Security policies and standards
Staff can access information to help them understand and comply with cyber policies and standards.
Cyber security policies, standards and guidelines
Supported by the UNSW Executive and reflecting University cyber security risk management objectives:
- Policies are high-level statements of University intent and allocation of management responsibilities.Ìý
- Standards describe the mandatory requirements for University-wide IT services.
- Guidelines may exist where more detailed instructions are required.
Together they frame the management of cyber security at our University.
-
As per the UNSW Cyber Security Policies and Standards, the Cyber Security Policy Framework was established in 2023.Ìý
As part of the Framework, Business Owners of UNSW Information Resources are required to:Ìý
- Understand their accountabilities and responsibilities concerning relevant Cyber Security Policies and Standards.
- Identify UNSW Information Resources and submit these for Cyber Security Risk Rating assessment.
- Perform a cyber security baseline Gap Assessment on all Medium and High-Risk Rated information resources.
Items 2 and 3 above are supported by the UNSW IT Cyber Security Strategy and Governance teams.
°¿²Ô³¦±ðÌýGap AssessmentsÌýare completed in theÌýÌýtool, the Cyber Security Strategy and Governance team will assess the information provided and issue Compliance Reports to:
Business Owners
Reports are by information resource and provide insights into gaps against controls outlined in the Cyber Security Standard - Risk Management. The report also provides remediation recommendations.
Senior leaders (DVCs, VPs, and Deans)
Senior leaders receive a Summary Report for their Faculty/Division which provides an overview of compliance gaps for their area of responsibility.
When the Compliance Reports are issued discussions begin with each area to planÌýremediation activitiesÌýto address gaps.
Under the Cyber Security Policy, Deputy Vice-Chancellors, Vice-Presidents, Deans, and the Rector 91³ÉÈ˰涶Òôare accountable for theÌýannual attestationÌýof compliance to the Cyber Security Risk Management Framework within their area of accountability.Ìýaccountability. Attestation occurs after remediation activities have commenced.
Ìý -
TheÌýCyberPolicyHubÌýis a central directory of the Cyber Policy Framework and is designed to support UNSW staff in understanding their Cyber Security obligations.
The CyberPolicyHub function lies within theÌýÌýplatform. It can be used to search for relevant Cyber Security clauses using your role type and keywords. Refer to theÌýreference guideÌýfor assistance using the CyberPolicyHub.Ìý
Please visit the Cyber SecurityÌýStrategy & GovernanceÌýfor a listing of all support services provided.Ìý
Ìý -
Acceptable Use of UNSW Resources Policy
The policy sets out the principles for ensuring UNSW information resources are used responsibly. This includes defining the conditions of personal use and informing users of their responsibilities, and the penalties for misuse. The policy establishes requirements for compliance and reporting cyber security events to reflect UNSW values.
Acceptable Use of UNSW Resources Policy (pdf, 268KB), opens in a new windowÌý
Cyber Security Policy
The Cyber Security Policy sets out the principles for ensuring University-wide information resources are appropriately protected. This policy;
- outlines appropriate governance of cyber security
- management of cyber security risk
- ensures cyber security events are detected and responded to promptly
- UNSW Information Resources recover from cyber security incidents in a secure and timely manner.Ìý
Cyber Security Policy (pdf, 283KB), opens in a new window
Data Security Standard
This standard establishes the minimum requirements related to handling and protection of UNSW Digital Information consistent with data classification, Cyber Security Risk Rating as well as applicable laws, regulations, standards, and contractual obligations.
The following Cyber Security Standards apply to University-wide users.
Risk Management Standard
This standard establishes cyber security risk ratings for UNSW Information Resources and ensures that cyber security risks are appropriately identified, assessed, reported, and treated consistently with the UNSW Risk Management Framework and applicable laws, regulations, standards, and contractual obligations. It defines the minimum set of controls that are required for UNSW Information Resources, consistent with the type of resource and its cyber security risk rating. This standard links the Cyber Security Policy and supporting Cyber Security Standards.
Ìý -
The following Cyber Security Standards apply to all University-wide users including those Division/Faculty users with technology management or operational responsibilities.ÌýÌý
Framework Exemption Standard
This Standard outlines the process by which deviations, from the Cyber Security Policies and Standards, are to be managed and recorded.Ìý
Incident Management Standard
This Standard establishes the detailed responsibilities and requirements related to cyber security incident management, including the relationships between Faculty and Division security incident response processes, Security Operations Centres (SOC), the UNSW IT Service Centre, the UNSW IT Cyber Security Incident Response Team, and other internal and external stakeholders.
Identity and Access Management Standard
This Standard establishes the minimum standards related to user account management including privileged access management and periodic reviews, defining manager and supervisor responsibilities, centralised authentication, and multi-factor authentication.
Information Asset Management Standard
This Standard establishes the minimum cyber security requirements related to management oversight and lifecycle management of UNSW Information Resources, including formally mandating a centralised inventory of UNSW Information Service and Information Assets, as well as prohibiting end-of-life or end-of-support UNSW Information Resources.Ìý
IT Hosting Standard
The purpose of this standard is to establish minimum requirements for the hosting of Cyber Security Risk-Related UNSW Information Resources, including detailed physical access and environmental controls to support the required confidentiality, integrity, and availability.Ìý
Logging and Monitoring Standard
This Standard establishes minimum standards for security event logs, and minimum requirements for log protection, log retention, and log monitoring, including the requirement to utilise a Security Operations Centre (SOC) for UNSW Information Resources.Ìý
Network Security Standard
This Standard establishes the minimum requirements for the configuration of network-related Information Assets, including network segmentation controls, and traffic flow control requirements for specific network devices.
Secure-by-Design Standard
This Standard establishes the minimum requirements related to UNSW Information Resource configuration and hardening, and secure development, including formally mandating the Enterprise Security Architecture.
Secure Continuity Standard
This Standard establishes the minimum cyber security requirements for High-Resilience UNSW Information Resources throughout the Disaster Recovery (DR) lifecycle, including DR vendor risk and security assessments, the continuity of physical access and environmental controls, as well as backup, and restore arrangements to support the required availability.
Threat and Vulnerability Management Standard
This Standard establishes the minimum requirements for malicious code and malware protection and vulnerability management for UNSW Information Resources, including vulnerability scanning, penetration testing, and patch management.
Vendor Risk Management Standard
This Standard establishes the minimum cyber security requirements throughout the vendor management lifecycle, including initial and periodic risk and security assessments, contract inclusions, compliance obligations, data security, and mandatory breach reporting.
Ìý
Reporting cyber incidents
It is important to report any cyber security incidents as quickly as possible so that UNSW IT’s Cyber Security team can address any issues and mitigate risk exposure.
What should I report?
- Suspecting your computer or account has been compromised.
- Having evidence on how technology or University data may be vulnerable.
- Noticing a colleague inappropriately sharing Highly Sensitive or Sensitive data.
- Losing a University asset containing sensitive information.
Report a cyber security incident by calling the UNSW IT Service Centre on 02 9385 1333 or using the link below.
Cyber security is everyone’s responsibility and by learning a few rules, simple steps, and following guidelines, we can protect ourselves and our University from cyber security threats and keep data safe. Go to Cyber Security Training and AwarenessÌýfor more information.
Ìý
"Enhancing cyber security, including protecting information and privacy, is of paramount importance to our core functions of education and research. We all play a part in being cyber smart."Ìý
Professor Attila Brungs, Vice-Chancellor and President, UNSW Sydney