Â鶹Éçmadou

In 2022 an external assessment was undertaken that identified Â鶹Éçmadou websites (IP addresses and domains) with vulnerabilities. Depending on the nature and severity of the vulnerability, remediation can happen in a few different ways. It may involve patching or updating software, configuring firewalls or other security controls, restricting access to certain assets, or decommissioning obsolete systems or applications.Ìý

The Program is working on identifying high-priority Â鶹Éçmadou website owners and technical teams to provide recommendations for remediation activities to close out vulnerabilities and reduce the likelihood of them being exploited. This project is expected to close by end of May.

If you would like to learn more or are a Â鶹Éçmadou website owner, please contact ourÌýProgram.

Ìý

By Q2 2024, the Program will facilitate the compliance and certification of Â鶹Éçmadou's Information Security Management System (ISMS) againstÌý. With the Cyber Strategy & Governance team, the Program will undertake a gap analysis, risk assessment, documentation, and audit accreditation with involvement from other key areas of the University.

What are the benefits of ISO27001 certification?

Achieving the globally recognised certification for information security will allow the University to demonstrate to third parties that it has a mature information security governance and risk management practice.
ISO27001 Audit

To achieve certification, the University must undergo an audit performed by an independent body. The independent body provides a certificate if ISMS meets specific requirements under ISO27001. As part of the ISO27001 audit, those within the ISMS must understand the ISO27001 objectives, what the ISMS is, and their role within it.Ìý

For more information, please visit theÌýÌýwebpage andÌýÌýsection.Ìý

Ìý

With the Cyber Security Policy Framework established, theÌýProgram extended theÌýÌýfunctionality to include a searchable policy directory namedÌýCyberPolicyHub.Ìý

CyberPolicyHub will be a central directory of the Cyber Security Policies, Standards, and Guidelines designed to support Business Owners, Information Service Owners, and Technical SMEs (subject matter experts) to understand their cyber security obligations for their Â鶹Éçmadou information resources.Ìý

Within theÌýÌýyou can search for relevant cyber security clauses using your role, asset type, and relevant topics.Ìý

To learn more, please refer to theÌýÌýwebpage for services provided.

Ìý

Together with Business Owners, the Program has continued to identify and migrate applications to the Azure SSO (Single Sign-On) platform for single sign-on functionality. SSO applications enable Multi-Factor Authentication (MFA), via a seamless login, and provide an extra level of protection.

Since 2021, the Program has:

• WorkedÌýwith IT and Business Owners to build an Azure Application Proxy capability for critical legacy applications: SIMS, and NS Financials.
• EngagedÌýwith Business Owners to discuss the suitability of their targeted medium to high cyber risk-rated applications being onboarded to SSO, especially if their application has had a gap identified against the Cyber Security Framework.

From 2022 to April 2024, 243 applications have been onboarded to SSO. This work will continue, and form part of the new Cyber Security Enablement Program deliverables.

Refer to theÌýÌýwebpage for more information or toÌýÌýto the Azure SSO platform.

If you would like to learn more, please contact ourÌýProgram.Ìý

Ìý

Together with Business Owners, the Program has continued to identify and migrate applications to the Azure SSO (Single Sign-On) platform for single sign-on functionality. SSO applications enable Multi-Factor Authentication (MFA), via a seamless login, and provide an extra level of protection.

Since 2021, the Program has:

• WorkedÌýwith IT and Business Owners to build an Azure Application Proxy capability for critical legacy applications: SIMS, and NS Financials.
• EngagedÌýwith Business Owners to discuss the suitability of their targeted medium to high cyber risk-rated applications being onboarded to SSO, especially if their application has had a gap identified against the Cyber Security Framework.

From 2022 to April 2024, 243 applications have been onboarded to SSO. This work will continue, and form part of the new Cyber Security Enablement Program deliverables.

Refer to theÌýÌýwebpage for more information or toÌýÌýto the Azure SSO platform.

If you would like to learn more, please contact ourÌýProgram.Ìý

Ìý

In 2022, all Â鶹Éçmadou Cyber Security Policies and Standards were updated to uplift the maturity of cyber security at our University.

The Program is continuing to work with Business Owners and senior leaders across the University to manage risks through the Â鶹Éçmadou Risk Management Framework as part of the Policy Framework implementation.

Compliance Reports were issued to senior leaders (such as DVCs, VPs, and Deans), Business Owners, Information Service Owners, and technical SME (subject matter experts). The reports outline compliance gaps against the minimum defensible controls outlined in the Cyber Security Policy Framework.Ìý

Remediation work to address these gaps will begin as part of the new Cyber Security Enablement Program of work. It will involve Business Owners in the planning and prioritisation of the work required.

Refer to the Cyber Security Policies and Standards webpage for more information about the Framework implementation.

If you have any questions, please contact our Program

From February to March 2024 the Microsoft (MS) 365 strengthening project implemented security controls to improve the University MS Teams, OneDrive, and SharePoint collaboration platforms. Strengthening critical controls of our core collaboration tools minimises the potential for accounts to be compromised, inadvertent sharing of sensitive and highly sensitive data, and the potential of reputational damage to the University.

Summary of the changes implemented:

1. Private cloud storage services will no longer connect with Â鶹Éçmadou Teams:ÌýThird-party cloud storage services (i.e. DropBox, Google Drive, Egnyte, or Box) do not have the same security level as Â鶹Éçmadou and might be exposed to inadvertent or intentional data breaches. Refer to storage guidelines for staff and storage guidelines for students.
2. The GIF setting is upgraded to strict in Â鶹Éçmadou Teams:ÌýThis setting prevents users from sharing inappropriate/adult GIF (short looped video clips) content in Â鶹Éçmadou Teams chat windows.
3. Â鶹Éçmadou Teams app no longer downloads for Skype:ÌýThe Â鶹Éçmadou Teams app will no longer automatically download in the background of Skype for Business.
4. External guests, invited to Â鶹Éçmadou Teams meetings, will wait in the Teams lobby:ÌýThe meeting organiser, or another internal Â鶹Éçmadou user (staff or students using their zID), can allow guests in as the default setting only allows Â鶹Éçmadou users to join a Teams meeting before the organiser.
5. Â鶹Éçmadou SharePoint blocks the use of legacy authentication applications:ÌýLegacy authentication, or basic authentication using username and password only, is not allowed in SharePoint. Only applications that use modern authentication are allowed.
6. External users cannot share links:ÌýSharing links from Â鶹Éçmadou Teams, SharePoint, and OneDrive with other external users is no longer allowed. Only Â鶹Éçmadou users (staff and students using their zID) can share file links with external users.
7. Only allow users from Â鶹Éçmadou-accepted domains can send email to a Teams channel:ÌýAdditional domains that require a channel email communication must request a Security Service Risk Assessment Service to .Ìý
8. Anonymous users cannot interact with a Â鶹Éçmadou Teams application during a meeting:ÌýThe ability for anonymous users to interact with a Teams application (e.g., Whiteboard, Forms, Poll Everywhere, Channel Calendar, Task Planner, To Do, etc.) in meetings has been blocked.
9. Only Â鶹Éçmadou users and invited guests can present during a Â鶹Éçmadou Teams meeting:ÌýThe default setting only allows Â鶹Éçmadou users (staff and students using their zID) and (invited) guests to present during a Teams meeting as the sharing option is disabled. Meeting organisers can change the default setting if required. Refer to the guide: .ÌýÌý
10. Only Â鶹Éçmadou users can bypass the lobby:ÌýThe default setting allows only Â鶹Éçmadou users (staff and students using their zID) to bypass the lobby and join the Teams meeting. Meeting organisers can change the default setting if required. Refer to the guide:
11. A 30-day session applies to non-Â鶹Éçmadou guests for access to Teams Files:ÌýA session expiry will be enforced for non-Â鶹Éçmadou (external) guests who access Â鶹Éçmadou Teams Files (or folders). Non-Â鶹Éçmadou guests will be prompted to enter an OTP (one-time passcode) to re-authenticate their identity every 30 days. Refer to the FAQ: ?ÌýÌý
12. External guests have a 365-day guest link expiration limit set for shared files/folders from MS Teams, SharePoint, and OneDrive:ÌýFrom 26 March 2024, any new links to MS Teams, SharePoint, and OneDrive shared with external guests will automatically expire after 365 days. The link owners will receive Guest Expiration email notifications approximately 2-3 weeks before the access expires. Link owners can further manage guest access by extending or removing the access. Refer to the FAQ: ?ÌýÌý

Refer to the full list of for more information about these changes or contact the IT Service Centre for technical assistance.

In early 2024 the Program completed a current state assessment of Â鶹Éçmadou's Data Loss Prevention (DLP) capability, including a review of findings from the previous DLP pilot conducted in 2021. The Program, who engaged with key stakeholders, produced a Cyber Data Loss Prevention Strategy and Roadmap for Â鶹Éçmadou.Ìý

If you would like to learn more, please contact our Program

Cyber security is everyone's responsibility and by understanding a few simple steps and guidelines, we can help protect ourselves and the University from cyber security threats and keep data and information safe.

In mid-November 2023, the University introduced a new Cyber Security Awareness eLearning module mandatory for all staff. The module will help staff improve their awareness of cyber security threats and develop good cyber-savvy behaviours to protect themselves and the University. Staff will receive a direct email asking them to access and complete the module on an annual basis.

Refer to Cyber Security training and awareness webpage to access all information regarding the training as well as other cyber awareness advice.Ìý

If you have questions, please contact the Cyber Security Awareness team.

In 2022, all Â鶹Éçmadou Cyber Security Policies and Standards were updated to uplift the maturity of cyber security at our University.

In 2023 the Program worked with Business Owners and Technical Owners to:

• outline their accountabilities,
  
• identify (and cyber risk assess) their Â鶹Éçmadou Information Resources (into an Asset Inventory), and
• perform a Cyber Security baseline Gap Assessment against the new Policy Framework to identify and manage risks through the Â鶹Éçmadou Risk Management Framework.Ìý

All Gap Assessments were completed by Business Owners using the MyCyberHub tool. Compliance reports have been issued to senior leaders (such as DVCs, VPs and Deans) for resources in their area with Business Owners receiving individual reports for each of their information resources.Ìý

Refer to the Cyber Security Policies and Standards webpage for more information about the Policy Framework.Ìý

Multi-Factor Authentication (MFA) is a requirement at Â鶹Éçmadou for all staff (including casuals and affiliates) and current students.Ìý

Currently, students and staff who access Physical Containment (PC 2/3) laboratories are not protected by MFA when working on campus. This is due to those labs not allowing mobile phones or YubiKeys in the containment area. As a result MFA only applies to them when working remotely (off-campus) and accessing Â鶹Éçmadou single sign-on (SSO) applications.

From November 2023, MFA coverage for these staff and students has been improved by extending MFA controls to apply when they are on campus. Once the Campus Wi-Fi Upgrade is complete, staff/students will be MFA-exempt only when working from within a PC 2/3 rated lab.

Important: Lab Managers are requested to advise the IT Service Centre of any changed conditions for their PC 2/3 labs so that the appropriate IT Lab Support Team can assist in enabling MFA controls.Ìý

Visit the Cyber Security MFA page for information and support materials.

If you have set up rules in Outlook to automatically forward Â鶹Éçmadou email to an external mailbox you are potentially exposing that email, and any data it includes, to security risks.Ìý

The University takes great steps to protect our email systems by implementing cyber security controls such as anti-phishing and anti-malware. By setting up rules to automatically forward emails to an external mailbox that doesn't have the same level of security as the University, you expose that data to potential compromise, and the University to liability for any associated privacy or security breach.

Staff are encouraged to directly check their staff email inbox regularly for important University updates.

Instead of using auto-forwarding, it is recommended that you:

• Set up your device (computer, tablet, phone) to remotely access University email through a supported email application (Outlook), or
  
• Access your Â鶹Éçmadou email via Outlook Web Access (OWA) using a browser on your device.

Support

• Access the guide to .
• Access other self-help guidesÌý
• Contact the IT Service CentreÌýfor technical assistance.ÌýÌý

In 2023 Endpoint Security Policies were deployed to Â鶹Éçmadou IT-managed endpoints (Windows and Mac OS devices). An endpoint is any physical device that can be connected to the Â鶹Éçmadou network, such as computers, laptops (smartphones, tablets), and servers.

These policies have improved the security of staff using Â鶹Éçmadou IT-managed computers to access the university network. The policies are aligned with the Cyber Security Policy Framework, which aims to reduce the cyber security risk exposure across the University.Ìý Ìý

Support:

• Refer to the to understand the changes implemented.
  
• For technical assistance, please contact the IT Service Centre.

Laptop with internet connection

Important: Connect your Â鶹Éçmadou IT-owned computer to the Â鶹Éçmadou network or internet, on a regular basis to ensure the latest security updates are installed and you are protected. Good practice would be to restart your computer weekly.Ìý

In September 2023, the University migrated the on-premises Cisco Email Security Appliance (ESA) to the new Cisco Cloud Email Security solution. The new solution provides an advanced and layered defence to stop a broad array of sophisticated email-based threats.Ìý

Application administrators are to configure their platform to use (TLS) protocol for outbound email traffic.Ìý

Refer to the or report technical issues via the IT Service Centre.

The Program is continuing to harden the University's network firewall rules. Firewall policies will be audited, reviewed, and hardened to address all agreed critical to medium vulnerabilities and to align with the Cyber Security Standard - Network Security.

Non-production firewall rule change

On 21 August 2023, changes were made that block all unidentified traffic in non-production (test) environments. This improves our cyber security posture and ensures that only safe and legitimate network traffic is allowed.Ìý

New requests, or technical issues, will need to follow existing processes via the IT Service Centre.

In November 2023 a SIEM onboarding request service was established.

Security Information and Event Management (SIEM) is a solution that helps the University detect, analyse, and respond to security threats before they harm operations. Once onboarded to the SIEM, the Security Operations Centre (SOC) will provide 24x7 real-time monitoring, threat detection, and security incident response services for your platforms, applications, or services.Ìý

Please refer to the Cyber Security Operations services webpage to make a request and learn more

EDR Service for Â鶹Éçmadou IT-managed endpoints.

In early 2023, a state-of-the-art endpoint detection and response (EDR Service) software, CrowdStrike, was implemented on all Â鶹Éçmadou IT-managed endpoints which include servers, desktops, and laptops.Ìý

With CrowdStrike, Â鶹Éçmadou can provide more advanced threat detection, monitoring, and endpoint remediation capabilities to enhance the protection of our systems.

EDR Crowdstrike Falcon Notification message.

If a potential threat is detected, staff may be presented with a pop-up Falcon Notification, indicating that CrowdStrike has protected your device and generally there is no further action required. If a potential or actual threat is detected, an alert is raised for Â鶹Éçmadou IT Cyber Security Operations to manage.

For Â鶹Éçmadou IT-managed endpoints, CrowdStrike installs occur automatically when connected to the Â鶹Éçmadou network or internet.ÌýÌý

EDR Service for Â鶹Éçmadou-owned endpoints

From September 2023, the EDR Service was made available for installation on Â鶹Éçmadou-owned endpoints that are not managed by Â鶹Éçmadou IT. Please refer to Cyber Security Operations to make a request for the EDR Service and understand the conditions that apply.

Microsoft Defender for Endpoint provides antivirus and firewall protection to Â鶹Éçmadou-managed computers (laptops and desktops). Microsoft Defender helps the University to prevent, detect, investigate, and respond to advanced threats, improving security and reducing cyber risk.

Microsoft Defender for Endpoint replaced Symantec Endpoint Protection (SEP) and is licensed for enterprise-wide use.Ìý

Learn more:

• Refer to the (PDF, 630KB)Ìý
  
• Refer to resolving connectivity issues with Global ProtectÌý

For further assistance please contact the IT Service Centre.

In 2023 the Program conducted a current state assessment of the University's legacy Cisco Email Security solution and developed an Email Security Strategy and Roadmap. The strategy proposes a refresh of Â鶹Éçmadou's current solution to incorporate advanced capabilities which include Business Email Compromise and Behavioural Protection, Account Takeover Prevention, and Supply Chain Compromise Protection. These capabilities will leverage Natural Language Understanding (NLU) techniques in conjunction with AI/ML technologies

If you would like to learn more, please contact our Program

Zero Trust is a maturity approach that prioritises data security controls, requiring all requests (regardless of origin) to be authorised, authenticated, and continuously validated against data controls.

In mid-2023 the Program facilitated workshops with key Â鶹Éçmadou IT senior leaders, subject matter experts, and Service Owners to understand the current Â鶹Éçmadou environment.

In September 2023, a Zero Trust Strategy was finalised and endorsed. It will be used to inform the development of potential future Cyber Security initiatives.

If you would like to learn more, please contact our Program.Ìý

Identity and Access Management (IAM) is critical to managing our cyber security risk exposure, but just as importantly it is a key enabler of the University's strategy in education and research. An updated IAM Strategy and Roadmap will prioritise and inform Â鶹Éçmadou of what it needs to focus on going forward.Ìý

In late 2022 workshops were held with key stakeholders across the University to understand stakeholder perspectives on business technology priorities for improvements to our identity and access management infrastructure. A draft Â鶹Éçmadou IAM Strategy (and Roadmap) summary was produced and socialised with key stakeholders.

In 2023 the strategy was finalised and includes a prioritised roadmap for Â鶹Éçmadou.

If you would like to learn more, please contact our Program.

In 2022, Â鶹Éçmadou continued to improve the resilience of our Microsoft 365 platform though the implementation of additional technical controls to SharePoint, Teams, and Outlook in line with the University Cyber Security and Acceptable Use policies.

Strengthening critical controls of our core collaboration tools will minimise the potential for accounts to be compromised and for potential reputational damage.Ìý

Anti-phishing

Phishing is an email attack that tries to steal sensitive information in messages that appear to be from legitimate or trusted senders. With the growing complexity of attacks, it's even difficult for trained users to identify sophisticated phishing messages. Â鶹Éçmadou has implemented advanced anti-phishing controls that will assist users in identifying sophisticated phishing attacks and protect the University, including:

• First Contact Safety Tip.
• User Impersonation Unusual Characters Tip.
• Show (?) for Unauthenticated Senders for Spoof.

Safe Attachments

Safe Attachments is a feature that provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection by removing attached files that are found to have malicious software. Safe Attachments controls help detect and block new and existing files that are identified as malicious in document libraries in SharePoint, Teams, and Outlook.

Safe Links

Safe Links is a feature that provides URL scanning of inbound email messages and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect the organisation from malicious links that are used in phishing and other attacks.

Important: The above improvements are necessary to protect the confidentiality of the University’s information, and the privacy of our students and staff information and to reduce the risk of financial loss associated with business email fraud.

Refer to the to understand these changes more clearly.Ìý

Contact the IT Service Centre for assistance with SharePoint, Teams, or Outlook.Ìý

In 2022, Â鶹Éçmadou implemented changes to Microsoft 365 (Office) services, to prevent the use of insecure login methods (legacy authentication), typically associated with the use of older email software and some applications. All students and staff were required to update their email client software to a version that supports modern authentication.Ìý

To access Â鶹Éçmadou email on any of your devices, please see for guidance on recommended University applications or use on the web. Contact the IT Service Centre for further assistance.

Important: Non-Azure Active Directory applications that utilise legacy authentication protocols, such as PIMS, SIMS, NSF, etc, are not impacted.

In December 2022, all Â鶹Éçmadou Cyber Security Policies and Standards were updated to uplift the maturity of cyber security at our University. The CyberSecurity Policy, Acceptable Use of UNSw Information Resources Policy, and two University-wide Cyber Security Standards were approved by the Â鶹Éçmadou Management Board.

The remaining Cyber Security Standards, which apply to staff with technology management or operational responsibilities, were approved by the Â鶹Éçmadou IT Chief Information Officer (CIO).

ÌýAccess all policies, standards, and guidelines.Ìý

In 2022 the UAR process was introduced for an annual review to be undertaken to evaluate and manage user accounts and access rights associated with IT services and assets. Business Owners of targeted applications are involved in the entire process. Managers/Supervisors, or anyone with staff reporting to them, are involved in the review phase only.ÌýÌý

Refer to the Cyber Security UAR webpage for all details and support materials relating to a current, future, or past UARs.

In 2022, MFA became an ongoing requirement at Â鶹Éçmadou for all staff (including casuals and affiliates) and current students. All new students and staff are prompted to set up MFA as part of their onboarding activity.ÌýÌý

Visit the Cyber Security MFA webpage for all information and support materials.

For technical assistance contact the IT Service Centre.