IT security is about defining who can access what, when and on what devices, while providing an environment that keeps people, and the systems and data they use safe from cyberattacks.
In order to fulfil your obligation to implement appropriate divisional, departmental or faculty-level IT security, you must:
- Ensure all systems within your division, department or faculty comply with the University's 'baseline' information security standards
- Implement additional security controls where confidential data is processed
The University's 'baseline' information security standards describe the minimum security controls needed to make and keep your IT systems secure, and should be referred to when meeting the following requirements.
The baseline is series of technical controls which define minimum levels of control. Each control describes a single working practice that needs to be implemented. The controls are split into 8 different domains, which are:
- Access control
- System acquisition and development
- Change management
- Incident management
- Monitoring and logging
- Vulnerability management
The controls align with industry standards such as ISO/IEC27001 and PCI-DSS, to ensure their effectiveness and so that there is less work for units who need to achieve formal certification in the future.
It is important to note that the baseline represents minimum standards for handing internal data, and that confidential data or data which is subject to other restrictions – such as patient identifiable data – may require higher levels of controls. They may also be supplemented with hardening guides for specific systems, such as webservers.
Ensure all new systems conform to all applicable security requirements contained in the baseline. You may feel that some requirements are not applicable, but it is up to you to justify if this is the case. It is still possible to comply with the intent of the baseline so long as:
- There is a documented business or technical constraint that prevents you from applying any of the baseline controls and
- There has been an appropriate and documented risk assessment and
- There is an appropriate and documented mitigating control (or controls) in place
For more information and to obtain a copy of the baseline please see our compliance pages.
Mobile devices such as smartphones, laptops and tablets require special security controls owing to the increased threat to data that working on the move presents. At a minimum the following controls should be implemented on any mobile device used to store or access internal or confidential data:
- Protected from unauthorised access by using a PIN or a passphrase
- Configured to ensure they automatically lock after a period of inactivity
- Configured in such a way that they can be remotely wiped in the event of loss
- Data is encrypted at rest
- Only have trusted applications from reputable sources installed
- Currently receiving software updates from the manufacturer and other 3rd parties
- Receive software updates for security patches within a reasonable timeframe
It is University policy that:
- Appropriate information security controls are implemented to protect all IT facilities, technologies and services you use to access, process and store University information