IT Security Procedures

Overview

These Procedures are made under the IT Acceptable Use and Security Policy, to support the principles enunciated in that Policy by:

a) Establishing clear mechanisms for rapidly responding to threats to the IT infrastructure (for instance, via hacking or virus threats);

b) Providing processes to appropriately handle other security incidents, from minor breaches of Policy through to serious misconduct; and

c) Clearly delineating the lines of responsibility for handling security incidents within the University.

Procedures

1. Personal Computer Security

Responsibility: All University IT account holders

a) All IT account holders are expected to familiarise themselves with the Security Best Practice Standards (available on the Technology Services (TS) website) and comply with them.

b) All University-owned or leased personal computers, desktops or laptops must be configured to have a password-enabled screensaver that activates after a set period of account holder inactivity.

c) Account holders must either log off or leave screensavers locked when leaving their workstations unattended.

d) Account holders must not allow another person to use their IT account and password. Similarly, an account holder must not attempt to initiate or operate a computer session by using another person's account and password, or by any other means.

e) Any person connecting a personally owned computing or communications device to the University network must take reasonable steps to ensure it does not provide a threat to University IT facilities and services.

2. Reporting IT Security Issues

Responsibility: All University IT account holders

All University IT account holders must:

a) Report any security weakness or threat to University IT facilities that they suspect or observe to the Technology Service Desk immediately on 8303 3000.

b) Report any known or suspected breaches of the IT Acceptable Use and Security Policy and its associated Procedures to the Technology Service Desk as soon as possible. If the breach is particularly sensitive or serious, they may choose to report the breach directly to the IT Risk Management Team by emailing infosec@adelaide.edu.au.

c) Report lost, stolen or damaged computers or other IT equipment to the Technology Service Desk as soon as possible. The loss or damage should also be reported to Legal and Risk on 8303 4539 as an adverse event for insurance purposes.

3. University Monitoring and Logging

Responsibility: TS, Marketing & Strategic Communications, Executive Managers, Heads of School and Branch Heads

a) The University reserves the right to log all use of University IT facilities and services.

b) The logs are routinely monitored to assist in the detection of breaches of these Procedures and the IT Acceptable Use and Security Policy.

c) In addition to routine monitoring, an individual account holder's use of IT facilities will be examined if:

i. A potential breach of University Policy, or State or Commonwealth Law, is detected or reported, or

ii. The University needs to retrieve or examine the content of electronic documents or messages for purposes such as finding lost files or messages, complying with legal authorities, or recovering from system failure, or

iii. An account holder's Head of School/Branch Head requests that the account holder's use of IT facilities be examined; and that request is deemed reasonable by the Team Leader, IT Risk Management. All information requested will be provided to the requesting Head of School/Branch Head.

d) Monitoring the use of IT facilities may be undertaken with or without prior notice to the account holder or user.

e) The University periodically monitors the content of web pages and may request that nominated material be updated or removed.

f) The University conducts its monitoring and logging of information in accordance with the Privacy Policy and Management Plan.

4. Procedure for handling breaches of IT Policy that constitute illegal activity, misconduct or serious misconduct

Responsibility: Director, Human Resources and General Manager, Student Services

a) If an alleged breach of IT policy is detected or reported to TS which potentially constitutes illegal activity, misconduct or serious misconduct, then TS must refer the breach to the Director, Human Resources (for staff, titleholders or visitors) and the General Manager, Student Services (for students).

b) If the account holder is both a staff member and student, then the alleged breach will be referred to the Director, Human Resources, who will consult with the General Manager, Student Services as required.

c) Alleged breaches by staff will be dealt with under clause 8.2 of the Enterprise Agreement 2010-2013.

d) When TS refers the breach to Human Resources or Student Services, any offending material on the IT facilities will be provided without viewing by TS.

e) The Director, Human Resources or General Manager, Student Services will:

i. Advise and report on the breach to the relevant Senior Manager;

ii. Assess the material and utilise outside experts or internal expertise as required;

iii. If emergency suspension of any IT account is required, authorise the suspension of the account;

iv. Authorise the impounding of IT facilities if necessary;

v. Consult with the relevant Executive Deans, Heads of School and Branch Heads;

vi. Refer the breach to South Australia Police if required; and

vii. Follow the standard disciplinary or misconduct procedures for any internal treatment of the breach.

