IT Security Policy
Please note that this policy has not yet been revised or converted to the new format.
1. Preamble
Monash University’s Information Technology (IT) systems and services are provided to further the objectives of the University and are integral to the effective performance of its operations.
IT Security is the process that ensures the availability, integrity and confidentiality of IT systems and services. Effective IT security is essential to ensure the University meets its obligations for security, privacy and preservation of intellectual property.
Monash University recognizes that all Authorized Users should be made aware of their responsibilities for IT security and of the need for effective IT security management.
2. Purpose
The purpose of this document is to define the Monash University Information Technology (IT) Security Policy and the procedures for implementation of the policy.
This policy authorizes the establishment of:
- an IT Security Steering Committee, and
- ‘The IT Security Framework’ – a document which defines the security processes and administrative procedures compliant with this policy.
3. Policy Status
This document is a University-wide policy.
4. Responsible Officer
Executive Director, ITS.
5. Approving Body
UNITPOL
6. Definitions
| Term | Definition |
| --- | --- |
| Authorized Users | Any user who has been authorized by the relevant Monash supervisor/officer to access any Monash system or IT facility, and includes (but is not limited to) staff of Monash or any company in which Monash has an interest or any company or organisation with which Monash is pursuing a joint venture, students, consultants, Visitors, Honorary appointees and Alumni. |
| IT | Information Technology |
| IT services and systems | All information technology hardware, software, processes and procedures utilized by Monash University. ‘IT services and systems’ includes all stored data and information regardless of their storage or presentation media. ‘IT services and systems’ includes all environmental and support facilities. |
| ITS Authorised Staff | Monash University staff authorised by the Executive Director, ITS to monitor accounts, files, stored data and network data, and to disconnect IT equipment in the event of an IT security breach. |
| ITS Division | Information Technology Services Division |
| Monitoring, to monitor | Tasks (including testing and scanning) undertaken by ITS Authorised Staff to ensure maintenance of security of IT services and systems. |
| Monash University Academic and Administrative Managers | The Executive, Deans of Faculties, the University Librarian, Heads of Centres, Divisions, Schools, Departments, Groups and Units. |
| Responsible IT Security Officer | Monash University staff member delegated to be responsible for IT security matters within his or her Faculty, Centre, School, Department, Group or Unit. |
| University | Monash University |
7. Policy Scope
This policy applies to all Authorized Users of Monash University in their use of IT services and systems utilized by Monash University. IT services and systems covered by this policy may not necessarily be provided by or owned by the University.
8. IT Security Policy and Framework
8.1 The IT Security Policy authorizes ‘The IT Security Framework’. The Framework defines the security processes and administrative procedures compliant with the IT Security Policy.
8.2 ‘The IT Security Framework’ is a collection of documents structured by security topics for the implementation and maintenance of IT security at Monash. It documents generic instructions regarding the implementation of security processes, and references existing procedures for administrative, security or maintenance functions where such procedures exist. Where Monash-specific documented procedures do not exist, are incomplete, or are not yet enacted, the ‘IT Security Framework’ provides default mandatory instructions.
8.3 Monash University Academic and Administrative Managers, Monash University staff and Authorized Users are required to adhere to the IT security procedures and processes as specified in the ‘IT Security Framework’ document.
8.4 ‘The IT Security Framework’ registers the owners of framework documents, and assigns maintenance responsibilities to the appropriate maintainers of the framework documentation. The framework documentation has mandatory document control.
9. The Right to Use
9.1 Authorised Users have the right to use IT services and systems consistent with the terms of the University's policies on "Information Technology Use Policy - Staff & Other Authorised Users" and "Acceptable Use of Information Technology Facilities by Students".
9.2 Subject to correct registration of IT equipment through the University’s ‘Addhost’ service, Authorised Users have the right to connect such IT equipment to the Monash University network via wall outlets or radio links installed by or on behalf of the ITS Division.
9.3 ITS Authorised Staff have the right to disconnect IT equipment from the Monash University network in the event of a breach as outlined in section 12 below.
10. The Right to Monitor
10.1 As owner, Monash University has the right to monitor the use of its IT systems and services.
10.2 Monitoring will be undertaken routinely by ITS Authorized Staff in the normal course of their duties to maintain technical security and operational efficiency of the system/service. Any extraordinary action taken to monitor IT services must be authorized by the Executive Director, ITS.
10.3 Monitoring will occur in cases of suspected breach of law, condition of employment, or University policy, including the University's policies "Information Technology Use Policy - Staff & Other Authorised Users" and "Acceptable Use of IT Facilities for Students". In these cases, inspection of personal information will be undertaken in accordance with the requirements of Privacy legislation and only after approval by the Divisional Director, Student & Staff Services.
10.4 Electronic data, information and material created by Authorized Users will be treated as confidential during monitoring, and all monitoring references will be destroyed if determined not relevant. Access to such information will be strictly on a need-to-know basis for technical or administrative purposes.
