IT Security Procedures

Overview

These Procedures are made under the IT Acceptable Use and Security Policy, to support the principles enunciated in that Policy by:

a) Establishing clear mechanisms for rapidly responding to threats to the IT infrastructure (for instance, via hacking or virus threats);

b) Providing processes to appropriately handle other security incidents, from minor breaches of Policy through to serious misconduct; and

c) Clearly delineating the lines of responsibility for handling security incidents within the University.

Procedures

1. Personal Computer Security

Responsibility: All University IT account holders

a) All IT account holders are expected to familiarise themselves with the Security Best Practice Standards (available on the Information Technology Services (ITS) website) and comply with them.

b) All University owned or leased personal computers, desktops or laptops must be configured to have a password-enabled screensaver that activates after a set period of account holder inactivity.

c) Account holders must either log off or leave screensavers locked when leaving their workstations unattended.

d) Account holders must not allow another person to use their IT account and password. Similarly, an account holder must not attempt to initiate or operate a computer session by using another person's account and password, or by any other means.

2. Reporting IT Security Issues

Responsibility: All University IT account holders

All University IT account holders must:

a) Report any security weakness or threat to University IT facilities that they suspect or observe to the ITS Helpdesk immediately on 8303 3000.

b) Report any known or suspected breaches of the IT Acceptable Use and Security Policy and its associated Procedures to the ITS Helpdesk as soon as possible. If the breach is particularly sensitive or serious, they may choose to report the breach directly to the Network Operations and Information Security Team by emailing infosec@adelaide.edu.au.

c) Report lost, stolen or damaged computers or other IT equipment to the ITS Helpdesk as soon as possible. The loss or damage should also be reported to Prudential Services on 8303 4539 as an adverse event for insurance purposes.

3. University Monitoring and Logging

Responsibility: ITS, Marketing & Strategic Communications, Heads of School and Branch Heads

a) All use of University IT facilities is logged by the University.

b) The logs are routinely monitored to assist in the detection of breaches of these Procedures and the IT Acceptable Use and Security Policy.

c) In addition to routine monitoring, an individual account holder's use of IT facilities will be examined if:

i. A potential breach of University Policy, or State or Commonwealth Law, is detected or reported, or

ii. The University needs to retrieve or examine the content of electronic documents or messages for purposes such as finding lost files or messages, complying with legal authorities, or recovering from system failure, or

iii. An account holder's supervisor requests in writing that the account holder's use of IT facilities be examined.

d) Monitoring the use of IT facilities may be undertaken with or without prior notice to the account holder or user.

e) The University periodically monitors the content of web pages and may request that nominated material be updated or removed.

f) The University conducts its monitoring and logging of information in accordance with the Privacy Policy and Management Plan.

4. Procedure for handling breaches of IT Policy that constitute illegal activity, misconduct or serious misconduct

Responsibility: Director, Human Resources and General Manager, Student Services

a) If a breach of IT policy is detected or reported to ITS which potentially constitutes illegal activity, misconduct or serious misconduct, then ITS must refer the breach to the Director, Human Resources (for staff, titleholders or visitors) or the General Manager, Student Services (for students).

b) If the account holder is both a staff member and student, then the breach will be referred to the Director, Human Resources, who will consult with the General Manager, Student Services as required.

c) If there is any uncertainty about whether a breach of IT policy potentially constitutes illegal activity, misconduct or serious misconduct, ITS must consult with Human Resources and/or Student Services to determine whether the matter should be referred under this Procedure.

d) When ITS refers the breach to Human Resources or Student Services, any offending material on the IT facilities will be provided without being viewed by ITS.

e) The Director, Human Resources or General Manager, Student Services will:

i. Advise and report on the breach to the relevant Senior Manager;

ii. Assess the material and utilise outside experts or internal expertise as required;

iii. If emergency suspension of any IT account is required, authorise the suspension of the account;

iv. Authorise the impounding of IT facilities if necessary;

v. Consult with the relevant Executive Deans, Heads of School and Branch Heads;

vi. Refer the breach to South Australia Police if required; and

vii. Follow the standard disciplinary or misconduct procedures for any internal treatment of the breach.

