Metadata
Title
Information Security Policy
Category
undergraduate
UUID
574948526638462793b3059b7e11a5a6
Source URL
https://policy.unimelb.edu.au/MPF1270/
Parent URL
https://policy.unimelb.edu.au/MPF1104/
Crawl Time
2026-03-10T04:01:15+00:00
Rendered Raw Markdown
# Information Security Policy

**Source**: https://policy.unimelb.edu.au/MPF1270/
**Parent**: https://policy.unimelb.edu.au/MPF1104/


## Information Security Policy (MPF1270)

- **Category:** 
- **Version:** 8
- **Document Type:** Policy
- **Document Status:** Published
- **Approved On:** 16 February, 2026
- **Audience:** Staff, Students, Research, Academic, Affiliate, Honoraries, Visitors
- **Effective Date:** 17 February, 2026
- **Review Date:** 06 October, 2024
- **Policy Approver:** Vice-President Administration & Finance And Chief Operating Officer
- **Policy Steward:** Chief Information Security Officer
- **Supporting Process:**

  [Information Technology Processes](https://au.promapp.com/unimelb/Process/Group/6c449c7d-1838-4c60-ab0b-0a9acf41739e)



## 1. Objectives

1.1. The objective of this policy is to:

a) provide a framework for managing the security of University information systems and assets;

b) assist the University to ensure the confidentiality, integrity and availability of these systems and assets; and

c) identify the roles, responsibilities and accountability of users and providers of information systems and assets.

## 2. Scope

2.1. This policy applies to:

a) the management of all information security matters in the University;

b) all University information systems and information assets regardless of location;

c) all users of University information systems and information assets;

d) all providers, for the facilities they provide; and

e) all asset owners, for the assets they own.

## 3. Authority

3.1. This policy is made under the [*University of Melbourne Act 2009*](https://www.legislation.vic.gov.au/in-force/acts/university-melbourne-act-2009) (Vic) and the [Vice-Chancellor Regulation](https://about.unimelb.edu.au/strategy/governance/regulatory-framework/legislative-framework) and supports compliance with the:

a) *Copyright Act 1968* (Cth);

b) *Health Records Act 2001* (Vic);

c) *Privacy and Data Protection Act 2014* (Vic);

d) *Public Records Act 1973* (Vic);

e) *Privacy Act 1988* (Cth), where applicable;

f) General Data Protection Regulation (EU) 2016/679, where applicable;

g) AS ISO/IEC 27001:2015 – Information technology – Security techniques – Information security management systems – Requirements;

h) AS ISO/IEC 27002:2015 – Information technology – Security techniques – Code of practice for information security management; and

i) ISO 27001:2017 control objectives.

## 4. Policy

4.1. All users of information assets are responsible for information security in accordance with this policy, and its supporting processes and standards.

4.2. University divisions that operate information systems, and providers of information systems to the University, should include among the duties of one or more of their employees, the role of overseeing information security and providing expert local advice as required. Information security and risk management advice is available to University divisions from the Executive Director, Business Services and Chief Technology Officer.

4.3. External providers engaged by the University must comply with this policy and supporting processes and standards, as applicable to their role.

4.4. Information security is governed within the University, including by:

a) development of an information security strategy;

b) planning, monitoring, reviewing and ensuring the effectiveness of the overall Information Security Management Framework (ISMF);

c) development of comprehensible and workable information security processes;

d) measuring the effectiveness of the information security program through the collection and analysis of metrics, self-assessments and independent review; and

e) providing guidance and support to role-bearers under this policy to fulfil their duties.

4.5. The University generally conducts internal audits at planned intervals to assess and inform whether the ISMF and the information security program:

a) conform to the University’s requirements; and

b) are effectively implemented and maintained.

4.6. The University endeavours to continually improve the suitability, adequacy and effectiveness of the ISMF and the information security program.

4.7. The University aims to manage information security risks using a risk-based approach aligned to the University’s [Risk Management Policy](https://policy.unimelb.edu.au/MPF1194.5) and framework.