10.5 Except for normal administrative processes, the accounts, files, stored data and network data including e-mail messages created by Authorized Users, are held secure from intervention by other users.
11. Security Awareness
11.1 Information Technology Services will:
12. Breaches/Sanctions
12.1 ITS Authorised Staff may disconnect IT equipment from the Monash University network when monitoring detects a breach in IT security or a breach of the law or University policy. Such disconnection would normally be preceded by notice to the relevant Authorised User and Responsible IT Security Officer, but in an emergency, notice will follow disconnection.
12.2 In the event of a breach in the law or University policy, disciplinary proceedings, where appropriate, will be instituted in accordance with Monash University Statutes and regulations, or according to relevant contracts and/or workplace agreements.
13. Procedures and Responsibilities
13.1 Each of the Monash University Academic and Administrative Managers is responsible for:
13.2 The Executive Director, ITS is responsible for:
- Management of IT security policy, including the maintenance of the IT Security Policy and ‘IT Security Framework’ documents
- Authorizing certain Monash University staff of the ITS Division to monitor accounts, files, stored data and network data or to disconnect IT equipment in the event of an IT security breach
- Authorizing any extraordinary action taken to monitor IT services (as per 10.2 above)
- Instructing ITS Authorised Staff in privacy, confidentiality and need-to-know principles in relation to the treatment of data, information and material discovered by ITS Authorised Staff whilst monitoring
- Assisting Authorized Users to be made aware of their responsibilities for IT security
- Executive authority as contained in University Statutes and regulations
13.3 Responsible IT Security Officers
- Under delegation from their Academic and Administrative Managers, Responsible IT Security Officers are responsible for IT security matters within their Faculty, Centre, School, Department, Group or Unit.
- Responsible IT Security Officers are responsible for receiving reports of IT security breaches from Authorised Users, passing such reports to ITS Authorised Staff, and working with ITS Authorised Staff to take appropriate remedial action.
- The Responsible IT Security Officer will abide by the University Privacy Policy.
13.4 Security Incidents
Security incidents can directly affect the availability of IT systems and services. Where Authorized Users become aware of any incident that may impact Monash IT security, it is in the interests of maintaining system security and availability that they notify any breach of IT security to:
- their relevant Responsible IT Security Officer,
- the Executive Director, ITS, or
- other ITS divisional staff acting under delegated authority.
It is not appropriate for Authorized Users to broadcast or publicize widely any security incident, breach or suspected breach of security. All communication should be directed solely to the above-named officers. Authorized Users should be aware that any such broadcast or widespread publicity will result in increased risk to the integrity of IT services and systems.
13.5 Conduct of ITS Authorised Staff
In relation to the actions carried out by ITS Authorised Staff outlined in sections 9, 10 and 12 above, ITS Authorised Staff will abide by the University Privacy Policy and relevant University codes of practice, or, in the event that there is no relevant code applicable to IT staff, the Australian Computer Society's Code of Professional Conduct and Professional Practice.
13.6 Terms of Reference - IT Security Steering Committee
The IT Security Steering Committee, reporting to the Deputy Vice Chancellor (Resources) shall be established with the following terms of reference:
- To oversee the development and implementation of the IT Security Policy and Framework.
- To authorize and publicize changes to the IT Security Framework.
- To consider and determine appropriate actions with regard to sensitive security issues relating to IT.
- To provide a forum of last resort where Authorized Users might raise issues relating to IT security, especially when all other avenues of redress have appeared to fail, and
- To relate IT security issues to the broader user community, with authority to establish working groups.
Membership is recommended to be:
- Executive Director (ITS), Chair
- Director Audit and Risk Management
- Director Infrastructure Services (ITS)
- Director Client Services (ITS)
- Representative of the academic community using IT services
- Representative of the non-academic community using IT services
- IT Security Manager (ITS)
- A Faculty IT Manager.
Meetings are to be held every two months, or when required. Any member can initiate a meeting.
Amendment History
| Field | Detail |
| --- | --- |
| Title of Policy | Monash University IT Security Policy |
| Policy Reference | ITEC13 |
| Authors | Members of the IT Security Steering Committee |
| Central Registry File No. | RMO2001/1469 |
| Authorising Person | ITS Directors' Group (Meeting No. 29/01, 9 October 2001, Agenda Item 7.2); UNITPOL (Meeting No. 01/01, 12 November 2001, Agenda Item 4.3) |
| Policy effective on | 12 November 2001 |
| Policy expires on | |
| Policy next reviewed on | December 2006 |
| Related ITS regulations | |
| Comments | Monash only access |
Attachments
‘The IT Security Framework’ defines the security processes and administrative procedures compliant with this policy. ‘The IT Security Framework’ exists as a separate set of documents.