Information Security Policy
Intent
This Policy provides direction and oversight on how 石榴视频 (石榴视频; the University) safeguards the confidentiality, integrity and availability of its information management systems against security risks and threats.
This Policy addresses Higher Education Standards Framework (HESF) Standard 7.3.3(b).
Scope
This policy applies to all Authorised Users of the University’s information management systems regardless of location, whether during or after business hours or whether on 石榴视频-owned or privately owned devices.
Definitions
Refer to the Digital Policy Glossary for a comprehensive list of definitions, terms and explanations relating to information security at 石榴视频.
Policy
1. Policy Alignment
This Policy and its supporting processes align with:
- the Queensland Government Information Security Policy (IS 18:2018); and
- internationally recognised best practices as established in:
  - ISO/IEC 27001 Information security, cybersecurity and privacy protection – Information security management systems – Requirements; and
  - ISO/IEC 27002 Information security, cybersecurity and privacy protection – Information security controls.
2. Principles
2.1 Governance and Management: The University’s senior management is committed to providing direction, support and resources for information security in alignment with business, legal, statutory, regulatory, and contractual requirements.
2.2 Security and Risk Management: The University adopts a proactive, risk-informed approach to information security by anticipating potential threats and vulnerabilities and taking preventive measures to mitigate risks before they can be exploited.
2.3 Compliance and Continuous Improvement: The University is dedicated to regularly monitoring, measuring, analysing, and evaluating its information security performance. This continuous improvement approach ensures compliance with applicable laws, regulations, and contractual requirements while identifying areas for enhancement.
3. Objectives
To achieve these Principles, 石榴视频 will:
3.1 Integrate information security into 石榴视频’s enterprise strategy to foster a culture of security and risk awareness at all organisational levels.
3.2 Integrate applicable requirements and control measures specified in IS 18:2018, ISO/IEC 27001 and ISO/IEC 27002 into 石榴视频’s practices and processes (including policies, procedures, standards, guidelines and similar) with clearly defined roles and responsibilities.
3.3 Use metrics for Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to:
3.3.1 Provide management insight on organisation-wide cybersecurity and data privacy controls including functions performed by third parties.
3.3.2 Predict optimal performance, ensure continued operations and identify areas for improvement.
3.3.3 Make informed decisions about changes and process improvements.
3.4 Utilise the Vice Chancellor’s Committee (VCC) for its management of information security functions and the Audit, Risk and Compliance Committee (ARCC) for its governance oversight of information security, cybersecurity and privacy protection.
3.5 Establish processes to ensure compliance requirements are identified, documented, managed, reported and reviewed at appropriate levels.
3.6 Promote a culture of continuous improvement and awareness through education, training and relevant resources (including documented procedures, standards, website, etc).
3.7 Maintain open communication channels for reporting security incidents and vulnerabilities.
3.8 Encourage and promote innovation in security measures and management.
3.9 Formalise and manage these objectives through an Information Security Management Framework and associated documents (including procedures, standards, playbooks, manuals, guidelines, etc).
4. Responsibilities
4.1 The Chief Information Security Officer (CISO) is the Accountable Officer delegated to lead the implementation, management, and reporting of information security across 石榴视频 including establishing and maintaining an Information Security Management Framework.
4.2 All users of the University’s information management systems are responsible for information security in accordance with this Policy and its supporting framework, processes and procedures.
Related policy instruments
Cyber Incident Response Plan
Digital Technologies Acceptable Use Policy
General Data Protection Regulation (GDPR) Procedure
Information Privacy Statement and Collection Notice
Information Security Management Framework
Personal Information Data Breach Procedure
Requests for Access and Amendment to Personal Information Procedure
Risk Management Framework and Plan
Schedules/Appendices
Nil
Related documents and legislation
ISO/IEC 27001 Information security, cybersecurity and privacy protection – Information security management systems – Requirements
ISO/IEC 27002 Information security, cybersecurity and privacy protection – Information security controls
Administration
NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.
Approval Details
| Policy Domain | Corporate Governance |
| Policy Sub-domain | Risk, Assurance, Regulatory and Compliance |
| Policy Custodian | Vice Chancellor |
| Approval Authority | Council |
| Date for next Major Review | 01/08/2029 |
Revision History
| Version no. | Approval date | Approved by | Implementation date | Details | Author |
| --- | --- | --- | --- | --- | --- |
| 24-1 | 01/08/2024 | Council | 07/08/2024 | Policy established – replaces Cybersecurity Policy | Information Security – Governance, Risk and Compliance Manager |
| Keywords | Information security, cyber security, cybersecurity, NIST, ISO27001, ISO27002, IT |
| Contact person | Information Security – Governance, Risk and Compliance Manager |