## 5. Procedural principles

### Responsibilities of asset and service owners

5.1. Information assets have the following nominated asset owners:

a) financial data – Vice-President (Administration & Finance) and Chief Operating Officer, and/or head of division;

b) human resources data – Executive Director, Human Resources and OH&S, and/or head of division;

c) student data – Executive Director, Student & Scholarly Services and Academic Registrar, and/or head of division;

d) research data – Executive Director, Research, Innovation and Commercialisation, and/or head of division; and

e) division-specific data – faculty executive director and/or head of division.

5.2. Where new access or changes to existing access or privileges are requested, the Service Owners will endeavour to:

a) gain the approval of all relevant Asset owners before the request is fulfilled; and

b) formally record the access changes and retain these records for a period of at least two years.

5.3. Service owners are responsible for:

a) information assets within their responsibility being managed and used in accordance with this policy and any applicable legislation, regulations, or other University policy (including privacy and records management requirements);

b) determining the importance, value and sensitivity of the information asset in accordance with relevant legislation, supporting processes and standards;

c) deciding how and by whom the information asset may be used;

d) specifying the business controls applying to the information asset;

e) maintaining controls to protect information assets for which they are responsible;

f) specifying the protection requirements for the information asset;

g) monitoring compliance with this policy and initiating corrective action for breaches of this policy;

h) the protection of the confidentiality, integrity and availability of information assets and information systems by appropriate controls determined through a risk-based approach;

i) the classification of information assets and information systems in accordance with this policy and the relevant supporting processes;

j) communicating the classification of the information assets to relevant stakeholders; and

k) using a defence in depth approach to the implementation of security controls.

5.4. Service owners provide users with access to information systems based on the user’s role and the system’s associated functions.
5.5. Service owners ensure that information systems are configured to identify and authenticate all access to information assets that have not been classified as ‘public’, and to deny access by default.

5.6. Service owners approve the assignment of access privileges or authorisations based on:

a) the principle of least privilege, which dictates that only the required privileges are assigned (and no others); and

b) a need-to-know basis, as appropriate to the user’s role.

5.7. Service owners implement segregation of duties principles and consider any conflicts prior to access being granted.

5.8. Asset owners are responsible for privacy collection notices being provided to individuals when their personal or health information is collected or otherwise processed.

5.9. Line Managers are responsible for ensuring that a user’s access is changed when that user’s role changes, so that it reflects the requirements of their new role. Access rights not required for the new role should be revoked.

5.10. Line Managers are responsible for requesting users’ access privileges are revoked or disabled immediately after a user’s relationship with the University is terminated or when access is no longer required.

5.11. Asset owners document the security classification of the information assets for which they are responsible.

5.12. University information systems and assets are classified as:

| Classification | Definition |
| --- | --- |
| Restricted | Information that is extremely sensitive, of great value to the University, and intended for use only by specific roles or named individuals. |
| Confidential | Information intended strictly for distribution to, or use by, a selected group of University employees and approved non-employees. |
| Internal | University information intended for all employees and approved non-employees such as contractors, vendors or students, but not the general public. |
| Public | Information available to the general public and intended for distribution outside the University. |

5.13. Service owners are responsible for:

a) the confidentiality, integrity and availability of information assets and information systems being protected by appropriate controls that are determined through a risk-based approach;

b) the classification of information assets and information systems in accordance with this policy and the relevant supporting processes; and

c) security controls being implemented using a defence in depth approach, unless considered unnecessary through a risk assessment.

5.14. Asset owners may delegate the routine management of information asset security to asset custodians, for example to a service owner. Administrative responsibilities may be delegated to asset custodians, but overall ownership of, and responsibility for, information assets remains with the asset owner.

5.15. Service owners are responsible for ensuring that all visitors and contractors are given temporary authorisation for appropriate system access, which will expire on the visitor or contractor’s expected departure date or contract end date.

5.16. Service owners are responsible for ensuring that information systems enforce University password requirements.

5.17. Service owners are responsible for ensuring that an information security risk assessment and privacy impact assessment are completed, in consultation with Legal and Risk and the Cybersecurity team in Business Services, at planned intervals, and when:

a) new information systems are being developed or acquired;

b) a significant change is planned that may exceed the University's risk appetite; and

c) new risks to production information systems are identified.

