Information Security Policy

Section 1 - Purpose

(1) QUT is committed to protecting its information assets and the information it holds about its students, partners and employees. This Policy outlines how QUT protects its information assets against unauthorised access and use, theft, modification, destruction and unauthorised disclosure.

Section 2 - Application

(2) This Policy applies to:

Section 3 - Roles and Responsibilities

The positions and their responsibilities under this Policy are set out in the Roles and Responsibilities table at the end of this page.

Section 4 - Information Security Management System

(3) QUT implements an Information Security Management System (ISMS) which supports the Information Security Strategy (QUT staff access only) and is based on the current version of the ISO/IEC 27001 information security management standard, informed by the Queensland Government Information Security Policy (IS18:2018). The scope of the ISMS includes the protection of all information, application and technology assets.

Section 5 - Information Security Principles

(4) The ISMS is based on the following information security principles, which are designed to support and defend QUT against a variety of information security risks.

Logical Access and Physical Access Security

(5) Logical access and physical access to QUT information assets are granted on the "least privilege" principle, whereby each user is granted the most restricted set of privileges needed to perform the relevant tasks.

Information Security Risk Management

(6) Information security related risks must be identified and reported to the relevant stakeholders, and adequate controls recommended to manage the risk.

Operational Security

(7) Operational security practices must be in place to manage information security related risks.

Information Security Incident Management

(8) Information security incidents must be actively managed in a defined manner in line with QUT's incident management process.

Information Classification

(9) Information maintained in QUT's information systems and in printed form is protected according to its assigned information classification level (F/1.2.5).

Audit and Compliance

(10) The established information security management processes must be conducted in line with regulatory requirements and be regularly audited to promote improvements in practice.

Human Resource Security

(11) QUT must have processes in place to screen candidates, on-board and off-board employees, and educate employees on security awareness.

(12) These principles assist in governing behaviour, objectives, approach and activities in order to promote good practice in information security. The Vice-President (Digital) and Chief Digital Officer approves information security standards which further explain the implementation of the information security principles and define the information security controls.

Section 6 - Information Security Classification Approach

(13) QUT's information security classification approach is based on the Queensland Government Information Security Classification Framework (QGISCF). This approach uses three categories, Confidentiality, Availability and Integrity, to classify QUT's information and data. A risk rating is assigned to each classification category.

(14) The assessment of security categories for the relevant classes of information assets is used by the Vice-President (Digital) and Chief Digital Officer and the data custodian to determine the appropriate security measures and controls to be adopted for that information asset class.

(15) QUT staff and students engaged under a contract requiring Defence Industry Security Program (DISP) membership must assess and protect information in accordance with the Protective Security Policy Framework, as specified in the Information Security Standard - Defence Industry Security Program.

Section 7 - Information Security Audits and Monitoring

(16) The University maintains logs and audit trails of network and system activities, which may include personal information about users.

(17) The Information Security Team at QUT performs information security audits and monitoring activities which include the following:

(18) Where diagnosis of problems, investigations or security audits are required, the University reserves the right to access logs, audit trails and individual files. In carrying out these tasks, cooperation with the Information Security Team may be required. Cooperation and collaboration with law enforcement authorities may also be required from time to time.

Section 8 - Security Breaches

(19) A breach of information security, reported as an information security incident, is an identified occurrence or activity that has succeeded in adversely affecting the integrity of data, the confidentiality of protected information and the availability of information and major IT systems of QUT.

(20) QUT has an incident management process for managing IT incidents irrespective of their origin. Information security incidents are reported through this process.

(21) Security breaches relating to personal information should be reported in accordance with QUT's Information Privacy Policy and associated protocols.

(22) Serious breaches of information security by an individual user may result in disciplinary action (for staff and students) or the suspension or termination of access rights and computer accounts in accordance with the Acceptable Use of Information and Communications Technology Resources Policy. This Policy supports and complements State and Commonwealth laws. Illegal access to and use of computer systems at QUT may constitute a criminal offence under the relevant legislation. Breaches of information security which are also suspected of breaching State or Commonwealth laws will be reported to law enforcement authorities for appropriate action.

Section 9 - Defence Industry Security Program

(23) QUT staff and students engaged under a contract requiring Defence Industry Security Program (DISP) membership must comply with the Information Security Standard - Defence Industry Security Program and associated procedures.