f) If an alleged breach of IT policy is detected or reported to TS which is not potentially illegal, serious misconduct or misconduct:

i. TS will arrange for an email to be sent to the account holder advising them of the alleged breach and asking them to desist from any breaching conduct.

ii. Where the account holder is a staff member, titleholder or University visitor, the email will be blind copied to their supervisor and the Director, Human Resources. Where the account holder is a student (unless they are also a staff member or titleholder), the email will be blind copied to Student Policy and Appeals. Where the account holder is an External visitor, a record will be kept of the email by the Infrastructure Branch.

iii. If the breaching conduct continues after the first email is sent, then the matter will be treated as potential misconduct and referred under paragraph 4 (a) above.

5. Data Security

Responsibility: All Staff, Title Holders and Visitors with IT Accounts

a) All electronically held University information should be stored in such a way that it is backed up regularly; usually by saving it on a network drive that is backed up nightly.

b) All electronically held University information should be stored and disposed of in accordance with the University's Records management procedures outlined in Procedure 3 of the IT Acceptable Use and Security Policy and the Records and Archives Management Manual at http://www.adelaide.edu.au/records/manual/

c) University IT hardware that becomes obsolete must be disposed of in a manner that renders any information illegible and irretrievable at the time of disposal.

d) The University will manage its IT facilities in such a way that its IT facilities and data are protected from:

i. unauthorised and unacceptable use,

ii. wilful, malicious damage or any activity undertaken to purposely bypass security controls on University IT facilities, and

iii. virus infection and malicious software.

e) The University will manage its IT facilities in such a way that its IT facilities and data are:

i. accurate and complete,

ii. available to be accessed by authorised users, and only those users, when required, and

iii. recovered as soon as practicable in the event of serious IT systems failures or disasters.

6. Responsibility for security of IT facilities

Responsibility: Executive Managers, Heads of School and Branch Heads

a) TS is responsible for the physical and technological security of all the IT facilities that it owns, leases, or manages on behalf of another area of the University.

b) Heads of School and Branch Heads are responsible for the security of all IT facilities owned or leased by their area. Where these IT facilities are managed by TS, the responsibility is shared between the area (physical security) and TS (data and systems security).

c) The security of personally owned computers and IT equipment used in conjunction with the University's IT facilities is the responsibility of the owner. Owners of this equipment must comply with the security guidelines if the equipment is connected to the University's IT infrastructure.

d) Third party providers of IT facilities to the University are responsible for the security of the systems they provide. The University expects third party providers to apply reasonable security controls to ensure that they do not provide a threat to University IT facilities and services. The University reserves the right to review such security controls.

Date uploaded 10 June 2015


This document is a component of IT Acceptable Use and Security Policy

Policy Control Information

RMO File No.: 2021/8007
Policy custodian: Chief Operating Officer
Responsible policy officer: Chief Information Officer, Information Technology and Digital Services
Endorsed by: Vice-Chancellors Executive
Approved by: Vice-Chancellor and President

Related Policies:
  IT Acceptable Use Procedures
  IT Security Procedures
  Information Classification and Handling Guideline
  Third Party Hosting Security Guideline
  Code of Conduct Policy
  Behaviour and Conduct Policy
  Student Misconduct Rules
  Copyright Policy
  Information Management Policy
  Privacy Policy

Related legislation:
  Criminal Code Act 1995 (Cth)
  Spam Act 2003 (Cth)
  Copyright Act 1968 (Cth)
  Telecommunications (Interception and Access) Act 1979 (Cth)
  Security of Critical Infrastructure Act 2018 (Cth)
  Tertiary Education Quality Standards Agency Act 2011 (Cth) (TEQSA Act) ss 114A and 114B

Effective from: 10 May 2022
Review Date: 9 May 2025
Contact for queries about the policy: ITS Helpdesk, telephone 8313 3000

Please refer to the Policy Directory for the latest version.