f) If a breach of IT policy is detected or reported to ITS which is not potentially illegal, serious misconduct or misconduct:

i. ITS will arrange for an email to be sent to the account holder advising them of the potential breach and asking them to desist from any breaching conduct.

ii. Where the account holder is a staff member, titleholder or visitor, the email will be copied to their supervisor. Where the account holder is a student (unless they are also a staff member or titleholder), the email will be copied to Student Policy and Appeals.

iii. If the breaching conduct continues after the first email is sent, then the matter will be treated as potential misconduct and referred under paragraph 4 (a) above.

5. Data Security

Responsibility: All Staff, Title Holders and Visitors with IT Accounts

a) All electronically held University information should be stored in such a way that it is backed up regularly, usually by saving it on a network drive that is backed up nightly.

b) All electronically held University information should be stored and disposed of in accordance with the University's Records management procedures outlined in Procedure 3 of the IT Acceptable Use and Security Policy and the Records and Archives Management Manual at http://www.adelaide.edu.au/records/manual/

c) University IT facilities that become obsolete must be disposed of in a manner that renders any information illegible and irretrievable at the time of disposal. ITS provides a safe computer disposal service in conjunction with a third party provider.

d) The University will manage its IT facilities in such a way that its IT facilities and data are protected from:

i. unauthorised and unacceptable use,

ii. wilful, malicious damage or any activity undertaken to purposely bypass security controls on University IT facilities, and

iii. virus infection and malicious software.

e) The University will manage its IT facilities in such a way that its IT facilities and data are:

i. accurate and complete,

ii. available to be accessed by authorised users, and only those users, when required, and

iii. recovered as soon as practicable in the event of serious IT systems failures or disasters.

6. Responsibility for security of IT facilities

Responsibility: Heads of School and Branch Heads

a) ITS is responsible for the physical and technological security of all the IT facilities that it owns, leases, or manages on behalf of another area of the University.

b) Heads of School and Branch Heads are responsible for the security of all IT facilities owned or leased by their area. Where these IT facilities are managed by ITS, the responsibility is shared between the area (physical security) and ITS (data and systems security).

c) The security of personally owned computers and IT equipment used in conjunction with the University's IT facilities is the responsibility of the owner. Owners of this equipment must comply with the security guidelines if the equipment is connected to the University's IT infrastructure.

d) Third party providers of IT facilities to the University are responsible for the security of the systems they provide. The security should adhere to the same standards as are required for University owned and managed facilities.

Date uploaded 30 July 2008


This document is a component of IT Acceptable Use and Security Policy

Policy Control Information

RMO File No.: 2021/8007

Policy custodian: Chief Operating Officer

Responsible policy officer: Chief Information Officer, Information Technology and Digital Services

Endorsed by: Vice-Chancellors Executive

Approved by: Vice-Chancellor and President

Related Policies:

IT Acceptable Use Procedures

IT Security Procedures

Information Classification and Handling Guideline

Third Party Hosting Security Guideline

Code of Conduct Policy

Behaviour and Conduct Policy

Student Misconduct Rules

Copyright Policy

Information Management Policy

Privacy Policy

Related legislation:

Criminal Code Act 1995 (Cth)

Spam Act 2003 (Cth)

Copyright Act 1968 (Cth)

Telecommunications (Interception and Access) Act 1979 (Cth)

Security of Critical Infrastructure Act 2018 (Cth)

Tertiary Education Quality Standards Agency Act 2011 (Cth) (TEQSA Act) ss 114A and 114B

Effective from: 10 May 2022

Review Date: 9 May 2025

Contact for queries about the policy: ITS Helpdesk, telephone 8313 3000

Please refer to the Policy Directory for the latest version.