Purpose | The University recognises its responsibility to ensure the security of the electronic information that is used in its activities. This policy defines how information stored electronically is to be classified in terms of its risk of disclosure, loss or damage, in order that an appropriate level of security, recoverability and availability is implemented. |
Scope | University wide – to be implemented in a phased way, firstly, addressing administrative information and, subsequently, education and research information. |
Policy Statement |
- The Information Owner shall classify information in accordance with the following information classification levels – Critical, Protected, Restricted and Public.
- The Information Owner will use the standard access, storage, use, transportation and disposal methods as described in the associated Procedures for information in their area, unless an approved waiver is obtained.
- The Information Owner will complete an annual certification that their responsibilities have been met.
- The Information Custodian will access and use the information in accordance with this policy, procedures and the classification defined by the Information Owner.
- Information classified as Critical must be stored and secured on servers managed by Information Technology Services Division. These servers must be located in designated data centres.
|
Supporting procedures | Procedures for Electronic Information Secure Handling and Protection |
Responsibility for implementation | Information Owners; Executive Director Information Technology Services Division; Heads of University Divisions; Heads of Monash subsidiaries; Manager Records & Archives Services; Deans of University Faculties; Campus Directors; University Faculty Managers; University Faculty Information Technology Managers; Responsible Information Technology Security Officers; Director, Audit and Risk Management Office |
Status | New |
Key Stakeholders | Audit and Risk Management Office; Monash Information Technology Security Steering Committee; Monash Security and Risk Section, Information Technology Services Division; Corporate Finance Division; Human Resources Division; Privacy Officer, Human Resources Division; Student and Community Services Division; University Solicitor’s Office |
Approval body | Name: Strategy and Resources Committee; Meeting: 5/2008; Date: 05-June-2008; Agenda item: 8.4 |
Endorsement body | Name: Vice Chancellors Group, Property and Information; Meeting: 2; Date: 09-April-2008; Agenda item: 15 |
Definitions | All definitions can be found in the Procedures for Electronic Information Secure Handling and Protection |
Related legislation | Information Privacy Act (Vic) 2000; Privacy Act 1988 (Commonwealth); Health Records Act 2001 (VIC); Whistleblowers Protection Act 2001 (VIC); Higher Education Support Act 2003 (Commonwealth); Public Records Act 1973 (VIC); Epidemiological Studies (Confidentiality) Act 1981 (Commonwealth) |
Related policies | Information Technology Security Policy; Collection, Storage and Destruction of Credit Card Details Policy; Monash Privacy Policies; Confidentiality of Student Records Policy; Monash University Recordkeeping Policy; Electronic Mail Recordkeeping Protocol |
Related documents | Information Technology Security Framework |
Date Effective | 05-June-2008 |
Review Date | 08-February-2010 |
Owner | Vice-Chancellor Monash University |
Author | Monash Information Technology Security Steering Committee |
Contact Person | Policy Role |