Information Security Policy
1. Purpose
1.1 The Information Security Policy (the policy) aims to reduce the risks to personal, sensitive and proprietary information that is held on UTS information technology (IT) resources and at UTS authorised locations.
1.2 This policy, along with the Acceptable Use of Information Technology Resources Policy, works to manage and protect UTS’s information security infrastructure, its IT resources and its information assets.
1.3 These policies form part of the Information Security Policy Framework (ISP framework) published at Beyond the firewall: UTS Cybersecurity (SharePoint).
2. Scope
2.1 This policy applies to all:
- staff, students, participants, affiliates and visitors as well as any person (hereafter users) with access to, or responsibility for, the management of UTS data and UTS IT resources, and
- UTS IT resources and information assets (hereafter IT resources).
2.2 The policies and practices of controlled entities must be equivalent to the standards and expectations outlined in this policy and the Acceptable Use of Information Technology Resources Policy. Controlled entities with access to UTS IT resources must use this policy or develop their own policy that ensures the requirements of this policy are met.
2.3 In addition to this policy, the security of:
- corporate data is managed in line with the Records Management Policy, the Acceptable Use of Information Technology Resources Policy and the Data Governance Policy
- personal information is managed in line with the Privacy Policy, and
- research data is managed in line with the Research Policy (and associated procedures).
3. Principles
3.1 IT resources and infrastructure are considered vital UTS assets, critical to the effectiveness and success of the university’s core business. UTS is committed to the protection and security of these assets by preventing unauthorised access to, modification and/or compromise of IT resources and the information stored within them.
3.2 Information security is a challenge shared among all users of UTS IT resources. The collective responsibility of users includes the maintenance of UTS’s cyber aware culture, facilitated by continuous cybersecurity education, heightened awareness of potential risks and threats, and immediate and appropriate responses to any breaches or incidents.
4. Policy statements
Information Security Policy Framework
4.1 The ISP framework, which also comprises Chief Information Officer (CIO) information security directives (available at Beyond the Firewall: UTS Cybersecurity (SharePoint)), works alongside related governance instruments including, but not limited to, the:
- Data Governance Policy, which outlines the management and classification of data
- Data Breach Policy, which outlines how UTS identifies, responds to and manages a data breach involving personal information and/or health information (hereafter personal information)
- Artificial Intelligence Operations Policy, which guides the use, procurement, development and management of artificial intelligence (AI) at UTS for the purposes of teaching, learning and operations
- Privacy Policy, which outlines requirements for complying with relevant privacy legislation
- Records Management Policy, which provides a framework to ensure full and accurate records are created, captured and managed in compliance with legislation
- Risk Management Policy, which guides the identification, assessment and treatment of risks and opportunities at UTS, and
- Procurement Policy and the Supplier Management CIO Information Security Directive (available at Beyond the firewall: UTS Cybersecurity (SharePoint)), which outline the requirements for acquiring IT resources and the use of their suppliers.
Cyber awareness and training
4.2 The Information Technology Unit (ITU) will provide users with access to information and training to minimise information security risks and support compliance with this policy.
4.3 The Chief Operating Officer (COO) may, on the recommendation of the CIO or the Chief Information Security Officer (CISO), require users (and identified third parties where required) to undertake mandatory training in support of the university’s cybersecurity measures. Users must complete any mandatory training provided by UTS as part of UTS’s cyber aware culture.
4.4 The UTS information security profile will be maintained by ITU in line with industry standards, compliance requirements and best practice (for example, the Guidelines to counter foreign interference in the Australian university sector). This policy and the ISP framework are continuously reviewed and improved to align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
4.5 Supervisors are responsible for ensuring that:
- staff complete any mandatory cybersecurity awareness training
- information security responsibilities are reflected in business planning and individual workplans, and
- all IT resource procurement and management complies with the Procurement Policy and the Acceptable Use of Information Technology Resources Policy.
4.6 Users must take steps to ensure they are informed about cyber risks that may impact their work, including:
- protecting against, recognising and reporting cyber incidents
- securing UTS information, data and the UTS network
- managing passwords and access, and
- protecting their devices and accounts.
Risk management and mitigation
4.7 The CISO office is responsible for risk mitigation activities, including:
- regular assessment of the university’s information security posture
- cyber hygiene checks
- maintenance of a forward plan that ensures continuous improvement
- provision of guidance and advice on cybersecurity matters as part of the university’s business continuity planning process, and
- external assessments (annually or as otherwise requested) to identify and assess UTS’s cyber maturity level.
4.8 ITU maintains an IT risk register to develop a knowledge base for risks and associated responses as part of the continuous improvement cycle.
4.9 IT resource owners must implement security controls in line with the ISP framework and report these to ITU as part of the risk management process.