Section 10 - Reporting

(24) Regular reporting on information security activities and risks is provided to the Information Security Steering Group and the Risk and Audit Committee.

Section 11 - Definitions

Logical Access: The ability to access QUT's information systems using a username and a password, either directly or through remote access.

Information Security Annual Return: A self-assessment of the information security controls mandated by, and submitted to, the Queensland Government Customer and Digital Group (QGCDG).

Data Accessibility: Sharing of the information asset to the maximum extent possible in accordance with data standards and data security, and defining the conditions of use of the data.

Information: Any collection of data that is processed, analysed, interpreted, classified or communicated in order to serve a useful purpose, present fact or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form. Information may also be a public record or an information asset if it meets certain criteria.

Data: The representation of facts, concepts or instructions in a formalised (consistent and agreed) manner suitable for communication, interpretation or processing by human or automatic means. Typically comprised of numbers, words or images. The format and presentation of data may vary with the context in which it is used. Data is not information until it is utilised in a particular context for a particular purpose. Examples include: coordinates of a particular survey point; a driver licence number; the population of Queensland; an official picture of a minister in JPEG format.

Information Security Management System (ISMS): A systematic approach to managing sensitive information so that it remains secure. It includes people, processes and IT systems, and applies a risk management process.

ISO 27001: An internationally recognised Information Security Management System (ISMS) standard. It is a framework of the requirements for managing an organisation's information security risks.

ISO (International Organization for Standardization): An independent, non-governmental international organisation with a membership of 164 national standards bodies, including Australia.

Section 12 - List of Information Security Standards

(25) The information security principles are further explained in the Information Security Strategy (QUT staff access only), which covers the required information security controls.

(26) QUT staff and students engaged under a contract requiring Defence Industry Security Program (DISP) membership must also comply with the following information security standard and associated procedures:
Section 3 - Roles and Responsibilities

Position: All users of QUT information assets
- Ensure compliance with all information security requirements in this Policy and standards, including reporting breaches of information security.
- Maintain awareness of the information security risks and controls appropriate to the information accessed and used at QUT, including completion of training as required by the University.

Position: Vice-Chancellor and President
- Is accountable for information security practices at QUT.

Position: Risk and Audit Committee
- Monitors cyber risk on a regular basis and recommends risk management actions where appropriate.

Position: Vice-President (Digital) and Chief Digital Officer
- Is responsible for implementation of the Information Security Management System (ISMS).
- Promotes awareness of information security and implements systems, practices and processes to enhance information security at QUT.
- Approves the University's information security strategy and the information security standards made under this Policy.

Position: Information Security Steering Group (ISSG)
- Provides advice to ensure that there is a co-ordinated, consistent and managed approach to information security management across QUT.
- Provides advice on information security risk and recommends risk management actions where appropriate.
- Reviews and endorses the following:

Position: Chief Information Security Officer
- Manages information security incidents.
- Provides reporting on the state of information security at QUT.
- Ensures compliance with regulatory requirements related to information security.
- Maintains the Information Security Policy and standards.
- Maintains relationships with external security groups (including regulatory authorities, specialist forums and professional and special interest groups) to ensure that QUT responds to the emerging threat landscape and has access to external resources.

Position: Heads of Organisational Units
- Foster a positive culture towards information security within the organisational area.
- Ensure compliance with the Information Security Policy and supporting standards as applicable to the organisational area.

Position: Project Managers
- Ensure compliance with the Information Security Policy and standards in the design and implementation of IT projects.
- Engage with the Information Security Team (IST) at QUT for information security advice as required.

Position: Data custodians
- Identify and implement the requirements related to data security, data accessibility and privacy for the datasets for which they are responsible.
- Classify information and data for the Information Asset Register (IAR).

Position: Information asset owner
- Provides the system owner with guidance and the specific information security requirements that need to be applied to the information systems and information assets.

Position: System owners
- Are accountable for protecting QUT's IT assets.
- Are responsible for applying the Information Security Policy and standards to the information systems and information assets they own.
- Develop the relevant documentation (process, procedures or guidelines), where applicable, to capture the specific requirements relevant to the information systems and information assets they own.
- Consult and inform the information asset owner on the requirements for applying the Information Security Policy and standards.