Management Policy|
|Related legislation||Spam Act 2003|
|Superseded Policies||All Student Email Policy F. 2003/1976; Guidelines for Posting on MyUni Forums|
|Effective from||13 February 2012|
|Review Date||30 June 2015|
|Contact for queries about the policy||ITS Helpdesk, telephone 8313 3000|
Hardcopies of this document are considered uncontrolled. Please refer to the University Policy and Procedures website for the latest version.