James Cook University (JCU) has responsibility for a significant amount of information which, like other important assets, has value and needs to be suitably protected. JCU is committed to the preservation of information security in order to maintain business continuity and minimise the risk of business damage by preventing or limiting the impact of security breaches.
This policy provides a governance process that seeks to set the appropriate balance between risks to business processes and the costs of risk mitigations. Information asset aspects that require protection include the confidentiality, integrity and availability of both data and the information systems that organise and present information.
Confidentiality: ensures that information is accessible only to those authorised to have access;
Integrity: ensures and safeguards the accuracy and completeness of information and processing methods; and
Availability: ensures that authorised users have access to information and associated assets when required.
This policy:
Provides the foundation for information security management within JCU and supports the achievement of JCU's teaching, learning and research, and corporate outcomes; and
Supports JCU's commitment to meet its statutory, legal and moral obligations by administering its information holdings in a lawful, ethical and cost-effective manner.
This policy applies to all personnel of JCU, including students, staff, temporary employees, casual employees, agents, and staff engaged to work under contract.
The JCU assets included in the scope of this security policy statement are:
JCU’s information in any medium or form such as electronic (digital, video or audio representations) or printed paper;
JCU’s information systems which process information;
JCU’s communication systems which transport information.
The university will maintain an organisational culture that appreciates the value of information and will:
Facilitate adequate controls to protect JCU's information assets and related information systems;
Periodically determine the adequacy of those controls through the processes of JCU's risk management framework; and
Monitor the effectiveness of the information security controls environment.
To achieve the above objectives JCU will:
Adhere to all legal and legislative requirements;
Satisfy the Queensland Government's mandatory information security principles as defined in Information Standard 18 (IS 18), together with the principles of ISO/IEC 27001;
Periodically develop, document, implement and review information security controls to ensure the controls are commensurate with the information’s value, business significance and sensitivity to:
Ensure university information systems operate with a high degree of assurance and integrity; and
Protect university information from:
Unauthorised or inappropriate use;
Accidental or fraudulent modification; and
Failure to comply with the terms of this policy is a potential disciplinary offence under the Code of Conduct and the Public Service Act 2008 (Qld), as well as the JCU Code of Conduct. Conduct in contravention of this policy may also constitute an offence under relevant State or Commonwealth legislation and result in legal prosecution.
Information security roles and responsibilities for the university will be detailed in:
the JCU Information Security Framework; and
the ICT Strategic Plan.
Monitoring and Review
The Director of Information Technology & Resources or another senior university officer appointed by the Vice Chancellor is responsible for the monitoring, reporting and review of this policy.
This officer shall ensure that:
This policy is reviewed at least once in every calendar year or following a major change in the University’s business environment;
Compliance with this policy is monitored on a regular basis to determine that residual risks are acceptable;
Effectiveness of this policy is reported as directed by the Accountable Officer or their nominee.
Activities in support of Information Security
The following entries, grouped by IS 18 principle, define the activities JCU will maintain as part of the ongoing operation of this policy, together with the applicable policies or procedures for each.

IS 18 Principle: Policy, planning & governance
Information Security Activity: JCU will maintain an Information Security policy that provides a foundation for information security management and outlines commitments to meeting legal and ethical obligations regarding information asset management.
Information Security Activity: A clear set of guidelines for the identification and protection of sensitive information will be established. Identification shall be in accordance with the sensitivity, confidentiality and business importance of the content, and with legislative, regulatory and contractual obligations.
Information Security Activity: JCU will maintain an Information Security Management Framework that establishes responsibilities for the maintenance and control of information security, both within JCU and during interactions with customer agencies and third party providers.
Applicable Policies or Procedures: JCU Information Management Framework

IS 18 Principle: Human resources management
Information Security Activity: Security controls will be incorporated into recruitment, training, supervision and separation processes for all personnel, contractors and consultants to minimise the risk of loss or misuse of information assets.

IS 18 Principle: Physical and environmental management
Information Security Activity: Information assets within JCU will be protected by appropriate levels of physical and environmental security.
Applicable Policies or Procedures: Physical Security Information

IS 18 Principle: Communications and operations management
Information Security Activity: Staff responsible for the operation of information systems will ensure the correct operation of technical controls.
Applicable Policies or Procedures: IT&R Policy Documentation

Information Security Activity: Security control mechanisms will be established to determine and control access to information, information systems, networks and applications.
Applicable Policies or Procedures: Conditions for Use of Computing and Communication Facilities Policy; Library Use Policy; Web Security Policy

IS 18 Principle: System acquisition, development and maintenance
Information Security Activity: Information systems, networks and applications will have security controls in place at all stages of development and in all operational environments to protect JCU and customer agency information assets and infrastructure.
Applicable Policies or Procedures: ICT Strategic Plan; IT&R Policy Documentation

Information Security Activity: JCU will ensure effective management of and response to information security incidents, including establishing an incident register and escalating and investigating incidents where necessary.

IS 18 Principle: Business continuity management
Information Security Activity: Information loss and system availability risks will be managed by an appropriate balance of preventive controls and contingency plans. Continuity planning shall focus on critical information systems.
Applicable Policies or Procedures: Business Continuity Policy

Information Security Activity: Information security controls for all information processes, systems and infrastructure will adhere to all legislative or regulatory obligations under which JCU operates.
Applicable Policies or Procedures: Audit and Compliance Committee Charter; Financial Accountability Act 2009 (Qld); Public Sector Ethics Act 1994 (Qld); Public Service Act 2008 (Qld); Right to Information Act 1992 (Qld); Libraries Act 1988 (Qld); Electronic Transactions Act 2001 (Qld); Telecommunications Act 1997 (Commonwealth); Information Privacy Act 2009 (Qld)
JCU related documents
Policy sponsor: Deputy Vice Chancellor, Services and Resources
Date for next review:
Description of changes:
Policy sponsor amended to reflect approved policy framework
Endorsed at ICTAC meeting
There are no related procedures.
There are no other related documents.