(1) For the purpose of this policy:
(2) The Network Policy for the University is designed as a resource to assist the University in maximising the integrity, availability and efficacy of University information whilst minimising the risk of unauthorised collection, disclosure, modification or destruction of University data.
(3) Access to the University Network is the starting point for extending the reach of the University, expanding the educational and research resources available to staff and students and also for encouraging internal collaborations within the University itself. The University is committed to the principle that information should be shared subject to privacy and confidentiality requirements and consequently to an open flow of information within the University.
(4) The University's Network is a powerful tool for institutional effectiveness and efficiency only to the extent that network connections are easily established and broadly available. The University must make decisions concerning security of the network based on an objective assessment of potential risks balanced against the costs and other organisational priorities. Responsibility and accountability for the security and privacy of the network and the data that it contains rests solely with the University.
(5) The University has become more and more reliant on this network for business function and efficiency.
(6) The University network is a single entity that supports all core information systems and services for the University and its partners. Other networks may exist within the University that operate independently.
(7) This policy has been developed for Southern Cross University and forms part of the Technology Services Policy Framework. It seeks to define the management of the computing network within the University and provide a foundation for the conditions of use that informs the University community of their rights and responsibilities.
(8) This policy applies to management of the University Network and is specifically related, but not limited to, those facilities administered by Technology Services.
(9) This Policy addresses detail necessary for the overall Network Policy to operate effectively throughout the University. It covers the areas of:
(10) This policy is underpinned by the Computing Conditions of Use Policy.
(11) The Director, Technology Services will ensure that the network is capable of providing access controls to the University network based on defined security levels that reflect requirements for access to information system needs as defined by the information systems owners.
(12) Network availability will ensure continuity of the University's information systems. These information systems will determine network availability and network maintenance windows will be negotiated with the information system owners.
(13) Any partner or joint venture wishing to connect to the University network must conform to SCU network security policies in order to protect both the University and the partner involved.
(14) The sites chosen to locate network equipment and cabling will be suitably protected from physical intrusion, theft, fire, hazardous materials, flood and other intrusions.
(15) All premises housing network equipment must be protected from unauthorised access using an appropriate balance between simple ID cards to more complex technologies to identify, authenticate and monitor all access attempts.
(16) All network devices and communication services located outside of designated secure areas should be contained in secure cabinets with locking hardware. There should be no signage indicating the presence or importance of such facilities.
(17) When locating network equipment, adequate cooling and power supplies will be provided to guard against excessive ambient temperature / humidity.
(18) An uninterruptible power supply is to be installed to ensure the continuity of essential services during power outages. All hardware devices required for continued operation will be powered through the UPS.
(19) An annual check will be conducted to ensure that all UPS devices comply with industry standards.
(20) The University network will be monitored to identify breaches of the Computer Conditions of Use Policy.
(21) The University network will be protected by Firewalls in accordance with industry best practice.
(22) An audit of Network policies, procedures and standards will be conducted periodically in order to evaluate current policies and to identify key risks that may have arisen.
(23) Any external network that is connected to the University network will be considered untrusted.
(24) Users wishing to access corporate information systems on the University network from external networks will require adherence to SCU standards for strong authentication.
(25) The acquisition of all network equipment must meet current standards and be approved by the Director, Technology Services.
(26) Network installation and cabling will be required to meet current standards and specifications as outlined by Technology Services. All new installations will require auditing and approval by Technology Services before being connected to the SCU network.
(27) The installation, maintenance or alteration of network equipment and cabling must be carried out by an SCU preferred supplier or contractor. Technology Services must be notified of all such work and is subject to approval by Technology Services.
(28) Network configurations, documentation and software will be stored in a secure location. Duplicate copies will be made and kept at appropriately secure offsite locations.
(29) A network disaster recovery plan will be established and maintained so that the University will have a controlled, timely, and effective response to a disaster. The main goal of the Network Disaster Recovery Plan will be to avoid or minimise damage to the University's resources, reputation and ability to operate. This plan will be regularly tested.
(30) Equipment maintenance and replacement strategies will be in place to ensure that loss or failure of network components is recoverable in a timely fashion. There will be adequate network hardware arrangements in place to ensure the network can be maintained with minimal disruptions to the information systems operating at the University.
(31) All changes to system hardware and configurations are to be performed through formal change control procedures to ensure that all changes are recorded and included in network documentation.
(32) The Director, Technology Services will be responsible for the training of the University community in policies, procedures and standards for the Network.
(33) Training will be made available to reflect the individual staff member's responsibility for configuring and maintaining the network. Staff not involved in the actual function of the network need to be aware of the relevance of policies that drive the network.
(34) For further advice and assistance, staff and students should first contact the relevant IT Service Desk
(35) Institutional Context - The issue of network security has become more prevalent as a greater amount of information is stored and passed using networked systems. There is often a belief that security is purely about ensuring the safekeeping of information. From the perspective of the University, Network Security refers to:
(36) There are a number of legislative requirements that the University must abide by on both a State and Federal level. While much of this information relates specifically to privacy related issues, it is important that other relevant legislation is taken into account, in regard to such areas as archiving, evidence and Freedom of Information. The University also needs to be aware of issues of contract law in regard to arrangements made with regard to the security of data provided by and to corporate joint venture partners.
(37) Of specific concern in the preparation of this document are the following:
(38) The Privacy and Personal Information Protection Act (NSW) 1998 states at Section 12 Retention and security of personal information:
"A public sector agency that holds personal information must ensure:
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse,"
(39) This Policy should be read in conjunction with the following:
(40) The Director, Technology Services will be responsible for establishing standards for network equipment, protocols for which these systems operate and arrangements with preferred suppliers.
(41) The Director, Technology Services is responsible for ensuring the availability of network services as dictated by the needs of the University.
(42) The Director, Technology Services is responsible for ensuring the management of the Network is consistent with the University's needs.
(43) Responsibility for information systems that operate on the University network will fall to the Head of the department from which the system originates. For example, Financial and Business Services will be the custodian for the E-Trans system.
(44) The University community will use the University Network in a responsible manner consistent with the Computing Conditions of Use Policy.
(45) Refer to Part C - Content and Implementation.