Security policies and standards

As per the UNSW Cyber Security Policies and Standards, the Cyber Security Policy Framework was established in early 2023. 

As part of the Framework, Business Owners of UNSW Information Resources are required to: 

1. Understand their accountabilities and responsibilities concerning relevant Cyber Security Policies and Standards.
2. Identify UNSW Information Resources and submit these for Cyber Security Risk Rating assessment.
3. Perform a cyber security baseline Gap Assessment on all Medium and High-Risk Rated information resources.

Items 2 and 3 above are supported by the UNSW IT Cyber Security Strategy and Governance teams.

Once Gap Assessments are completed in the myCyberHub tool, the Cyber Security Strategy and Governance team will assess the information provided and issue Compliance Reports to:

• Business Owners
  Reports are by information resource and provide insights into gaps against controls outlined in the Cyber Security Standard - Risk Management. The report also provides remediation recommendations.
• Senior leaders (DVCs, VPs, and Deans)
  Senior leaders receive a Summary Report for their Faculty/Division which provides an overview of compliance gaps for their area of responsibility.

When the Compliance Reports are issued discussions begin with each area to plan remediation activities to address gaps.

Under the Cyber Security Policy, Deputy Vice-Chancellors, Vice-Presidents, Deans, and the Rector UNSW Canberra are accountable for the annual attestation of compliance to the Cyber Security Risk Management Framework within their area of accountability. accountability. Attestation occurs after remediation activities have commenced.

The CyberPolicyHub is a central directory of the Cyber Policy Framework and is designed to support UNSW staff in understanding their Cyber Security obligations.

The CyberPolicyHub function lies within the MyCyberHub platform and can be easily found by selecting CyberPolicyHub from the top menu bar. It can be used to search for relevant Cyber Security clauses using your role type and keywords. Refer to the reference guide, opens in a new window for assistance using the CyberPolicyHub. 

Please visit the Cyber Security Strategy & Governance, opens in a new window for a listing of all support services provided. 
 

The following Cyber Security Policy and Standards apply to University-wide users.

• Cyber Security Policy
  The Cyber Security Policy sets out the principles for ensuring University-wide information resources are appropriately protected. This policy outlines appropriate governance of cyber security, management of cyber security risks, ensures cyber security events are detected and responded to promptly, and that UNSW Information Resources recover from cyber security incidents in a secure and timely manner. 
  Cyber Security Policy (pdf, 283KB), opens in a new window

• Data Security Standard
  This standard establishes the minimum requirements related to handling and protection of UNSW Digital Information consistent with data classification, Cyber Security Risk Rating as well as applicable laws, regulations, standards, and contractual obligations.
  Cyber Security Standard - Data Security (pdf, 256KB) 
  
  
• Risk Management Standard
  This standard establishes cyber security risk ratings for UNSW Information Resources and ensures that cyber security risks are appropriately identified, assessed, reported, and treated consistently with the UNSW Risk Management Framework and applicable laws, regulations, standards, and contractual obligations. It defines the minimum set of controls that are required for UNSW Information Resources, consistent with the type of resource and its cyber security risk rating. This standard links the Cyber Security Policy and supporting Cyber Security Standards. 
  Cyber Security Standard - Risk Management (pdf, 654KB)

The following Cyber Security Standards apply to all University-wide users including those Division/Faculty users with technology management or operational responsibilities.  
 

• Framework Exemption Standard
  This Standard outlines the process by which deviations, from the Cyber Security Policies and Standards, are to be managed and recorded. 
  Cyber Security Standard - Framework Exemption (pdf, 280KB) 
  
  
• Incident Management Standard
  This Standard establishes the detailed responsibilities and requirements related to cyber security incident management, including the relationships between Faculty and Division security incident response processes, Security Operations Centres (SOC), the UNSW IT Service Centre, the UNSW IT Cyber Security Incident Response Team, and other internal and external stakeholders.
  Cyber Security Standard - Incident Management (pdf, 386KB) 
  
  
• Identity and Access Management Standard
  This Standard establishes the minimum standards related to user account management including privileged access management and periodic reviews, defining manager and supervisor responsibilities, centralised authentication, and multi-factor authentication.
  Cyber Security Standard - Identity and Access Management (pdf, 376KB), opens in a new window 
  Cyber Security Guideline - User Access Review (pdf, 567KB), opens in a new window 
  Cyber Security Guideline - Multi-Factor Authentication (pdf, 278KB), opens in a new window
  
  
• Information Asset Management Standard
  This Standard establishes the minimum cyber security requirements related to management oversight and lifecycle management of UNSW Information Resources, including formally mandating a centralised inventory of UNSW Information Service and Information Assets, as well as prohibiting end-of-life or end-of-support UNSW Information Resources. 
  Cyber Security Standard - Information Asset Management (pdf, 337KB), opens in a new window 
   
• IT Hosting Standard
  The purpose of this standard is to establish minimum requirements for the hosting of Cyber Security Risk-Related UNSW Information Resources, including detailed physical access and environmental controls to support the required confidentiality, integrity, and availability. 
  Cyber Security Standard - IT Hosting (pdf, 335KB), opens in a new window 
  
  
• Logging and Monitoring Standard
  This Standard establishes minimum standards for security event logs, and minimum requirements for log protection, log retention, and log monitoring, including the requirement to utilise a Security Operations Centre (SOC) for UNSW Information Resources. 
  Cyber Security Standard - Logging and Monitoring (pdf, 475KB), opens in a new window 
  
  
• Network Security Standard
  This Standard establishes the minimum requirements for the configuration of network-related Information Assets, including network segmentation controls, and traffic flow control requirements for specific network devices.
  Cyber Security Standard - Network Security (pdf, 408KB), opens in a new window 
  
  
• Secure-by-Design Standard
  This Standard establishes the minimum requirements related to UNSW Information Resource configuration and hardening, and secure development, including formally mandating the Enterprise Security Architecture.
  Cyber Security Standard - Secure-by-Design (pdf, 388KB), opens in a new window
  
  
• Secure Continuity Standard
  This Standard establishes the minimum cyber security requirements for High-Resilience UNSW Information Resources throughout the Disaster Recovery (DR) lifecycle, including DR vendor risk and security assessments, the continuity of physical access and environmental controls, as well as backup, and restore arrangements to support the required availability.
  Cyber Security Standard - Secure Continuity (pdf, 350KB), opens in a new window

• Threat and Vulnerability Management Standard 
  This Standard establishes the minimum requirements for malicious code and malware protection and vulnerability management for UNSW Information Resources, including vulnerability scanning, penetration testing, and patch management.
  Cyber Security Standard - Threat and Vulnerability Management (pdf, 389KB), opens in a new window

• Vendor Risk Management Standard
  This Standard establishes the minimum cyber security requirements throughout the vendor management lifecycle, including initial and periodic risk and security assessments, contract inclusions, compliance obligations, data security, and mandatory breach reporting. 
  Cyber Security Standard - Vendor Risk Management (pdf, 371KB), opens in a new window