4.10 IT resource owners must perform annual risk assessments for all IT resources under their ownership and/or remit of responsibility in line with the Risk Management Policy and the Operations and Infrastructure CIO Directive (available at Beyond the firewall: UTS Cybersecurity (SharePoint)). This risk assessment is designed to:
- confirm existing active IT resources at UTS for inclusion on the IT risk register
- identify any information security risks (potential or known)
- help IT resource owners develop or update appropriate security controls, and
- prompt collaboration with ITU to document and learn from risks and risk mitigation strategies.
4.11 Identified risks must be managed by the IT resource owner where possible. Advice on risk management and mitigation may be sought from ITU and/or the Office of General Counsel.
4.12 Cybersecurity considerations must be included in UTS’s business continuity planning (refer Critical Incident Response Policy). IT resource owners and other individuals with specific information security responsibilities must have these reflected in their workplans.
Information security management and governance
4.13 The Cybersecurity Steering Committee, chaired by the CIO with cross-UTS representation, provides advice and guidance to UTS on cybersecurity matters.
4.14 UTS, with advice from the Cybersecurity Steering Committee, will continuously work to safeguard and maintain IT resources in accordance with current leading practice to avoid and minimise the impact of unwanted access or breaches (refer Acceptable Use of Information Technology Resources Policy).
Access controls
4.15 Access to UTS IT resources is restricted to authorised users in line with the:
- Data Governance Policy
- Privacy Policy
- Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint)), and
- Access Control and Authentication CIO Directive (available at Beyond the firewall: UTS Cybersecurity (SharePoint)).
4.16 Background checks may be conducted for staff in roles that involve elevated access to UTS information systems before employment, promotion or the granting of increased access. Guidance on appropriate probity, reference checks and background checks for access and security purposes is available from the People Unit at Recruitment at UTS: Background checks (SharePoint).
4.17 UTS acknowledges and will seek to meet the security information described in the Guidelines to counter foreign interference in the Australian university sector where possible.
4.18 Data is assigned a classification in line with the Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint)). UTS IT resources that store or transit UTS data must be encrypted in line with the Access Control and Authentication CIO Directive and the Operations and Infrastructure CIO Directive (available at Beyond the firewall: UTS Cybersecurity (SharePoint)).
4.19 UTS uses multi-factor authentication (MFA) as part of its access control strategy. MFA must be used in line with the Access Control and Authentication CIO Directive (available at Beyond the firewall: UTS Cybersecurity (SharePoint)).
4.20 Data and records of the university must be accessed, stored and managed in line with the Records Management Policy.
4.21 Unless required by law, disclosure to an external party of any data or corporate data relating to UTS’s information security processes must be approved by the CISO.
Use of non-UTS resources and remote working
4.22 Personal devices (bring your own device (BYOD)) may be used to undertake study, UTS business or duties when necessary (refer Acceptable Use of Information Technology Resources Policy).
4.23 Users are accountable for the protection and control of university information on personal devices. Users must:
- minimise temporary local storage of information (digital or print)
- use UTS controlled file sharing/record management systems or, where this isn’t possible, transfer information to a UTS controlled file sharing/record management system as soon as possible (normally within a week of access or creation), deleting all copies on their personal device
- ensure home networks have appropriate security controls in place (for example, wi-fi password protection and antivirus software)
- ensure personal devices that connect to UTS networks have up-to-date security patches and anti-virus software installed (refer BYOD CIO Directive (available at Beyond the firewall: UTS Cybersecurity (SharePoint))), and
- take appropriate measures to mitigate cyber risks associated with international travel (refer Beyond the firewall: Cybersecurity travel tips (SharePoint)).
Incident management and reporting
4.24 Information security incidents (including data breaches, unauthorised access, unauthorised disclosure, loss of a networked device and ransomware), regardless of whether they occur on campus or at another location, must be reported immediately to ensure a quick response and to initiate insurance coverage in consultation with the Office of General Counsel (as required). Refer Beyond the firewall: UTS Cybersecurity (SharePoint) for incident reporting.
4.25 Data breaches involving personal or health information must be managed in line with the Data Breach Policy (refer also Data breaches: Report a suspected data breach).
4.26 Confirmed IT security or cybersecurity incidents will be actively managed by the appropriate UTS team in line with the CISO Office’s Cyber Security Incident Response Plan.
Policy exemptions and breaches
4.27 Exemptions to this policy and the ISP framework are not normally approved; however, in exceptional circumstances, they may be requested in line with the Acceptable Use of Information Technology Resources Policy.
4.28 Exemptions granted in line with this policy must be reported to the Cybersecurity Steering Committee and used as part of the continuous improvement cycle.
4.29 Breaches of this policy will be managed in line with the Acceptable Use of Information Technology Resources Policy and the Data Breach Policy (as appropriate).
