九州影院

Menu

Wananga landing Wananga landing
Topic

Cyber security controls

02 September 2024

The 九州影院 implements a defence-in-depth approach to information security and employs a multitude of cyber security controls to protect our infrastructure and data. These controls are aligned to National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the ISO 27001 standard.鈥

HOW TO APPLY

Objective:

鈥疶o limit access to information and information processing facilities and ensure authorised user access and to prevent unauthorised access to systems and services. Also, to make users accountable for safeguarding their authentication information and prevent unauthorised access to systems and applications.鈥

Control implementation overview:鈥

  • All University user accounts follow industry best practice identity management guidelines e.g. the use of Single-Sign-On, Multi-Factor-Authentication (MFA)鈥

  • Privileged IT access management follows industry best practices鈥

  • Managed end-user devices (computing and mobile devices) and Virtual Private Network (VPN) access provided to all staff鈥

  • Adherence to the Identity and Access Management Standard鈥

翱产箩别肠迟颈惫别:鈥

To identify organisational data and technology assets and define and implement appropriate levels of protection responsibilities and controls.鈥

Control implementation overview:鈥

  • Guidance on information classification and the acceptable use of University assets via the:鈥

  • 鈥痝overning the access to, use of and return of University assets鈥

  • IT Asset management practices aligned with industry tools and frameworks鈥

  • Data encryption best practices implemented in a managed IT environment鈥

  • Secure physical storage of core IT equipment within University managed facilities鈥

翱产箩别肠迟颈惫别:鈥

Information security continuity shall be embedded in the organisation's business continuity management systems and to ensure availability of information processing facilities.鈥

Control implementation overview:鈥

  • University enterprise business continuity and crisis management framework implemented following industry best practice鈥

  • Resilience in the managed IT environment is designed and implemented to ensure continuous operations of key enterprise IT services and systems鈥

翱产箩别肠迟颈惫别:鈥

To ensure the protection of information in networks and its supporting information processing facilities.鈥

Control implementation overview:鈥

  • Industry best practice network security protection and detection controls and capabilities support the managed IT environment鈥

  • Dedicated IT network management capability to ensure the best practice management of all network communications infrastructure across the managed IT network (including network infrastructure device configuration, deployment and management)鈥

  • Virtual Private Network (VPN) mechanisms provided where applicable to secure access to enterprise IT services and systems鈥

翱产箩别肠迟颈惫别:鈥

To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements and to ensure that information security is implemented and operated in accordance with the organisational policies and procedures.鈥

Control implementation overview:鈥

  • Regular internal cyber security management and security control maturity assessments are conducted across the managed IT environment鈥

  • The鈥疷niversity Internal Audit capability鈥痳eviews the cyber security management and security control maturity of the University on a periodic basis鈥

  • Independent regulatory security management audits are conducted on an periodic basis (based on the relevant regulatory scope)鈥

  • Independent industry security certification audits are conducted on a regular basis (based on relevant University security certifications ) including鈥 PCI DSS security compliance鈥

翱产箩别肠迟颈惫别:鈥

To establish a management framework to initiate and control the implementation and operation of information security within the organisation.鈥

Control implementation overview:鈥

  • University Cybersecurity and Risk capability鈥痑nd the associated cyber security functions and services it provides to the University鈥

  • University cyber security policies and procedures鈥

  • University cyber security standards鈥

翱产箩别肠迟颈惫别:鈥

To provide management direction and support for information and cyber security in accordance with business requirements and relevant laws and regulations.鈥

Control implementation overview:鈥

  • University cyber security policies and procedures鈥

  • University cyber security standards鈥

  • Regular periodic review and update of cyber security policies, procedures and standards to ensure they continue to support business, regulatory and legal requirements and the cyber security risk and threat landscape鈥

翱产箩别肠迟颈惫别:鈥

To ensure proper and effective use of encryption to protect the confidentiality, authenticity and/or integrity of information.鈥

