Information technology information security policy

Intent and objectives

RMIT’s Information Security policies define the rules concerning information security that must be observed while conducting RMIT business, teaching, learning and research activities. They provide a foundation for additional practices and standards that will more specifically communicate RMIT rules related to information security.

  • Reduce the risks and exposures to RMIT with respect to the use of information resources.
  • Establish prudent and reasonable policies and guidelines for the protection of information resources.
  • Provide guidance for staff, students, users and others about their responsibilities and acceptable use of RMIT information resources.
  • Provide a foundation for the subsequent development of related procedures, practices and processes.

Scope

University wide. No exclusions.

Provisions

1. Information asset security classification and control

a. Information asset control. All major information assets must be classified, accounted for and have a nominated owner – the Information Owner. The accounting for major information assets will be done in accordance with RMIT’s general asset management policy.

b. Information classification. Information and data available through Information Systems will be classified into different security levels according to the confidentiality and protection required by the information owner.

2. Personnel security

a. Security in resourcing. Users who have access rights to sensitive RMIT information assets may be required to sign a non-disclosure agreement and, for highly sensitive information assets, undergo and pass a security screening process. This will be at the discretion of the related Information Owner.

b. Security Awareness. As part of their employment orientation process, all RMIT staff shall be briefed on RMIT’s information security policies and related procedures and their respective responsibilities.

As part of their enrolment process, all RMIT students shall be briefed on RMIT’s information security policies, related procedures and their respective responsibilities. Major updates to information security policies shall be communicated to all RMIT staff and students on a regular basis.

c. Security incidents and enforcement. All information custodians and users are to report any information security incidents to the Information Security Co-ordinator for their respective portfolio or business unit as soon as is reasonably possible.

3. Physical and environmental security

a. Secured areas. RMIT shall take reasonable measures to safeguard its business areas and resources to protect and preserve the availability, confidentiality, and integrity of the University’s information systems and assets. Critical or sensitive information processing facilities and equipment shall be housed in secured areas, protected by a defined security perimeter, with appropriate security barriers, entry controls and environmental conditions. Only authorised individuals shall be granted physical access to these secured areas.

b. General security controls. No computer equipment belonging to RMIT may be removed from its normal operating environment without the approval of the relevant school or branch head.

c. Equipment and media security. All equipment and media that are disposed of must have all RMIT information and RMIT licensed software removed and overwritten prior to disposal.

4. Secure operations management

a. Operational management and security. RMIT’s operational procedures for running information systems and managing incidents shall be designed to ensure secure operation of RMIT’s information processing facilities. Related operational roles will segregate management and execution responsibility with respect to information security related activities.

b. Security in systems planning and acceptance. RMIT’s capacity planning procedures shall take into account RMIT’s information security requirement of minimising the risk of system overload for key elements of IT infrastructure. RMIT’s systems acceptance procedures for new information systems, upgrades or new versions, shall be designed to take into account RMIT’s information security requirements.

c. Network management and security. RMIT’s operational procedures for managing and operating RMIT’s network shall be designed to safeguard information in networks and protect the supporting infrastructure.

d. Media handling and security. RMIT’s operational procedures for managing media shall be designed to reduce the risk of damage to information assets and interruptions to business systems. Systems and media containing highly sensitive information (e.g. examination results, HR files) should only be managed in the presence of at least two operators or staff.

e. Secure exchange of information and software. RMIT’s operational procedures for exchanging information and software within Portfolios, and externally with other organisations, shall be designed to prevent loss, modification or misuse of the information or software exchanged.

5. Electronic communications

a. Internet and e-mail security. See RMIT’s Electronic communications policy.

b. Virus protection and control. Information Security Coordinators, information owners, custodians and information users shall take all reasonable actions and steps to ensure that RMIT’s computer assets are protected from all “viruses” that may be introduced intentionally or unintentionally by any means. This includes ensuring that:

  • Mechanisms are put in place to respond to all virus attacks, destroy any virus detected, repair damage and document each incident. These mechanisms will automatically detect and rectify e-mails containing attachments affected by known viruses.
  • Best practice anti-virus software is acquired, installed and maintained on all RMIT’s computer systems.
  • Anti-virus scans are run on a regular basis on all RMIT’s computer systems, including servers and personal computers.

The development of viruses by RMIT staff, students and contractors is strictly prohibited. No RMIT system or equipment is to be used to author, develop or knowingly distribute any computer virus.

c. Web server policy. See RMIT’s Electronic communications policy.