5.18. Service owners are responsible for ensuring that:

a) application or infrastructure projects fulfil the requirements specified; and

b) information systems that are developed are built, configured and maintained according to the relevant University security standards.

### Responsibilities of asset custodians

5.19. Asset custodians have administrative and operational responsibility for information assets and follow all relevant information security policies, processes and standards to ensure the protection of information assets.

5.20. Asset custodians are responsible for:

a) protecting the information asset in accordance with the directions of the asset owner;

b) exercising sound business judgement in protecting the information asset;

c) reporting to the asset owner on the discharge of asset custodianship activities; and

d) maintaining individual registers of risks in relation to information assets that are critical to the University in line with the University’s Risk Management Framework.

### Responsibilities of heads of divisions

5.21. Heads of divisions are responsible for:

a) actively supporting information security through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities;

b) ensuring that all information security roles and responsibilities are clearly allocated;

c) ensuring that the Information Security Policy and all supporting processes are effectively implemented in their areas of responsibility;

d) conducting risk assessments to identify and define the positions that require applicants to pass personal background checks as part of the recruitment process; and

e) communicating to employees, honorary appointees and university visitors leaving the University their ongoing responsibilities to the University (which include ongoing confidentiality requirements in relation to University information assets).

### Responsibilities of all users

5.22. Any action performed under a user ID is attributed to the person represented by the user ID. If an action performed under a user ID breaches, or leads to a breach of, University policy or process, then the user accepts responsibility for the breach, unless there is reasonable doubt that they are responsible for the breach.

5.23. Users must:

a) keep passwords confidential and not disclose them to others;

b) change their password as soon as possible if they suspect, or come to know, that their password has been compromised;

c) distribute, transmit, move or delete information assets only if there is a valid business or academic need to do so;

d) not remove a University information asset or equipment from University facilities without prior authorisation. Authorisation is deemed to have been granted to use University issued portable devices (such as laptops, mobiles, and tablets) to conduct daily business activities from remote locations; and

e) distribute, transmit, move or delete information assets in accordance with University information handling standards and relevant contractual regulations and legal regulations as set out in section 3.

5.24. Users must not store information assets classified as ‘confidential’ or ‘restricted’ on the facilities of external providers, unless use of the facility has been approved by the applicable asset owner and the Executive Director, Business Services and Chief Technology Officer.

### Responsibilities of all providers

5.25. Providers should ensure that operations that may impact the security of information assets are documented, with instructions maintained and communicated to all relevant parties.

5.26. Providers should allocate a unique user ID to each individual for information system access.

5.27. Providers should keep records of individuals’ access to, and use of, University computer systems, infrastructure and information assets.

5.28. Providers should ensure event log records of user activities, exceptions, faults and information security events are produced, kept securely and regularly reviewed.

5.29. Providers should ensure that information systems are configured in accordance with the relevant University information security standards and policies, including the [Privacy Policy](https://policy.unimelb.edu.au/MPF1104).

5.30. Providers are responsible for ensuring information assets are protected and they:

a) place information assets in logical network zones with similar security and connectivity requirements; and

b) use network segmentation and information flow controls appropriate to the information classification.

5.31. Providers are responsible for ensuring that they:

a) segregate duties between employees assigned to development and testing environments, and employees assigned to production environments;

b) where segregation of duties is not feasible, put a tracking mechanism and monitoring activities in place to trace production changes to an individual for accountability;

c) segregate development, testing and production environments where resources permit; and

d) where segregation of environments is not feasible, establish compensating controls to prevent the integrity, availability and confidentiality of the information asset from being compromised.

5.32. Providers should ensure that:

a) test plans and cases are documented, testing is performed, and test results recorded and retained;

b) test data and accounts are deleted from the developed system or application, and from third parties’ systems, before deploying software into the production environment;

c) security testing is performed prior to deployment which provides assurance that residual security vulnerabilities have been formally risk accepted; and

d) security testing is periodically performed in accordance with University information security standards.

5.33. Providers are responsible for performing regular system checks and capacity monitoring (such as memory, network performance, disk-space utilisation and processing power) to ensure optimum performance.

