The College: Melbourne School of Theology
Confidential Data:
- Unreleased and classified financial information.
- Student, supplier, and board information.
- Student leads and marketing-related data.
- Patents, business processes, and/or new technologies.
- Employees' passwords, assignments, and personal information.
- Company contracts and legal records.
IT Application Software: Application software encompasses various types of software used within the organisation's IT infrastructure, including but not limited to:
- Productivity Software: Such as Microsoft Office suite, and other productivity tools from Microsoft.
- Databases: Software used for managing databases, storing and retrieving data.
- Web Browsers: Software applications used for accessing information on the World Wide Web.
- Email Servers and Clients: Software used for managing email communications, including both server-side and client-side applications.
- Purchased Applications: Commercial software solutions acquired from vendors for specific business needs.
- Freeware and Open-Source Software: Software available at no cost (freeware) or with source code accessible (open-source).
- In-house Developed Software: Custom software solutions developed internally for organisational use.
- Collaboration Tools: Software enabling teamwork and collaboration, such as instant messaging and project management tools.
- Cloud-based Software: Applications hosted and accessed via the internet, typically offering scalability and remote accessibility.
IT Network Hardware: network hardware including Firewalls, routers, switches, modems and WiFi devices.
IT System Hardware: IT hardware including computer equipment, servers, desktops, laptops, devices and accessories.
IT Network Software: Software that facilitates the operation and management of network devices, including but not limited to network device hardware operating systems, network management tools, and communication protocols.
IT System Software: Computer software essential for the operation of IT systems, including operating systems, device drivers, firmware, and BIOS.
Infrastructure: all items defined above; synonyms include “technology” and “equipment”
Malware: software that is specifically designed to disrupt, damage, or gain unauthorised access to computer systems
Mobile Devices: Portable communication devices including mobile phones, tablets, and other communication devices
Mobile Software: software installed on or used on Mobile Devices
Physical Facilities: physical facilities and locations in which IT infrastructure, as listed above, is stored, operated or used
The risk of data theft, scams, and security breaches can have a detrimental impact on our organisation's systems, and reputation. As a result, the College has created this policy to outline the security measures put in place to ensure information remains secure and protected.
This Cyber Security Policy has the following purposes:
- Protect the operational integrity and availability of the College’s normal operations facilitated by its personnel and IT resources;
- Protect the confidentiality, integrity and availability of data and information managed and retained by the College;
- Protect against external intrusion, denial of service, ransomware, and all other malicious breaches of the College’s IT environment, whether internal or external in origin;
- Ensure all personnel are aware of potential cyber risks and are trained to detect, respond and recover from cyber events;
- Prevent unauthorised and unapproved IT activity of any type within the College’s IT environment;
- Govern IT practices to ensure cyber security is a normal and expected part of the way the College operates internally, and with its students, staff and external stakeholders;
- Manage and recover from any adverse cyber incident in the most effective and efficient manner to restore normal operations as quickly as possible;
Continually review and improve cyber security as the College’s IT environment and the real-world cyber security environment evolve.
The Cyber Security Policy applies to all the College’s permanent, and part-time employees, contractors, remote workers, volunteers, suppliers, interns, and/or any individuals with access to the College's electronic systems, information, software, and/or hardware.
This Cyber Security Policy applies to all IT infrastructure owned or operated by the College, as well as IT infrastructure owned or operated by persons or organisations that interact with the College’s IT environment, either within that environment directly or remotely. This includes, but is not limited to:
- IT System Hardware
- IT Network Hardware
- Mobile Devices
- IT System Software
- IT Network Software
- Mobile Software
- IT Application Software
- Physical Facilities
These various infrastructure items are included in any reference to infrastructure, technology or equipment in this policy document.
All employees must be informed and aware of cybersecurity. To facilitate and foster this, the College provides Cyber Security Training, along with formal processes and procedures, and various other documentation related to cyber security. All personnel have a responsibility to be cyber security aware in the activities they perform for the College and to follow documented requirements.
