1.0 Introduction

  1. Scope of the Guidelines
  2. University Information Principles
  3. Responsibility for University Information
  4. Risks Related to Computerised University Data
  5. Technology Applications
  6. Structure of the Guidelines


1.1 Scope of the Guidelines

  1. The Security and Privacy Guidelines for University Information Systems are published by the Computer Security Committee of Central Queensland University (CQU).

  2. These guidelines are provided as a resource to assist the university to:

    a) minimise the risk of unauthorised collection, use, disclosure, modification or destruction of university data;

    b) maximise the integrity, availability and efficacy of administering authorised access to university information; and

    c) protect the privacy of users and providers of university services.

  3. Implementation of these guidelines should be regarded as a goal to be attained to improve the security and privacy of university data held by the university. Since no system can be absolutely secure, application of the guidelines does not guarantee the confidentiality, integrity or availability of university data.

  4. The university must make decisions concerning security and privacy based on an objective assessment of potential risks. Such risks must be balanced against the costs and other organisational priorities. Responsibility and accountability for the security and privacy of university data rests solely with the university.

The university should make use of the Threat Risk Assessment Process to identify solutions that are cost effective while meeting security and privacy requirements.

Note: Information on the Threat Risk Assessment Process is found in Annex 1.


1.2 University Information Principles

These guidelines have been produced in consideration of the following fundamental principles:

  1. Individuals have a right to privacy of personal university information. Such information cannot be disclosed without their authorisation;

  2. University staff require access to university data for the delivery of services to the individual;

  3. The university (e.g. faculties, divisions, departments, service units, campus and program administrators) requires aggregate data to manage resources and programs for the delivery of effective services;

  4. Government departments, agencies and regulatory bodies may require university data to develop, promote and protect the university, and to manage university resources at a macro level;

  5. Corporations and other entities working within the university environment may require data to support the development of products and services of value to students/clients, university staff, the university, and governing bodies;

  6. Other individuals and institutions may require access to the university information technology infrastructure without being able to access university data.


1.3 Responsibility for University Information

These guidelines are intended for any individual or organisation who is responsible for the management of university data. In general, the guidelines are directed to anyone whose responsibilities include the following:

  1. Collection of university data
  2. Control of access to data by employees, university staff and students/clients
  3. Protection of data from unauthorised access, modification or destruction
  4. Storage and archiving of data
  5. Analysis and distribution of university data, as appropriate, to government authorities, funding agencies, and other organisations


1.4 Risks Related to Computerised University Data

These guidelines address the following risks to university data, and provide practical suggestions to assess and minimise such risks:

  1. Unauthorised disclosure
  2. Interruption in access to critical information or systems
  3. Unauthorised or accidental modification
  4. Unauthorised removal
  5. Unauthorised or accidental destruction
  6. Unauthorised collection


1.5 Technology Applications

These guidelines apply to the processing, maintenance, retention, reproduction, destruction, storage and communication of university data regardless of the technology platform or mode used. This includes:

  1. Mainframe systems
  2. Client/server systems
  3. Microcomputers
  4. Local, wide area and wireless networks
  5. Facsimile communications
  6. Cellular telephones
  7. Advanced card technologies
  8. Data storage devices (magnetic, optical, etc.)

While the guidelines are specifically targeted to the computerised information processing environment, many of the same principles will apply to traditional paper-based university information systems.


1.6 Structure of the Guidelines

The Central Queensland University Security and Privacy Guidelines for University Information Systems are structured as follows:

  1. Introduction [This section]
  2. Administrative and Organisational Security
  3. Personnel Security
  4. Physical and Environmental Security
  5. Hardware Security
  6. Communications Security
  7. Software Security
  8. Operations Security
  9. Guidelines for Small Systems

Parts 2 through 8 are intended for the larger university systems, such as local and wide area networks, interconnected systems, central computer facilities and the Information Technology Division. These organisations typically have complex operational environments, large numbers of staff/users, and significant information technology assets.

Part 9 is intended for small systems, either stand-alone or independently operated. Typically operated by a single staff member, researcher, or student, these might include a system in a faculty or department, clinic, lab, individual office (on campus or home-based) or small campus. These enterprises typically have limited technology assets, a smaller client base and fewer staff than the larger enterprise. Part 9 also applies to remote access from satellite locations (e.g. remote access to the Library collection), labs, employee homes, or smaller campuses.


Guidelines for Computer Security at CQU, A C Lynn Zelmer, PhD; Editor/Adaptor
Copyright © 1996 CQU Computer Security Committee