Welcome to the University Policy Library.
If you are unable to find what you are looking for please use the 'search' function below.
Delegations of Authority Policy is the key document for who is responsible to exercise a delegation – Note: Policies and procedure documents may not reflect the current delegations. Please refer to the Delegations of Authority Policy to identify who the delegate is.
DITM and Records Management Policy Manual
Purpose:
The purpose of this manual is to outline the University’s principles concerning the use of technology. The primary areas of focus are IT Security, Acceptable Use and Enterprise Architecture.
The University’s primary functions depend on the quality of information provided by DITM resources. This policy manual will ensure the following:
The University’s primary functions depend on the quality of information provided by DITM resources. This policy manual will ensure the following:
- Availability and reliability in the provision of ºÚÁϳԹÏÍø technology services.
- Accuracy and integrity in the management and delivery of information.
- Protection of the University’s assets, including information, knowledge, software, hardware, and facilities.
- Information privacy and confidentiality is maintained according to legislative requirements.
- The University’s operations are secure from disruption.
- DITM resources are used in an appropriate manner.
- Protection of the University’s reputation.
Scope:
This manual covers all policies relating to Digital, Information and Technology Management and applies to all staff, students, and members of the ºÚÁϳԹÏÍø community.
Principles:
- IT Security and Acceptable Use
- Acceptable Use
- Purpose and Scope
- This section provides information on the access available to staff, students, and other members of the University community to the University’s computer network, and through it to the Internet, and their obligations when using the University network.
- Principles
- The University network is provided for use for educational, research and administrative business of the University including related social interactions. Limited personal use is permitted but the University network must not be used for personal gain.
- Users must comply with all legislation and University policies relating to access and use of the network and other IT resources.
- Users must act in a courteous and responsible manner in all technology- enabled communications and must not use these in a manner which misrepresents the University or brings it into disrepute.
- The account owner is responsible for all information access and all changes which are carried out while accessing a system through their account/password combination.
- The University’s systems must not be used to harass, abuse, or otherwise seek to offend individuals.
- The University’s systems must not be used to access, store, or transfer illegal material, such as unauthorised copyright material or child pornography.
- It is the responsibility of departing staff or affiliates and their supervisors to ensure that any required electronic business files, documents, and emails are appropriately stored, transferred or otherwise made accessible to the supervisor well in advance of the departing staff or affiliates’ termination date.
- Purpose and Scope
- General IT Security
- Purpose and Scope
- This section covers assets including, but not limited to:
- Information assets (e.g. databases, files, electronic documents);
- Software assets (e.g. applications, software tools, licences); and
- Physical assets (e.g. computers, servers, network infrastructure, information storage media, printers, communications equipment, AV equipment, projectors, telephones, and facilities).
- Security breaches or any risk of threats arising from:
- On-campus devices not approved for network connection;
- On-campus networks not installed or approved by DITM; and
- Off-campus networks and devices are within the scope of this policy insofar as taking any necessary action required to mitigate, remove, or neutralise any apparent risk or threat to ºÚÁϳԹÏÍø IT security.
- All staff, students, and users, including affiliates, alumni, tenants, guests and visitors who are given access to the University’s information systems must agree to abide by the University’s information security and privacy policies, practices and procedures.
- This section covers assets including, but not limited to:
- Principles
- At any point that University IT resources are being used, all relevant ºÚÁϳԹÏÍø policies will be applicable, whether on or off campus. The University retains the right to monitor and control ºÚÁϳԹÏÍø systems and their content, including network and system activity, in accordance with the University’s Charter of Conduct and Values and Privacy Policy and in a manner which respects the rights and legitimate interests of those concerned.
- The authority to inspect machines, servers and files resides with the Chief Information Officer or appointed delegate. Disclosure to an external organisation will only be considered on production of a legal authority or to the University’s vetted and approved vendors covered by contractual obligations (e.g., a vendor may be allowed to perform system audits under the terms of a licence agreement).