To engage new employees internally, the College will:
- Prior to engagement, conduct background checks on employees at a level appropriate for the type of engagement; employees who do not meet all relevant checks will not be engaged
- Once engaged, deliver Cyber Security Training to the employees during on boarding
- All employees must undertake the Cyber Security Training provided by the College as required from time-to-time.
All employees have a responsibility to report possible cyber security events as soon as possible after detecting such events. The reports should be directed to the Information Technology Manager or other appropriate personnel such as the Chief Operations Officer.
Cyber Security is the responsibility of the IT Department who are the primary point of responsibility for cyber security within the organisation and have the authority to make and implement cyber security related decisions. All personnel must follow any cyber security related directions given by the IT Department and other authorised personnel.
All employees must maintain appropriate confidentiality of the College’s information and activities to minimise the risk of inadvertently making the College vulnerable to a cyber-security event. Internet traffic may be monitored by the IT Department for the purposes of improved detection of threats and attacks, and that access to specific websites may be blocked if they are identified as a risk. Any attempt to circumvent the internet filtering is considered a breach of policy.
Approved Infrastructure
All infrastructure stored, operated, or used by any employee where that infrastructure interacts with the College IT environment must be approved for use by the IT Manager or their nominated delegate and used in accordance with this Cyber Security Policy. For this purpose, various policies, processes, procedures, checklists and other documents specify matters related to cyber security must be used as defined within those relevant documents.
Known and Approved
All infrastructure must be known and approved by the IT Manager. This includes all existing infrastructure; and all new infrastructure that interacts with the College’s IT environment, including for guest or short-term users, must be approved before connecting to or integrating with the College’s IT environment. This includes, but is not limited to, all infrastructure as listed in Scope – Infrastructure, above.
Secured
All infrastructure must be securely configured as defined by the College. This includes, but is not limited to:
- Operating systems, including server, desktop and laptop;
- Network devices, including firewalls, routers, switches, modems and WiFi devices;
- Mobile devices;
- Collaboration Tools, including Microsoft 365, Google Workspace, etc;
- Microsoft Office, including approval of macros within documents;
- Email Servers and Clients;
- Web Browsers;
- Application software;
- Endpoint protection, includes anti-virus and malware prevention software.
Protected
All infrastructure must be protected against cyber incidents. This includes, but is not limited to:
- Installing approved malware and antivirus software;
- Configuring the malware and antivirus software to run automatically at device start up;
- Enabling comprehensive real-time malware and antivirus scanning;
- Ensuring malware and antivirus software definitions are updated automatically at least daily.
Where WiFi access is available, there must be a dedicated Guest network, separate from the main College network, that is used by all personnel who are external to College, except where functional or operational requirements necessitate otherwise (e.g. approved third-party maintenance). This Guest network must be configured with minimal access rights.
Usage
All infrastructure must be stored, operated and used only as approved by the College.
Systems and Applications
IT systems and applications will have controlled access aligned with the purpose of the program. The controls must include some form of authentication of the user (e.g., login). Where appropriate and possible, multi-factor authentication will be required.
Passwords
IT systems and some applications will have controlled access using a login with a username and password. Passwords are recommended to adhere to the following standards:
- Use a combination of uppercase and lowercase letters, digits and special characters;
- Include at least one each of uppercase and lowercase letters, digits and special characters;
- Be at least twelve to sixteen characters in length, preferably longer;
- Avoid Common Patterns: Do not use easily guessable patterns such as "password123" or sequences like "123456".
- Do not use easily obtainable information like your name, birthdate, or common words.
- Changed at least annually, or more frequently if the nature of the access is more sensitive;
- Passwords should be different for separate systems and applications;
- Passwords should not be written down in “clear text” or in any way that allows them to be guessed;
- Consider using a passphrase—a combination of multiple words or a sentence—that is easy for you to remember but hard for others to guess.