6. Security in systems development and maintenance

a. Security requirements for information systems. A structured process will be followed to ensure adequate evaluation, planning and design of security for new information systems or information systems undergoing major upgrade. The need for and cost of system security measures shall be included in the related business case for each information system acquired, developed or enhanced.

b. Application development, design and security. Appropriate security controls, and audit trails / activity logs, shall be designed into application systems, including user-written applications and third-party packages. These will include:

  • User identification and access authorisation mechanisms.
  • Protection of application data at a “systems” level.
  • Validation of input data, internal processing and output data.
  • Data encryption requirements.

c. Cryptographic controls. Cryptographic systems and techniques shall be used for the protection of information that is considered at risk by the information owner and for which other controls do not provide adequate protection.

d. Security of application system files. Mechanisms shall be put in place to maintain system file integrity whilst systems are being enhanced, developed, implemented or changed.

e. Security in development and support processes. All proposed system changes shall be reviewed to check that they do not compromise the security of either the system, the operating environment or other RMIT Information systems.

f. Security Hardening. All IT systems must be hardened in accordance with RMIT operational procedures and standards. Where standards do not exist systems should be hardened in a manner consistent with RMIT’s security practices.

g. Patching. All System and application owners will ensure operating system and application security patches are applied in a timely manner.

7. Access control

a. User authentication and passwords. All RMIT information systems providing services to staff, students, contractors, customers or external parties may only be accessed by authorised information users. The respective information owner will govern the access rights of users for each system. All users, utilities and applications must go through a user authentication process before being given access to any system.

Access shall be restricted to those capabilities and information that are appropriate to each user’s role within RMIT’s business environment and/or university community.

As a minimum, access to each information system shall be controlled by a logon identification (LogonID) and password-based security system. Each user must be able to be uniquely identified by the LogonID. Passwords should be changed on a regular basis and must not be obvious (easy to guess).

A single sign-on system, providing access to multiple information systems via one LogonID, shall be made available to certain groups of users where it does not pose a security risk to RMIT and it is feasible to do so. Access to public domain information systems provided by RMIT across the Internet will not require a user authentication system, but will require protective measures such as those outlined in b) below.

b. Network access control and firewalls. Access to all RMIT’s systems shall be automatically monitored and controlled via an intrusion detection system, to detect unauthorised intrusion and to ensure that users access only the information systems they are authorised to access.

Access to all information systems running on RMIT’s networks must be through a firewall facility. A restrictive policy for firewall parameters shall be adopted, so that all services are denied unless specifically permitted.

Access to RMIT’s network components will be segmented and segregated according to the nature of users accessing systems on that segment.

Access to any non-public (i.e. internal RMIT) network segments must be in accordance with the user authentication requirements of this policy (7a above).

Access across network segments, whether internal or external to RMIT’s network, must be through a firewall facility.

Network traffic prioritisation mechanisms, commonly called policy-based networking, shall be put in place to ensure data traffic flow and performance across the network is aligned with RMIT’s business priorities.

c. Operating system access control. The security features at the operating system level shall be used to restrict access to computer resources to only those users or applications authorised to do so by the information custodian. Access to any operating system files and utilities must be in accordance with the user authentication requirements of this policy (7a above).

d. Application access control. Access to application system files, systems utilities and databases shall be in accordance with the authentication policy outlined above.

8. Information integrity and business continuity

a. Information integrity and housekeeping. Periodic and automated data backup and recovery mechanisms shall be put in place for all information resources, to ensure that all information services can be recovered relatively quickly in the event of a minor or major malfunction.

The speed at which information services can be recovered will be commensurate with the importance of the information resource to RMIT’s day-to-day business operations, but constrained by the speed at which the malfunction can reasonably be rectified.

b. Business continuity management. RMIT’s Disaster Recovery Plan shall provide the basis for prioritising and invoking recovery processes for critical information resources to be available in the event of a major loss, owing to natural disasters or major breakdowns of any kind.

9. Information security compliance

a. Compliance with intellectual property and privacy laws. RMIT and information users shall comply with all Australian and International laws regarding intellectual property and all Australian laws with respect to privacy of staff, student and client data.

b. Information security policy compliance and audit. The implementation of security policies contained in this document shall undergo independent reviews and audits to provide RMIT assurance that organisational practices properly reflect these policies, and that they are feasible and effective.
