Cybersecurity Policy
Intent
This policy:
- Provides the foundation for Cybersecurity management within the University;
- Supports the achievement of the University’s teaching, learning and research, and corporate outcomes; and
- Supports the University’s commitment to meet its statutory, legal, and moral obligations by administering its information holdings in a lawful, ethical, and cost-effective manner.
Scope
This Policy applies to:
- University Information and Communication Technology (ICT) Services;
- All Authorised Users of University ICT Services managed by the University or third party providers on behalf of the University, both on and off campus; and
- The University’s tangible and intangible assets including:
  - the University’s reputation and public image; and
  - the University’s information in any medium or form such as electronic (digital, video or audio representations) or printed paper.
This Policy does not apply to University Controlled Entities.
Definitions
Acceptable Use – means those behaviours and actions, in connection with the use of University ICT Services, which are permitted under the ICT Acceptable Use Policy.
Accountable Officer – means the senior staff member with accountability for Cybersecurity within the University.
Asset Owner – means an individual or collective group with accountability and authority for University ICT Services.
Authorised User – means a person who has been provided with an Authentication Credential by the University to access University ICT Services. Various categories of users are documented in the ICT Acceptable Use Procedures.
Authentication Credential – means a userID/password, username/passcode, PIN or other secret keys used to gain access to ICT Services.
Capability – the capacity, materials and expertise an organisation needs in order to perform a business function.
Control – means a measure put in place to eliminate or minimise risk.
Cybersecurity – means the methods (policies, strategies, behaviours and techniques) through which necessary and commensurate measures can be identified, implemented, and maintained to effect Information Security.
Information Security – means the protection and preservation of the confidentiality, integrity and availability of information in digital or other means.
Reasonably Practicable – means that which is, or was at a particular time, reasonably able to be done to ensure Information Security, taking into account and weighing up all relevant matters including:
- the likelihood of risk concerned occurring;
- the consequence that might result from the threat or the risk;
- what the person concerned knows, or ought reasonably to know, about the risk, and about the ways of eliminating or minimising the risk;
- the availability and Suitability of Controls to eliminate or minimise the risk; and
- after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.
Responsible Officer – means a senior staff member or committee who makes, or participates in making, decisions that affect the whole, or a substantial part, of the business, namely the Vice Chancellor, Provost, Deputy Vice Chancellors, Pro Vice Chancellors, Deans, Directors, Chief of Staff, Committees of Council and Committees of the Vice Chancellor.
Suitability of Control – means the suitability of a particular Control having regard to whether or not the Control:
- is effective in eliminating or minimising risk or the likelihood of risk;
- does not introduce new and higher risks in the circumstances; and
- is practical to implement in the circumstances in which risk exists.
University ICT Services – means facilities and services provided to an Authorised User including software, communication devices, and computing infrastructure under the control of the University (or a third-party provider on the University's behalf) that provides access to information in online or electronic format.
Introduction
Effective protection of business information creates a competitive advantage, both by preserving the reputation of the University brand and by reducing the risk of negative events and incidents occurring.
Our aim is to be more resilient to cyber-attacks and better able to protect our interests in the digital economy.
Effective Cybersecurity requires an enterprise approach to ensure each responsible entity has the procedures, tools and support required to undertake its business effectively while managing the risk of adverse security incidents and events.
This policy does not assure protection against all security threats or attacks that may interrupt core University services. Instead, this Policy supports the University Council and its committees in demonstrating that Cybersecurity risks and measures are being identified and managed in a way that is appropriate for the information value, business environment, and objectives of the University, namely:
- The sponsorship of a Cybersecurity Capability;
- The institution of accountability and responsibilities with respect to Cybersecurity;
- Promotion of an intentional Information Security culture;
- The establishment of an Information Security risk management program including criteria through which security risks will be evaluated and accepted; and
- Establishing methods for the response to Information Security threats and incidents.
Policy principles
1. Capability
The Deputy Vice Chancellor Services and Resources will:
- Sponsor a Cybersecurity Capability to identify, analyse, and mitigate Information Security risk to the organisation, including its business units, subsidiaries, related interconnected infrastructure, stakeholders and suppliers in accordance with this Policy.
- Nominate an Accountable Officer.