5. Roles and responsibilities
5.1 Policy owner: The Chief Information Officer (CIO) is responsible for policy enforcement and compliance, ensuring that its principles and statements are observed. The CIO is also responsible for the approval and maintenance of the Information Security Policy (ISP) framework (available at Beyond the firewall: UTS Cybersecurity (SharePoint)), ensuring continued alignment of this policy with the ISP framework and authorising any training associated with this policy.
5.2 Policy contact: The Chief Information Security Officer (CISO) is responsible for cybersecurity at UTS and the development, review and implementation of this policy. The CISO acts as the primary point of contact for advice on fulfilling its provisions and is responsible for reviewing information security risk assessments and providing guidance and advice to the CIO.
5.3 Implementation and governance roles:
The Cybersecurity Steering Committee is responsible for providing guidance and advice to the CISO in line with this policy.
The Chief Data Officer is responsible for managing corporate data in line with the Data Governance Policy.
6. Definitions
The following definitions apply for this policy and all associated procedures. These are in addition to the definitions outlined in Schedule 1, Student Rules. Definitions in the singular also include the plural meaning of the word.
BYOD is defined in the Acceptable Use of Information Technology Resources Policy.
Corporate data is defined in the Data Governance Policy.
Cybersecurity means the various mechanisms used by UTS to protect its IT resources and information assets (see also information security below).
Data breach is defined in the Data Breach Policy.
Encryption means the method of protecting digital data by converting it into a ‘secret code’. This can help protect sensitive information from exposure in the event of a data breach.
Information asset is defined in the Acceptable Use of Information Technology Resources Policy.
Information security means the various mechanisms used by UTS to protect its information assets by preventing, detecting and responding to information security attacks. Threats to the security of UTS information and systems include, but are not limited to:
- unauthorised access allowing for potential malicious activity (for example, theft, manipulation or misuse of information). This could be from organised criminal groups, individual attackers, nation state actors, competitors and/or UTS staff
- accidents and errors in sharing or providing access as a result of low user awareness of good practice
- attacks that deny access of legitimate users to the systems and information for a period of time and, in the worst case, require complete replacement of systems and huge loss of information, and
- poor records management (refer Records Management Policy).
Information Security Policy Framework (or ISP framework) means the collection of procedures, directives, forms and guidelines approved by the Chief Information Officer and published at Beyond the firewall: UTS Cybersecurity (SharePoint).
Information technology infrastructure (or IT infrastructure) means the university’s framework of software, hardware, networks and other components.
IT resource is defined in the Acceptable Use of Information Technology Resources Policy.
IT resource owner means the director, dean or other senior manager responsible for the faculty, unit or other business area that is the owner of an IT resource.
Multi-factor authentication (MFA) means the multi-step login process used for UTS accounts that requires users to confirm their identity via more than one means (for example, a password plus a code, security question, facial scan, fingerprint or other as appropriate).
Participant is defined in the Short Forms of Learning Policy.
Approval information
| Policy contact | Chief Information Security Officer |
|---|---|
| Approval authority | Vice-Chancellor |
| Review date | 2026 |
| File number | UR21/822 |
| Superseded documents | Information Technology Security Vice-Chancellor’s Directive 2014 (UR12/1005) |
Version history
| Version | Approved by | Approval date | Effective date | Sections modified |
|---|---|---|---|---|
| 1.0 | Vice-Chancellor | 26/07/2021 | 12/08/2021 | New policy. |
| 1.1 | Vice-Chancellor | 28/04/2022 | 28/04/2022 | Changes and updates to reflect new ownership under portfolio realignment under Fit for 2027 project. |
| 1.2 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 24/11/2022 | 05/12/2022 | Minor change to reflect new position title of General Counsel and Executive Director, Risk and Compliance. |
| 1.3 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 12/04/2023 | 12/04/2023 | Changes to reflect new unit title of Office of General Counsel. |
| 1.4 | Director, Governance Support Unit (Delegation 3.14.1) | 16/03/2023 | 09/06/2023 | Minor update to reflect the new Artificial Intelligence Operations Policy. |
| 1.5 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 13/11/2023 | 28/11/2023 | Minor update to reflect the new Data Breach Policy. |
| 2.0 | Vice-Chancellor | 28/06/2024 | 04/07/2024 | Full review and alignment with the Information Security Policy Framework. |
References
Acceptable Use of Information Technology Resources Policy
Artificial Intelligence Operations Policy
Beyond the firewall: UTS Cybersecurity (SharePoint)
Guidelines to counter foreign interference in the Australian university sector
Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint))
Information Security Policy Framework (available at Beyond the firewall: UTS Cybersecurity (SharePoint))
National Institute of Standards and Technology (NIST) Cybersecurity Framework