- Any systems, equipment or devices that are deemed to pose a threat to the University network will be disconnected from the network without prior notice.
- The University reserves the right to suspend or terminate access to any network account in cases of suspected security breaches, inappropriate or illegal activity, or unauthorised access. This includes all account types, e.g.: Staff, student affiliate, visitor guest, tenant, system, and service accounts.
- Security incidents will be handled in accordance with DITM Cyber Security incident response plans.
- All University enterprise systems and information assets, irrespective of hosting arrangements or location, must be accounted for and have a nominated custodian who is responsible for the implementation and management of this policy in relation to those assets. Where no custodian is nominated the most senior manager of the area most responsible for the system is accountable.
- All University enterprise systems and information assets, irrespective of hosting location, management or control arrangements must be maintained to a base line of security through best practice security controls such as regular patching and centralised management.
- Network services and software applications which require higher levels of security will only be accessible remotely via the University’s Virtual Private Network (VPN).
- Members of the University community who use public access or other non-University IT services to access University of Canberra resources are obliged to respect the University’s security and access conditions as well as the relevant conditions of the remote access provider.
- To ensure that no private or confidential information is exposed, any user accessing a secure University system remotely, should do so only on known trusted networks.
- University-owned data or information may not be stored using public cloud services, i.e. Dropbox or similar, except under a University-approved contractual arrangement nor can it be forwarded to separate email accounts outside the university.
- Any data breaches, or suspected data breaches, must be reported to the DITM Service Desk immediately upon discovery.
- Access to the University’s network services by students will be granted six months prior to their course commencement date, and the network account will be removed thirty days from their discontinuation date, or graduation date. Access to University network services by staff or affiliates will be removed on the user’s termination date.
- Purpose and Scope
- User Account and Password
- Purpose and Scope
- This section will define the principles governing the creation, use, ongoing management and control of user accounts and passwords for any IT system associated with the University of Canberra.
- Principles
- Users must activate a password protection method to secure their workstation or devices with University network access or content. All devices should be locked prior to leaving them unattended. Where multifactor authentication (MFA) is available in a system it must be used.
- All mobile devices, including phones, tablets and laptops, that are used to access or store University data or information must be password or passcode protected. This applies whether the device is a University asset or a personal device.
- Members of the University will be issued with a University Network Account user ID, which will be based on the University staff, student or affiliate ID number.
- All general access to University corporate systems should be configured to utilise the University Network Account and associated password. Exceptions to this rule are:
- Systems that do not store or transmit the password in encrypted format. Such systems must NOT use the University Network Account and password.
- Systems that that are not under the control of the University of Canberra, and which are not operating under a contract or agreement with the University. Such systems must NOT use the University Network Account and password.
- Systems which require an additional level of security which warrants a separate password due to elevated levels of access in accordance with the Privileged Account Guide documentation.
- The onus of protecting the University Network Account password is on each individual. The University password must not be used on other systems, shared, or disclosed with anyone, including assistants or family.
- The possession of an account and a password that enables access to read or update information does not constitute the authority to do so. Such authority must be explicitly granted by a System Custodian. It is the responsibility of the System Custodians to audit key corporate system privileges and ensure they are commensurate with current staff roles.
- Password complexity for University account passwords is determined by the strongest accepted rules of our weakest system and subject to change as systems mature or are updated. The strongest password that can be used within the restrictions of a specific facility, system or service shall be used.
- It is recommended that user-level passwords be changed at least every six months. User-level passwords must be changed if the accounts with Multi-factor Authentication do not meet the University’s complexity requirements or are known to other individuals.
- Passwords for privileged accounts must be changed at intervals as follows:
- Corporate Systems Group members and System Custodians: every 8 weeks in addition to the requirements for user-level passwords.
- System-level passwords (e.g. root, administrator): as per user-level passwords and otherwise changed every 6 months automatically where possible. Where auto changes are not supported, system-level passwords must be changed every time a staff member with access to the password leaves the University.