5.34. Providers should obtain timely information about technical vulnerabilities of all systems being used, assess the University’s exposure to identified vulnerabilities and perform a risk assessment. Based on the results of the assessment, providers should ensure that appropriate measures are taken (including applying patches or other compensating controls) to address the associated risk.

5.35. Providers are responsible for ensuring that all incidents that could impact on the University are promptly identified, managed and resolved, through formal information security incident management processes that minimise these impacts and allow affected processes to be quickly resumed.

5.36. Providers should ensure that information critical to the University is backed up and/or copied to an alternative site on a regular and frequent basis.

5.37. Providers should ensure information security processes and controls are monitored, evaluated and outcomes documented to ensure their continued effectiveness and timeliness.

5.38. Providers should ensure that University information systems are physically protected in accordance with relevant University physical security standards.

5.39. Providers should ensure that:

a) University information systems in controlled areas, such as data centres, are physically protected by establishing a security perimeter, access controls, intrusion detection, environmental protection, surveillance, and ensuring the availability of utilities;

b) any individual who accesses a data centre must provide their access card for identification purposes when requested;

c) processes are implemented and maintained to grant, update and revoke access to data centres;

d) all individuals accessing data centres either:

i. complete an on-site induction prior to their access; or

ii. for visitors, are accompanied at all times by an authorised person (who has completed induction);

e) University information systems are protected from damage by fire, flood, earthquake, explosion, civil unrest, and other forms of natural or artificial disaster; and

f) a data centre recovery plan is created, maintained and tested annually to allow the continuous operation of the data centre.

5.40. Providers ensure that physical and logical network documentation is created, reviewed and maintained for all networks under their control.

5.41. Providers document the configuration of all systems under their control and ensure that they review and update documentation to reflect changes in configurations at least annually or after every major change.

5.42. Providers ensure that access to administration/maintenance zones requires two-factor authentication.

### External providers

5.43. External providers must not commence handling or processing any information assets for the University until it has entered into an appropriate contract with the University that includes relevant information security controls with which the provider must comply.

5.44. Without limiting external providers’ other obligations set out in this policy, external providers must implement, operate and maintain the appropriate information security controls as specified in their contracts with the University.

5.45. Heads of division monitor and review external provider services and manage any changes to external provider contracts taking into account information assets and information systems.

5.46. External providers must ensure that they only connect devices to the University network using approved secure access methods.

### Business continuity and disaster recovery

5.47. Develop, implement, maintain and test business continuity and disaster recovery plans with the goal of ensuring that the recovery of business processes and critical information assets is within acceptable business timeframes, and to promote the ongoing availability of business processes and critical information assets.

5.48. The Executive Director, Business Services and Chief Technology Officer is responsible for the development and currency of a master information technology disaster recovery plan that:

a) identifies the technical services making up a business service and the interdependencies between these technical services; and

b) presents an overall plan for recovering and restoring the University’s technological services and capabilities after a disaster.

### Information security awareness

5.49. The Executive Director, Business Services and Chief Technology Officer is responsible for:

a) employees, honorary appointees and university visitors receiving information security induction and awareness training upon commencement of a role;

b) training reoccurring at least every two years and at a frequency meeting the University’s obligations in relation to the employee’s, honorary appointee’s or university visitor’s role;

c) such training including the information security policy, related guidance, and the correct use of information assets and information systems; and

d) users formally acknowledging, and agreeing to abide by, the information security policy at a frequency relevant to the employee’s, honorary appointee’s or university visitor’s role.

5.50. The University’s information security awareness program aims to promote awareness, through a number of methods, of:

a) this policy and supporting processes;

b) the types of information asset that may be encountered;

c) how information assets should be handled and transmitted;

d) information security concerns such as viruses, malware and social engineering;

e) workplace and facility security, including building access, security controls and incident reporting;

f) the consequences of failure to comply with this policy and related processes; and

g) information security considerations as appropriate to the individual’s role.

### Compliance

5.51. The Executive Director, Business Services and Chief Technology Officer monitors compliance with this policy and supporting processes.

5.52. An authorised deviation from this policy may be granted if, following risk assessment, the impact of non-compliance is outweighed by the benefit of non-compliance. All deviations must be approved by the Executive Director, Business Services and Chief Technology Officer.

