Asset Publisher

Cyber Security Policy


1. Policy statement

The Department of Education (the Department) implements measures to protect the Department’s electronic information, infrastructure and services from theft, unauthorised access or use, disclosure, modification or destruction during the information lifecycle.

2. Policy rules

Employees must:

  • only use the Department’s Information and Communication Technologies (ICT) resources to which they have been granted access privileges;
  • prevent unauthorised disclosure of data;
  • prevent unauthorised access to information on an inactive workstation;
  • report any suspicion of, or known, security threats or breaches to their line manager or the ICT Customer Service Centre; and
  • only use the Department’s ICT resources for:
    • work/business and educational purposes; or
    • personal use when it is not for commercial gain or in any way counterproductive to the business of the Department (refer to Telecommunications Use Policy).

Principals must maintain ICT infrastructure security in schools.

Site managers must:

  • confirm that employees are made aware of the requirements of this policy; and
  • endorse the use of the Department ICT infrastructure by non- employees and confirm supervision by a Department employee.


Employees are accountable for all actions and functions performed on their account.

Employees are encouraged to use private email services for conducting personal business rather than Department provided email facilities. There is no expectation of privacy when using Department email for private use.

3. Responsibility for implementation and compliance

Principals and line managers are responsible for implementing the policy.

Line managers are responsible for compliance monitoring.

4. Scope

This policy applies to all Department employees.

6. Definitions

An administrator account is a user account with high-level privileges to make changes on a computer that will affect other users of the computer. Administrators can change security settings, install software and hardware, access all files on the computer, and make changes to other user accounts.

Department of Education Account Manager (DAM) administrators use the DAM tool to give schools, business areas, employees and visitors access to online services in accordance with their employment position or agreed contract access requirements.

A Department employee is any person paid by the Department to provide a service, be it full time or part time as a staff member or teacher, or as a contractor for a short time or long time.

All physical, virtual and cloud-based infrastructure and software owned by the Department, including physical or logical connection to the network, including use of Corporate Information Systems.

An account created which cannot be directly attributed to an identifiable, auditable user. For example, admin front desk, admin temp, temp technician and temp teacher.

A volunteer or a work-place experience person, or other non-paid individual using the Department ICT infrastructure, is not an employee. For the purposes of this policy, they are classified as non-employees.

A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features.

Officers, including principals, site managers and line managers, who have executive responsibility for overall management and control of any Department workplace.

7. Related documents

8. Contact information

Policy manager:            

Director, ICT Operations and Customer Service

Policy contact officer:    

Cyber Security Consultant                        

Other contact:          

Customer Service Centre (CSC)

T: (08) 9264 5555

7.30am – 5.00pm Monday to Friday (excluding public holidays)

9. History of changes

Effective date Last update date Policy version no.
18 August 2015 2.0
Major review undertaken and split into policy and procedures. Endorsed by Corporate Executive 14 November 2014.
18 August 2015 2.1
Corrected typing error D15/0324518 Version 2.1 updated prior to version 2.0 becoming effective.
9 August 2022 3.0
The new Cyber Security Policy and Procedures, replaces the Information and Communication Technologies Security policy and procedures. Approved by the Director General on 14 July 2022 D22/0539066.

Summary of changes to the Cyber Security Policy on Ikon (staff only).

9 August 2022 17 November 2022 3.1
Minor change to update links D22/0841360

10. More information

This policy:

Download policy PDFCyber Security Policy v3.1

Supporting procedures:

Download Procedures PDFCyber Security Procedures

Policy and all supporting documents:

Download Policy Bundle ZIPCyber Security Policy Bundle

Policy review date

9 August 2025

Policy last updated

17 November 2022