The Accountable Officer will:
- Establish the University’s Cybersecurity Capability based on the following principles:
  - Positive reinforcement of Information Security responsibilities.
  - Proactive assessment, evaluation and management of Information Security risk(s).
  - Proactive monitoring and response to Information Security threats and incidents.
2. Responsibilities
The Accountable Officer will:
- Establish the University Cybersecurity Management Plan that aligns to the core requirements of the Queensland Government’s information security policies and standards.
- Establish Cybersecurity roles and responsibilities and document these responsibilities in the JCU Cybersecurity Management Plan.
- Establish measurable objectives, targets and outcomes to drive continual improvement aimed at reducing Information Security risks, events and incidents.
- Assure the effectiveness of the Cybersecurity Capability, as required.
The Responsible Officers will:
- Support the Cybersecurity Capability through the establishment and implementation of relevant processes, procedures, standards, and guidelines as outlined in the University Cybersecurity Management Plan.
3. Culture
The Responsible Officers will:
- Promote and sustain an intentional Information Security culture throughout the University, ensuring all Authorised Users:
  - develop a sense of ownership in the protection of all information; and
  - hold themselves accountable for their actions (including the Acceptable Use of University ICT Services).
- Support role specific awareness, training and education to Authorised Users.
- Promote the reporting of Information Security events and incidents, including recognition for those Authorised Users who act in support of Information Security.
- Ensure Information Security is considered as a requirement in all new projects and initiatives, regardless of the type of project.
- Proactively collaborate and support stakeholders (including audit) on Information Security matters.
4. Risk Management
The Accountable Officer will:
- Establish and operate an information-centric risk management program that provides a systematic approach to the identification, analysis and evaluation of Information Security risk across business units, related interconnected infrastructure, subsidiaries, stakeholders and suppliers.
- Facilitate informed risk acceptance by ensuring recognised risks are appropriately documented and passed to the appropriate Responsible Officer, in line with the University’s Risk Management Policy and Framework and accompanying risk appetite statement.
- Establish the University’s Cybersecurity Management Plan that:
  - Establishes the Cybersecurity goals; and
  - Details the baseline Information Security Controls for the University in the management of Information Security risks.
- Report on Information Security risks and achievement of goals on a routine basis.
The Responsible Officers and Asset Owners will:
- Implement relevant Controls from the University Cybersecurity Management Plan.
- Treat identified risks through the implementation of Reasonably Practicable Controls to protect the University’s information and related information systems against loss of confidentiality, integrity or availability.
- Monitor, assess and continually improve the Suitability of Controls on a periodic basis.
5. Response and Recovery
The Accountable Officer will:
- Establish, implement and rehearse a Cybersecurity Incident Response Plan to prepare for, respond to, and recover from disruptive cyber-incidents.
The Responsible Officers and Asset Owners will:
- Provide reasonable resources to support the implementation and operation of the Cybersecurity Incident Response Plan.
Related policy instruments
Risk Management Framework and Plan
Schedules/Appendices
None.
Related documents and legislation
Queensland Australia
James Cook University Act 1997 (QLD)
Information Privacy Act 2009 (QLD)
Telecommunications Interception Act 2009 (QLD)
Queensland Right to Information Act 2009 (QLD)
Queensland Information Security Policy (IS18:2018)
Commonwealth Australia
Criminal Code Act (1995) (Cth)
Telecommunications (Interception and Access) Act 1979 (Cth)
Telecommunications Act 1997 (Cth)
Higher Education Standards Framework (Threshold Standards) 2015
Administration
Approval Details
| Item | Detail |
| --- | --- |
| Policy Domain | Digital Infrastructure |
| Policy Sponsor | Deputy Vice Chancellor, Services and Resources |
| Approval Authority | Finance Committee |
| Date for next review | 21/11/2022 |
Revision History
| Version | Approval date | Implementation date | Details | Author |
| --- | --- | --- | --- | --- |
| 18-1 | 30/04/2018 | | Changes made to reflect headline restructure 30/04/2018. | Quality, Standards and Policy |
| 17-1 | 21/11/2017 | 06/12/2017 | Policy established | ICT |

| Item | Detail |
| --- | --- |
| Keywords | Information, security, cybersecurity, risk, privacy, copyright |
| Contact person | Manager, Information and Cyber Security |