Control implementation overview:鈥

  • Centralised management of SSL certificates for University web domains鈥

  • Encryption of data implemented for enterprise managed end user devices鈥

  • Industry best practice encryption protocols and mechanisms implemented for enterprise managed IT compute and storage hosting platforms鈥

翱产箩别肠迟颈惫别:鈥

To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.鈥

Control implementation overview:鈥

  • Enterprise Human Resources capability which governs and supports HR activities across the University鈥

  • University HR policies and procedures鈥

  • Employment contracts/agreements (including confidentiality and intellectual property requirements)鈥

  • Employment screening processes (as governed by University HR policies and procedures)鈥

  • Employment on-boarding and offboarding processes (as governed by University HR policies and procedure鈥

翱产箩别肠迟颈惫别:鈥

To ensure correct and secure operations of information processing facilities, to protect against loss of data and to record events and generate evidence.鈥

Control implementation overview:鈥

  • Enterprise grade antivirus and anti-malware detection, prevention and recovery technology across lT managed devices鈥

  • Technical vulnerability management program and supporting tools implemented across the managed IT environment (including vulnerability scanning, vulnerability disclosure program, bug bounty program)鈥

  • Security penetration testing capabilities applied to verify the technical security posture of enterprise IT service and infrastructure in a risk-based manner鈥

  • Security threat identification, monitoring and response capabilities based on industry best practice frameworks鈥

  • IT change management procedures and processes embedded into the managed enterprise IT environment in alignment with industry best practices (including change management and release procedures, change advisory board (CAB) and change management records etc.鈥

  • Operational monitoring of the managed IT environment to ensure appropriate IT system and platform health and resilience鈥

  • Standard patch management processes based on industry best practice for managed end-user devices, IT hosting platforms and core IT infrastructure鈥

翱产箩别肠迟颈惫别:鈥

To prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities and to prevent loss, damage, theft or compromise of assets and Interruption to the organisation鈥檚 operations.鈥

Control implementation overview:鈥

  • Use of commercial grade ISO 27001 certified data centre hosting providers within New 九州影院for the storage of core IT equipment鈥

  • Use of commercial grade ISO 27001 certified cloud hosting providers for managed cloud platform services鈥

  • Centralised physical security management and support services provided by the鈥疷niversity Facilities Security Services鈥痗apability鈥

  • Implementation of standard physical security access and monitoring controls across all University offices and buildings (including electronic building access management, 24/7 CCTV monitoring and security guard services etc.)鈥

  • Implementation of standard environmental management and monitoring controls across all University offices and buildings (including managed heating, cooling, lighting etc.)鈥

翱产箩别肠迟颈惫别:鈥

To ensure protection of the organisation's assets that are accessible by suppliers. To maintain an agreed level of information security and service delivery in line with supplier agreements.鈥

Control implementation overview:鈥

  • support the procurement and use of externally managed IT services鈥

  • Standard University data security and data privacy requirements are considered within contractual agreements with external suppliers鈥

  • Supplier delivery and commercial management processes in place to ensure that suppliers continue to perform and meet the requirements of the supplier agreements鈥

翱产箩别肠迟颈惫别:鈥

To ensure that information security is an integral part of information systems across the entire system development and maintenance lifecycle.鈥

Control implementation overview:鈥

  • and the the development, release or significant changes of IT services or systems within the managed environment鈥

  • 鈥痵upport the design, development and implementation of IT systems鈥

  • Specific security awareness and secure code development training for development capabilities and resources鈥

  • Implementation of industry best practice approaches to secure development life cycle practices (e.g.鈥痵ecure code training, security testing, and communities of practice etc.)鈥

  • IT change management procedures and processes embedded into the s managed enterprise IT environment in alignment with industry best practices (including change management and release procedures, change advisory board (CAB) and change management records etc.)鈥


Privacy Preferences

By clicking "Accept All Cookies", you agree to the storing of cookies on your device to enhance site navigation, analyse site usage, and assist in our marketing efforts.