- All passwords must:
- Contain eight characters or more.
- Contain lower-case letters, upper-case letters, numbers, and non- alphanumeric characters.
- Purpose and Scope
- Special Case Data Access
- Purpose and Scope
- This section covers the access of staff members’ files or data under special circumstances.
- Principles
- Access to a current staff member’s electronic data, which includes email, and documents stored centrally (e.g. H: drive and Microsoft Office 365) or locally (e.g. C: drive), is only permitted if accompanied by a business case, approved by the relevant Executive Dean/Director, and approved by the Chief Information Officer or nominated delegate, in consultation with the Chief People Officer. A record of access including the business case and authorising Executive Dean/Director must be created and kept.
- Where reasonable grounds exist to justify accessing a former staff member’s email or electronic files, access may be provided to the supervisor or other nominated staff as approved by the relevant area’s Executive Dean or Director after consideration of a business case by the Chief Information Officer or nominated delegate, in consultation with the Chief People Officer.
- Purpose and Scope
- Email Use
- Purpose and Scope
- This section covers the use of email originating from University email accounts for staff or students.
- Principles
- University staff will utilise University email for University-related communication with staff, students and affiliates.
- Email copies of highly sensitive information must be encrypted when transferring to an external entity or recorded to an external data storage device.
- The content of email sent by University staff and students must not be offensive, harassing, discriminatory or illegal. In addition, University email accounts must not be used for personal gain or commercial purposes.
- While the University makes every endeavour to ensure that email delivered to and from University accounts is free from spam and malware, it is not responsible for damages caused by the failure to detect spam or malware or the inadvertent blocking of a legitimate email.
- Students are required to use their student email when contacting the University via email for pastoral, administrative or academic matters.
- Staff are expected to use the University-provided email account for all University email correspondence and may not automatically forward their email to private addresses unless authorised by the Chief Information Officer or nominated delegate.
- All staff members are required to include a signature on all emails sent externally, which should be aligned with the University’s standardised signature block.
- Purpose and Scope
- Privately Owned Devices
- Purpose and Scope
- This section defines University policy with respect to privately owned devices which are brought onto the University campus, connected to the University network and/or used for University business.
- Principles
- Privately owned devices may be connected to the University network (wired or wireless) provided that these meet basic levels of security.
- The University reserves the right to inspect any and all privately owned devices, which are connected to the University network, to investigate suspected security breaches, inappropriate or illegal activity, or unauthorised access.
- Privately owned devices that are deemed to pose a threat to the University network will be disconnected from the network without prior notice.
- The University accepts no responsibility for any loss or damage to either the physical device or data contained within it as a result of bringing the device onto the University campus, connecting it to the University network and/or using it for University business.
- The University accepts no responsibility for the support and maintenance of privately owned devices whether or not they are used for University business. This includes privately owned data storage media connected to staff or student workstations.
- University-owned data or information must not be stored on privately owned equipment.
- Purpose and Scope
- Third Party Contract and Access Security
- Purpose and Scope
- This section sets out the conditions that are required to maintain the security of the University’s IT resources when contractors, outsourced providers, service suppliers or any other third-party providers are involved in the University’s operations. This may include, but is not limited to, the following circumstances:
- Third-party system design, development or operation of University services; access granted from remote locations where computer and network facilities
- may not be under the control of the University; or
- when authorised third-party providers are given access to information or information systems.
- Principles
- All third-party providers who require access to the University’s information systems must agree to comply with all relevant University policies at the time of engagement or contract signing. Should the said policies change within the contract period, a deed of variation may be drawn up if required, and third-party providers must agree to comply.
- Due to the confidentiality, sensitivity or value of the information that may be accessed, the University may require third-party providers to sign a confidentiality agreement to protect its information assets.
- All contracts with third-party providers for the supply of services to the University must be monitored and regularly reviewed to ensure that information security requirements are being satisfied.
- Authorised third-party providers must be given minimum access privileges to meet their contractual requirements. They are not permitted to copy or store any University information for any reason other than that required to complete the terms of their contract.
