Information and Communications Technology Security policy

Section 1 - Preamble

(1) This Policy is effective from 4 October 2023.

Section 2 - Purpose

(2) This Policy documents the University's information and communications technology (ICT) security measures and outlines the framework to manage University information security and protect University assets and resources.

Section 3 - Scope

(3) This Policy applies to students, staff and associates and where not already covered, to ICT facilities, services and materials owned, managed or leased by the University or as applicable by commercial or legal arrangement, including Bring your own device (BYOD).

Section 4 - Policy

(4) The Chief Information and Digital Officer will ensure that sufficient and proportionate controls are implemented to adequately protect the University’s ICT facilities, services and materials, and that all data and information held electronically are protected from corruption, loss, unauthorised access and disclosure, and unacceptable use.

(5) An ICT Security Assessment must be conducted by Digital Services for any ICT facilities, services and materials involving external parties. A reassessment will be required regularly, or whenever changes to the existing service alter the information security risk.

(6) All ICT facilities, services and materials connected to or running on the Deakin University network will have an ICT facilities, services and materials owner accountable for ensuring appropriate security, in compliance with University policies and procedures.

(7) Access to University ICT facilities and assets or information is controlled and monitored based upon job-related function and need-to-know criteria. ICT users will have access only to the ICT facilities, services and materials required to carry out activities that relate to the duties of their role.

(8) The Chief Digital Officer will maintain a schedule that defines the ICT facilities, services and materials’ backup levels, and backups are regularly tested for restoration.

(9) The Chief Information and Digital Officer will ensure that automatically generated logs of system, application and ICT user activity, and audit trails of changes to data, are kept to ensure proper management, risk assessment and security of ICT facilities, services and materials.

(10) The Chief Information and Digital Officer or nominee may monitor and audit ICT user activity on the Deakin University network, in accordance with the Information and Communications Technology Acceptable Use procedure.

(11) ICT system business owners, in consultation with Digital Services, must regularly assess the risk of unauthorised use, disclosure to unauthorised individuals, modification, or destruction of University information, assets, and resources and develop mitigation strategies.

(12) The Chief Information and Digital Officer will designate a representative to receive and act on notifications of alleged breaches of security of ICT facilities, services and materials.

(13) The Chief Information and Digital Officer will maintain the capability and document appropriate plans to respond to Critical IT Security Incidents (Cyber Incidents). Incidents which are categorised as Cyber Incidents will be managed via an agreed process which takes into consideration the unique requirements for privacy, confidentiality and legality.

(14) The Chief Information and Digital Officer and their direct reports will ensure that students, staff and associates and other third parties are aware of and adhere to applicable University ICT policies, procedures and work instructions.

(15) Any staff member or associate who becomes aware of any loss, compromise, or possible compromise of information, or any other incident which has ICT security implications, shall immediately inform the Digital Services Service Desk.

(16) The Chief Information and Digital Officer or nominee will ensure that security reviews are conducted before any new key ICT system is implemented and before significant changes are made to an existing key system. The Chief Information and Digital Officer or nominee will also ensure that key ICT systems are periodically reviewed.

(17) Any exemption to this Policy must be approved by the Chief Information and Digital Officer. Exemption requests must set out the rationale, the duration for which the exemption is required, the associated risks, and any mitigating controls. The Chief Information and Digital Officer may approve the request for a set period or deny the request.

(18) The Cyber Security Director is responsible for the regular review of exemptions and may:

  1. extend the period that the exemption is in place
  2. vary the exemption request, including the relevant conditions and controls
  3. cancel the exemption if it is determined that the exemption is no longer appropriate.

Section 5 - Procedure

(19) There is no attendant Procedure.

Section 6 - Definitions

(20) For the purpose of this Policy:

  1. BYOD (Bring your own device): a user’s personal device, not a Deakin-provided device.
  2. Data: individual facts or items of content, including symbolic representations that may form the basis of information (e.g. a date, a name, a number).
  3. Information: a collection of data in any form, which may be transmitted, manipulated, and stored, and to which meaning has been attributed. Information may include, but is not limited to: a written document, an electronic document, a webpage, an email, a spreadsheet, a photograph, a database, a drawing, a plan, a video, an audio recording, a label or anything whatsoever on which is marked any words, figures, letters or symbols which are capable of carrying a definite meaning to one or more persons or information systems.
  4. Information and Communication Technology (ICT) Facilities, Services and Materials: all physical spaces (e.g. server rooms, network or communication closets, computer laboratories), hardware and infrastructure (e.g. servers, workstations, voice and data network, wired and wireless networks, audio visual equipment and portable storage devices) and any cloud-based facilities associated with the delivery of ICT services and materials. This includes all software, applications and services (including but not limited to telephony and internet access), and any data contained or stored in any ICT facility.
  5. Information and Communication Technology (ICT) User: any authorised person with access to the University's ICT facilities, services and materials, including but not limited to students, staff, honorary staff members, visiting academics, contractors and alumni.