Cybersecurity Policy
Intent
This policy:
- Provides the foundation for Cybersecurity management within the University;
- Supports the achievement of the University’s teaching, learning and research, and corporate outcomes; and
- Supports the University’s commitment to meet its statutory, legal, and moral obligations by administering its information holdings in a lawful, ethical, and cost-effective manner.
Scope
This Policy applies to:
- University Information and Communication Technology (ICT) Services;
- All Authorised Users of University ICT Services managed by the University or third party providers on behalf of the University, both on and off campus; and
- The University’s tangible and intangible assets including:
- the University’s reputation and public image; and
- the University’s information in any medium or form such as electronic (digital, video or audio representations) or printed paper.
This Policy does not apply to University Controlled Entities.
Definitions
Acceptable Use – means those behaviours and actions, in connection with the use of University ICT Services, which are permitted under the ICT Acceptable Use Policy.
Accountable Officer – means the senior staff member with accountability for Cybersecurity within the University.
Asset Owner – means an individual or collective group with accountability and authority for University ICT Services.
Authorised User – means a person who has been provided with an Authentication Credential by the University to access University ICT Services. Various categories of users are documented in the ICT Acceptable Use Procedures.
Authentication Credential – means a userID/password, username/passcode, PIN or other secret keys used to gain access to ICT Services.
Capability – means the capacity, materials and expertise an organisation needs in order to perform a business function.
Control – means a measure put in place to eliminate or minimise risk.
Cybersecurity – means the methods (policies, strategies, behaviours and techniques) through which necessary and commensurate measures can be identified, implemented, and maintained to effect Information Security.
Information Security – means the protection and preservation of the confidentiality, integrity and availability of information in digital or other means.
Reasonably Practicable – means that which is, or was at a particular time, reasonably able to be done to ensure Information Security, taking into account and weighing up all relevant matters including:
- the likelihood of risk concerned occurring;
- the consequence that might result from the threat or the risk;
- what the person concerned knows, or ought reasonably to know, about the risk, and about the ways of eliminating or minimising the risk;
- the availability and Suitability of Controls to eliminate or minimise the risk; and
- after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.
Responsible Officer – means a senior staff member or committee who makes, or participates in making, decisions that affect the whole, or a substantial part, of the business, namely the Vice Chancellor, Provost, Deputy Vice Chancellors, Pro Vice Chancellors, Deans, Directors, Chief of Staff, Committees of Council and Committees of the Vice Chancellor.
Suitability of Control – means the suitability of a particular Control having regard to whether or not the Control:
- is effective in eliminating or minimising risk or the likelihood of risk;
- does not introduce new and higher risks in the circumstances; and
- is practical to implement in the circumstances in which risk exists.
University ICT Services – means facilities and services provided to an Authorised User including software, communication devices, and computing infrastructure under the control of the University (or a third-party provider on the University's behalf) that provides access to information in online or electronic format.
Introduction
Effective protection of business information creates a competitive advantage, both in the ability to preserve the reputation of the University brand and in reducing the risk of the occurrence of negative events and incidents.
Our aim is to be more resilient to cyber-attacks and better able to protect our interests in the digital economy.
Effective Cybersecurity requires an enterprise approach to ensure each responsible entity has the procedures, tools and support required to undertake its business effectively while managing the risk of adverse security incidents and events.
This policy does not assure protection against all security threats or attacks that may interrupt core University services. Instead, this Policy supports the University Council and its committees in demonstrating that Cybersecurity risks and measures are being identified and managed in a way that is appropriate for the information value, business environment, and objectives of the University, namely:
- The sponsorship of a Cybersecurity Capability;
- The institution of accountability and responsibilities with respect to Cybersecurity;
- Promotion of an intentional Information Security culture;
- The establishment of an Information Security risk management program including criteria through which security risks will be evaluated and accepted; and
- Establishing methods for the response to Information Security threats and incidents.
Policy principles
1. Capability
The Deputy Vice Chancellor Services and Resources will:
- Sponsor a Cybersecurity Capability to identify, analyse, and mitigate Information Security risk to the organisation, including its business units, subsidiaries, related interconnected infrastructure, stakeholders and suppliers in accordance with this Policy.