5.53. The Executive Director, Business Services and Chief Technology Officer is responsible for ensuring that:

a) a register of policy exceptions is maintained;

b) remediation is tracked, and effectiveness reviewed;

c) an assessment is performed to identify other systems requiring a similar exception; and

d) changes are recommended to the ISMF based on identified nonconformities.

5.54. With respect to any exceptions from this policy, asset owners are responsible for:

a) performing a risk assessment to understand the impact of the exception;

b) documenting a time-bound remediation plan;

c) providing advice to the Director of Cybersecurity to maintain the exceptions register; and

d) ensuring that the exception, and the actions to be taken to control and correct it, are formally approved by relevant asset owners, service owners and the Executive Director, Business Services and Chief Technology Officer.

5.55. Any record created as a result of this policy must be managed in accordance with the University’s [Privacy Policy](https://policy.unimelb.edu.au/MPF1104) and [Records Management Policy](https://policy.unimelb.edu.au/MPF1106).

### Breaches and non-compliance

5.56. Any breach of this policy or related processes may result in:

a) suspension of access to the information system or asset, or other systems;

b) disciplinary action under the relevant disciplinary instrument; and/or

c) termination of contract or future legal action.

5.57. External
providers who breach this policy will be subject to suspension of access,
termination of contract and/or further legal action.

5.58. Users
must promptly report potential breaches of this policy and suspected
information security weaknesses to the Executive Director, Business Services
and Chief Technology Officer.

5.59. Users must notify the IT Service Centre and the University Privacy and Data Protection Officer immediately of any potential breach if ‘internal’, ‘confidential’ or ‘restricted’ information (including personal or health information):

a) is accidentally or unlawfully lost, misused, or altered, or if it is accessed by or disclosed to unauthorised parties; or

b) is suspected of being accidentally or unlawfully lost, misused, altered, or accessed by or disclosed to unauthorised parties.

5.60. Anyone who identifies any damage to, or loss of, University server or network hardware or software must promptly report this to the IT Service Centre and University security employees.

5.61. Asset owners and service owners are responsible for ensuring that faults with business-critical applications are reported to the Executive Director, Business Services and Chief Technology Officer as quickly as possible.

6. Roles and Responsibilities

| **Role/Decision/Action** | **Responsibility** | **Conditions and limitations** |
| --- | --- | --- |
| Responsible for the roles set out in sections 5.1-5.8, 5.11-5.18, and 5.61 of this policy | *Asset owner and Service Owner* | In accordance with this policy and [supporting processes](https://au.promapp.com/unimelb/Process/Group/6c449c7d-1838-4c60-ab0b-0a9acf41739e) |
| Responsible for the roles set out in sections 5.9-5.10 of this policy | *Line managers* | In accordance with this policy and [supporting processes](https://au.promapp.com/unimelb/Process/Group/6c449c7d-1838-4c60-ab0b-0a9acf41739e) |
| Responsible for the roles set out in sections 5.19–5.20 of this policy | *Asset custodian* | In accordance with this policy and [supporting processes](https://au.promapp.com/unimelb/Process/Group/6c449c7d-1838-4c60-ab0b-0a9acf41739e) . Where an asset custodian is also a provider, the asset custodian also has the same responsibilities as a provider (see below). |
| Responsible for the roles set out in section 5.21 and 5.45 of this policy | *Heads of Division* | In accordance with this policy and [supporting processes](https://au.promapp.com/unimelb/Process/Group/6c449c7d-1838-4c60-ab0b-0a9acf41739e) |
| Responsible for the roles set out in sections 5.22–5.24, 5.58, and 5.59 of this policy | *Users* | In accordance with this policy and [supporting processes](https://au.promapp.com/unimelb/Process/Group/6c449c7d-1838-4c60-ab0b-0a9acf41739e) |
| Responsible for the roles set out in sections 5.25–5.42 of this policy | *Providers* | In accordance with this policy and [supporting processes](https://au.promapp.com/unimelb/Process/Group/6c449c7d-1838-4c60-ab0b-0a9acf41739e) |
| Responsible for the roles set out in sections 5.43, 5.44, and 5.46 of this policy | *External providers* | In accordance with this policy and [supporting processes](https://au.promapp.com/unimelb/Process/Group/6c449c7d-1838-4c60-ab0b-0a9acf41739e) |
| Responsible for the roles set out in sections 5.49 and 5.53 of this policy | *Executive Director, Business Services and Chief Technology Officer* | In accordance with this policy and [supporting processes](https://au.promapp.com/unimelb/Process/Group/6c449c7d-1838-4c60-ab0b-0a9acf41739e) |
| May approve storage of information assets classified as ‘confidential’ or ‘restricted’ on facilities provided by external providers | *Executive Director, Business Services and Chief Technology Officer* | In accordance with section 5.24 of this policy |
| Ensure a master IT disaster recovery plan exists | *Executive Director, Business Services and Chief Technology Officer* | In accordance with section 5.48 of this policy |
| Monitor compliance with this policy and supporting processes | *Executive Director, Business Services and Chief Technology Officer* | In accordance with section 5.51 of this policy |
| May authorise a deviation from this policy | *Executive Director, Business Services and Chief Technology Officer* | In accordance with section 5.52 of this policy |