- All third-party providers must report any instance, including physical, of unauthorised access, transmission, or loss (or suspected loss) of ºÚÁϳԹÏÍø data by a third- party. In addition, third-party providers must report IT security incidents that may impact systems connected to the University’s systems.
- Purpose and Scope
- IT Physical Security
- Purpose and Scope
- This section sets out the minimum standards for implementing physical control measures to protect the University’s IT infrastructure. IT assets are generally associated with the physical devices on which information resides and includes, but is not limited to, mobile and portable devices, workstations, servers, and the physical network infrastructure.
- Principles
- Physical access controls around computing locations are to be applied in a manner that reflects the business value and criticality of IT services hosted in the location and the sensitivity of the data stored.
- Computer laboratories and other locations that house IT assets must employ physical access controls including electronic and physical locks.
- No computer equipment is to be removed from any office, work area or computer laboratory unless specific authorisation has been received from the Chief Information Officer.
- Persons who are issued with portable information technology assets, such as laptops, tablets or mobile devices must agree to bear personal responsibility for the equipment. When not in use, all portable information technology assets must be adequately secured.
- Purpose and Scope
- Acceptable Use
- Enterprise Architecture
- Scope
This section of the Policy Manual outlines the University’s principles for the design and implementation of technology.
- Design Principles
- Principles
- DITM offers support for re-designing University systems and assessing new technologies to ensure secure, cohesive, and effective alignment of business, information, processes and technology.
- Cloud services will be adopted, as long as they are fit for purpose, provide better value for money, provide appropriate security and risk measures and have adequate back-out and Disaster Recovery measures.
- Where appropriate, the University may utilise cloud services to enable testing and development of IT systems.
- Suitable, ready to use preconfigured solutions for both cloud and in-house systems should be adopted in preference to solutions that require customisation in order to be fit for purpose.
- Fundamental access control concepts such as the Principle of Least Privilege, where users are only granted minimum levels of access or permissions required, and the Deny by Default principle, where access is blocked by default and only granted by specific authorisation, must be applied to all systems, services and devices connected to the University network. Additionally, security principles and practices defined in ºÚÁϳԹÏÍø’s Cyber Security Strategy must also be referenced.
- The University’s power and Wi-Fi infrastructure will be designed to support the on-campus use of privately owned devices so far as is reasonably practicable.
- Unless specifically required, all new services and applications must be designed to be accessible for users regardless of the network being used, resulting in the same experience whether on campus or off.
- The University will design infrastructure that is flexible and scalable, future-proofed to allow for migration to other platforms (including cloud) and capable of future orchestration. Where hardware must be purchased, it should be reusable and efficient.
- Modifications to any system or network are only permitted where authorised by DITM under the IT Change Management Policy.
- Contracts for new technology systems must be reviewed by the University Legal team. New technology systems must also be reviewed by completing the New Product Questionnaire prior to procurement. New technology systems must then also be approved by the Change Advisory Board (CAB), prior to implementation, to ensure these systems do not conflict with the University’s environment.
- Principles
- Records Management
- Purpose and Scope
- The purpose of this section is to provide direction to all staff on the management of University records and applies to all records created and/or captured during the conducting of University business as detailed in the Records and Information Management Policy
- Backup Policy
- Purpose and Scope
- This section mandates and communicates the University’s principles relating to the backing up and retention of corporate data assets.
- Any non-corporate data assets are considered out of scope of this backup policy.
- Principles
- All corporate data is to be stored on University managed facilities, which are regularly backed up.
- A full backup from each year is retained for a minimum of seven years.
- Where a data custodian has identified or requested a different set of backup requirements, some data sets may be backed up outside of the standard practice described above.
- The physical and logical security of the backup media must be at least equivalent to the security required for the access to the data on the server itself.
- The backup medium must be of a type that will remain readable and be accessible for the length of time for which the backups are to be retained.
