Information Security - IT Security Audit Authorities Procedure

This is the current version of this document.

Section 1 - Summary

(1) This Procedure ensures the integrity and stability of the University’s computing and network environment. Information Technology (IT) will regularly conduct audits on systems at Victoria University.

Section 2 - HESF/ASQA/ESOS Alignment

(2) HESF: 2.1 Facilities and Infrastructure, 3.3 Learning Resources and Support and 7.3 Information Management.

Section 3 - Scope

(3) This Procedure applies to all staff, students, contractors, visitors and other authorised users of Information and Communication Technology (ICT) facilities and services.

(4) University-owned ICT computers and devices.

(5) Personal (BYOD) equipment and devices located on University premises.

Section 4 - Definitions

(6) Nil.

Section 5 - Policy/Regulation

(7) See the Information Security Policy.

Section 6 - Procedures

Part A - Summary of Roles and Responsibilities

Role: Director / Senior Manager
Responsibility:
  a. Inform IT staff involved in an audit of their responsibilities under the Information Security Policy and associated procedures.
  b. Maintain a record of all IT Security audits conducted.
  c. Provide authorisation of IT Security audits to be conducted as required.

Role: IT Staff
Responsibility:
  a. Adhere to the Information Security Policy and associated procedures when conducting IT security audits.

Procedures

(8) Information Technology Services (IT) staff have the authority to conduct a security audit on any system at Victoria University (VU). 

(9) IT security audits may be conducted on all computers and communication devices owned or operated by the University, as well as any computers and communication devices that are present on University premises but may not be owned or operated by the University.

(10) IT Security audits may be conducted to:

  1. Ensure integrity, confidentiality and availability of information and resources.
  2. Investigate possible security incidents to ensure conformance to the University's security policies and procedures.
  3. Investigate possible violations of laws applicable in the State of Victoria, the Commonwealth of Australia and any international jurisdiction in which Victoria University (VU) conducts operations.
  4. Ensure the University complies with relevant legislation.
  5. Monitor user or system activity where there is a legitimate concern that one or more of the above conditions is not being met.
  6. Ensure University resources are used appropriately and for work-related purposes in accordance with IT Appropriate Use and Appropriate Workplace Behaviour Policy and associated procedures.
  7. Facilitate the recovery of corporate information stored on individual desktop PCs, laptops, devices, etc.

(11) Prior to conducting an audit, personnel performing the IT security audit must be aware of the relevant state, federal and international laws that may be pertinent to their investigation.

(12) Authorisation to conduct an IT security audit must be obtained as required according to the authority requirements for the type of security audit to be performed.

  1. Authorisation to conduct an IT security audit can be obtained from:
    1. Director, ITS Security and Risk Assurance or delegate;
    2. Vice-President, Resources and Transformation or delegate; or
  2. Security audits that involve access to confidential material require an audit brief to be prepared for sign-off by the Executive Director, IT Services or delegate.

(13) Any access as required will be granted to authorised personnel for the purpose of performing an audit. This access may include:

  1. User-level and/or system-level access to any computing or communications device;
  2. Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on VU equipment or premises;
  3. Access to work areas (labs, offices, cubicles, storage areas, etc.);
  4. Access to interactively monitor and log the traffic on VU networks.

(14) A record of all IT security audits will be maintained by the IT Security Office and made available when required to a University Lawyer or Privacy Officer. If required, a final report detailing the outcome of the IT security audit is to be completed.

Section 7 - Supporting Documents and Information

(15) Nil.