Information Security Policy


Intent

James Cook University (JCU) has responsibility for a significant amount of information which, like other important assets, has value and needs to be suitably protected. JCU is committed to the preservation of information security in order to maintain business continuity and minimize the risk of business damage by preventing or limiting the impact of security breaches.

This policy provides a governance process that seeks to set the appropriate balance between risks to business processes and the costs of risk mitigations. Information asset aspects that require protection include the confidentiality, integrity and availability of both data and the information systems that organise and present information.

  • Confidentiality:
    Ensures that information is accessible only to those authorized to have access;

  • Integrity:
    Ensures and safeguards the accuracy and completeness of information and processing methods; and

  • Availability:
    Ensures that authorized users have access to information and associated assets when required.

This policy:

  • Provides the foundation for information security management within JCU and supports the achievement of JCU’s teaching, learning and research, and corporate outcomes;

  • Supports JCU’s commitment to meet its statutory, legal and moral obligations by administering its information holdings in a lawful, ethical and cost-effective manner.

Scope

This policy applies to all personnel of JCU, including students, staff, temporary employees, casual employees and agents and staff engaged to work under contract.

The JCU assets included in the scope of this security policy statement are:

  • JCU’s information in any medium or form such as electronic (digital, video or audio representations) or printed paper;

  • JCU’s information systems which process information;

  • JCU’s communication systems which transport information.

Policy

The university will maintain an organisational culture that appreciates the value of information and will:

  • Facilitate adequate controls to protect JCU’s information assets and related information systems,

  • Determine the adequacy of controls via the risk management processes of JCU’s risk management framework on a periodic basis, and

  • Monitor the effectiveness of the information security controls environment.

Objectives

To achieve the above objectives JCU will:

  • Adhere to all legal and legislative requirements;

  • Satisfy the Queensland Government’s mandatory information security principles as defined in Information Standard 18 and ISO 27001;

  • Periodically develop, document, implement and review information security controls to ensure the controls are commensurate with the information’s value, business significance and sensitivity to:

    • Ensure university information systems operate with a high degree of assurance and integrity; and

    • Protect university information from:

      • Unauthorized or inappropriate use;

      • Accidental or fraudulent modification; and

      • Loss.

Failure to comply with the terms of this policy is a potential disciplinary offence under the Code of Conduct and Public Service Act 1996 as well as the JCU Code of Conduct. Conduct in contravention of this policy may constitute an offence or crime under relevant State or Commonwealth legislation, resulting in legal prosecution.


Responsibilities

Information security roles and responsibilities for the university will be detailed in:

  • the JCU – Information Security Framework and

  • the ICT Strategic Plan

Monitoring and Review

The Director of Information Technology & Resources or another senior university officer appointed by the Vice Chancellor is responsible for the monitoring, reporting and review of this policy.

This officer shall ensure that:

  • This policy is reviewed at least once in every calendar year or following a major change in the University’s business environment;

  • Compliance with this policy is monitored on a regular basis to determine that residual risks are acceptable;

  • Effectiveness of this policy is reported as directed by the Accountable Officer or their nominee.

Activities in support of Information Security

The following table defines the activities JCU will maintain as part of the ongoing operation of this policy.

Each entry gives the IS 18 principle number and its information security activity, followed by the description and the applicable policies or procedures, where any are listed.

Principle 1: Policy, planning & governance
JCU will maintain an Information Security policy that provides a foundation for information security management and outlines commitments to meeting legal and ethical obligations regarding information asset management.

Principle 2: Asset management
A clear set of guidelines for the identification and protection of sensitive information will be established. The identification shall be in accordance with sensitivity, confidentiality of content and business importance, and based on legislative, regulatory and contractual obligations.
JCU will maintain an Information Security Management Framework that will establish responsibilities for the maintenance and control of information security, both within JCU and during interactions with customer agencies and third party providers.
Applicable policies or procedures: JCU Information Management Framework <link>

Principle 3: Human resources management
Security controls will be incorporated into recruitment, training, supervision and separation processes for all personnel, contractors and consultants to minimise the risk of loss or misuse of information assets.
Applicable policies or procedures: Code of Conduct Policy

Principle 4: Physical and environmental management
Information assets within JCU will be protected by levels of physical and environmental security.
Applicable policies or procedures: Physical Security Information; Security & Room Access

Principle 5: Communications and operations management
Staff responsible for the operation of information systems will ensure the correct operation of technical controls.
Applicable policies or procedures: IT&R Policy Documentation

Principle 6: Access management
Security control mechanisms will be established to determine and control access to information, information systems, networks and applications.
Applicable policies or procedures: Conditions for Use of Computing and Communication Facilities Policy; Library Use Policy; Web Security Policy

Principle 7: System acquisition, development and maintenance
Information systems, networks and applications will have security controls in place at all stages of development and in all operational environments to protect JCU and customer agency information assets and infrastructure.
Applicable policies or procedures: ICT Strategic Plan; IT&R Policy Documentation; Information Security Framework

Principle 8: Incident management
JCU will ensure effective management and response to information security incidents, including establishing an incident register and escalating and investigating incidents where necessary.

Principle 9: Business continuity management
Information loss and system availability risks will be managed by an appropriate balance of preventive controls and contingency plans. Continuity planning shall focus on critical information systems.
Applicable policies or procedures: Business Continuity Policy

Principle 10: Compliance management
Information security controls for all information processes, systems and infrastructure will adhere to all legislative or regulatory obligations under which JCU operates.
Applicable policies or procedures: Audit and Compliance Committee Charter; Risk Management Policy

Related documents, legislation or JCU Statutes

Legislation

  • Financial Accountability Act 2009 (Qld)

  • Public Sector Ethics Act 1994 (Qld)

  • Public Service Act 2008 (Qld)

  • Right to Information Act 1992 (Qld)

  • Libraries Act 1988 (Qld)

  • Electronic Transactions Act 2001 (Qld)

  • Telecommunications Act 1997 (Commonwealth)

  • Information Privacy Act 2009 (Qld)

JCU related documents

  • Code of Conduct Policy

  • Risk Management Policy

  • Risk Management Framework

  • Risk Registers

Approval Details

Policy sponsor: Deputy Vice Chancellor, Services and Resources

Approval authority: Future Committee

Approval date: 24/06/2015

Version no: 15-1

Date for next review: 27/08/14

Modification History

Version   Revision date   Description of changes                                        Author
15-1      22/06/2015      Policy sponsor amended to reflect approved policy framework   QSP

Version no.   Approval date   Implementation date   Details
12-1          14/08/12        04/10/12              Endorsed at ICTAC meeting

There are no related procedures.

There are no other related documents.