Asset Publisher

Information and Communication Technologies Security Procedures

procedure

These procedures must be read in conjunction with the Information and Communication Technologies Security Policy.

2. Scope

These procedures apply to all employees.

3. Procedures

3.1 Passwords and user identification

Employees must not disclose their password or allow another person to access the Department of Education’s (the Department’s) information and communication technology (ICT) infrastructure using their user identification number (user ID).

Employees responsible for password and user ID management must:

  • where technically feasible, use the system password setting standards detailed in Appendix A;
  • create a separate user ID for every person requiring access to the Department’s infrastructure and not create generic accounts; and
  • not establish permissions to enable access to one user’s account from another.

Line managers must confirm that at all times, any individual user of any section of the Department’s ICT infrastructure, is identifiable and auditable.

Guidance

A unique user ID is created for every individual user of the Department’s ICT infrastructure. This is a significant factor in protecting staff and student users, the Department systems, and the information stored on both the local and central networks from malicious or inappropriate access and misuse.

3.2 Portable storage device security

Employees must:

  • adhere to the Encryption of Removable Media Guidelines (staff only) when using any form of communication, computing or portable storage device to store any confidential or sensitive information belonging to the Department;
  • mitigate the risk of introducing malware into the Department’s ICT infrastructure; and
  • prior to the disposal of any and all forms of ICT equipment capable of storing sensitive or confidential information belonging to the Department, securely delete that information in accordance with Department guidelines found at the ICT Equipment Disposal (staff only) web page.

Guidance

Examples of equipment capable of storing sensitive or confidential information include but is not limited to USB thumb drives, external hard drives, laptops, iPads, PDAs, mobile phones, printers, scanners, photo copiers, multifunction devices.

3.3 Work station screen lockout

If it has not been automatically set, employees must set a 10 minute lock out on their workstation.

Guidance

An automatic screen lockout time of 10 minutes is globally set across the Department’s ICT infrastructure on centrally managed devices.

Employees have a responsibility to prevent unauthorised access to information on their workstation.  To facilitate this employees should screen lock their computer if leaving their desk for more than five minutes.

3.4 Access for external parties

Line managers must:

  • use the approved mechanism for providing external parties temporary access to the Department’s ICT infrastructure; and
  • advise external parties that their access to the Department’s ICT infrastructure is subject to their adherence to the Information Communication Technologies Security Policy and Procedures.

 

 

Guidance

External parties include temporary/relief/visiting staff or members of the public, for example, assisting parents, medical staff and contractors.

3.5 Infrastructure security in schools

Principals will maintain infrastructure security in schools and implement effective information security practices.

 

 

Guidance

The following measures should be in place for infrastructure security in schools:

  • confirm correct security setting;
  • implement effective exit procedures;
  • carefully manage security groups;
  • review the location of sensitive information;
  • keep network operating systems up-to-date;
  • deploy up-to-date anti-virus software;
  • understand application system security requirements; and
  • secure equipment.

See Appendix B: Infrastructure Security for Schools Guidelines for further information.

4. Definitions

All physical equipment and software owned by the Department, including physical or logical connection to the network and/or use of Corporate Information Systems.

An account created which cannot be directly attributed to an identifiable, auditable user.  For example admin front desk, admin temp, temp technician and temp teacher.

5. Related documents

6. Contact information

Policy manager:

Director, ICT Infrastructure and Telecommunications

Policy contact officer:

ICT Security Administrator

T: (08) 9264 5114

Other:

Customer Service Centre (CSC)

T: (08) 9264 5555

7.30am – 5.00pm Monday to Friday (excluding public holidays)

7. History of changes

Effective date Last update date Procedure version no.
18 August 2015 2.0
Major review undertaken and split into policy and procedures. Endorsed by Corporate Executive 14 November 2014.
18 August 2015 2.1
Updated inconsistencies in Appendix A D15/0324895. Version 2.1 updated prior to version 2.0 becoming effective.

9. More information

This procedure:

Download procedure PDFInformation and Communication Technologies Security Procedures v2.1

Please ensure you also download the policy supported by this procedure.


Supported policy:

Download Policy PDFInformation and Communication Technologies Security Policy


Supporting content:


Procedure review date

18 August 2018