- Backups of corporate data assets are distinct from the University’s records management system and are purely Business continuity mechanisms.
- Purpose and Scope
- Scope
Responsibilities:
Who | Responsibilities |
Chief Digital Officer and Vice President, Digital | Policy Owner |
Chief Information Officer | Policy Custodian |
Chief Information Officer | Responsible for implementing this policy |
|
Legislation:
- In all instances relevant law supersedes ºÚÁϳԹÏÍø policy.
- This policy manual has as its underpinning relevant legislation including but not limited to, the Information Privacy Act 2014 (ACT), the Copyright Act 1968 (Cth), the Freedom of Information Act 2016 (ACT) and the Crimes Act 1914 (Cth). A Legislative Responsibility Schedule is maintained by the Governance Unit and lists all legislation pertaining to the University.
- This policy’s record management principles are governed by the Territory Records Act 2002 (ACT).
Supporting Information:
Definitions:
TERM | MEANING |
Account Owner | Any person granted a user account with the University of Canberra |
Activities | Activities are the major tasks performed by the University to accomplish each of its functions. Several activities may be associated with each function. Activities are often described as actions or verbs, such as Reporting. |
Approved Devices | University-owned and DITM-configured devices. |
Archival Record | Archival records are those records that have been appraised as having long-term, enduring or permanent value such as Council Minutes, University Research Reports (of major national or international significance) and Examination Results. |
Authorised User | Any user who has been authorized by the relevant supervisor/officer to access a system or IT facility, and includes (but is not limited to) staff of the University of Canberra or any company in which the University of Canberra has an interest or any company or organisation with which the University of Canberra is pursuing a joint venture, students, consultants, visitors, Honorary appointees. |
Availability | Availability refers to the ongoing operations and delivery of intended services by a system (e.g. finance or payroll) and its components. |
Business Information Systems (BIS) |
|
Confidentiality | Confidentiality refers to the need to ensure that information is accessible only to those authorized to have access. |
Corporate Data | Data which forms a part of the University’s records for internal, external or public use pertaining to the University’s business including operational, administrative, teaching and/or research activities. For example: All Home Drive Data (H:\) – Staff and Students All Group Shares (\\ucstaff\dfs\...) |
Data Custodian | The custodian is the individual responsible for the content of any data file or system. Note that it is not usually the creator of a document or a system operator. |
Database Data | The content and configuration of all databases. |
Default to deny | Means the setting of the norm to denying access so that specific instruction must be provided to all access. |
Designated authority | The person with the authority to formally assume responsibility for the action or decision in question |
Email Data | All email and calendar items in all subfolders of staff email accounts. |
Full Backup | Back up of all targeted files. |
Functions | Functions are “the largest unit of business activity”. They represent the major responsibilities that are managed by the University of Canberra to fulfill its goals. Functions are high-level aggregates of the University’s activities. Functions are often described as things or with nouns, such as Teaching and Learning, Research and Student Management. |
Incremental Backup | An incremental backup is a type of backup that only copies files that have changed since the last backup. For example; if you had 10 files on your desktop which you backed up to a USB drive, making a copy of all 10 files is termed as a FULL backup. If you have made changes to 2 of those files since your last FULL then copying only the two files that have changed to your USB drive is termed an INCREMENTAL backup. The strength of incremental backups include significant time savings and effective use of storage. The downside is that an incremental is dependent on the last successful full backup. |
Integrity | Integrity refers to the veracity of data. Loss of data integrity may be gross and evident, as when a computer disc fails, or subtle, as when a character in a file is altered. |
IT services and systems | All information technology hardware, software, networks, processes and procedures utilised by the University of Canberra. ‘IT services and systems’ includes all stored data and information regardless of their storage or presentation media. ‘IT services and systems’ includes all environmental and support facilities. |
DITM | Digital Information and Technology Management |
DITM applications |
Includes all software owned or licensed by the University. |
DITM architecture |
The University's information, DITM applications, and DITM infrastructure |
DITM assets | Include all computers, terminals, telephones, end host devices, licences, centrally managed data, computing laboratories, video conference rooms, and software owned or leased by the University. |
