Document Feedback - Review and Comment
Step 1 of 4: Comment on Document
How to make a comment?
1. Use this to open a comment box for your chosen Section, Part, Heading or clause.
2. Type your feedback into the comments box and then click "save comment" button located in the lower-right of the comment box.
3. Do not open more than one comment box at the same time.
4. When you have finished making comments proceed to the next stage by clicking on the "Continue to Step 2" button at the very bottom of this page.
Important Information
During the comment process you are connected to a database. Like internet banking, the session that connects you to the database may time-out due to inactivity. If you do not have JavaScript running you will recieve a message to advise you of the length of time before the time-out. If you have JavaScript enabled, the time-out is lengthy and should not cause difficulty, however you should note the following tips to avoid losing your comments or corrupting your entries:
-
DO NOT jump between web pages/applications while logging comments.
-
DO NOT log comments for more than one document at a time. Complete and submit all comments for one document before commenting on another.
-
DO NOT leave your submission half way through. If you need to take a break, submit your current set of comments. The system will email you a copy of your comments so you can identify where you were up to and add to them later.
-
DO NOT exit from the interface until you have completed all three stages of the submission process.
(2) HESF: 2.1 Facilities and Infrastructure; 3.3 Learning Resources and Support; 7.3 Information Management. (3) Standards for Registered Training Organisations (RTOs) 2015: Standard 8. (5) Account – A unique identity created for a person, machine or service that provides access to digital infrastructure and information assets. (6) Business Continuity - Capability of the University to continue the delivery of services at predefined acceptable levels following a disruptive incident to minimise any reputational risk to the University. (7) Business Owner – Individual with operational authority for specified information assets and responsibility for establishing controls for its protection. (8) Cryptographic Key Management - Implementation of procedures and internal processes to manage and support approved encryption algorithms and protocols for the secure transmission of information. (9) Information Asset – Any information that is of value to the organisation. This term also includes the underlying supporting infrastructure such as business processes, hardware, networks, storage, applications, removable media, third-party providers and storage amongst others. (10) Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (11) Information Security Risk – Cyber and information system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information assets and consider impacts to the organisation (mission, functions, image, or reputation), individuals, other organisations, the State and the Nation. (12) This Policy supports VU's cyber security principles and objectives. (13) VU's information assets must not be used, shared or stored in a manner that violates VU's policies and will be used and protected in compliance with this Policy, and other relevant policies including the: (14) Information assets are to be appropriately protected based on their classification and sensitivity in line with VU's Information and Asset Classification Framework. (15) VU staff will be responsible for: (16) All systems at VU will be configured in line with University approved security configuration recommendations to minimise security risks. (17) Information security risks will be managed in line with VU's Risk Management Policy and Procedure. (18) Critical incidents are responded to in line with the Critical Incident, Emergency Planning and Business Continuity Policy and Procedure. (19) Business Continuity response and planning are managed in accordance with the Business Resilience Framework and Policy. (20) Third-party service providers are procured in line with Third Party Arrangements Policy and Purchasing Policy requirements. (21) Third-party service providers that access, store, transmit or process VU’s information assets will be subject to information security due diligence in line with VU’s Ecosystem Security Assurance Framework. (22) Information backups will be performed on applicable information assets based on their classification, business availability and integrity requirements. (23) Changes to production information assets will be controlled through a formal change and transition management process. (24) Information assets will be protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. (25) Access to physical areas hosting VU’s information assets will be controlled to ensure that only authorized employees, contractors and third-party service providers are allowed access. (26) Keys or equivalent access mechanisms to server rooms, communications rooms and security containers or rooms will be appropriately secured and controlled. (27) Information processing and communication facilities hosting VU’s information assets will be adequately protected and designed against natural, man-made disasters and malicious attacks. (28) Adequate processes to provision, modify, revoke and revalidate accounts are established in order to reduce the risk of unauthorized access to information assets. (29) Access to information assets is authenticated against a central authentication system and authorisation is based on need to know and the principle of least privilege in line with the Information Security - User Access Management Procedure and the Information Security - User Authentication Procedure. (30) Unauthorised use of accounts is prohibited, is a breach of university policy and may be subject to disciplinary and/or legal action. (31) All persons using or accessing VU’s information assets are responsible for protecting information from unauthorised access. (32) Users sending university related email communications both internally and externally must use authorised university email systems and applications using a university issued email address. (33) All persons using or accessing VU's information assets will undergo background verification as per the Enrolments Procedure or Recruitment and Selection Policy. (34) The University will provide training and awareness activities for students, staff, contractors and third-party service providers accessing or using VU’s information assets. (35) The Cyber Security Advisory Committee is responsible for ensuring that University information security controls comply with applicable state, federal and global laws governing information resources, including legal and other compliance requirements. (36) A Cryptographic Key Management System is established and implemented. (37) A list of approved cryptographic algorithms (ACA) and approved cryptographic protocols (ACP) for use at VU will be established. (38) Compliance with established policies and applicable legal and regulatory requirements will be proactively monitored and achieved. This includes intellectual property rights, protection of records, software licenses, privacy and cryptographic controls. (39) Compliance monitoring activities will be enhanced with independent reviews and automated processes. (40) VU has the right to conduct audits on VU information systems including personal devices while connected to the University network to ensure compliance with University polices. (41) Any exceptions to this Policy and associated Information Security procedures must be approved by the Chief Digital Officer and Executive Director Campus Services. (42) Any actual or suspected breaches of this Policy should be reported immediately to the IT Customer Support Desk or line manager or other authority including operational risk and compliance representative. (43) All breaches of this Policy will be treated seriously and may be subject to disciplinary action in accordance with the relevant enterprise agreement (for staff) or Student Misconduct Regulations 2019 (for students). (44) Information Security - Internet Filtering Procedure (45) Information Security - IT Security Audit Authorities Procedure (46) Information Security - User Access Management ProcedureInformation Security Policy
Section 1 - Summary
Top of Page
Section 2 - HESF/ASQA/ESOS Alignment
Section 3 - Scope
Top of PageSection 4 - Definitions
Section 5 - Policy Statement
Part A - Classification and Configuration of Information Assets
Part B - Risk Management
Part C - Physical Access to Information Assets
Part D - Authentication and Access Management
Part E - Responsibilities
Part F - Cryptography Security
Part G - Compliance
Part H - Breach of Policy
Section 6 - Procedures