7. Definitions

**Asset custodian** means an individual, group or
external provider to whom responsibility for the information security of an
information asset is delegated by the Asset owner. Asset custodian will
commonly be a Service Owner but may also be the owner of a non-technical business
service or process.

**Asset owner** means an individual who holds
accountability for an information asset. An asset owner is the owner of
specific data elements, wherever the data resides. An asset owner may delegate
operational responsibility to many asset custodians.

**Availability** refers to ensuring that authorised
parties are able to access the information when needed. Information only has
value if the right people can access it at the right times.

**Central facilities** means the data networks owned
or operated by the University for which the Executive Director, Business
Services and Chief Technology Officer is responsible and includes all
associated computing and network facilities but does not include any local
facilities.

**Computing and network facilities** includes
computers, computer systems, data network infrastructure, dial‐in network access
facilities, email and other communications and information facilities together
with associated equipment, software, files, and data storage and retrieval
facilities, all of which are owned or operated by the University and form part
of the central facilities or the local facilities.

**Confidentiality** is the property that information
is not made available or disclosed to unauthorised individuals, entities, or
processes.

**Defence in depth** means the practice of layering
information asset defences to provide added protection.

**External provider** means an external entity which
provides an information system to the University or a service that involves the
handling or processing of information assets.

**Generic user account** means an account that does
not have a named owner or does not belong to any one individual.

**Honorary appointee** holds the same meaning as per
the Honorary Appointments Policy ([MPF1156](https://policy.unimelb.edu.au/MPF1156/)).

**Information asset** means recorded information in
any format.

**Information security** means the preservation of
confidentiality, integrity and availability of information assets, and may also
include other properties such as authenticity, accountability, non-repudiation
and reliability of information assets.

**Information Security Management Framework (ISMF)** governs
the processes and responsibilities comprising the overall information security
framework. It is supported by a suite of policies, processes and metrics which
apply to all information assets accessed by employees, students, contractors,
agents and third parties.

**Information security program** means the operations,
initiatives and activities that are undertaken to ensure the confidentiality,
integrity, availability and accountability of the University’s information
assets.

**Information system** means hardware, software,
devices, networks, media and other resources that store, process or transmit
information assets, whether individually or in combination.

**Integrity** means that information assets,
facilities and services are what they are reasonably represented as. They are
protected from tampering which would make their content or functionality other
than what would be reasonably expected.

**Least privilege** means that entities (whether these
are people, processes, or devices) must be assigned the fewest privileges
consistent with their assigned duties and functions. Under this approach, zero
access is the default access level, and access is added or opened as required,
but no more than the minimum access levels necessary to perform required
functions or tasks.

**Line manager** means the direct manager in a
division who is responsible for the management of employees.

**Local facility** means a network of interconnected
computers and equipment operated by a particular faculty, department or other
organisational unit of the University and for which the Executive Director,
Business Services and Chief Technology Officer is not responsible, whether or
not that network is also connected to the central facilities. This includes all
associated computing and network facilities.

