(1) This Procedure was approved by the Vice-Chancellor on 17 October 2008 and incorporates all amendments to 25 August 2016.
(2) This Procedure is pursuant to the Information and Communications Technology Security Policy.
(3) The procedure documents the university's ICT security measures.
(4) This Procedure applies throughout the university.
(5) Refer to the Information and Communications Technology Security Policy.
(6) The IT Security Manager will develop information and communications technology (ICT) security standards and maintain them according to industry-wide standards.
(7) The IT Security Manager will undertake an ICT security risk assessment annually, and report to the Chief Digital Officer and the Director, ICT Infrastructure Services on ICT security incidents, current security concerns and service improvement needs for the coming year.
(8) Staff members with responsibilities for managing or supporting ICT facilities, services and materials will ensure that:
(9) Staff members with responsibilities for managing ICT facilities, services and materials used for financial transactions will ensure that digital certificates and encryption are used for the transfer and storage of payment information, such as account numbers and credit card information.
(10) The Chief Digital Officer and the Director, ICT Infrastructure Services will determine which staff members can authorise access to the operating systems or security systems of any ICT facility, service or material connected to the Deakin University network.
(11) Staff members will ensure that new connections of, or changes to, any ICT facility, service or material connected to the Deakin University network are managed and approved according to the Deakin University ICT change management process, facilitated by the Division of eSolutions.
(12) Staff members will ensure that any ICT facilities, services or materials installed or configured to protect Deakin University information are of a type and standard approved by the IT Security Manager prior to being implemented on any Deakin University-owned or managed ICT facility or service.
(13) Staff members will ensure that non-Deakin University owned ICT devices, excluding personal computing devices such as laptops or personal digital assistants (PDAs), connected to the Deakin University network abide by the same ICT security standards and requirements as those applied to Deakin University-owned assets.
(14) Deakin University usernames in the Deakin University directory service will not be reused within 12 months, unless reassigned to the same staff member to whom that Deakin University username was previously assigned.
(15) Depending on the class of user, the following minimum requirements apply to user passwords where technically possible:
(16) Vendor-supplied default passwords must be changed before or immediately after any ICT facility, service or material is connected to the Deakin University network.
(17) Where access is granted to vendors, partners, consultants and other users who are not staff or students of Deakin University, this access will be reviewed at least annually to ensure that the access and the privileges granted are still applicable.
(18) Where available, mechanisms to detect and prevent multiple failed login attempts to a user account must be enabled and configured in one of two ways. After multiple failed login attempts, an account:
(19) The Director, ICT Infrastructure Services may monitor for security breaches as specified in the Information and Communications Technology Use Procedure.
(20) Excluding personal computing devices, logs of system, application and ICT user activity that are generated automatically must be kept for a minimum of two years. Such logs will contain both non-identifying and identifying data, which may include Deakin University username, computer name and location, time of activity and screens accessed.
(21) All changes to production data must be made via an application or system interface that automatically logs activity or via standard batch jobs. Where this is not possible, changes must be made and tracked via the ICT change management process, with the details of the change record kept for a minimum of two years.
(22) All changes to logging mechanisms that affect the ability to monitor or audit system, application and ICT user activity must be authorised through the Deakin University ICT change management process and must be able to be audited.
(23) The IT Security Manager will provide an ICT security awareness program for ICT users, including information about their obligations in relation to:
(24) Managers will ensure that their staff members, including consultants and contractors, are aware of and educated about ICT security, including the ICT security requirements appropriate to their role.
(25) Staff will comply with the ICT security requirements required by their role, including but not limited to:
(26) The IT Security Manager will ensure that all external parties with connectivity to the Deakin University ICT network have a formal agreement in place defining access provisions, which will be commensurate with Deakin University measures, to protect against unauthorised or improper use of the Deakin University ICT facilities, services or materials.
(27) Staff will obtain approval in writing from the IT Security Manager before disclosing outside of the University any specific matter regarding security controls that are in use or the way in which these controls are implemented.
(28) Where an exemption from the ICT security policy, procedure or standards is required, approval in writing must be obtained from the Director, ICT Infrastructure Services and the information owner where applicable.
(29) ICT Users must immediately report any suspected or perceived breach of the Information and Communications Technology Security Policy, procedure or standards to the Director, ICT Infrastructure Services or nominee via the IT Service Desk.
(30) The Director, ICT Infrastructure Services may deny or restrict an ICT User's access to the University's ICT facilities, services and materials, and/or remove or disable any data, service or device from the ICT facilities, as a result of violations of the Information and Communications Technology Security Policy, procedure or standards pending further investigation, disciplinary and/or judicial action.
(31) If the Chief Digital Officer and the Director, ICT Infrastructure Services are satisfied, based on investigations, that a violation of policy and/or law has occurred, they will undertake disciplinary action in accordance with the process outlined in the Information and Communications Technology Use Procedure.
(32) For the purpose of this Procedure: