Security policies and standards

Staff can access information to help them understand and comply with cyber policies and standards.


Cyber security policies, standards and guidelines

Supported by the UNSW Executive and reflecting University cyber security risk management objectives:

  • Policies are high-level statements of University intent and allocation of management responsibilities.
  • Standards describe the mandatory requirements for University-wide IT services.
  • Guidelines may exist where more detailed instructions are required.

Together they frame the management of cyber security at our University.

  • As per the UNSW Cyber Security Policies and Standards, the Cyber Security Policy Framework was established in 2023.

    As part of the Framework, Business Owners of UNSW Information Resources are required to:

    1. Understand their accountabilities and responsibilities concerning relevant Cyber Security Policies and Standards.
    2. Identify UNSW Information Resources and submit these for Cyber Security Risk Rating assessment.
    3. Perform a cyber security baseline Gap Assessment on all Medium and High-Risk Rated information resources.

    Items 2 and 3 above are supported by the UNSW IT Cyber Security Strategy and Governance teams.

    Once Gap Assessments are completed in the tool, the Cyber Security Strategy and Governance team will assess the information provided and issue Compliance Reports to:

    Business Owners

    Reports are by information resource and provide insights into gaps against controls outlined in the Cyber Security Standard - Risk Management. The report also provides remediation recommendations.

    Senior leaders (DVCs, VPs, and Deans)

    Senior leaders receive a Summary Report for their Faculty/Division which provides an overview of compliance gaps for their area of responsibility.

    When the Compliance Reports are issued, discussions begin with each area to plan remediation activities to address gaps.

    Under the Cyber Security Policy, Deputy Vice-Chancellors, Vice-Presidents, Deans, and the Rector UNSW Canberra are accountable for the annual attestation of compliance to the Cyber Security Risk Management Framework within their area of accountability. Attestation occurs after remediation activities have commenced.


  • The CyberPolicyHub is a central directory of the Cyber Policy Framework and is designed to support UNSW staff in understanding their Cyber Security obligations.

    The CyberPolicyHub function lies within the platform. It can be used to search for relevant Cyber Security clauses using your role type and keywords. Refer to the reference guide for assistance using the CyberPolicyHub.

    Please visit the Cyber Security Strategy & Governance for a listing of all support services provided.

  • Acceptable Use of UNSW Resources Policy

    The policy sets out the principles for ensuring UNSW information resources are used responsibly. This includes defining the conditions of personal use, informing users of their responsibilities, and setting out the penalties for misuse. The policy establishes requirements for compliance and for reporting cyber security events, reflecting UNSW values.

    Acceptable Use of UNSW Resources Policy (PDF, 268 KB)

    Cyber Security Policy

    The Cyber Security Policy sets out the principles for ensuring University-wide information resources are appropriately protected. This policy:

    • outlines appropriate governance of cyber security
    • outlines the management of cyber security risk
    • ensures cyber security events are detected and responded to promptly
    • ensures UNSW Information Resources recover from cyber security incidents in a secure and timely manner.

    Cyber Security Policy (PDF, 283 KB)

    Data Security Standard

    This standard establishes the minimum requirements for the handling and protection of UNSW Digital Information, consistent with data classification, Cyber Security Risk Rating, and applicable laws, regulations, standards, and contractual obligations.

    The following Cyber Security Standards apply to University-wide users.

    Risk Management Standard

    This standard establishes cyber security risk ratings for UNSW Information Resources and ensures that cyber security risks are appropriately identified, assessed, reported, and treated consistently with the UNSW Risk Management Framework and applicable laws, regulations, standards, and contractual obligations. It defines the minimum set of controls that are required for UNSW Information Resources, consistent with the type of resource and its cyber security risk rating. This standard links the Cyber Security Policy and the supporting Cyber Security Standards.


  • The following Cyber Security Standards apply to all University-wide users, including those Division/Faculty users with technology management or operational responsibilities.

    Framework Exemption Standard

    This Standard outlines the process by which deviations from the Cyber Security Policies and Standards are to be managed and recorded.

    Incident Management Standard

    This Standard establishes the detailed responsibilities and requirements related to cyber security incident management, including the relationships between Faculty and Division security incident response processes, Security Operations Centres (SOC), the UNSW IT Service Centre, the UNSW IT Cyber Security Incident Response Team, and other internal and external stakeholders.

    Identity and Access Management Standard

    This Standard establishes the minimum standards related to user account management including privileged access management and periodic reviews, defining manager and supervisor responsibilities, centralised authentication, and multi-factor authentication.
    Information Asset Management Standard

    This Standard establishes the minimum cyber security requirements related to management oversight and lifecycle management of UNSW Information Resources, including formally mandating a centralised inventory of UNSW Information Services and Information Assets, as well as prohibiting end-of-life or end-of-support UNSW Information Resources.

    IT Hosting Standard

    The purpose of this standard is to establish minimum requirements for the hosting of Cyber Security Risk-Rated UNSW Information Resources, including detailed physical access and environmental controls to support the required confidentiality, integrity, and availability.

    Logging and Monitoring Standard

    This Standard establishes minimum standards for security event logs, and minimum requirements for log protection, log retention, and log monitoring, including the requirement to utilise a Security Operations Centre (SOC) for UNSW Information Resources.

    Network Security Standard

    This Standard establishes the minimum requirements for the configuration of network-related Information Assets, including network segmentation controls, and traffic flow control requirements for specific network devices.

    Secure-by-Design Standard

    This Standard establishes the minimum requirements related to UNSW Information Resource configuration and hardening, and secure development, including formally mandating the Enterprise Security Architecture.

    Secure Continuity Standard

    This Standard establishes the minimum cyber security requirements for High-Resilience UNSW Information Resources throughout the Disaster Recovery (DR) lifecycle, including DR vendor risk and security assessments, the continuity of physical access and environmental controls, as well as backup and restore arrangements to support the required availability.

    Threat and Vulnerability Management Standard

    This Standard establishes the minimum requirements for malicious code and malware protection and vulnerability management for UNSW Information Resources, including vulnerability scanning, penetration testing, and patch management.

    Vendor Risk Management Standard

    This Standard establishes the minimum cyber security requirements throughout the vendor management lifecycle, including initial and periodic risk and security assessments, contract inclusions, compliance obligations, data security, and mandatory breach reporting.


Reporting cyber incidents

It is important to report any cyber security incidents as quickly as possible so that UNSW IT's Cyber Security team can address any issues and mitigate risk exposure.

What should I report?

  • Suspecting your computer or account has been compromised.
  • Having evidence on how technology or University data may be vulnerable.
  • Noticing a colleague inappropriately sharing Highly Sensitive or Sensitive data.
  • Losing a University asset containing sensitive information.

Report a cyber security incident by calling the UNSW IT Service Centre on 02 9385 1333 or using the link below.

Cyber security is everyone's responsibility. By learning a few rules, taking simple steps, and following guidelines, we can protect ourselves and our University from cyber security threats and keep data safe. Go to Cyber Security Training and Awareness for more information.

"Enhancing cyber security, including protecting information and privacy, is of paramount importance to our core functions of education and research. We all play a part in being cyber smart."

Professor Attila Brungs, Vice-Chancellor and President, UNSW Sydney