2.0 Administrative and Organisational Security

  1. Written Security and Privacy Policy
  2. Standard Operating Procedures
  3. Designated Responsibility
  4. Use of Data and Information Systems
  5. Review and Audit
  6. Collection, Access and Release
  7. Student/Client/Staff Member Access to University Information
  8. Quality of University Information
  9. Information System Activity Records


2.1 Written Security and Privacy Policy

  1. The university (and its operating units, e.g. faculties, departments, divisions) should establish a written Security and Privacy Policy concerning the collection, processing, maintenance, retention, reproduction, destruction, storage, communication and release of university information.

    [CQU Council has adopted the University Policy: Information Technology Security and the Code of Conduct: Information Technology Security, a copy of which is available at . Individual units need to adopt an appropriate policy and procedures to implement the general university policy.]

  2. The Security and Privacy Policy must conform to the requirements of state and Commonwealth legislation, and international treaties, including legislation respecting the administration and delivery of university services, the protection of human rights and freedoms, as well as specific laws governing access to information and protection of personal privacy.

  3. The Security and Privacy Policy should state the university's commitment to maintain the security and privacy of university information and contain specific measures to honour that commitment. The policy should include:

    a) The specific responsibilities of all users of university information.

    Examples: use of IDs and passwords; reporting security incidents; care and storage of university information media.

    b) The specific responsibilities of management.

    Examples: administration of the security and privacy policy; addressing violations of the security and privacy policy or threats to university data.

    c) The specific responsibilities of information system and university records/information staff.

    Examples: maintenance and control of hardware, software and data; enforcement of security measures; conducting risk and threat assessments.

    d) The conditions surrounding collection, access and release of university data as it applies to staff, university staff, students/clients and others.

    Examples: data collected and released only with student/client/interviewee consent; defined levels of access for individuals or positions; release of aggregated data for statistical or research purposes.

    e) The consequences of violating the Security and Privacy Policy.

    Examples: disciplinary action; loss of privileges; legal action; liability for damages.


2.2 Standard Operating Procedures

  1. The university should have standard operating procedures that govern the acquisition, development, installation, maintenance and operation of all aspects of information management and information systems.

  2. Standard operating procedures should contain specific step-by-step processes to ensure the security and privacy of university data.

    Examples: procedures to back up data and ensure that the backup storage media are stored securely; to scan new hardware and software for viruses.

  3. Standard operating procedures should specify the person responsible for the completion or execution of any procedure (identify by organisational title or position).

    Examples: identify the individuals responsible for powering up or shutting down the system; for issuing or deleting passwords.


2.3 Designated Responsibility

  1. The university should designate an individual who will be responsible for the development, implementation, monitoring and evaluation of the university's Security and Privacy Policy, and ensuring that standard operating procedures respecting security and privacy are followed. For the purposes of this document, this individual shall be referred to as the Security and Privacy Officer.

    University operating units should likewise designate an individual who will be responsible for the development, implementation, monitoring and evaluation of the unit's Security and Privacy Policy, and ensuring that standard operating procedures respecting security and privacy are followed. For the purposes of this document, this individual shall be referred to as the Faculty/Division Security and Privacy Officer.

  2. The Security and Privacy Officer should report to a senior executive within the university to ensure that the necessary authority exists for enforcement of the Security and Privacy Policy.

    The Security and Privacy Officer should be a member of the CQU Computer Security Committee.

    The Faculty/Division Security and Privacy Officer should report to the Dean/Head of Division to ensure that the necessary authority exists for enforcement of the Security and Privacy Policy.

    The Security and Privacy Policy should identify key management personnel who have responsibility for security and privacy, including the Chief Executive Officer, Chief Information Officer, and Faculty/Division Heads. These responsibilities should be included in position descriptions, mandates and goals of each position.

  3. All contractual arrangements or agreements between the university and external organisations which affect university data or equipment should contain clauses specifying security and privacy requirements. Private sector facilities supporting the processing of university data, or supporting an essential university service, should be required, by contractual obligation, to ensure that their employees are fully aware of their security obligations.


2.4 Use of Data and Information Systems

  1. The purpose of all university information systems and databases within the university should be clearly defined. The systems should not be used for any other purpose unless they are specifically authorised by the university.

    Example: A teaching or lab system and database established for teaching or clinical purposes should not be used for research purposes unless specifically authorised by the university.

  2. No information system should be used in the university, unless its existence and purpose is known to the university's management, and its operation can be monitored by the Security and Privacy Officer. This includes external systems (researchers, consultants, commercial operations, etc.) that may access databases and application systems that are part of the university's information system.

    Example: Individuals or departments should not be allowed to set up or use stand-alone computers, whether university or individually owned, to collect and analyse student data without notifying the Security and Privacy Officer and implementing required security and privacy safeguards.


2.5 Review and Audit

  1. Computer systems which process and store university data should be subject to a periodic independent inspection and audit of security and privacy safeguards. In addition to those regularly scheduled, reviews should be undertaken in the following circumstances:

    a) physical move,
    b) change in hardware, software, or communications networks,
    c) change in operation, or
    d) a major security incident.

  2. A threat and risk assessment for the university should be prepared and maintained, with an up-to-date report outlining security measures in place and describing possible security risks which have been identified (see Annex 1).


2.6 Collection, Access and Release

  1. University data should be obtained, retained and accessed only by ethical and lawful means.

  2. The university should establish a standard operating procedure for the collection, access and release of university data. University data should be accessed or released only for:

    a) direct service use - when requested by a university service provider or facility responsible for the direct service of the student/staff member;

    b) individual use - when authorised by the student/staff member or his legally authorised representative;

    c) secondary use - when requested by properly authorised persons or agencies (note: data should be provided in a form appropriate to the secondary user, i.e. aggregated, anonymous, etc.);

    d) legal use - when required by law.

  3. Where data is released for research purposes, the data should be anonymous. All personal identifiers should be removed. Individual privacy should be maintained in the processing of university data and in any report or publication of findings. Where release of personal data is required because of the nature of the research, strict controls should be placed upon the use and final disposition of the data.

  4. The university should ensure, to the best of its ability, that university data released to third parties will not be used for any unauthorised purpose or exposed to the risk of disclosure. If a third party requesting data fails to agree that university data will be protected in a manner consistent with the university's Security and Privacy Policy, the request for data should be denied.

  5. University data received by the university from another authority should be used only for the purpose for which it was provided.


2.7 Student/Client/Staff Member Access to University Information

  1. The student/client/staff member has the right to request access to their own university data. The university should establish policies and standard operating procedures governing student/staff member access to university data in accordance with Commonwealth and state legislation and regulations, and with prevailing principles established by judicial decisions. All requests for access to university data by students/clients/staff members should be in writing.

  2. Always subject to Freedom of Information legislation, university staff should have the ability to withhold university data in situations where release of the data may result in harm to the physical or mental well-being of the student/client/staff member or a third person.

  3. The university should provide an internal appeal mechanism to the student/client/staff member for those instances where access is denied.

  4. The student/client/staff member should not be allowed, or have the opportunity, to alter, deface or remove any part of the university data contained in the university record. The student/client/staff member should be permitted to append to the university record a written, signed, dated statement detailing any comments.

  5. The university should establish procedures to ensure comments from students/clients/staff members are reviewed and all files containing the data in dispute are either amended to reflect correct data or have a notation added detailing the changes requested by the student/client/staff member but refused by the university.


2.8 Quality of University Information

  1. University data must be accurate and current. Every reasonable step must be taken to rectify data that is inaccurate or incomplete.

    Note: Corrections to computerised university data should never delete or overwrite the original entry and/or the audit trail for the original entry. The correction should append the revised data to the original entry, together with information identifying the individual making the correction and the date and time of the correction.

  2. The university is responsible for maintaining the integrity and accuracy of university data supported by policies, procedures and controls outlining responsibility of documentation/data entry and record completion.

    Computer systems which process and store university data should be subject to periodic independent reviews to ensure that the quality standards of the university are being met.
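The following is an added example (not part of the CQU guidelines) of one way to apply the note in 2.8 together with the appended-statement and refused-change rules of 2.7: each field of a record keeps an append-only history in which corrections, student statements and refusal notations are added alongside the original entry, never in place of it. Entry kinds, identifier formats and the sample dates are constructed assumptions.

```python
# Added example, not from the CQU guidelines: an append-only field history
# applying the 2.8 note and the 2.7 rules on appended statements/refusals.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class Entry:
    kind: str   # "original" | "correction" | "comment" | "refusal"
    value: str  # data value, appended statement, or the refused value
    by: str     # identifier of the person making the entry (constructed)
    at: str     # ISO 8601 timestamp fixed when the entry was appended

@dataclass
class FieldHistory:
    name: str
    _entries: list = field(default_factory=list)

    def _append(self, kind, value, by, at=None):
        ts = at or datetime.now(timezone.utc).isoformat()
        self._entries.append(Entry(kind, value, by, ts))  # never overwrites

    def record(self, value, by, at=None): self._append("original", value, by, at)
    def correct(self, value, by, at=None): self._append("correction", value, by, at)
    def comment(self, text, by, at=None): self._append("comment", text, by, at)
    def refuse(self, requested, by, at=None): self._append("refusal", requested, by, at)

    def current(self):
        # Latest original/correction is the value in force; comments and
        # refusal notations are part of the record but do not change it.
        for e in reversed(self._entries):
            if e.kind in ("original", "correction"):
                return e.value
        raise LookupError(f"{self.name}: no value recorded")

    def history(self):
        return list(self._entries)  # a copy, so callers cannot edit the trail

def corrected_example():
    h = FieldHistory("date_of_birth")
    h.record("1975-03-01", "staff:clerk01", "1996-02-01T09:00:00+00:00")
    h.comment("DOB is wrong; should be 1975-03-10", "student:s1234", "1996-02-05T10:30:00+00:00")
    h.correct("1975-03-10", "staff:registrar", "1996-02-06T14:00:00+00:00")
    return h
def refused_example():
    h = FieldHistory("surname")
    h.record("Smith", "staff:clerk01", "1996-02-01T09:00:00+00:00")
    h.comment("Please change surname to Smythe", "student:s1234", "1996-02-05T10:30:00+00:00")
    h.refuse("Smythe", "staff:registrar", "1996-02-06T14:00:00+00:00")
    return h
```

In the corrected case the original value survives as the first entry and the registrar's correction is the value in force; in the refused case the original stays in force and the refusal notation records what was requested and by whom.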


2.9 Information System Activity Records

  1. The university should maintain all information system activity records for a period of at least 1 year.

    Examples: hardware, software and communications maintenance records, change control logs, problem logs, access control logs, security incident reports.


Guidelines for Computer Security at CQU, A C Lynn Zelmer, PhD; Editor/Adaptor
Copyright © 1996 CQU Computer Security Committee
