51³Ô¹Ïapp

As per the UNSW Cyber Security Policies and Standards, the Cyber Security Policy Framework was established in 2023.Ìý

As part of the Framework, Business Owners of UNSW Information Resources are required to:Ìý

1. Understand their accountabilities and responsibilities concerning relevant Cyber Security Policies and Standards.
2. Identify UNSW Information Resources and submit these for Cyber Security Risk Rating assessment.
3. Perform a cyber security baseline Gap Assessment on all Medium and High-Risk Rated information resources.

Items 2 and 3 above are supported by the UNSW IT Cyber Security Strategy and Governance teams.

°¿²Ô³¦±ðÌýGap AssessmentsÌýare completed in theÌýÌýtool, the Cyber Security Strategy and Governance team will assess the information provided and issue Compliance Reports to:

Business Owners

Reports are by information resource and provide insights into gaps against controls outlined in the Cyber Security Standard - Risk Management. The report also provides remediation recommendations.

Senior leaders (DVCs, VPs, and Deans)

Senior leaders receive a Summary Report for their Faculty/Division which provides an overview of compliance gaps for their area of responsibility.

When the Compliance Reports are issued discussions begin with each area to planÌýremediation activitiesÌýto address gaps.

Under the Cyber Security Policy, Deputy Vice-Chancellors, Vice-Presidents, Deans, and the Rector UNSW Canberra are accountable for theÌýannual attestationÌýof compliance to the Cyber Security Risk Management Framework within their area of accountability.Ìýaccountability. Attestation occurs after remediation activities have commenced.

Ìý

TheÌýCyberPolicyHubÌýis a central directory of the Cyber Policy Framework and is designed to support UNSW staff in understanding their Cyber Security obligations.

The CyberPolicyHub function lies within theÌýÌýplatform. It can be used to search for relevant Cyber Security clauses using your role type and keywords. Refer to theÌýreference guideÌýfor assistance using the CyberPolicyHub.Ìý

Please visit the Cyber SecurityÌýStrategy & GovernanceÌýfor a listing of all support services provided.Ìý
Ìý

Acceptable Use of UNSW Resources Policy

The policy sets out the principles for ensuring UNSW information resources are used responsibly. This includes defining the conditions of personal use and informing users of their responsibilities, and the penalties for misuse. The policy establishes requirements for compliance and reporting cyber security events to reflect UNSW values.

Acceptable Use of UNSW Resources Policy (pdf, 268KB), opens in a new windowÌý

Cyber Security Policy

The Cyber Security Policy sets out the principles for ensuring University-wide information resources are appropriately protected. This policy;

• outlines appropriate governance of cyber security
• management of cyber security risk
• ensures cyber security events are detected and responded to promptly
• UNSW Information Resources recover from cyber security incidents in a secure and timely manner.Ìý

Cyber Security Policy (pdf, 283KB), opens in a new window

Data Security Standard

This standard establishes the minimum requirements related to handling and protection of UNSW Digital Information consistent with data classification, Cyber Security Risk Rating as well as applicable laws, regulations, standards, and contractual obligations.

The following Cyber Security Standards apply to University-wide users.

Risk Management Standard

This standard establishes cyber security risk ratings for UNSW Information Resources and ensures that cyber security risks are appropriately identified, assessed, reported, and treated consistently with the UNSW Risk Management Framework and applicable laws, regulations, standards, and contractual obligations. It defines the minimum set of controls that are required for UNSW Information Resources, consistent with the type of resource and its cyber security risk rating. This standard links the Cyber Security Policy and supporting Cyber Security Standards.

Ìý

The following Cyber Security Standards apply to all University-wide users including those Division/Faculty users with technology management or operational responsibilities.ÌýÌý

Framework Exemption Standard

This Standard outlines the process by which deviations, from the Cyber Security Policies and Standards, are to be managed and recorded.Ìý

Incident Management Standard

This Standard establishes the detailed responsibilities and requirements related to cyber security incident management, including the relationships between Faculty and Division security incident response processes, Security Operations Centres (SOC), the UNSW IT Service Centre, the UNSW IT Cyber Security Incident Response Team, and other internal and external stakeholders.

Identity and Access Management Standard

This Standard establishes the minimum standards related to user account management including privileged access management and periodic reviews, defining manager and supervisor responsibilities, centralised authentication, and multi-factor authentication.

Information Asset Management Standard

This Standard establishes the minimum cyber security requirements related to management oversight and lifecycle management of UNSW Information Resources, including formally mandating a centralised inventory of UNSW Information Service and Information Assets, as well as prohibiting end-of-life or end-of-support UNSW Information Resources.Ìý

IT Hosting Standard

The purpose of this standard is to establish minimum requirements for the hosting of Cyber Security Risk-Related UNSW Information Resources, including detailed physical access and environmental controls to support the required confidentiality, integrity, and availability.Ìý

Logging and Monitoring Standard

This Standard establishes minimum standards for security event logs, and minimum requirements for log protection, log retention, and log monitoring, including the requirement to utilise a Security Operations Centre (SOC) for UNSW Information Resources.Ìý

Network Security Standard

This Standard establishes the minimum requirements for the configuration of network-related Information Assets, including network segmentation controls, and traffic flow control requirements for specific network devices.

Secure-by-Design Standard

This Standard establishes the minimum requirements related to UNSW Information Resource configuration and hardening, and secure development, including formally mandating the Enterprise Security Architecture.

Secure Continuity Standard

This Standard establishes the minimum cyber security requirements for High-Resilience UNSW Information Resources throughout the Disaster Recovery (DR) lifecycle, including DR vendor risk and security assessments, the continuity of physical access and environmental controls, as well as backup, and restore arrangements to support the required availability.

Threat and Vulnerability Management Standard

This Standard establishes the minimum requirements for malicious code and malware protection and vulnerability management for UNSW Information Resources, including vulnerability scanning, penetration testing, and patch management.

Vendor Risk Management Standard

This Standard establishes the minimum cyber security requirements throughout the vendor management lifecycle, including initial and periodic risk and security assessments, contract inclusions, compliance obligations, data security, and mandatory breach reporting.

Ìý