- Passwords must not be shared with others, except where operationally required and if so, via a college approved password management system.
- Use a college approved and reputable password manager to generate, store, and manage complex passwords securely.
- Whenever possible, enable MFA for an additional layer of security beyond just passwords.
Additionally, the College utilises a service to monitor and alert the IT department in the event that a breach related to a College email account is identified.
Multi-Factor Authentication
Multi-Factor authentication is required where data or resources that can be accessed are of a sensitive or high value nature. When required, it will be implemented using only methods and technologies approved by IT Department.
Networks
IT networks will have controlled access aligned with the purposes of the College. The controls must include some form of authentication of the user (e.g., login). Where possible and appropriate multi-factor authentication will be required.
Remote Access
Remote access to infrastructure will be controlled – only approved personnel using approved remote access methods and technology will be permitted. As remote employees will be accessing the College’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure. Advice can be obtained from the IT Department.
Physical Facilities and Infrastructure
Physical facilities will be protected as follows:
- Physical barriers must restrict access to critical infrastructure (e.g., dedicated, secure computer room, locked doors, etc).
- Removable disks are not permitted to be used as these pose significant data breach and privacy risks.
- Network devices, except WiFi access points, must be located in a secure, locked cabinet or room.
- Inactive data points should be disabled to prevent unauthorized devices from accessing the network.
Employees have a responsibility to safeguard the Physical Facilities and Infrastructure of the College. They must abide by all physical access requirements for the College facilities and infrastructure.
Transferring Data
The College recognises the security risks of transferring confidential data internally and/or externally. To minimise the chances of data theft, we instruct all employees to:
- avoid transferring sensitive data (e.g., student/member information, employee/volunteer records) to other devices or accounts such as Drop Box or WeChat. When mass transfer of such data is needed, employees should ask the IT Team for assistance;
- only transfer confidential data over ECA networks;
- obtain the necessary authorisation from senior management;
- verify the recipient of the information and ensure they have the appropriate security measures in place;
- adhere to College’s data policy and confidentiality agreement;
- immediately alert the IT team of any suspected breaches, malicious software, and/or scams.
Data Backup
Backups are crucial defences against threats such as phishing, ransomware, and insider incidents. In case of data loss, backups are essential for restoring lost files and emails. Generally, the College's backups are managed by the IT Department. However, employees using personal devices should coordinate backup storage options with the IT Team.
To safeguard the College from data loss and protect its reputation, employees must:
- Backup regularly.
- Store backups offsite and offline.
- Encrypt backup data with a password and store it in a physically secure location.
- Regularly test backups to ensure they function correctly.
These measures help ensure that critical data can be recovered effectively in the event of an incident.
Software Updates
Updates, sometimes called patches, are released by manufacturers and producers of software from time-to-time, usually quite regularly. All infrastructure, most notably IT systems and applications, as well as network devices, must be updated with appropriate updates and patches provided by the manufacturers and suppliers of the infrastructure as soon as possible. Where possible and operationally practical, updates should be applied automatically and therefore incumbent on staff members to download and reset their computer devices accordingly for automatic updates. Staff members should refrain from disabling or delaying updates for extended periods.
Above and beyond normal updates from time-to-time, major new releases of software are made available by software manufacturers and producers. Most notable are major releases of operating systems (e.g. Microsoft Windows 8.1 to Windows 10). The following apply:
- Updates must be investigated to understand the impact of the updates on the existing infrastructure and operations of the organisation;
- The resources required to updates existing infrastructure must be estimated, including labour, time, necessary infrastructure changes, and any consequential financial outlay;
- Where possible and not operationally or financially prohibitive, updates must be planned, scheduled and implemented within 12 months of official public release, unless otherwise directed by IT Manager.
Cyber Security Incident Management
Refer Data Breach Policy for details on data breaches and cyber security incident management.