DITM Authorised Staff |
University of Canberra staff authorized by the Chief Information Officer to monitor accounts, files, stored data and/or network data, and to disconnect IT equipment in the event of an Information Security breach. |
Least privilege | Means that each user be granted the most restrictive set of privileges needed for the performance of authorised tasks. |
Member of the University | University personnel staff, students and other individuals who have a role within the University that entitles them to a University Network Account and/or to the use of University DITM resources. |
Monitoring | Refers to tasks (including testing and scanning) undertaken by DITM Authorised staff to ensure maintenance of security of IT services and systems within the University of Canberra’s domain. |
Network Resources | Include any networks connected to the University’s backbone, any devices attached to these networks and any services made available over these networks. These include network servers, peripheral equipment, workstations and personal computers. |
Normal Administrative Practice (NAP) | A process established to allow for the destruction of ephemeral, duplicate or transitory material of no evidentiary or continuing value. Examples include: Working papers consisting of rough notes, calculations, diagrams, used for the creation of records. |
Offsite storage | Offsite storage is prescribed in consideration of geographical factors, with adequate separation being determined by distance, propensity of fire, flood, structure and materials. Storage at or above ground level, in fireproof containment, within buildings with only concrete and steel structure, in areas of low vegetation will deliver far lower risk than only considering distance. Therefore, this offsite storage policy statement will be superior to industry standards based on separation alone. Given this, the majority of buildings on the ºÚÁϳԹÏÍø campus will fulfil this requirement and therefore can be used as Offsite Storage sites if required. |
Outsourcing | A contractual arrangement whereby services to or on behalf of the University that would otherwise be carried out internally are provided by an external organisation. Examples are financial, personnel, fleet or facilities management functions. |
Physical and Virtual Server Data | Files and configuration required for the normal operation of each server. |
Privacy | Privacy refers to the restriction of access and appropriate use of personal information as defined by law. |
Privately Owned Device | A privately owned device is a device that is not fully owned, leased or controlled by the University. It could be owned by an individual staff member or student of the University or by a third party. Devices which are funded by research or consultancy funding are regarded as University owned. |
Public cloud | A platform that provides resources such as applications or storage to users remotely. The public cloud services may be free or offered through subscription or other pricing models such as pay-pay-usage. |
Public Information | Information that, from time to time, is available for general access without the requirement for authentication. |
Record | A record, in written, electronic or any other form, under the control of the University of Canberra or that it is entitled to control, kept as a record of its activities, whether it was created or received by the University. Briefly records "reflect what was communicated or decided or what action was taken". (AS/ISO 15489 Records Management 2002, Part 1: General, 7.2.1). |
Recordkeeping Systems | Information systems that capture maintain and provide access to records over time. While the term is often associated with computer software, Recordkeeping Systems also encompass policies, procedures, practices and resources which are applied within the University to ensure that full and accurate records of business activity are made and kept. |
Responsible IT Security Officer | University of Canberra staff delegated to be responsible for IT security matters. |
Security | Security is defined as "the state of being free from unacceptable risk". |
System Custodian | The staff authorised as the person responsible for the system and/or its information content. |
Threat | Threats are the potential causes of loss or damage. These threats may be human or non-human, natural, accidental, or deliberate. |
Trusted Network | A network that are only open to authorised users, requiring authentication through login credentials and encryption of data. |
Unauthorised User | Any user who is not an Authorised User and who is accessing information other than Public Information. |
University Network Account | The computer account provided by the University to all current staff, University visitors and students, which has a user ID based on the staff or student ID number, and which is used for user authentication for most IT systems via a corporate directory system. |
User account | A defined user code with an associated set of privileges for access to information and update functionality. Access to the account is controlled by security measures which commonly include a password. The password is the confidential part of the logon process and must be protected by the account holder. |