Information technology and security principles and responsibilities for the safe and effective use of technology and data across the university and related entities, partners and stakeholders.
| Effective date | 2 March 2020 |
| --- | --- |
| Review date | 12 December 2022 |
| Owner | Chief Operating Officer |
| Author | Chief Information Security Officer |
| Print version | Information Technology and Security Policy |
The purpose of this policy is to:
- protect information resources against accidental or unauthorised disclosure, modification, or destruction and assure the confidentiality, integrity, and availability of University data and assets
- apply appropriate physical, operational and technical safeguards without creating unjustified obstacles to the conduct of business and research of the university and the provision of services
- comply with applicable state, federal and global laws governing information resources.
Information technology and security principles underpin RMIT’s approach to information technology management.
This policy is the foundation for RMIT’s information technology and security program and supports the University’s Information Technology Strategy. It provides principles to support a mandated set of minimum security and operational standards that protect RMIT from technology-based threats to data, systems, personal information and health and safety.
This policy applies to all:
- RMIT students, researchers, staff, controlled entities of RMIT, contractors, visitors and any other parties who have access to RMIT's Information Technology Resources
- information resources owned, leased, operated, or under the custodial care of RMIT or third-parties operated on behalf of RMIT.
4.1. RMIT information systems, tools and hardware are a shared resource for the benefit of RMIT authorised users only, to be used fairly, securely, lawfully and for legitimate University purposes.
4.2. Access to RMIT Information will be available only to those with a legitimate need related to the business and operations of the University and its entities.
4.3. Information generated by RMIT users relating to University business or operations remains the property of RMIT and is accessible by authorised RMIT staff after termination of the account holder’s employment.
4.4. Information technology systems and solutions will be designed, sourced, implemented, and operated in ways that are secure, sustainable, cost effective and aligned to University strategy.
5.1. All users of RMIT information technology have a responsibility to:
b) report and respond to incidents impacting systems, processes and data, and/or cyber bullying or harassment as instructed. All actual or suspected information security breaches must be reported immediately.
c) keep their password secure, active and registered
d) ensure ITS endorsement is obtained for all software installed on the RMIT network
e) keep data secure and apply data classification labels where available on RMIT systems.
f) engage ITS for all technology-related asset procurement, including IT hardware, software, and cloud services, to ensure alignment with RMIT strategy, policies, standards and the University’s risk appetite
5.2. All RMIT information technology designers, implementers and operators have a responsibility to:
a) comply with information technology standards and related resources published and communicated by Information Technology Services (ITS)
b) implement logical, physical and environmental controls to secure information processing facilities and data
c) identify and comply with relevant global information security and privacy regulatory frameworks, relating to technology and data use, storage and transmission
d) design and implement controls that are proportionate to:
• information classification levels under the Information Governance Policy, and
• the risk of unauthorised access, disclosure, modification, or destruction of information, whether accidental or malicious
e) follow governance requirements as directed by ITS including, but not limited to, Security Risk Assessment, Privacy Impact Assessment, ITS change and governance processes and standards, for all new technology solutions and services.
5.3. Information Technology Services has a responsibility to ensure:
a) authorised users are informed and educated about their accountabilities, responsibilities and appropriate information technology practices.
b) user activity is identifiable to an individual and may be monitored by duly authorised RMIT staff for security, compliance or other legitimate purposes.
c) system logs, including audit, access, activity and performance logs are captured and retained according to regulatory and business needs.
d) ICT services are measurable to the University’s needs.
5.4. The Chief Information Security Officer has a responsibility to:
a) implement appropriate information security controls processes and technologies to protect RMIT and controlled entities from cyber security threats.
b) maintain this policy and govern the publication of related information technology and security standards resources.
c) implement capability for secure user access management for all RMIT authorised users.
d) undertake risk-assessments of the technology control environment and advise on information security risks and controls.
e) deliver educational activities to raise awareness and understanding of the obligations identified in this policy and educate users on how to reduce the risks of cyber security incidents.
6.1. Internal Audit, Compliance, Risk and Regulation is authorised to assess compliance with this policy and related obligations at any time.
6.2. Breaches of this policy will be managed in accordance with the RMIT Compliance Breach Management Procedure.
6.3. RMIT and third parties must comply with all relevant global information security and related regulations and legislation.
6.4. Third parties, including cloud services providing information technology or software services or resources, must have an information technology policy in place that provides no lesser security controls than RMIT’s policy.
6.5. Contractual arrangements with third parties must include security terms approved by the CISO office.
Information technology resources
Includes RMIT systems that hold RMIT information and ICT assets owned or licensed by RMIT, or on behalf of RMIT by a third party.
IT Business Partner
Role in ITS that works with university stakeholders to engage and deliver ICT services in the most effective way.
Any hardware or data used for or related to information technology or communication.
- Acceptable Use Standard - Information Technology
- Information Security, Identity and Access Management Standard
- User Device Security Standard
Resources enforceable under this policy may be amended or added to at any time with the endorsement of the RMIT Chief Information Officer.
Current endorsed resources for staff will be published and available at www.rmit.edu.au/staff/our-rmit/policies
| Version | Approval date | Effective date | Summary of changes | Approval authority |
| --- | --- | --- | --- | --- |
| 1.0 | 12 December 2019 | 2 March 2020 | New policy | Vice-Chancellor's Executive |