**Non-compliance** means any action or inaction that
is contrary to this policy and its related processes or standards.

**Privileged user** means a user with a high level of
access to data (with the power to read, update, delete) and is able to perform
functions over and above those that can be completed by the majority of users.

**Provider** means the University division or
third-party provider which provides and manages any part of the facilities.

**Segregation of duties** means the controls that support the separation of incompatible duties and/or responsibilities. Segregation of duties helps to ensure that individuals are not able to:

a) conceal errors and/or irregularities;

b) cause the inaccurate or incomplete reporting of financial information; and

c) commit fraud, theft or other illegal acts.

**Service owner** means an individual who has been
allocated responsibility for an information system (such as an application,
device, network, cloud service, or a specific component thereof). There is only
one service owner for each information system. A service owner will commonly be
delegated asset custodian responsibilities by several asset owners.

**Significant assets** means information assets that
support the efficient and effective operation of key business processes.
Significant assets can be identified by undertaking an assessment in accordance
with the University’s [Risk Management Policy](https://policy.unimelb.edu.au/MPF1194) to determine if the
information has value to the University.

**Student** has the meaning given to it in Part 8,
Division 1 – Student Misconduct – of the Academic Board Regulation.

**University Visitors** (sometimes referred to as
University Guests) are individuals that hold recognised academic qualifications
or industry equivalent experience and are performing an academic or
professional activity of at least one week and are visiting from external
institutions that are paying their salary whilst at The University of
Melbourne. These engagements may involve reimbursement of reasonable
expenses. These engagements are formalised agreements between
institutions. Note that this policy applies should the visitor use the
University’s wireless services regardless of whether the University visitor is
authorised to have a user ID attributed to their person.

**Use** means any act or omission by a user which
affects in any way the operation of an information system.

**User(s)** means any person who uses, or may impact
the security of, University information assets and over whose activity the University
may reasonably expect to be able to exert authority. This includes, but is not
limited to, employees, students, officers, third parties and other agents.

POLICY APPROVER

Vice-President (Administration & Finance) and Chief
Operating Officer

POLICY STEWARD

Chief Information Security Officer

REVIEW

This policy is to be reviewed by 6 October 2024.

## **VERSION HISTORY**

| Version | Approved By | Approval Date | Effective Date | Sections Modified |
| --- | --- | --- | --- | --- |
| 1 | Vice Principal Administration & Finance on behalf of the Senior Vice-Principal | 27 March 2014 | 27 March 2014 | N/A |
| 2 | Vice-Principal Administration and Finance & CFO | 2 June 2016 | 21 July 2016 | New version arising from the Policy Consolidation Project. This policy and its supporting processes replace the former Information Security Policy MPF1270, Computer Operations Procedure MPF1272, Data Centre Physical Security Procedure MPF1273, Disaster Recovery Procedure MPF1286, Information Classification and Handling Procedure MPF1274, Logging and Monitoring Procedure MPF1275, Network Security Procedure MPF1276, Service Development Security Requirements Procedure MPF1277 and User and System Access Procedure MPF1278. |
| 3 | - |  |  | *Created in error* |
| 4 | University Secretary | 24 May 2019 | 4 June 2019 | Amended Policy Approver title. Editorial amendments to correct minor errors or align with the University’s policy style guide. |
| 5 | University Secretary | 31 July 2019 | 1 August 2019 | Amended Policy Steward title. |
| 6 | Vice-President (Administration & Finance) and Chief Operating Officer | 6 November 2019 | 14 November 2019 | Amendments made across various sections to improve internal consistency and clarity, as well as ensure the policy statements and procedural principles align with industry best practice including ISO27001 control objectives, NIST Cybersecurity framework, Copyright Act 1968, Public Records Act 1973, and privacy related legislation including the EU General Data Protection Regulation (GDPR), Privacy and Data Protection Act 2014, Privacy Act 1988 and the Health Records Act 2001. |
| 7 | Chief Information Security Officer | 3 February 2026 | 4 February 2026 | Updated terminology to align with the Honorary Appointments Policy. |
| 8 | Chief Information Security Officer | 16 February 2026 | 17 February 2026 | Definition of University Visitors |