- Nominate an Accountable Officer.
The Accountable Officer will:
- Establish the University’s Cybersecurity Capability based on the following principles:
- Positive reinforcement of Information Security responsibilities.
- Proactive assessment, evaluation and management of Information Security risk(s).
- Proactive monitoring and response to Information Security threats and incidents.
2. Responsibilities
The Accountable Officer will:
- Establish the University Cybersecurity Management Plan that aligns to the core requirements of the Queensland Government’s information security policies and standards.
- Establish Cybersecurity roles and responsibilities and document these responsibilities in the JCU Cybersecurity Management Plan.
- Establish measurable objectives, targets and outcomes to drive continual improvement aimed at reducing Information Security risks, events and incidents.
- Assure the effectiveness of the Cybersecurity Capability, as required.
The Responsible Officers will:
- Support the Cybersecurity Capability through the establishment and implementation of relevant processes, procedures, standards, and guidelines as outlined in the University Cybersecurity Management Plan.
3. Culture
The Responsible Officers will:
- Promote and sustain an intentional Information Security culture throughout the University, ensuring all Authorised Users:
- develop a sense of ownership in the protection of all information; and
- hold themselves accountable for their actions (including the Acceptable Use of University ICT Services).
- Support role specific awareness, training and education to Authorised Users.
- Promote the reporting of Information Security events and incidents, including recognition for those Authorised Users who act in support of Information Security.
- Ensure Information Security is considered as a requirement in all new projects and initiatives, regardless of the type of project.
- Proactively collaborate and support stakeholders (including audit) on Information Security matters.
4. Risk Management
The Accountable Officer will:
- Establish and operate an information-centric risk management program that provides a systematic approach to the identification, analysis and evaluation of Information Security risk including business units, related interconnected infrastructure, subsidiaries, stakeholders and suppliers.
- Facilitate informed risk acceptance by ensuring recognised risks are appropriately documented and passed to the appropriate Responsible Officer, in line with the University’s Risk Management Policy and Framework and accompanying risk appetite statement.
- Establish the University’s Cybersecurity Management Plan that:
- Establishes the Cybersecurity goals; and
- Details the baseline Information Security Controls for the University in the management of Information Security risks.
- Report on Information Security risks and achievement of goals on a routine basis.
The Responsible Officers and Asset Owners will:
- Implement relevant Controls from the University Cybersecurity Management Plan.
- Treat identified risks through the implementation of Reasonably Practicable Controls to protect the University’s information and related information systems against loss of confidentiality, integrity or availability.
- Monitor, assess and continually improve the Suitability of Controls on a periodic basis.
5. Response and Recovery
The Accountable Officer will:
- Establish, implement and rehearse a Cybersecurity Incident Response Plan to prepare for, respond to, and recover from disruptive cyber-incidents.
The Responsible Officers and Asset Owners will:
- Provide reasonable resources to support the implementation and operation of the Cybersecurity Incident Response Plan.
Related policy instruments
Risk Management Framework and Plan
Schedules/Appendices
None.
Related documents and legislation
Queensland Australia
James Cook University Act 1997 (QLD)
Information Privacy Act 2009 (QLD)
Telecommunications Interception Act 2009 (QLD)
Queensland Right to Information Act 2009 (QLD)
Queensland Information Standards (Qld IS) 18
Commonwealth Australia
Criminal Code Act (1995) (Cth)
Telecommunications (Interception and Access) Act 1979 (Cth)
Telecommunications Act 1997 (Cth)
Higher Education Standards Framework (Threshold Standards) 2015
Administration
Approval Details
Policy Sponsor | Deputy Vice Chancellor, Services and Resources
Approval Authority | Finance Committee
Date for next review | 21/11/2020
Revision History
Version | Approval date | Implementation date | Details | Author
18-1 | 30/04/2018 | 30/04/2018 | Changes made to reflect headline restructure. | Quality, Standards and Policy
17-1 | 21/11/2017 | 06/12/2017 | Policy established | ICT
Keywords | Information, security, cybersecurity, risk, privacy, copyright